Full Disclosure mailing list archives
From: Willem Westerhof | Secura <Willem.Westerhof () secura com>
Date: Fri, 26 Jul 2024 13:11:06 +0000
Hi all, A list of CVE’s in a bunch of IoT devices that never made it to the general public through other means, but have either been fixed, or never will be fixed, since they are a couple of years old.
[Suggested description] An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. By sending a specific request to the webserver, it is possible to enable the telnet interface on the device. The telnet interface can then be used to obtain access to the device with root privileges and a default password. This default telnet password is the same across all Siime Eye devices. In order for the attack to be exploited, an attacker must be physically close in order to connect to the device's Wi-Fi access point. ------------------------------------------ [Additional Information] The vulnerability was first discovered by Pentest Partners, later on it was also discovered by Qbit as the issues remain unaddressed by the vendor. default telnet password is the same across all Siime Eye devices and possibly even across all devices created by this developer ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye device ------------------------------------------ [Attack Type] Physical ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] An attacker must first obtain access to the Wi-Fi access point of the device, after which the exploit can be done using simple network commands. ------------------------------------------ [Reference] https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/ N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit during an assignment for the Consumentenbond. Unknown personnel at pentest partners who did not request a CVE back then.
Use CVE-2020-11915.
[Suggested description] An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye linux password hashes ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] The hash can be obtained using various techniques (e.g.) through command injection. ------------------------------------------ [Reference] N/A ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11916.
[Suggested description] An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. It uses a default SSID value, which makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of device. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.) ------------------------------------------ [Additional Information] The access point is only detectable when the device is turned on. As the device is turned on for limited times less devices are detected via Wigle then one might expect. Wigle.net is a site which maps SSIDs to physical locations. Using this site, it is possible to filter on specific SSIDs. When a filter is applied to find the default SSID of the Siime Eye, it is possible to find several devices across the globe. The map shown on wigle shows an approximate physical location for the device and hence makes physical or physical proximity attacks more likely. In addition it violates the user's privacy as everyone on the internet is capable of detecting where the devices are being used. ------------------------------------------ [VulnerabilityType Other] Information disclosure ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye Wi-Fi access point ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] In order to exploit this issue an attacker needs to simply search for the Siime Eye SSID on wigle.net ------------------------------------------ [Reference] https://wigle.net N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin gozeling from Qbit cyber security in assignment of the Consumentenbond.
Use CVE-2020-11917.
[Suggested description] An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file. ------------------------------------------ [Additional Information] Note that this means the application passwords are also stored on the device in plain text, otherwise they could not be placed in the backup file in this manner. Note that during normal functional use, the backup file is not created. and then use other vulnerabilities to obtain access to the backup file, including the user's passwords. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] A backup file must be found or created by an attacker in order to exploit this vulnerability. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond
Use CVE-2020-11918.
[Suggested description] An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection. ------------------------------------------ [Additional Information] The default settings make this attack theoretical rather than practical. A lot of interaction takes place between the application and the end user. For correct functioning, it is important to verify that requests coming from the user actually represent the user's intention. The application must therefore be able to distinguish forged requests from legitimate ones. Currently no measures against Cross-Site Request Forgery have been implemented and therefore users can be tricked into submitting requests without their knowledge or consent. From the application's point of view, these requests are legitimate requests from the user and they will be processed as such. This can result in the creation of additional (administrative) user accounts, without the user’s knowledge or consent. In order to execute a CSRF attack, a user must be tricked into visiting an attacker controlled page, using the same browser that is authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye will be used, users are unlikely to (be able to) access such pages simultaneously. ------------------------------------------ [Vulnerability Type] Cross Site Request Forgery (CSRF) ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime Eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye, web interface ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [CVE Impact Other] Full device compromise. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11919.
