llandeilocymro/MOBOTIX S14 Camera - MX-V4.2.1.61 - Multiple Vulnerabilities

## MOBOTIX S14 Camera - MX-V4.2.1.61 - Multiple Vulnerabilities
Default Web Management Interface Credentials (https://www.use-ip.co.uk/forum/threads/mobotix-default-password.76/) - CVE-2009-5154
In a default state, the admin's hash was - Wx3P0QA1/y1bg, this was cracked to reveal 'meinsm'.
See: https://gist.github.com/llandeilocymro/430bdd50266e03c75e6116c3e80bf78f for PoC in python.

Administrator Credentials stored in weak hashing format - CVE-2019-7673
In a default state, the admin's hash was found to be - Wx3P0QA1/y1bg.  This is a DES hash and isn't considered secure.

Clear text credentials / Basic authentication - CVE-2019-7675.
The default management application was delivered over HTTP and used basic authentication.

GET /admin/index.html?cachedummy=947405 HTTP/1.1
Host: XX.XXX.XXX.XX:8001
Authorization: Basic YWRtaW46bWVpbnNt
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://86.182.103.99:8001/control/userimage.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,cy;q=0.8
Connection: close

Poor password policy - CVE-2019-7674
A user, through the management interface was able to create a password of 'aaaaa'.  See the below request/response:

POST /admin/access HTTP/1.1
Host: XX.XXX.XXX.XX:8001
Content-Length: 311
Cache-Control: max-age=0
Authorization: Basic YWRtaW46bWVpbnNt
Origin: http://86.182.103.99:8001
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://86.182.103.99:8001/admin/access
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,cy;q=0.8
Connection: close

user_name_0=admin&user_group_0=admins&user_passwd_a_0=***&user_passwd_b_0=***&user_name_1=craigsand&user_group_1=admins&user_passwd_a_1=***&user_passwd_b_1=***&user_name_2=test&user_group_2=undefined&user_passwd_a_2=aaaaa&user_passwd_b_2=aaaaa&sv_passwd_a=&sv_passwd_b=&super_pin_1=&super_pin_2=&save_config=Set


Response
HTTP/1.0 200 OK
Content-type: text/html; charset=UTF-8
Cache-Control: no-cache
	Default Web Management Interface Credentials (https://www.use-ip.co.uk/forum/threads/mobotix-default-password.76/) - CVE-2009-5154
	In a default state, the admin's hash was - Wx3P0QA1/y1bg, this was cracked to reveal 'meinsm'.
	See: https://gist.github.com/llandeilocymro/430bdd50266e03c75e6116c3e80bf78f for PoC in python.

	Administrator Credentials stored in weak hashing format - CVE-2019-7673
	In a default state, the admin's hash was found to be - Wx3P0QA1/y1bg. This is a DES hash and isn't considered secure.

	Clear text credentials / Basic authentication - CVE-2019-7675.
	The default management application was delivered over HTTP and used basic authentication.

	GET /admin/index.html?cachedummy=947405 HTTP/1.1
	Host: XX.XXX.XXX.XX:8001
	Authorization: Basic YWRtaW46bWVpbnNt
	Upgrade-Insecure-Requests: 1
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
	Referer: http://86.182.103.99:8001/control/userimage.html
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US,en;q=0.9,cy;q=0.8
	Connection: close

	Poor password policy - CVE-2019-7674
	A user, through the management interface was able to create a password of 'aaaaa'. See the below request/response:

	POST /admin/access HTTP/1.1
	Host: XX.XXX.XXX.XX:8001
	Content-Length: 311
	Cache-Control: max-age=0
	Authorization: Basic YWRtaW46bWVpbnNt
	Origin: http://86.182.103.99:8001
	Upgrade-Insecure-Requests: 1
	Content-Type: application/x-www-form-urlencoded
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
	Referer: http://86.182.103.99:8001/admin/access
	Accept-Encoding: gzip, deflate
	Accept-Language: en-US,en;q=0.9,cy;q=0.8
	Connection: close

	user_name_0=admin&user_group_0=admins&user_passwd_a_0=*&user_passwd_b_0=&user_name_1=craigsand&user_group_1=admins&user_passwd_a_1=&user_passwd_b_1=*&user_name_2=test&user_group_2=undefined&user_passwd_a_2=aaaaa&user_passwd_b_2=aaaaa&sv_passwd_a=&sv_passwd_b=&super_pin_1=&super_pin_2=&save_config=Set


	Response
	HTTP/1.0 200 OK
	Content-type: text/html; charset=UTF-8
	Cache-Control: no-cache