FlexWATCH-Webs 2.2 (NTSC) Authorization Bypass
From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 02/24/04
- Previous message: Luigi Auriemma: "Remote server crash in Haegemonia <= 1.07"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "bugtraq" <bugtraq@securityfocus.com> Date: Tue, 24 Feb 2004 16:45:23 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: FlexWATCH-Webs
Vendors: Seyeon TECH Co., Ltd.
http://www.flexwatch.com/
http://www.seyeon.co.kr
Versions: <= 2.2 (NTSC)
Platforms: Windows
Bug: Authorization Bypass
Risk: Very High
Exploitation: Remote with browser
Date: 26 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
FlexWATCH is used as for remote administration and for
security surveillance server. Security cameras servers should
not be accessible to anyone but the administrator.
Some of Las Vegas Casinos are using FlexWATCH(Tip for them)
as their security surveillance server, it is ridiculous that a company
invests money in a software to increase security and instead
reduces it. I can only imagine the risk for a casino which uses
this software.
FlexWATCH also contains an ftp server and the machine's
dial-up accounts and configuration, taking over the machine is
also possible.
FlexWATCH describe their product the following way:
------------------------------------------------------------------------
"FlexWATCH™ Network Camera and video server series are all stand-alone video
transmission system to deliver
crystal clear real time live video over the TCP/IP network. FlexWATCH™
System has a built-in web server that
enable you to view live video through standard web browser such as MSIE or
Netscape Navigator.
Once you connect the FlexWATCH™ System to the existing network such as LAN,
Cable modem, DSL and assign
IP address, you can view remote site from anywhere anytime through web
browser without any viewing software.
Various types of Network camera and Video servers are provided by Seyeon
technology to meet different customer needs.
For more information go to Network camera or Network video server page.
By combining with other supporting software and hardware, you can easily
build up various type of solution for remote
monitoring and security."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Authorization Bypass:
This case is a classic case of "Authorization Bypass" which is
caused by the use of double slash when reffering to files on the
server.
using each one of the following links will allow anyone full control
If an attacker will request the following url from the server:
This vulnerability can allow attackers to rewrite the contents of the
In the words of securityfocus.com :
If all of these circumstances are met, an attacker may be able to exploit
Attacks of this nature may make it possible for attackers to manipulate web
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
Authorization Bypass:
Cross Site Scripting:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
over the server:
http://
http://
http://
http://
http://
http://
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<script>alert('xss')</script>
XSS appears and the server allows an attacker to inject & execute scripts.
webpage by injecting scripts to it.
Imagine a client of one of nextplace.com clients coming to buy something and
his credit card and
personal details are being sent to the "hacker" instead of the company.
Why? because the "hacker" can spread links and popups of the websites with
the injected scripts,
maby even a new email worm sending evil links to all the world. In addition
users cookies
(that may contain the same important data) can be stolen, and creating such
evil links will effect forever,
because Internet Explorer vulnerabilities of the past and the future will be
a key to hurt the surfers.
~~~~~~~~~~~~~~~~~~~~~~~~~~
this issue
via a malicious link containing arbitrary HTML and script code as part of
the hostname.
When the malicious link is clicked by an unsuspecting user, the
attacker-supplied HTML
and script code will be executed by their web client. This will occur
because the server
will echo back the malicious hostname supplied in the client's request,
without sufficiently
escaping HTML and script code.
content or to
steal cookie-based authentication credentials. It may be possible to take
arbitrary actions as the victim user.
3) The Code
===========
http://
http://
http://
http://
http://
http://
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<script>alert('xss')</script>
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Scripts and Codes will make me D.O.S , but they will never HACK me."
Relevant Pages
... This PHP script can reside on other servers (for ... if an attacker calls it directly he/she may cause the script to run remote ... Where the attacker server has a file called Packer.php. ...
(Securiteam)
... /include directory which results in allowing an attacker to execute remote ... code on the server with web server's permission setting. ... Remote Arbitrary Code Execution: ...
(Securiteam)
... vulnerabilites exist in the /include directory which may result in allowing the attacker ... Remote Arbitrary Code Execution: ... allow remote attacker to include their own remote arbitrary code and run it on the server. ... php will execute the attackers code. ...
(Bugtraq)
... > Prerequisite to running remote scripts. ... > Remote WSH, which is a new technology included in WSH 5.6, provides the ... use Poledit.exe on the server. ...
(microsoft.public.windows.server.scripting)
... Prerequisite to running remote scripts. ... Remote WSH, which is a new technology included in WSH 5.6, provides the ... use Poledit.exe on the server. ...
(microsoft.public.windows.server.scripting)