[Suggested description] An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the record settings menu in the webserver running on the device. By injecting Bash commands here, the device executes arbitrary code with root privileges (all of the device's services are running as root). ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Svakom ------------------------------------------ [Affected Product Code Base] Siime eye - 14.1.00000001.3.330.0.0.3.14 ------------------------------------------ [Affected Component] Siime Eye, web interface ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] An attacker needs to be connected to the device's access point and have access to the admin panel (e.g through sniffing or bruteforcing the credentials) ------------------------------------------ [Reference] https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/ N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security in assignment for the Consumentenbond In addition, Pentest partners discovered this as well but did not request CVE's.
Use CVE-2020-11920.
[Suggested description] An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device. ------------------------------------------ [Additional Information] The victim will lose the legitimate connection and therefore will lose the ability to control the device. This attack hijacks the connection, even when someone else was actively using the device before. The original user loses control, and the attacker gains control of the device. Note that the user of the device remains capable of simply shutting it down. In order to exploit this vulnerability, the attacker must be present in a certain radius in which the Bluetooth connection can be intercepted. This attack vector also requires specific hardware like the Micro:bit. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Lovense ------------------------------------------ [Affected Product Code Base] Lush 2 - Cannot be determined. ------------------------------------------ [Affected Component] Lush 2, Bluetooth interface ------------------------------------------ [Attack Type] Local ------------------------------------------ [CVE Impact Other] Take over normal device functionality from the original owner. ------------------------------------------ [Attack Vectors] An attacker needs to be physically close (100ish meter) in order to take over control of the device. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Roan Engelbert, Ilona de Bruin from Qbit cyber security in assignment of the Consumentenbond.
Use CVE-2020-11921.
[Suggested description] An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to. (Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.) ------------------------------------------ [VulnerabilityType Other] Information disclosure ------------------------------------------ [Vendor of Product] WiZ Connected ------------------------------------------ [Affected Product Code Base] WiZ Colors A60 - 1.14.0 ------------------------------------------ [Affected Component] WiZ Colors A60 ------------------------------------------ [Attack Type] Context-dependent ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] None. The Lightbulb by default transmits privacy sensitive info to the cloud system. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Wouter Wessels, Jim Blankendaal, Jasper Nota from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11922.
[Suggested description] An issue was discovered in WiZ Colors A60 1.14.0. API credentials are locally logged. ------------------------------------------ [Additional Information] An issue was discovered in WiZ Colors A60 1.14.0. Applications use general logs to reflect all kind of information to the terminal. The WIZ application does also use logs, however instead of only generic information also API credentials are submitted to the android log. The information that is reflected in the logging can be used to perform authorised requests in behalf of the user and therefore controlling the lights just as the user can do using the application. In order to obtain the information access to the device logs is required. This can most easily be done via local access and also by other apps on rooted devices. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] WiZ Connected ------------------------------------------ [Affected Product Code Base] WiZ Colors A60 - 1.14.0 ------------------------------------------ [Affected Component] Wiz Android Application 1.15.0 ------------------------------------------ [Attack Type] Physical ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] Physical access or local root access on the mobile phone is required in order to exploit this issue. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Wouter Wessels, Willem Westerhof, Jasper Nota, Jim Blankendaal
Use CVE-2020-11923.
[Suggested description] An issue was discovered in WiZ Colors A60 1.14.0. Wi-Fi credentials are stored in cleartext in flash memory, which presents an information-disclosure risk for a discarded or resold device. ------------------------------------------ [Additional Information] Wi-Fi credentials are stored in plain-text on the light bulb. These credentials can be obtained by reading the flash memory directly using a logic analyzer. This means the Wi-Fi login credentials of the previous owner can be found in the memory capture when the device is bought second-hand, or retrieved from a trashcan. ------------------------------------------ [VulnerabilityType Other] Information disclosure ------------------------------------------ [Vendor of Product] WiZ Connected ------------------------------------------ [Affected Product Code Base] WiZ Colors A60 - 1.14.0 ------------------------------------------ [Affected Component] WiZ Colors A60 ------------------------------------------ [Attack Type] Physical ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] Physical, access to the chip is required. ------------------------------------------ [Reference] N/A ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Jasper Nota, Willem Westerhof, Wouter Wessels, Jim Blankendaal from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11924.
