MOBOTIX S14 Camera - MX-V4.2.1.61 - Multiple Vulnerabilities
Default Web Management Interface Credentials (https://www.use-ip.co.uk/forum/threads/mobotix-default-password.76/) - CVE-2009-5154
In a default state, the admin's hash was Wx3P0QA1/y1bg; this was cracked to reveal 'meinsm'.
See: https://gist.github.com/llandeilocymro/430bdd50266e03c75e6116c3e80bf78f for PoC in python.
Administrator Credentials stored in weak hashing format - CVE-2019-7673
In a default state, the admin's hash was found to be Wx3P0QA1/y1bg. This is a DES hash and isn't considered secure.
Clear text credentials / Basic authentication - CVE-2019-7675
The default management application was delivered over HTTP and used basic authentication.
GET /admin/index.html?cachedummy=947405 HTTP/1.1
Host: XX.XXX.XXX.XX:8001
Authorization: Basic YWRtaW46bWVpbnNt
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://86.182.103.99:8001/control/userimage.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,cy;q=0.8
Connection: close
Poor password policy - CVE-2019-7674
Through the management interface, a user was able to create a password of 'aaaaa'. See the request/response below:
POST /admin/access HTTP/1.1
Host: XX.XXX.XXX.XX:8001
Content-Length: 311
Cache-Control: max-age=0
Authorization: Basic YWRtaW46bWVpbnNt
Origin: http://86.182.103.99:8001
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://86.182.103.99:8001/admin/access
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,cy;q=0.8
Connection: close
user_name_0=admin&user_group_0=admins&user_passwd_a_0=***&user_passwd_b_0=***&user_name_1=craigsand&user_group_1=admins&user_passwd_a_1=***&user_passwd_b_1=***&user_name_2=test&user_group_2=undefined&user_passwd_a_2=aaaaa&user_passwd_b_2=aaaaa&sv_passwd_a=&sv_passwd_b=&super_pin_1=&super_pin_2=&save_config=Set
Response
HTTP/1.0 200 OK
Content-type: text/html; charset=UTF-8
Cache-Control: no-cache
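
An added example, not part of the original advisory and not MOBOTIX code: a server-side policy check applied to the form fields seen in the POST to /admin/access above. The length threshold, the denylist contents beyond 'meinsm', and the treatment of `***` as "password unchanged" are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

MIN_LENGTH = 12                             # assumed policy value, not from the advisory
DENYLIST = {"meinsm", "admin", "password"}  # 'meinsm' is the default named in the advisory
UNCHANGED = "***"                           # assumption: placeholder meaning "keep current password"

def check_password(user, password):
    """Return a list of policy violations for one candidate password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < 5:
        problems.append("fewer than 5 distinct characters")
    if password.lower() in DENYLIST:
        problems.append("is a known default or common password")
    if user and user.lower() in password.lower():
        problems.append("contains the user name")
    return problems

def audit_access_form(body):
    """Validate every user_passwd_a_N / user_passwd_b_N pair in the form body."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = {}
    for key, user in fields.items():
        m = re.fullmatch(r"user_name_(\d+)", key)
        if m is None:
            continue
        n = m.group(1)
        first = fields.get(f"user_passwd_a_{n}", "")
        second = fields.get(f"user_passwd_b_{n}", "")
        if first == UNCHANGED and second == UNCHANGED:
            continue  # this row does not change the password
        problems = check_password(user, first)
        if first != second:
            problems.append("confirmation does not match")
        if problems:
            findings[user] = problems
    return findings

# Form body constructed from the request shown above (trimmed to two user rows).
SAMPLE_BODY = (
    "user_name_0=admin&user_group_0=admins&user_passwd_a_0=***&user_passwd_b_0=***"
    "&user_name_2=test&user_passwd_a_2=aaaaa&user_passwd_b_2=aaaaa&save_config=Set"
)

if __name__ == "__main__":
    for user, problems in audit_access_form(SAMPLE_BODY).items():
        print(f"reject {user}: {'; '.join(problems)}")
```
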
@llandeilocymro

commented May 29, 2019

An example of usage:
Screen Shot 2019-05-29 at 1 34 09 PM
