MOBOTIX S14 Camera - MX-V4.2.1.61 - Multiple Vulnerabilities

Default Web Management Interface Credentials (https://www.use-ip.co.uk/forum/threads/mobotix-default-password.76/) - CVE-2009-5154
In its default state, the admin's hash was Wx3P0QA1/y1bg, which was cracked to reveal 'meinsm'.
See https://gist.github.com/llandeilocymro/430bdd50266e03c75e6116c3e80bf78f for a PoC in Python.

Administrator Credentials stored in weak hashing format - CVE-2019-7673
In its default state, the admin's hash was found to be Wx3P0QA1/y1bg. This is a DES hash, which is not considered secure.

Clear text credentials / Basic authentication - CVE-2019-7675
The default management application was delivered over HTTP and used basic authentication, so the credentials are sent in the Authorization header of every request without encryption:

GET /admin/index.html?cachedummy=947405 HTTP/1.1
Host: XX.XXX.XXX.XX:8001
Authorization: Basic YWRtaW46bWVpbnNt
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://86.182.103.99:8001/control/userimage.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,cy;q=0.8
Connection: close

Poor password policy - CVE-2019-7674
Through the management interface, a user was able to create a password of 'aaaaa'. See the request/response below:

POST /admin/access HTTP/1.1
Host: XX.XXX.XXX.XX:8001
Content-Length: 311
Cache-Control: max-age=0
Authorization: Basic YWRtaW46bWVpbnNt
Origin: http://86.182.103.99:8001
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://86.182.103.99:8001/admin/access
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,cy;q=0.8
Connection: close

user_name_0=admin&user_group_0=admins&user_passwd_a_0=***&user_passwd_b_0=***&user_name_1=craigsand&user_group_1=admins&user_passwd_a_1=***&user_passwd_b_1=***&user_name_2=test&user_group_2=undefined&user_passwd_a_2=aaaaa&user_passwd_b_2=aaaaa&sv_passwd_a=&sv_passwd_b=&super_pin_1=&super_pin_2=&save_config=Set

Response

HTTP/1.0 200 OK
Content-type: text/html; charset=UTF-8
Cache-Control: no-cache
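
An added example, not part of the original advisory or the author's PoC: a Python audit helper run over a constructed request modelled on the captures above. It shows that the Basic Authorization header decodes directly to the credentials (CVE-2019-7675) and flags newly set passwords that fail a minimum policy (CVE-2019-7674). The host name, the 12-character threshold and the treatment of `***` as a masked value are assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl

# Constructed sample modelled on the advisory's captures; the host is a placeholder.
SAMPLE_REQUEST = (
    "POST /admin/access HTTP/1.1\r\n"
    "Host: camera.example:8001\r\n"
    "Authorization: Basic YWRtaW46bWVpbnNt\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user_name_0=admin&user_passwd_a_0=***&user_passwd_b_0=***"
    "&user_name_2=test&user_passwd_a_2=aaaaa&user_passwd_b_2=aaaaa&save_config=Set"
)
MIN_LENGTH = 12  # assumed policy threshold, not a vendor value


def basic_auth_credentials(raw_request):
    """Return (user, password) from a Basic Authorization header, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)\s*$", head, re.I | re.M)
    if not m:
        return None
    try:  # Base64 is an encoding, not encryption: decoding needs no key
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def weak_passwords(raw_request, min_length=MIN_LENGTH):
    """Return {user: [reasons]} for new passwords in the form body that fail policy."""
    body = raw_request.split("\r\n\r\n", 1)[-1]
    fields = dict(parse_qsl(body, keep_blank_values=True))
    findings = {}
    for key, value in fields.items():
        m = re.fullmatch(r"user_passwd_a_(\d+)", key)
        if not m or value in ("", "***"):  # assumption: "***" is a masked value
            continue
        user = fields.get("user_name_" + m.group(1), "?")
        reasons = []
        if len(value) < min_length:
            reasons.append("too short")
        if len(set(value)) == 1:
            reasons.append("single repeated character")
        if value.lower() == user.lower():
            reasons.append("same as user name")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    print(basic_auth_credentials(SAMPLE_REQUEST), weak_passwords(SAMPLE_REQUEST))
```
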