AVTECH video surveillance equipment authentication bypass and other vulnerabilities

ID SSV:92494
Type seebug
Reporter Root
Modified 2016-10-25T00:00:00


Authentication bypass vulnerability

There are two ways to achieve authentication bypass:

The first is the .cab method. A .cab file is the video player plug-in stored in the web root directory, so it needs to be accessed and downloaded directly without authentication. The device, however, only uses the strstr function to check whether the link contains the string ".cab", and if it does, the request is treated as exempt from authentication.

The second is the "nobody" method. Likewise, the device only uses the strstr function to check whether the link contains the string "nobody", and if it does, the request is exempt from authentication. Because ".cab" and "/nobody" can be placed anywhere in the link, both methods can be used to obtain the device configuration, including the login user names and passwords, with links such as:
http://<device_ip>/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*
http://<device_ip>/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*

Login CAPTCHA bypass

The device adds a CAPTCHA (verification code) to the login to prevent brute-force guessing of the user name and password, but because of an unreasonable system design it can be bypassed directly by adding login=quick. The link format is as follows: http://<device_ip>/cgi-bin/nobody/VerifyCode.cgi?account=<b64(username:password)>&login=quick. If quick mode is not used, the link format is as follows: http://<device_ip>/cgi-bin/nobody/VerifyCode.cgi?account=<b64(username:password)>&captcha_code=ZVFU&verify_code=ZVmHTLN5eiGB. Since captcha_code and verify_code are a matched pair, setting them manually so that they stay consistent also bypasses the CAPTCHA check and allows brute-force guessing of the user name and password.
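As an added defensive example (not part of the advisory), the following Python flags the request patterns described in the two sections above in web-server access logs: the ".cab" and "nobody" tokens appearing outside their legitimate position in the path, login=quick on VerifyCode.cgi, and a client replaying one captcha_code/verify_code pair across several login attempts. The log lines, client addresses and the /cgi-bin/nobody/ prefix rule are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format), not captured from a real device:
# .10 uses the ".cab"/"nobody" tokens in the query string, .11 uses login=quick and then
# replays one captcha_code/verify_code pair, .12 is benign traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Oct/2016:10:00:01 +0000] "GET /cgi-bin/user/Config.cgi?.cab&action=get&category=Account.* HTTP/1.1" 200 812
192.0.2.10 - - [25/Oct/2016:10:00:02 +0000] "GET /cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.* HTTP/1.1" 200 812
192.0.2.11 - - [25/Oct/2016:10:00:03 +0000] "GET /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&login=quick HTTP/1.1" 200 45
192.0.2.11 - - [25/Oct/2016:10:00:04 +0000] "GET /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46MTIzNA==&captcha_code=ZVFU&verify_code=ZVmHTLN5eiGB HTTP/1.1" 200 45
192.0.2.11 - - [25/Oct/2016:10:00:05 +0000] "GET /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46cGFzcw==&captcha_code=ZVFU&verify_code=ZVmHTLN5eiGB HTTP/1.1" 200 45
192.0.2.12 - - [25/Oct/2016:10:00:06 +0000] "GET /plugin/player.cab HTTP/1.1" 200 102400
192.0.2.12 - - [25/Oct/2016:10:00:07 +0000] "GET /cgi-bin/nobody/VerifyCode.cgi?account=YWRtaW46YWRtaW4=&captcha_code=AB12&verify_code=k3Jx9Q HTTP/1.1" 200 45
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*"', re.M)

def classify(uri):
    """Return finding labels for one request URI (empty list if nothing is suspicious)."""
    parts = urlsplit(uri)
    findings = []
    # The device exempts any URI that merely *contains* ".cab" or "nobody" (strstr check).
    # Legitimately, .cab ends the path and unauthenticated CGIs live under /cgi-bin/nobody/.
    if ".cab" in uri and not parts.path.endswith(".cab"):
        findings.append("cab-token-outside-path")
    if "nobody" in uri and not parts.path.startswith("/cgi-bin/nobody/"):
        findings.append("nobody-token-outside-path")
    if parts.path.endswith("/VerifyCode.cgi") and parse_qs(parts.query).get("login") == ["quick"]:
        findings.append("captcha-bypass-login-quick")  # login=quick skips the CAPTCHA entirely
    return findings

def scan(log_text, replay_threshold=2):
    """Map client IP -> sorted findings; an IP that sends the same verify_code on
    replay_threshold or more login attempts is flagged too (a fresh pair is expected each time)."""
    findings, verify_codes = {}, Counter()
    for m in LOG_RE.finditer(log_text):
        ip, uri = m["ip"], m["uri"]
        for f in classify(uri):
            findings.setdefault(ip, set()).add(f)
        parts = urlsplit(uri)
        if parts.path.endswith("/VerifyCode.cgi"):
            for code in parse_qs(parts.query).get("verify_code", []):
                verify_codes[(ip, code)] += 1
    for (ip, _), n in verify_codes.items():
        if n >= replay_threshold:
            findings.setdefault(ip, set()).add("captcha-verify-code-reused")
    return {ip: sorted(fs) for ip, fs in findings.items()}
```

Run scan(SAMPLE_LOG) to see the per-client findings; a genuine plug-in download such as /plugin/player.cab and a single fresh captcha pair produce no finding.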

Other security vulnerabilities

First: the HTTPS service is used without certificate validation. The system scripts SyncCloudAccount.sh, QueryFromClient.sh and SyncPermit.sh use wget to access HTTPS sites such as https://payment.eagleeyes.tw. Since the certificate is not validated, the HTTPS communication is exposed to man-in-the-middle attacks.

Second: passwords are stored in plaintext. If the device is attacked, all user login passwords and other sensitive information can easily be obtained.

Third: CSRF vulnerability. The device has no anti-CSRF measures at all, so while an administrator is logged in it may be subject to CSRF attacks.