MOBOTIX Video Security Cameras CSRF Add Admin Exploit

Title: MOBOTIX Video Security Cameras CSRF Add Admin Exploit
Advisory ID: ZSL-2016-5312
Type: Local/Remote
Impact: Cross-Site Request Forgery
Risk: (3/5)
Release Date: 30.03.2016
Summary
MOBOTIX is a German manufacturer of professional video management systems (VMS) and smart IP cameras. These cameras support all standard features of MOBOTIX IP cameras, such as automatic object detection, messaging via the network, and onboard or network recording. The dual-lens thermal system additionally supports a second optical video sensor with 6-megapixel resolution.
Description
The web interface performs state-changing actions (such as creating a user with administrator privileges) on receipt of an HTTP request without any check that the request was intentionally issued by the logged-in user, e.g. an anti-CSRF token or validation of the Origin/Referer header. Because the browser attaches the camera's session credentials to any request targeting it, a malicious web site visited by a logged-in administrator can submit such a request in the administrator's name and perform actions with administrative privileges, including adding a new admin account.
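The following is an added illustration written for this page, not code from the advisory, the PoC file or MOBOTIX firmware. It contrasts a handler that relies only on the session cookie (the behaviour the advisory describes) with one that additionally checks the request origin and a session-bound synchronizer token. The endpoint semantics, parameter names (name, role, csrf_token), the camera origin, the session store and the sample requests are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed camera origin; the real camera's address is not given on the page.
CAMERA_ORIGIN = "https://camera.example.local"

# Constructed sample state: a server-side secret, one logged-in admin session
# and the camera's user table.
SERVER_SECRET = b"constructed-secret-do-not-reuse"
SESSIONS = {"sid-4711": "admin"}   # session cookie value -> user name
USERS = {"admin": "admin"}         # user name -> role


def user_for_session(cookies):
    """Resolve the session cookie, which the browser attaches automatically."""
    return SESSIONS.get(cookies.get("session", ""))


def vulnerable_add_user(cookies, form):
    """'Before' behaviour matching the advisory: the only check is the session
    cookie, and the victim's browser sends that cookie on cross-site requests too."""
    if user_for_session(cookies) != "admin":
        return False
    USERS[form["name"]] = form["role"]
    return True


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session; a foreign origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers):
    """Fail closed: a missing Origin/Referer, or a foreign one, counts as cross-site."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == CAMERA_ORIGIN


def hardened_add_user(cookies, headers, form):
    """'After' behaviour: same session check plus origin and token checks."""
    if user_for_session(cookies) != "admin":
        return False, "not authenticated"
    if not same_origin(headers):
        return False, "cross-site request"
    expected = issue_csrf_token(cookies["session"])
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return False, "missing or wrong CSRF token"
    USERS[form["name"]] = form["role"]
    return True, "ok"


# Constructed requests. The forged one is what an auto-submitting form on a
# malicious page produces: attacker-chosen body, victim's cookie, attacker's Origin.
VICTIM_COOKIES = {"session": "sid-4711"}
FORGED_HEADERS = {"Origin": "https://attacker.example"}
FORGED_FORM = {"name": "backdoor", "role": "admin"}

# A legitimate request from the camera's own UI carries the token it was served.
LEGIT_HEADERS = {"Origin": CAMERA_ORIGIN}
LEGIT_FORM = {"name": "operator", "role": "viewer",
              "csrf_token": issue_csrf_token("sid-4711")}


def demo():
    """Run both handlers against the forged and the legitimate request."""
    return {
        "vulnerable_forged": vulnerable_add_user(VICTIM_COOKIES, FORGED_FORM),
        "hardened_forged": hardened_add_user(VICTIM_COOKIES, FORGED_HEADERS, FORGED_FORM),
        "hardened_legit": hardened_add_user(VICTIM_COOKIES, LEGIT_HEADERS, LEGIT_FORM),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two design points matter for a device like this: the origin check fails closed when neither Origin nor Referer is present, and the token is compared with a constant-time function. Either check alone would stop the forged request; both are kept because Referer can be stripped by privacy settings and token handling is easy to get wrong in CGI code.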
Vendor
MOBOTIX AG - https://www.mobotix.com
Affected Version
[Model]: D22M-Secure, [HW]: T2r1.1.AA, 520 MHz, 128 MByte RAM, [SW]: MX-V3.5.2.23.r3
[Model]: Q24M-Secure, [HW]: T2r3.1, 806 MHz, [SW]: MX-V4.1.10.28
[Model]: D14D-Secure, [HW]: T2r4.2b, 806 MHz, 256 MByte RAM, [SW]: MX-V4.1.4.70
[Model]: M15D-Secure, [HW]: T3r4.4, 806 MHz, [SW]: MX-V4.3.4.50
Tested On
Linux 2.6.37.6+
thttpd/2.19-MX
Vendor Status
[25.02.2016] Vulnerability discovered.
[25.02.2016] Vendor contacted.
[26.02.2016] Vendor responds asking more details.
[26.02.2016] Sent details to the vendor.
[01.03.2016] Asked vendor for status update.
[02.03.2016] Vendor currently evaluating the issue.
[10.03.2016] Asked vendor for status update.
[15.03.2016] No response from the vendor.
[16.03.2016] Asked vendor for status update.
[16.03.2016] Vendor replies asking whether certain mitigation tricks would work.
[16.03.2016] Explained to vendor about the issue and asked for patch release date.
[29.03.2016] No response from the vendor.
[30.03.2016] Public security advisory released.
PoC
mobotix_csrf.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/136485
[2] https://cxsecurity.com/issue/WLB-2016030163
[3] https://www.exploit-db.com/exploits/39641/
[4] https://secunia.com/advisories/69810/
Changelog
[30.03.2016] - Initial release
[31.03.2016] - Added reference [1], [2] and [3]
[25.06.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk