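Vulnerability title
N/A
Vulnerability description
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy that enforces a 5-minute wait if 30 incorrect password attempts are detected through the device's Web and HTTP API interfaces. However, if the same brute-force attempt is made through the ONVIF specification (which is supported by the same binary), no account lockout or timeout is enforced. This allows an attacker to bypass the account protection mechanism and attempt to obtain the password. Analyzing firmware version V2.420.AC00.16.R 9/9/2016 with the binwalk tool yields a _user-x.squashfs.img.extracted archive, which contains all the binaries in the /usr folder set up on the device. The binary "sonia" contains the vulnerable function that performs the password check for the ONVIF specification. Opening this binary in IDA Pro shows that it is in ARM little-endian format. The function at address 00671618 in IDA Pro parses the WSSE security token header. sub_603D8 then performs the authentication check and, if it is incorrect, passes to sub_59F4C, which prints the value "Sender not authorized".
CVSS information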
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy that enforces a 5-minute wait when 30 incorrect password attempts are detected on the Web and HTTP API interfaces provided by the device. However, if the same brute-force attempt is performed using the ONVIF specification (which is supported by the same binary), no account lockout or timeout is enforced. This can allow an attacker to circumvent the account protection mechanism and brute-force the credentials. If firmware version V2.420.AC00.16.R 9/9/2016 is dissected using the binwalk tool, one obtains a _user-x.squashfs.img.extracted archive, which contains the filesystem set up on the device that has many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that performs the credential check for the ONVIF specification. Opening this binary in IDA Pro shows that it follows an ARM little-endian format. The function at address 00671618 in IDA Pro parses the WSSE security token header. The function sub_603D8 then performs the authentication check and, if it is incorrect, passes to the function sub_59F4C, which prints the value "Sender not authorized."
CVSS information
N/A
Vulnerability category
N/A
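Vulnerability title
Amcrest IPM-721S Security Features Vulnerability
Vulnerability description
Amcrest IPM-721S is a wireless IP camera from Amcrest. A security features vulnerability exists in Amcrest IPM-721S version V2.420.AC00.16.R.20160909. An attacker can exploit this vulnerability to bypass the account protection mechanism and brute-force the credentials.
CVSS information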
N/A
Vulnerability category
Authorization issue