Title: Brickcom 100ap Series Vulnerabilities
Date Published: 12/06/2013
Date of last updated: 12/06/2013
Multiples vulnerabilities have been found in this device.
-CVE-2013-3689. Authentication Bypass Issues(CWE-592) and Clear Text Storage of Sensitive Information(CWE-312)
-CVE-2013-3690. Cross Site Request Forgery(CWE-352), Permissions, Privileges, and Access Control(CWE-264) and Execution with Unnecessary Privileges(CWE-250)
The following products are affected by these vulnerabilities:
FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E
Its possible others models are affected but they were not checked.
We have detected the following vulnerable firmwares: firmwareVersion=v220.127.116.11, v18.104.22.168, v22.214.171.124C1
In the next firmwares, you need to be log-in as administrator to download this file, but the information is in plain text yet: firmwareVersion=v126.96.36.199,v188.8.131.52
All firmware checked.
4.1.Authentication Bypass & Clear Text Storage of Sensitive Information
CVE-2013-3689, These allows you to download the all the configuration device file writing the next URL (all data shown will be in plain text). Its not necessary any authentication.
The most interesting parameters could be:
4.2.Cross Site Request Forgerty (CSRF) + Privilege Escalation
CVE-2013-3690, CSRF is possible via POST method.
Also is possible a privilege escalation from a viewer user to an administrator user.
These cameras use a web interface which is prone to CSRF vulnerabilities.
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
The following request can exploit this vulnerability
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
-CVE-2013-3689 was discovered by Eliezer Varad Lopez, Javier Repiso Snchez and Jons Ropero Castillo.
-CVE-2013-3690 was discovered by Jons Ropero Castillo.
-2013-05-31: Students team notifies the Brickcom Customer Support of the vulnerabilities.
-2013-05-31: Brickcom answers saying this in accordance with some of the vulnerabilities, but there are some that they think is not correct.
(CVE-2013-3689, Authentication bypass and plain text information: After talk with vendor, its looks that after firmware 3.1.x.x, this bug is fixed but still the information is shown in plain text, so they should fix this second one)
-2013-06-03: Students check and communicate Brickcom the detail products and firmwares affected by vulnerabilities.
-2013-06-04: The vendor is agree with everything stated and reports that will fix it as soon as possible.