i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw

Title: i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw
Advisory ID: ZSL-2021-5688
Type: Local/Remote
Impact: Logic Flaw
Risk: (1/5)
Release Date: 01.11.2021
The Annexxus camera 6MP provides 4 simultaneous, independently controlled digital pan-tilt-zoom (ePTZ) video streams, which may be recorded or viewed live as well as a built-in microphone and speaker allowing two way communication.
The application doesn't allow creation of more than one administrator account on the system. This also applies for deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using dangerous verbs like PUT and DELETE and improper server-side validation. Once a normal account with 'viewer' or 'operator' permissions has been added by the default admin user 'i3admin', a PUT request can be issued calling the 'UserPermission' endpoint with the ID of created account and set it to 'admin' userType, successfully adding a second administrative account.
i3 International Inc. - https://www.i3international.com
Affected Version
V5.2.0 build 150317 (Ax46)
V5.0.9 build 151106 (Ax68)
V5.0.9 build 150615 (Ax78)
Tested On
Vendor Status
[27.10.2021] Vulnerability discovered.
[27.10.2021] Vendor contacted.
[31.10.2021] No response from the vendor.
[01.11.2021] Public security advisory released.
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
[1] https://www.exploit-db.com/exploits/50473
[2] https://packetstormsecurity.com/files/164752/
[3] https://cxsecurity.com/issue/WLB-2021110012
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/212660
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43442
[01.11.2021] - Initial release
[02.11.2021] - Added reference [1], [2] and [3]
[03.11.2021] - Added reference [4]
[11.04.2022] - Added reference [5]
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk