Cameras leak credentials, live video
D-Link and Vivotek have submitted their entries for “dumbest security vulnerability of 2013”, with Core Security turning up a variety of daft bugs in their IP cameras, including hard-coded backdoor passwords.
The D-Link vulnerabilities include:
- Operating system command injection: The cameras’ Web interface parses incoming CGI scripts in a way that allows arbitrary commands to be passed to the operating system.
- Authentication bypass: Appending /upnp/asf-mp4.asf to the camera’s root URL accesses the video stream without authentication.
- Video leaks as ASCII: An ASCII stream of the video luminance is accessible without authentication using the path /md/lums.cgi.
- RTSP authentication bypass: This also allows unauthenticated access to the video stream.
- Hard-coded RTSP credentials: *? is a hard-coded backdoor into the cameras.
Vivotek’s blunders include:
- Plaintext password storage: Sensitive information is stored in files accessible with the URL paths /cgi-bin/admin/getparam.cgi and /setup/parafile.html.
- Remote buffer overflow: There’s a buffer overrun in the RTSP service.
- RTSP authentication bypass: A crafted URL sent to the Vivotek PT7135 camera provides unauthenticated access to the video stream.
- User credential leaks: Firmware version 0300a on Vivotek cameras allows remote attackers to dump the camera’s memory and extract user credentials. The juicy stuff is kept in the Linux virtual file system object /proc/kcore.
- Command injection: A binary file in the camera has a flaw allowing remote command injection.
Unless users get busy with upgrading their firmware, The Register imagines all kinds of unwanted “private” videos will start turning up. More seriously, however, it’s also likely – knowing the bad habits not just of users, but of many sysadmins – that leaked credentials will be replicated on other bits of network infrastructure.
Core Security’s advisories include a full list of devices confirmed as vulnerable.®