Headline
CVE-2022-37681: ISnex-HC-IP9100HD.md
Hitachi Kokusai Electric Inc ISnex HC-IP9100HD Version 1.07 and below allows attackers to perform a directory traversal via a crafted GET request to the endpoint /ptippage.cgi.
ISnex HC-IP9100HD and HC-IP9050HD vulnerabilities.
Product Description:
The ISnex HC-IP9100HD from Hitachi Kokusai Electric Inc. is an LTE network-based surveillance security camera.
Affected Products:
All ISnex HC-IP9100HD cameras running firmware version 1.07 and under. Also affects all ISnex HC-IP9050HD cameras running version 1.17 and under.
Vulnerability Summary:
- Vulnerability 1 - Unauthenticated Directory Traversal.
The ISnex HC-IP9100HD security camera is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all ISnex HC-IP9100HD security cameras version 1.07 and all ISnex HC-IP9050HD from version 1.17 and under.
- Vulnerability 2 - Improper Access Control.
The ISnex HC-IP9100HD security camera is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a POST request that contains a specific parameter and abuse the camera. A successful exploit could allow the attacker to remotely reboot the security camera without authentication. This issue affects all ISnex HC-IP9100HD security cameras version 1.07.
Reproduction Steps:
Unauthenticated Directory Traversal.
The endpoint /ptippage.cgi can be called remotely without user authentication, as there is no authorization verification (Authorization: Basic base64_str) to check whether the request is legitimate. The second problem is that the GET parameter nextpage can be injected with a relative file path to access any file on the system. In the example below we create a crafted query that shows us the contents of the /etc/shadow file.
Improper Access Control.
The endpoint /ptipupgrade.cgi can be called remotely without user authentication, as there is no authorization verification (Authorization: Basic base64_str) to check whether the request is legitimate, which lets any malicious actor remotely reboot the device.
The camera is now rebooting...
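Both issues leave a trace in the camera's (or a fronting reverse proxy's) HTTP access log: a nextpage value that contains a ".." segment or an absolute path on /ptippage.cgi, and a POST to /ptipupgrade.cgi with no authenticated user. The following detection script is an added example written for this advisory, not code from the researchers or the vendor. It assumes logs in Common Log Format (the third field carries the authenticated user, or "-" when none) and uses constructed sample lines; it also decodes percent-encoding repeatedly so that single- or double-encoded traversal sequences are caught.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Common Log Format; not real camera logs.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2022:12:00:01 +0000] "GET /ptippage.cgi?nextpage=status.html HTTP/1.1" 200 512
203.0.113.10 - - [10/Aug/2022:12:00:05 +0000] "GET /ptippage.cgi?nextpage=../../../../etc/shadow HTTP/1.1" 200 1040
203.0.113.10 - - [10/Aug/2022:12:00:07 +0000] "GET /ptippage.cgi?nextpage=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 980
203.0.113.10 - - [10/Aug/2022:12:00:09 +0000] "POST /ptipupgrade.cgi HTTP/1.1" 200 64
203.0.113.11 - admin [10/Aug/2022:12:01:00 +0000] "POST /ptipupgrade.cgi HTTP/1.1" 200 64
203.0.113.12 - - [10/Aug/2022:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# A ".." path segment (with / or \ separators) anywhere, or a leading separator
# (absolute path). Matching on the decoded value is what makes encoding tricks visible.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]')


def is_traversal(value: str) -> bool:
    """True if a nextpage value tries to leave the intended page directory."""
    decoded = unquote(unquote(value))  # collapse single and double percent-encoding
    return TRAVERSAL.search(decoded) is not None


def analyze_line(line: str):
    """Return an alert tuple (kind, source_ip, detail) for one log line, or None."""
    m = CLF.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes once
    if parts.path == "/ptippage.cgi":
        for value in query.get("nextpage", []):
            if is_traversal(value):
                return ("traversal", m["ip"], value)
    # Reboot endpoint reached with no authenticated user in the log record.
    if parts.path == "/ptipupgrade.cgi" and m["method"] == "POST" and m["user"] == "-":
        return ("unauth_reboot", m["ip"], None)
    return None


def scan(log_text: str) -> list:
    """Run the two detections over every line and collect the alerts."""
    return [a for a in (analyze_line(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for kind, ip, detail in scan(SAMPLE_LOG):
        print(f"{kind:14} from {ip} {detail or ''}".rstrip())
```

Against the constructed sample the script raises three alerts: two traversal hits (one plain, one percent-encoded) and one unauthenticated reboot; the POST made by the "admin" user is deliberately not flagged, since the page's second issue is specifically the absence of authentication.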
Recommendation Fixes / Remediation:
- Vulnerability 1: Use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
More information: https://cwe.mitre.org/data/definitions/23.html
- Vulnerability 2: Make sure to set up a very strict policy and check the authenticity of each request that goes to the server.
More information: https://cwe.mitre.org/data/definitions/284.html
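The two recommendations above translate into two small pieces of server-side code: an allowlist for the nextpage parameter (CWE-23) and a credential check on every request before any endpoint logic runs (CWE-284). The handler below is an added example illustrating that shape in Python; it is not the camera's firmware, and the web root, page names and credentials are placeholders chosen for the example. The allowlist is the primary control, and the path-containment check after it is defense in depth in case the allowlist is ever relaxed to a pattern.

```python
import base64
import hmac
from pathlib import Path

# Assumed layout for the example; not the real firmware's paths or page names.
WEB_ROOT = Path("/var/www/camera").resolve()
ALLOWED_PAGES = frozenset({"status.html", "config.html", "ptz.html"})


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a client would send (used to exercise the checks)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def is_authorized(headers: dict, expected_user: str, expected_password: str) -> bool:
    """Every request must carry valid credentials; nothing is decided before this."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return False
    user, password = creds
    # Evaluate both comparisons in constant time before combining them.
    ok_user = hmac.compare_digest(user.encode(), expected_user.encode())
    ok_pass = hmac.compare_digest(password.encode(), expected_password.encode())
    return ok_user and ok_pass


def resolve_page(nextpage: str):
    """Allowlist first (CWE-23 guidance), then confirm the resolved path stays in WEB_ROOT."""
    if nextpage not in ALLOWED_PAGES:
        return None
    candidate = (WEB_ROOT / nextpage).resolve()
    if WEB_ROOT not in candidate.parents:
        return None
    return candidate


def handle_request(method: str, path: str, query: dict, headers: dict):
    """Stand-in for the two CGI endpoints; returns (status, message)."""
    # Assumed placeholder credentials for the example only.
    if not is_authorized(headers, "admin", "correct horse"):
        return 401, "authentication required"
    if path == "/ptippage.cgi":
        page = resolve_page(query.get("nextpage", ""))
        if page is None:
            return 400, "invalid page"
        return 200, f"would serve {page.name}"
    if path == "/ptipupgrade.cgi" and method == "POST":
        return 200, "reboot accepted"
    return 404, "not found"


if __name__ == "__main__":
    creds = basic_header("admin", "correct horse")
    print(handle_request("GET", "/ptippage.cgi", {"nextpage": "status.html"}, {}))
    print(handle_request("GET", "/ptippage.cgi", {"nextpage": "status.html"}, creds))
    print(handle_request("GET", "/ptippage.cgi", {"nextpage": "../etc/shadow"}, creds))
    print(handle_request("POST", "/ptipupgrade.cgi", {}, {}))
```

With this ordering an unauthenticated caller never reaches either endpoint's logic, and an authenticated caller can only name a page from the fixed set; anything else is rejected rather than "cleaned up", which is the simpler of the two options CWE-23 offers.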
Reference:
https://www.hitachi-kokusai.co.jp/global/en/products/camera/network/index.html
Security researchers:
- Thomas Knudsen
- Samy Younsi