[Suggested description] An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Authentication to the device is based on a username and password. The root credentials are the same across all devices of this model. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Luvion ------------------------------------------ [Affected Product Code Base] Luvion Grand Elite 3 Connect - Could not be determined ------------------------------------------ [Affected Component] Underlying linux system. ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] Any attacker with network access can exploit this vulnerability. ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in assignment of Consumentenbond. ------------------------------------------ [Reference] N/A
Use CVE-2020-11925.
[Suggested description] An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to. ------------------------------------------ [Additional Information] The disclosed information can be functionally used by an attacker to remotely gain access to normal camera functionality. (e.g. watch in someone's room over the internet) ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Luvion ------------------------------------------ [Affected Product Code Base] Luvion Grand elite 3 connect - Cannot be determined ------------------------------------------ [Affected Component] Webserver running on the device. ------------------------------------------ [Attack Type] Remote ------------------------------------------ [CVE Impact Other] Authentication bypass ------------------------------------------ [Attack Vectors] An attacker can simply browse to the device and retrieve the passwords. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in assignment of the Consumentenbond ------------------------------------------ [Reference] N/A
Use CVE-2020-11926.
[Suggested description] An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD5 hash of the password in hexadecimal. An attacker can easily derive the true MD5 hash from this, and use offline cracking attacks to obtain administrative access to the device. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Brother ------------------------------------------ [Affected Product Code Base] MFC-J491DW - C1806180757 ------------------------------------------ [Affected Component] Web admin panel ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker needs to have access to the web interface running on TCP/80 on the device. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Konrad Leszcynski, intern at Qbit in cooperation with the Dutch Consumer Organisation ------------------------------------------ [Reference] https://global.brotherUse CVE-2019-20457.[Suggested description] An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. By default, the device comes (and functions) without a password. The user is at no point prompted to set up a password on the device (leaving a number of devices without a password). In this case, anyone connecting to the web admin panel is capable of becoming admin without using any credentials. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Epson ------------------------------------------ [Affected Product Code Base] Expression Home XP255 - 20.08.FM10I8 ------------------------------------------ [Affected Component] Web admin panel ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Attack Vectors] The attacker needs to have access to port 80/TCP (the webserver) of the device. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation. ------------------------------------------ [Reference] https://epson.com/Support/sl/sUse CVE-2019-20458.[Suggested description] An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. With the SNMPv1 public community, all values can be read, and with the epson community, all the changeable values can be written/updated, as demonstrated by permanently disabling the network card or changing the DNS servers. ------------------------------------------ [Vulnerability Type] Insecure Permissions ------------------------------------------ [Vendor of Product] Epson ------------------------------------------ [Affected Product Code Base] Expression Home XP255 - 20.08.FM10I8 ------------------------------------------ [Affected Component] SNMP agent ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] The attacker must be able to connect to the devices on port 515/UDP. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation. ------------------------------------------ [Reference] https://epson.com/Support/sl/sUse CVE-2019-20459.[Suggested description] An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices. POST requests don't require (anti-)CSRF tokens or other mechanisms for validating that the request is from a legitimate source. In addition, CSRF attacks can be used to send text directly to the RAW printer interface. For example, an attack could deliver a worrisome printout to an end user. ------------------------------------------ [Vulnerability Type] Cross Site Request Forgery (CSRF) ------------------------------------------ [Vendor of Product] Epson ------------------------------------------ [Affected Product Code Base] Expression Home XP255 - 20.08.FM10I8 ------------------------------------------ [Affected Component] Web admin panel, RAW printing protocol ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Attack Vectors] Using a CSRF attack, the web admin panel is attacked. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation. ------------------------------------------ [Reference] https://epson.com/Support/sl/sUse CVE-2019-20460.