15 matches found
Zivif PR115-204-P-RS Security Bypass Vulnerability
The Zivif PR115-204-P-RS is a webcam device. A security bypass vulnerability exists in the Zivif PR115-204-P-RS version 2.3.4.2103, which stems from the program's failure to perform sufficient authentication checks on requests sent to a CGI page. A remote attacker can exploit the vulnerability by...
CVE-2017-17106
Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages...
CVE-2017-17107
Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session...
Design/Logic Flaw
Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages...
Hardcoded credentials
Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session...
Command injection
Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 and possibly in-between versions web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a...
CVE-2017-17106
Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages. Recent assessments...
CVE-2017-17105
Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 and possibly in-between versions web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a...
CVE-2017-17107
CVE-2017-17107 affects Zivif PR115-204-P-RS Webcams (version 2.3.4.2103). The root user password is hard-coded as cat1029, and the SONIX OS setup makes it unchangeable, enabling root access via TELNET. This CVE is part of a set (CVE-2017-17105, -17106, -17107) describing authentication bypass, co...
CVE-2017-17107
Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1029 password for the root user. The SONIX operating system's setup renders this password unchangeable and it can be used to access the device via a TELNET session...
CVE-2017-17106
Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages...
CVE-2017-17105
Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 and possibly in-between versions web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a...
CVE-2017-17105
CVE-2017-17105 affects Zivif PR115-204-P-RS webcams (notably V2.3.4.2103 and V4.7.4.2121 and potentially intermediate builds). The vulnerability is an unauthenticated, blind remote command injection via CGI scripts used in the web interface, demonstrated by a request such as cgi-bin/iptest.cgi?cm...
CVE-2017-17106
CVE-2017-17106 affects Zivif PR115-204-P-RS V2.3.4.2103 Webcams. The vulnerability arises from a lack of authentication in CGI page requests (specifically /web/cgi-bin/hi3510/param.cgi?cmd=getuser), enabling an unauthenticated remote attacker to obtain credentials. Impact is credential disclosure...
Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password
Attack vector: Remote Authentication: None Researcher: Silas Cutler p1nk Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to...