CVE-2022-37681: ISnex-HC-IP9100HD.md

Hitachi Kokusai Electric Inc ISnex HC-IP9100HD Version 1.07 and below allows attackers to perform a directory traversal via a crafted GET request to the endpoint /ptippage.cgi.


ISnex HC-IP9100HD and HC-IP9050HD vulnerabilities.

Product Description:

The ISnex HC-IP9100HD from Hitachi Kokusai Electric Inc. is an LTE network-based surveillance security camera.

Affected Products:

All ISnex HC-IP9100HD cameras running version 1.07 and under. Also affects all ISnex HC-IP9050HD cameras running version 1.17 and under.

Vulnerability Summary:

  • Vulnerability 1 - Unauthenticated Directory Traversal.
    The ISnex HC-IP9100HD security camera is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server’s restricted path. This issue affects all ISnex HC-IP9100HD security cameras version 1.07 and all ISnex HC-IP9050HD from version 1.17 and under.
  • Vulnerability 2 - Improper Access Control.
    The ISnex HC-IP9100HD security camera is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this by sending a POST request that contains a specific parameter and abuses the camera. A successful exploit could allow the attacker to remotely reboot the security camera without authentication. This issue affects all ISnex HC-IP9100HD security cameras version 1.07.

Reproduction Steps:

  1. Unauthenticated Directory Traversal.
    The endpoint /ptippage.cgi can be called remotely without user authentication, as there is no verification of the Authorization: Basic base64_str header to check whether the request is legitimate. The second problem is that the GET parameter nextpage can be injected with a relative file path to access any file on the system. In the example below we create a crafted query that shows us the contents of the /etc/shadow file.

  2. Improper Access Control.
    The endpoint /ptipupgrade.cgi can be called remotely without user authentication, as there is no verification of the Authorization: Basic base64_str header to check whether the request is legitimate, which lets any malicious actor remotely reboot the device.

The camera is now rebooting...  

Recommended Fixes / Remediation:

  • Vulnerability 1: Use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
    More information: https://cwe.mitre.org/data/definitions/23.html
  • Vulnerability 2: Make sure to set up a very strict policy and check the authenticity of each request that goes to the server.
    More information: https://cwe.mitre.org/data/definitions/284.html
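As an added illustration of both remediations (not the vendor's firmware code), the handler below requires a valid Authorization: Basic header before touching either endpoint, and maps the nextpage parameter through an allowlist of page names confined to a web root rather than passing the raw value to the filesystem. The web root, page names and credentials are constructed assumptions.

```python
# Added example (not Hitachi Kokusai's code): hardened handlers for the two CGI
# endpoints named in the advisory. Basic credentials are checked first; the
# "nextpage" value is accepted only if it is an exact allowlisted page name and
# its resolved path still sits under WEB_ROOT (defence in depth).
import base64
import hmac
from pathlib import Path
from typing import Optional

WEB_ROOT = Path("/var/www/html")                    # assumed document root
ALLOWED_PAGES = {"index.html", "ptz.html", "status.html"}  # assumed allowlist
CREDENTIALS = {"admin": "secret"}                   # constructed sample credential

def is_authorized(headers: dict) -> bool:
    """Validate an 'Authorization: Basic <base64>' header against CREDENTIALS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:            # bad base64 or non-UTF-8 bytes
        return False
    expected = CREDENTIALS.get(user)
    # constant-time compare so a wrong user and a wrong password fail alike
    return expected is not None and hmac.compare_digest(password, expected)

def resolve_nextpage(nextpage: str) -> Optional[Path]:
    """Map 'nextpage' to a file under WEB_ROOT, or None if it is not permitted."""
    if nextpage not in ALLOWED_PAGES:   # exact names only: no separators, no '..'
        return None
    candidate = (WEB_ROOT / nextpage).resolve(strict=False)
    if WEB_ROOT.resolve() not in candidate.parents:  # must stay inside the root
        return None
    return candidate

def handle_ptippage(headers: dict, query: dict) -> tuple:
    """GET /ptippage.cgi?nextpage=... -> (status, body or resolved path)."""
    if not is_authorized(headers):
        return 401, "authentication required"
    target = resolve_nextpage(query.get("nextpage", ""))
    if target is None:
        return 400, "nextpage not permitted"
    return 200, str(target)

def handle_ptipupgrade(headers: dict, form: dict) -> tuple:
    """POST /ptipupgrade.cgi: reboot/upgrade only for authenticated callers."""
    if not is_authorized(headers):
        return 401, "authentication required"
    return 202, "upgrade/reboot request accepted"
```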

Reference:

https://www.hitachi-kokusai.co.jp/global/en/products/camera/network/index.html

Security researchers:

  • Thomas Knudsen
  • Samy Younsi
