As a personal project, I took it upon myself to research and discover vulnerabilities within various embedded devices, such as a Network Attached Storage (NAS) device, an IP camera, and a router. In this blog, I will be going over how I found DOM-based XSS, persistent XSS, and a hidden CGI endpoint that enables services, and how we can use these vulnerabilities to acquire a remote shell on the Vivotek FD8369A-V camera, firmware version 0206b.

It is important to realize that the growing number of services and features in embedded devices has also increased the attack surface available to remote adversaries. Keeping this in mind, let's gather some information about the camera by using Nmap to enumerate open ports and services running on the FD8369A-V.

```
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Boa httpd
443/tcp  open  ssl/http Boa httpd
554/tcp  open  rtsp     Vivotek FD8134V webcam rtspd
8080/tcp open  http     Boa httpd
```

From the resulting information, we can see that the FD8369A-V appears to be hosting a web application interface on a Boa web server, as well as a Real-Time Streaming Protocol (RTSP) service for viewing a live video feed from the camera.

Let's get started by taking a look at the web application and searching for web-based vulnerabilities that can be leveraged to gain access to, or potentially compromise, this device.

Since verbose logging can assist in discovering unexpected application or service behavior, I made sure to keep an eye on it while performing my authorization and additional injection tests. Because of this, I was able to observe that the camera's logging service also included information regarding unauthorized attempts to access the application's CGI endpoints. In addition to these "unauthorized access" log messages, the HTTP Referer header from the originating request was being included as well.

Due to the fact that the Referer header is a client-controlled value that can easily be modified using an HTTP intercepting proxy, such as Burp Suite, or a command line utility, such as cURL, an attacker can issue the following cURL request to trigger an "unauthorized access" log message containing a cross-site scripting payload.

Issuing the request above will result in the following response, just as we expect.

```
HTTP/1.1 403 Forbidden
Date: Fri, 20:26:39 GMT
Server: Web Server
Accept-Ranges: bytes
Connection: close
Content-Type: text/html charset=ISO-8859-1

403 Forbidden
403 Forbidden
Your client does not have permission to get URL /cgi-bin/privilege.cgi from this server.
```

Now, when an unsuspecting user visits the camera's web interface and views the /setup/system/syslog.html endpoint, the arbitrary JavaScript carried in the logged Referer value will be executed in the context of the user's browser.

## Enabling Hidden Services (CVE-2018-18004)

Ideally, to expedite the search for vulnerabilities in embedded devices such as this camera, we would enable an SSH service, connect to the device, and pull files such as the camera's web root directory for static analysis. However, since there is no way to enable such functionality through the camera's web application interface, we'll have to refer to the manufacturer's website for the firmware, which we can obtain here. Had the manufacturer not publicly provided firmware, we could resort to obtaining a physical shell through the device's debugging ports. However, since this is not the case, we can proceed to download the firmware file from the manufacturer's website.

Upon downloading the firmware file, I used binwalk, a command line tool for searching firmware images for embedded files and code, to extract the file system currently in use by the camera.
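The persistent XSS described in the syslog section above comes down to a log viewer that renders a client-controlled header without escaping it. The following is an added example, not the camera's code or the post's own: the syslog line format, hostname and addresses are constructed assumptions, and only the fact that the Referer value is logged and later shown in the syslog page comes from the post. It models the vulnerable rendering beside a hardened one and adds a simple detection check for Referer values that cannot be URLs.

```python
import html
import re

# Constructed sample syslog lines (assumed format; the camera's real format is not on the page).
# The second line carries a Referer value that is not a URL at all.
SAMPLE_LOG = """\
Jan 1 20:26:39 camera httpd: unauthorized access to /cgi-bin/privilege.cgi from 192.0.2.10 referer=http://192.0.2.10/setup/system/syslog.html
Jan 1 20:26:41 camera httpd: unauthorized access to /cgi-bin/privilege.cgi from 192.0.2.10 referer=<script>alert(1)</script>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+httpd: "
    r"(?P<msg>.*?)(?: referer=(?P<referer>.*))?$"
)

# Characters permitted in a URI by RFC 3986; anything else in a Referer is not a URL.
URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def parse_log(text):
    """Split the constructed syslog text into dicts with ts, host, msg and referer."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def render_unsafe(entries):
    """The defect: the client-controlled Referer is concatenated straight into the HTML log table."""
    return "".join(
        f"<tr><td>{e['ts']}</td><td>{e['msg']}</td><td>{e['referer'] or ''}</td></tr>"
        for e in entries
    )


def render_safe(entries):
    """Hardened form: every logged field is HTML-escaped before it reaches the page."""
    return "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["ts"]), html.escape(e["msg"]), html.escape(e["referer"] or "")
        )
        for e in entries
    )


def flag_injected_referers(entries):
    """Detection: return entries whose Referer contains characters a URL can never contain."""
    return [e for e in entries if e["referer"] and not URI_CHARS.match(e["referer"])]
```

The same escaping rule applies to every other request-derived field the viewer prints, not only Referer.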