ID

VAR-E-201401-0070


CVE

cve_id:CVE-2013-7204

Trust: 3.0

sources: BID: 64761 // PACKETSTORM: 124747 // EXPLOIT-DB: 30914 // EDBNET: 52527 // EDBNET: 21506

EDB ID

30914


TITLE

Conceptronic Wireless Pan & Tilt Network Camera - Cross-Site Request Forgery - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 30914

DESCRIPTION

Conceptronic Wireless Pan & Tilt Network Camera - Cross-Site Request Forgery. CVE-2013-7204CVE-101930 . webapps exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 30914

AFFECTED PRODUCTS

vendor:conceptronicmodel:wireless pan & tilt network camerascope: - version: -

Trust: 2.2

vendor:conceptronicmodel:cipcamptiwlscope:eqversion:21.37.2.49

Trust: 0.5

sources: PACKETSTORM: 124747 // EXPLOIT-DB: 30914 // EDBNET: 52527 // EDBNET: 21506

EXPLOIT

**General Details**

Affected Product: Conceptronic camera CIPCAMPTIWL
Tested Firmware: 21.37.2.49
Tested Web UI Firmware: 0.61.4.18
Assigned CVE: CVE-2013-7204
CVSSv2 Base Score: 5.8 (AV:N/AC:M/AU:N/C:P/I:P/A:N)
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Solution Status: Not Fixed
Vendor Notification Timeline:
- 23/12/2013: Contacting with technical support through their web
form http://www.conceptronic.net/supcon.php?action=init
- 23/12/2013: Contacting with general information email addres
(info@conceptronic.net) to inform about the vulnerability and request
suitable security or technical contact to send the complete details of
the CSRF.
- 25/12/2013: Contacting with public twitter accounts
@conceptronic and @conceptronic_es to request suitable security or
technical contact to send the complete details of the CSRF.
- 28/12/2013: Recontacting the technical support.
- 28/12/2013: Recontacting general information address
info@conceptronic.net.
- 02/01/2014: Trying to conntact with security@conceptronic.net y
vulnerabilities@conceptronic.net but they are non existent addresses.
- 03/01/2014: Involve Inteco CERT in the notification proccess.
- 08/01/2014: Inteco confirms that there is still no response from
Conceptronic.

None of the comunication atempts with the vendor received a response,
so I'm publishing the advisory to warn users and confirm the
vulnerability with you.

**Vulnerabilitty details**

The CSRF is present in the CGI formulary used to create and modify
users of the web interface of the camera (/set_users.cgi). This CSRF
would allow a malicious attacker to create users in the camera web
interface (including administrator users) if he is able to lure the
legitimate administrator of the camera to visit a web controlled by
the attacker.

An example of the process to exploit this vulnerability:

1- A webcam administrator is already logged in the camera web interface.

2- A malicious user knows it and send a link to this administrator
pointing to a web controlled by this attacker
(http://example.com/conceptronic_csrf.html). In this web, the attacker
placed an image with the following code:

<img alt="csrf image"
src="http://<victim_camera_server>/set_users.cgi?next_url=rebootme.htm&user1=attacker&pwd1=attacker&pri1=2&user2=&pwd2=&pri2=0&user3=&pwd3=&pri3=0&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0">

3- The webcam administrator visit the link.

4- The page http://example.com/test_csrf.html tries to load the image
by making a GET request to the pointed URL, thus, making the
legitimate administrator to create a new user identified by "attacker"
and password "attacker".

A video was uploaded to youtube showing this behaviour:

https://www.youtube.com/watch?v=URXEe_VRc74

This issue can be fixed by adding an additional step to the user
creation CGI, either requesting the administrator password again
before creating/modifying any user or creating a hidden random token
for each form (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)

--
Felipe Molina de la Torre

Trust: 1.0

sources: EXPLOIT-DB: 30914

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 30914

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 30914

TYPE

CSRF Vulnerability

Trust: 1.2

sources: EDBNET: 52527 // EDBNET: 21506

TAGS

tag:exploit

Trust: 0.5

tag:csrf

Trust: 0.5

sources: PACKETSTORM: 124747

CREDITS

Felipe Molina

Trust: 0.6

sources: EXPLOIT-DB: 30914

EXTERNAL IDS

db:NVDid:CVE-2013-7204

Trust: 3.0

db:EXPLOIT-DBid:30914

Trust: 1.6

db:EDBNETid:52527

Trust: 0.6

db:0DAYTODAYid:21748

Trust: 0.6

db:EDBNETid:21506

Trust: 0.6

db:PACKETSTORMid:124747

Trust: 0.5

db:BIDid:64761

Trust: 0.3

sources: BID: 64761 // PACKETSTORM: 124747 // EXPLOIT-DB: 30914 // EDBNET: 52527 // EDBNET: 21506

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2013-7204

Trust: 2.7

url:https://www.exploit-db.com/exploits/30914/

Trust: 0.6

url:https://0day.today/exploits/21748

Trust: 0.6

sources: PACKETSTORM: 124747 // EXPLOIT-DB: 30914 // EDBNET: 52527 // EDBNET: 21506

SOURCES

db:BIDid:64761
db:PACKETSTORMid:124747
db:EXPLOIT-DBid:30914
db:EDBNETid:52527
db:EDBNETid:21506

LAST UPDATE DATE

2022-07-27T09:35:28.433000+00:00


SOURCES UPDATE DATE

db:BIDid:64761date:2014-01-10T00:00:00

SOURCES RELEASE DATE

db:BIDid:64761date:2014-01-10T00:00:00
db:PACKETSTORMid:124747date:2014-01-10T20:22:22
db:EXPLOIT-DBid:30914date:2014-01-14T00:00:00
db:EDBNETid:52527date:2014-01-14T00:00:00
db:EDBNETid:21506date:2014-01-14T00:00:00