hik-connect.com / ezvizlife.com Authentication Bypass

26 Apr 2018 00:00:00 | Reported by Vangelis Stykas | Type: packetstorm | Source: packetstormsecurity.com

Authentication Bypass on hik-connect.com and ezvizlife.co

Code
`There is a full write up of this bug here: https://medium.com/@evstykas/hackvision-8f50924e56d  
  
Vulnerability Security Advisory < 20180424 >  
=======================================================================  
title: No validation on cookie values   
product: hik-connect.com and ezvizlife.com  
vulnerable version: latest  
fixed version: fixed  
CVE number: -  
impact: critical  
found: 2018-04-19  
by: Vangelis Stykas & George Lavdanis  
  
=======================================================================  
  
Vendor description:  
-------------------  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) No validation on cookie values   
  
Both cloud services (hik-connect.com and ezvizlife.com) rely on the cookie value AS_UserID to authenticate the user. Directly changing the value to another valid user id results in hijacking that user's session, which gives access to their cameras/DVRs and allows changing their password and/or email and phone. As the user id is not an incremental number but a hash, we need a way of finding out valid user ids.  
In order to do that we can use the https://xxx.ezvizlife.com/friend/queryByMobile.json or endpoint AFTER making that user a friend and get his userId.  
That endpoint has a GET parameter (mobile) that looks up a user by username, email or phone number.  
After that, changing the cookie value to that user's id results in being logged in as that user.  
  
  
Proof of concept:  
-----------------  
1) No validation on cookie values:  
  
### Details  
* Attack Vector: HTTP GET  
* Prerequisites: None  
* CWE: CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision  
* Technical Impact: Login as any user with no password required  
* Vulnerable query URL: /  
* Vulnerable Cookie parameter: AS_UserId  
  
  
  
  
  
  
Vulnerable / tested versions:  
-----------------------------  
Http://www.hik-connect.com/ (and all geographically distributed servers)  
  
  
Vendor contact timeline:  
------------------------  
2018-04-21: Sent initial report to Hikvision   
  
  
`
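
The advisory classifies the flaw as CWE-784: the server takes the identity straight from a client-supplied cookie. The following is an added example, not code from the advisory or from the vendor, that contrasts that pattern with a server-side session whose token is integrity-checked before lookup. The `session` cookie name, the key handling and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; nothing here comes from the vendor's code.
SERVER_KEY = secrets.token_bytes(32)  # secret kept on the server only
SESSIONS = {}                         # session token -> user id (assumed in-memory store)


def _tag(token):
    """HMAC-SHA256 over the session token, hex encoded."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def resolve_user_trusting(cookies):
    """Flawed pattern (CWE-784): whatever id the cookie carries is the identity."""
    return cookies.get("AS_UserID")


def issue_session(user_id):
    """After a real login, bind a random token to the user on the server side."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return f"{token}.{_tag(token)}"


def resolve_user_validated(cookies):
    """Identity comes from the server-side session; AS_UserID is never consulted."""
    # "session" is a hypothetical cookie name used only in this example.
    token, _, tag = cookies.get("session", "").partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(token).encode()):
        return None                   # missing, malformed or modified cookie
    return SESSIONS.get(token)        # None if the session was revoked or unknown


def demo():
    """Same request, edited AS_UserID cookie: compare what each resolver returns."""
    cookie = issue_session("alice-id")
    request = {"session": cookie, "AS_UserID": "bob-id"}
    return resolve_user_trusting(request), resolve_user_validated(request)


if __name__ == "__main__":
    print(demo())
```

With the validated resolver, editing `AS_UserID` has no effect, and a modified `session` value fails the HMAC check before any session lookup happens.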
