CVE-2017-13719

{"id": "CVE-2017-13719", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-07-03T20:15:10.337", "references": [{"url": "http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application. This HTTP API receives the credentials as base64 encoded in the Authorization HTTP header. However, a missing length check in the code allows an attacker to send a string of 1024 characters in the password field, and allows an attacker to exploit a memory corruption issue. This can allow an attacker to circumvent the account protection mechanism and brute force the credentials. If the firmware version Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 is dissected using the binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that has many of the binaries in the /usr folder. The binary \"sonia\" is the one that has the vulnerable function that performs the credential check in the binary for the HTTP API specification. If we open this binary in IDA Pro we will notice that this follows an ARM little-endian format. The function at address 00415364 in IDA Pro starts the HTTP authentication process. This function calls another function at sub_ 0042CCA0 at address 0041549C. This function performs a strchr operation after base64 decoding the credentials, and stores the result on the stack, which results in a stack-based buffer overflow."}, {"lang": "es", "value": "El Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 permite solicitudes HTTP que permiten habilitar varias funcionalidades de la c\u00e1mara mediante API HTTP, en lugar de la interfaz de administraci\u00f3n web que proporciona la aplicaci\u00f3n. Esta API HTTP recibe las credenciales como base64 codificada en el encabezado HTTP de Autorizaci\u00f3n. Sin embargo, una verificaci\u00f3n de longitud faltante en el c\u00f3digo le permite a un atacante enviar una cadena de 1024 caracteres en el campo de contrase\u00f1a, y le permite a un atacante aprovechar un problema de corrupci\u00f3n de memoria. Esto puede permitir a un atacante eludir el mecanismo de protecci\u00f3n de la cuenta y forzar las credenciales. Si la versi\u00f3n del firmware Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 se diseca con la herramienta binwalk, se obtiene un archivo _user-x.squashfs.img.extracted que contiene el sistema de archivos configurado en el dispositivo que tiene muchos de Los binarios en la carpeta / usr. El \"sonia\" binario es el que tiene la funci\u00f3n vulnerable que realiza la comprobaci\u00f3n de credenciales en el binario para la especificaci\u00f3n de la API HTTP. Si abrimos este binario en IDA Pro, notaremos que esto sigue un formato ARM little-endian. La funci\u00f3n en la direcci\u00f3n 00415364 en IDA Pro inicia el proceso de autorizaci\u00f3n HTTP. Esta funci\u00f3n llama a otra funci\u00f3n en sub_ 0042CCA0 en la direcci\u00f3n 0041549C. Esta funci\u00f3n realiza una operaci\u00f3n strchr despu\u00e9s de que la base64 decodifique las credenciales, y almacena el resultado en la pila, lo que resulta en un desbordamiento de b\u00fafer stack-based."}], "lastModified": "2019-07-17T15:09:44.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:amcrest:ipm-721s_firmware:amcrest_ipc-awxx_eng_n_v2.420.ac00.17.r.20170322:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C41BC1C-F4B4-4605-841B-15948F7D1F5D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:amcrest:ipm-721s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A8A354BD-B8FC-45D1-B8B2-5A44334CF2F8"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}