[Suggested description] An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device uses a custom UDP protocol to start and control video and audio services. The protocol has been partially reverse engineered. Based upon the reverse engineering, no password or username is ever transferred over this protocol. Thus, one can set up the camera connection feed with only the encoded UID. It is possible to set up sessions with the camera over the Internet by using the encoded UID and the custom UDP protocol, because authentication happens at the client side. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Alecto ------------------------------------------ [Affected Product Code Base] Alecto-IVM-100 - Exact version unknown ------------------------------------------ [Affected Component] Video and audio stream of the camera. ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker requires knowledge of the encoded UID (can be obtained by sniffing or enumerating). Once this knowledge has been obtained, the attacker can set up a video/audio system from anywhere. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer organisation ------------------------------------------ [Reference] https://www.alecto.nlUse CVE-2019-20461.[Suggested description] An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device comes with a serial interface at the board level. By attaching to this serial interface and rebooting the device, a large amount of information is disclosed. This includes the view password and the password of the Wi-Fi access point that the device used. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Alecto ------------------------------------------ [Affected Product Code Base] Alecto IVM-100 - unknown. ------------------------------------------ [Affected Component] Serial interface. ------------------------------------------ [Attack Type] Physical ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker needs to open up the device and physically attach wires as well as reboot the device. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer organisation ------------------------------------------ [Reference] https://www.alecto.nlUse CVE-2019-20462.[Suggested description] An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A crash and reboot can be triggered by crafted IP traffic, as demonstrated by the Nikto vulnerability scanner. For example, sending the 111111 string to UDP port 20188 causes a reboot. To deny service for a long time period, the crafted IP traffic may be sent periodically. ------------------------------------------ [VulnerabilityType Other] Denial of Service due to incorrect error handling ------------------------------------------ [Vendor of Product] Sannce ------------------------------------------ [Affected Product Code Base] Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317 ------------------------------------------ [Affected Component] Webserver, custom UDP handling binary. ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Attack Vectors] Any attacker capable of reaching the device with a network packet is capable of causing a DoS. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer organisation. ------------------------------------------ [Reference] https://www.sannce.comUse CVE-2019-20463.[Suggested description] An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. By default, a mobile application is used to stream over UDP. However, the device offers many more services that also enable streaming. Although the service used by the mobile application requires a password, the other streaming services do not. By initiating communication on the RTSP port, an attacker can obtain access to the video feed without authenticating. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Sannce ------------------------------------------ [Affected Product Code Base] Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317 ------------------------------------------ [Affected Component] Videostream of camera ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker simply needs to be able to connect to the device over the network. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer organisation. ------------------------------------------ [Reference] https://www.sannce.comUse CVE-2019-20464.[Suggested description] An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. It is possible (using TELNET without a password) to control the camera's pan/zoom/tilt functionality. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Sannce ------------------------------------------ [Affected Product Code Base] Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317 ------------------------------------------ [Affected Component] Videostream of camera ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker simply needs to be able to connect to the device over the network. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer organisation. ------------------------------------------ [Reference] https://www.sannce.comUse CVE-2019-20465.