
i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw

Risk: Low
Advisory ID: ZSL-2021-5688
Release Date: 01 November 2021
Vendor: i3 International Inc. - https://www.i3international.com
Affected Version: V5.2.0 build 150317 (Ax46), V5.0.9 build 151106 (Ax68), V5.0.9 build 150615 (Ax78)
Tested On: App-webs/
Summary

The Annexxus 6MP camera provides 4 simultaneous, independently controlled digital pan-tilt-zoom (ePTZ) video streams, which may be recorded or viewed live, and has a built-in microphone and speaker allowing two-way communication.

Description

The application does not allow creation of more than one administrator account on the system, and likewise does not allow deletion of the administrative account. The logic behind this restriction can be bypassed through parameter manipulation, because the server accepts verbs such as PUT and DELETE without proper server-side validation. Once a normal account with 'viewer' or 'operator' permissions has been added by the default admin user 'i3admin', a PUT request can be issued to the 'UserPermission' endpoint with the ID of the created account, setting its userType to 'admin' and thereby adding a second administrative account.
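The flaw described above is a classic case of an invariant ("at most one administrator, and the administrator cannot be removed") being checked only on the account-creation path while the update and delete paths mutate state unchecked. The following is an added example, not the vendor's code or the advisory's proof of concept: a toy user-management handler in Python with the flawed pattern beside a hardened one that evaluates the policy against current server-side state for every verb. The names `UserStore`, `check_policy`, the userType values and the handler signatures are assumptions modelled on the advisory's description, not the camera's real API.

```python
# Added example (not the vendor's or advisory's code): why the single-admin rule
# must be enforced server-side for every HTTP verb. UserStore, check_policy,
# the userType values and handler signatures are assumptions, not the real API.
from dataclasses import dataclass, field
from typing import Dict, Optional

ADMIN = "admin"
ALLOWED_TYPES = {"admin", "operator", "viewer"}


class PolicyViolation(Exception):
    """Raised when a request would break an account-management invariant."""


@dataclass
class User:
    user_id: int
    name: str
    user_type: str


@dataclass
class UserStore:
    """In-memory account table; it performs no policy checks of its own."""
    users: Dict[int, User] = field(default_factory=dict)
    next_id: int = 1

    def admin_count(self) -> int:
        return sum(1 for u in self.users.values() if u.user_type == ADMIN)

    def raw_create(self, name: str, user_type: str) -> User:
        user = User(self.next_id, name, user_type)
        self.users[user.user_id] = user
        self.next_id += 1
        return user


def vulnerable_user_permission(store: UserStore, method: str,
                               user_id: Optional[int] = None,
                               body: Optional[dict] = None) -> User:
    """Flawed pattern: the 'one admin' check lives only in the create path,
    so a PUT that changes userType, or a DELETE, is never validated."""
    body = body or {}
    if method == "POST":
        if body["userType"] == ADMIN and store.admin_count() >= 1:
            raise PolicyViolation("only one administrator account is allowed")
        return store.raw_create(body["name"], body["userType"])
    if method == "PUT":
        store.users[user_id].user_type = body["userType"]   # unchecked promotion
        return store.users[user_id]
    if method == "DELETE":
        return store.users.pop(user_id)                     # unchecked deletion
    raise PolicyViolation(f"method {method} not allowed")


def check_policy(store: UserStore, method: str,
                 user_id: Optional[int], body: dict) -> None:
    """Invariant checks applied to every verb, evaluated against the current
    server-side state rather than anything the client claims."""
    new_type = body.get("userType")
    if method in ("POST", "PUT") and new_type not in ALLOWED_TYPES:
        raise PolicyViolation(f"unknown userType {new_type!r}")
    if method in ("PUT", "DELETE") and user_id not in store.users:
        raise PolicyViolation("no such user")
    if method == "POST":
        if new_type == ADMIN and store.admin_count() >= 1:
            raise PolicyViolation("only one administrator account is allowed")
    elif method == "PUT":
        current = store.users[user_id].user_type
        if new_type == ADMIN and current != ADMIN and store.admin_count() >= 1:
            raise PolicyViolation("only one administrator account is allowed")
        if current == ADMIN and new_type != ADMIN and store.admin_count() == 1:
            raise PolicyViolation("cannot demote the only administrator")
    elif method == "DELETE":
        if store.users[user_id].user_type == ADMIN and store.admin_count() == 1:
            raise PolicyViolation("cannot delete the only administrator")
    else:
        raise PolicyViolation(f"method {method} not allowed")


def hardened_user_permission(store: UserStore, method: str,
                             user_id: Optional[int] = None,
                             body: Optional[dict] = None) -> User:
    """Same mutations as the flawed handler, but every verb passes through
    check_policy() first, so the invariant cannot be bypassed by verb choice."""
    body = body or {}
    check_policy(store, method, user_id, body)
    if method == "POST":
        return store.raw_create(body["name"], body["userType"])
    if method == "PUT":
        store.users[user_id].user_type = body["userType"]
        return store.users[user_id]
    return store.users.pop(user_id)


def seed_store() -> UserStore:
    """Constructed sample state: the default admin (id 1) plus one viewer (id 2)."""
    store = UserStore()
    store.raw_create("i3admin", ADMIN)
    store.raw_create("viewer1", "viewer")
    return store
```

With `seed_store()` as the starting state, a PUT of `{"userType": "admin"}` for user 2 leaves the flawed handler with two administrators, while the hardened handler raises `PolicyViolation` and the count stays at one; the same policy function also refuses to delete or demote the last administrator. The design point is that the policy is a single function keyed on the resulting state, not on which verb or which form the client used, so adding a new route cannot silently reopen the bypass.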

Proof of Concept
Disclosure Timeline
27.10.2021 - Vulnerability discovered.
27.10.2021 - Vendor contacted.
31.10.2021 - No response from the vendor.
01.11.2021 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
01.11.2021 - Initial release
02.11.2021 - Added references [1], [2] and [3]
03.11.2021 - Added reference [4]
11.04.2022 - Added reference [5]