[Suggested description] An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A local attacker with the "default" account is capable of reading the /etc/passwd file, which contains a weakly hashed root password. By taking this hash and cracking it, the attacker can obtain root rights on the device. ------------------------------------------ [Vulnerability Type] Insecure Permissions ------------------------------------------ [Vendor of Product] Sannce ------------------------------------------ [Affected Product Code Base] Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317 ------------------------------------------ [Affected Component] Root user through file /etc/passwd ------------------------------------------ [Attack Type] Local ------------------------------------------ [Impact Escalation of Privileges] true ------------------------------------------ [Attack Vectors] To exploit the vulnerability, someone must be able to get local presence on the device. e.g. through command injection or by using the telnet interface as a low-privileged user. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer organisation. ------------------------------------------ [Reference] https://www.sannce.comUse CVE-2019-20466.[Suggested description] An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available (which is not advertised or functionally used, but is nevertheless available). Two backdoor accounts (root and default) exist that can be used on this interface. The usernames and passwords of the backdoor accounts are the same on all devices. Attackers can use these backdoor accounts to obtain access and execute code as root within the device. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] Sannce ------------------------------------------ [Affected Product Code Base] Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317 ------------------------------------------ [Affected Component] Telnet daemon ------------------------------------------ [Attack Type] Local ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] Anyone with network access to the device can trigger this vulnerability. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer organisation. ------------------------------------------ [Reference] https://www.sannce.comUse CVE-2019-20467.[Suggested description] An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It has unnecessary permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and READ_CONTACTS. ------------------------------------------ [Additional Information] The manifest of Q90 declares the use of permissions. However some of the declared functions are not required for proper functioning of the application. The following application permissions are not required: android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.WRITE_EXTERNAL_STORAGE: Declaring these permissions for debugging purposes is common practice, but they should not be carried over to production releases of the app. android.permission.READ_EXTERNAL_STORAGE. android.permission.CHANGE_WIFI_STATE: Allows applications to change Wi-Fi connectivity state. android.permission.CHANGE_CONFIGURATION: Allows access to the list of accounts (including usernames) in the Accounts Service. android.permission.READ_CONTACTS: Allows an application to read the user's contacts data. android.permission.MANAGE_ACCOUNTS: The application can request create or access accounts stored locally in the AccountManager. android.permission.GET_ACCOUNTS: Allows access to the list of accounts (including usernames) in the Accounts Service. android.permission.BLUETOOTH: Allows applications to connect to paired bluetooth devices. android.permission.BLUETOOTH_ADMIN: Allows applications to discover and pair bluetooth devices. android.permission.GET_TASKS: Allows the app to retrieve information about currently and recently running tasks. This may allow the app to discover information about which applications are used on the device. The backup element (android:allowBackup) is manually set to true. The sheer amount of unnecessary permissions, with potential high security impact, (e.g. reading all contact information, retrieving usernames, passwords and other personal information stored on the device, changing system settings, connecting to other devices) provides the application with an unnecessarily large amount of sensitive information and (potential) control over older (API 16-22) mobile devices and raises numerous questions regarding the intentions behind this application. ------------------------------------------ [Vulnerability Type] Insecure Permissions ------------------------------------------ [Vendor of Product] TK-star ------------------------------------------ [Affected Product Code Base] TK-Star Q90 Junior GPS horloge - 3.1042.9.8656 ------------------------------------------ [Affected Component] Q90 SeTracker2 ------------------------------------------ [Attack Type] Local ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [CVE Impact Other] Excessive permissions can enable malicious behaviour. ------------------------------------------ [Attack Vectors] to exploit the vulnerability, the application code must be updated with malicious intent. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Dennis van Warmerdam, Jasper Nota, Jim Blankendaal ------------------------------------------ [Reference] https://www.tk-star.comUse CVE-2019-20468.[Suggested description] An issue was discovered on One2Track 2019-12-08 devices. Confidential information is needlessly stored on the smartwatch. Audio files are stored in .amr format, in the audior directory. An attacker who has physical access can retrieve all audio files by connecting via a USB cable. ------------------------------------------ [VulnerabilityType Other] Voice conversations leaked to physical attackers. ------------------------------------------ [Vendor of Product] One2Track ------------------------------------------ [Affected Product Code Base] one2track - up to-date version as of 12-8-2019 (no exact version number) ------------------------------------------ [Affected Component] Local smartwatch storage ------------------------------------------ [Attack Type] Physical ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker must physically have access to the One2track software. Once this access has been obtained audio messages send to the smartwatch can be retrieved from the local storage. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Dennis van Warmerdam, Jasper Nota, Jim Blankendaal ------------------------------------------ [Reference] https://www.one2track.nlUse CVE-2019-20469.[Suggested description] An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It performs actions based on certain SMS commands. This can be used to set up a voice communication channel from the watch to any telephone number, initiated by sending a specific SMS and using the default password, e.g., pw,<password>,call,<mobile_number> triggers an outbound call from the watch. The password is sometimes available because of CVE-2019-20471. ------------------------------------------ [VulnerabilityType Other] Remote audio connection without explicit approval ------------------------------------------ [Vendor of Product] TK-star ------------------------------------------ [Affected Product Code Base] TK-Star Q90 Junior GPS horloge - 3.1042.9.8656 ------------------------------------------ [Affected Component] Smartwatch ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker needs to send an SMS to the device's mobile number. Knowledge of the mobile number is required before this vulnerability can be exploited. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Dennis van Warmerdam, Jasper Nota, Jim Blankendaal ------------------------------------------ [Reference] https://www.tk-star.comUse CVE-2019-20470.[Suggested description] An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is no prompt to change this password. Note that this password can be used in combination with CVE-2019-20470. ------------------------------------------ [Vulnerability Type] Incorrect Access Control ------------------------------------------ [Vendor of Product] TK-star ------------------------------------------ [Affected Product Code Base] TK-Star Q90 Junior GPS horloge - 3.1042.9.8656 ------------------------------------------ [Affected Component] Smartwatch ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Impact Information Disclosure] true ------------------------------------------ [Attack Vectors] An attacker needs to send an SMS to the device's mobile number. Knowledge of the mobile number is required before this vulnerability can be exploited. ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Dennis van Warmerdam, Jasper Nota, Jim Blankendaal ------------------------------------------ [Reference] https://www.tk-star.comUse CVE-2019-20471.[Suggested description] An issue was discovered on One2Track 2019-12-08 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device. ------------------------------------------ [VulnerabilityType Other] recommendation to disable common security measures ------------------------------------------ [Vendor of Product] One2Track ------------------------------------------ [Affected Product Code Base] One2Track - up to-date version as of 12-8-2019 (no exact version number) ------------------------------------------ [Affected Component] SIM card security PIN ------------------------------------------ [Attack Type] Physical ------------------------------------------ [CVE Impact Other] recommendation to disable common security measures ------------------------------------------ [Attack Vectors] Local ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Dennis van Warmerdam, Jim Blankendaal, Jasper Nota ------------------------------------------ [Reference] https://www.one2track.nlUse CVE-2019-20472.[Suggested description] An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device. ------------------------------------------ [VulnerabilityType Other] recommendation to disable common security measures ------------------------------------------ [Vendor of Product] TK-star ------------------------------------------ [Affected Product Code Base] TK-Star Q90 Junior GPS horloge - 3.1042.9.8656 ------------------------------------------ [Affected Component] Sim card & PIN ------------------------------------------ [Attack Vectors] Local ------------------------------------------ [Has vendor confirmed or acknowledged the vulnerability?] true ------------------------------------------ [Discoverer] Dennis van Warmerdam, Jasper Nota, Jim Blankendaal ------------------------------------------ [Reference] https://www.tk-star.comUse CVE-2019-20473.
With kind regards / Met vriendelijke groet, Willem Westerhof | Senior Security Specialist & Public speaker [Logo, company name Description automatically generated] Raising Your Cyber Resilience E: willem.westerhof () secura com<mailto:willem.westerhof () secura com> T: +31 6 488 594 22 W: secura.com<https://www.secura.com/> Follow us on: [signature_192587247]<https://www.linkedin.com/company/securabv/> [signature_493676802] <https://twitter.com/SecuraBV> [signature_235860830] <https://www.youtube.com/c/SecuraBV> [signature_4021970036]<https://www.secura.com/>
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Bunch of IoT CVEs Willem Westerhof | Secura (Jul 29)
文章来源: https://seclists.org/fulldisclosure/2024/Jul/14
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh