From: Willem Westerhof | Secura <Willem.Westerhof () secura com>
Date: Fri, 26 Jul 2024 13:11:06 +0000
Hi all,
A list of CVE’s in a bunch of IoT devices that never made it to the general public through other means, but have either
been fixed, or never will be fixed, since they are a couple of years old.
[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
By sending a specific request to the webserver, it is possible to
enable the telnet interface on the device. The telnet interface can
then be used to obtain access to the device with root privileges and a
default password. This default telnet password is the same across all
Siime Eye devices.
In order for the attack to be exploited, an attacker must be physically
close in order to connect to the device's Wi-Fi access point.
------------------------------------------
[Additional Information]
The vulnerability was first discovered by Pentest Partners, later on it was also discovered by Qbit as the issues
remain unaddressed by the vendor.
default telnet password is the same across all
Siime Eye devices and possibly even across all devices created by this
developer
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye device
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
An attacker must first obtain access to the Wi-Fi access point of the device, after which the exploit can be done
using simple network commands.
------------------------------------------
[Reference]
https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit during an assignment for the Consumentenbond. Unknown
personnel at pentest partners who did not request a CVE back then.
Use CVE-2020-11915.
[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
The password for the root user is hashed using an old and
deprecated hashing technique. Because of this deprecated hashing,
the success probability of an attacker in an offline cracking attack
is greatly increased.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye linux password hashes
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
The hash can be obtained using various techniques (e.g.) through command injection.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11916.
[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
It uses a default SSID value, which makes it easier for remote attackers to
discover the physical locations of many Siime Eye devices, violating the
privacy of users who do not wish to disclose their ownership of this type of device.
(Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.)
------------------------------------------
[Additional Information]
The access point is only detectable when the device is turned on. As the device is turned on for limited times less
devices are detected via Wigle then one might expect.
Wigle.net is a site which maps SSIDs to physical locations. Using this
site, it is possible to filter on specific SSIDs. When a filter is
applied to find the default SSID of the Siime Eye, it is possible to
find several devices across the globe. The map shown on wigle shows an
approximate physical location for the device and hence makes physical
or physical proximity attacks more likely.
In addition it violates the user's privacy as everyone on the internet
is capable of detecting where the devices are being used.
------------------------------------------
[VulnerabilityType Other]
Information disclosure
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye Wi-Fi access point
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
In order to exploit this issue an attacker needs to simply search for the Siime Eye SSID on wigle.net
------------------------------------------
[Reference]
https://wigle.net
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin gozeling from Qbit cyber security in assignment of the Consumentenbond.
Use CVE-2020-11917.
[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
When a backup file is created through the web interface, information on
all users, including passwords, can be found in cleartext in the
backup file. An attacker capable of accessing the web interface
can create the backup file.
------------------------------------------
[Additional Information]
Note that this means the application passwords are also stored on the device in plain text, otherwise they could not
be placed in the backup file in this manner.
Note that during normal functional use, the backup file is
not created.
and then use other vulnerabilities
to obtain access to the backup file, including the user's passwords.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
A backup file must be found or created by an attacker in order to exploit this vulnerability.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond
Use CVE-2020-11918.
[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
There is no CSRF protection.
------------------------------------------
[Additional Information]
The default settings make this attack theoretical rather than practical.
A lot of interaction takes place between the application and the end
user. For correct functioning, it is important to verify that requests
coming from the user actually represent the user's intention. The
application must therefore be able to distinguish forged requests from
legitimate ones. Currently no measures against Cross-Site Request
Forgery have been implemented and therefore users can be tricked into
submitting requests without their knowledge or consent. From the
application's point of view, these requests are legitimate requests
from the user and they will be processed as such. This can result in
the creation of additional (administrative) user accounts, without the
user’s knowledge or consent.
In order to execute a CSRF attack, a user must be tricked into visiting
an attacker controlled page, using the same browser that is
authenticated to the Siime Eye. As mostly the Hotspot from Siime Eye
will be used, users are unlikely to (be able to) access such pages
simultaneously.
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye, web interface
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[CVE Impact Other]
Full device compromise.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11919.
[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14.
A command injection vulnerability resides in the HOST/IP section of the
record settings menu in the webserver running on the device. By
injecting Bash commands here, the device executes arbitrary code with
root privileges (all of the device's services are running as root).
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye, web interface
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
An attacker needs to be connected to the device's access point and have access to the admin panel (e.g through
sniffing or bruteforcing the credentials)
------------------------------------------
[Reference]
https://www.pentestpartners.com/security-blog/vulnerable-wi-fi-dildo-camera-endoscope-yes-really/
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security in assignment for the Consumentenbond In
addition, Pentest partners discovered this as well but did not request CVE's.
Use CVE-2020-11920.
[Suggested description]
An issue was discovered in Lush 2 through 2020-02-25.
Due to the lack of Bluetooth traffic encryption, it is possible to
hijack an ongoing Bluetooth connection between the Lush 2 and a mobile
phone. This allows an attacker to gain full control over the device.
------------------------------------------
[Additional Information]
The victim will lose the legitimate connection and therefore will lose
the ability to control the device. This attack hijacks the connection,
even when someone else was actively using the device before. The
original user loses control, and the attacker gains control of the
device. Note that the user of the device remains capable of simply
shutting it down. In order to exploit this vulnerability, the attacker
must be present in a certain radius in which the Bluetooth connection
can be intercepted. This attack vector also requires specific hardware
like the Micro:bit.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Lovense
------------------------------------------
[Affected Product Code Base]
Lush 2 - Cannot be determined.
------------------------------------------
[Affected Component]
Lush 2, Bluetooth interface
------------------------------------------
[Attack Type]
Local
------------------------------------------
[CVE Impact Other]
Take over normal device functionality from the original owner.
------------------------------------------
[Attack Vectors]
An attacker needs to be physically close (100ish meter) in order to take over control of the device.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Roan Engelbert, Ilona de Bruin from Qbit cyber security in assignment of the
Consumentenbond.
Use CVE-2020-11921.
[Suggested description]
An issue was discovered in WiZ Colors A60 1.14.0.
The device sends unnecessary information to the cloud controller
server. Although this information is sent encrypted and has low risk in isolation,
it decreases the privacy of the end user.
The information sent includes the local IP address being used and the SSID
of the Wi-Fi network the device is connected to.
(Various resources such as wigle.net can be use for mapping of SSIDs to physical locations.)
------------------------------------------
[VulnerabilityType Other]
Information disclosure
------------------------------------------
[Vendor of Product]
WiZ Connected
------------------------------------------
[Affected Product Code Base]
WiZ Colors A60 - 1.14.0
------------------------------------------
[Affected Component]
WiZ Colors A60
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
None. The Lightbulb by default transmits privacy sensitive info to the cloud system.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Wouter Wessels, Jim Blankendaal, Jasper Nota from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11922.
[Suggested description]
An issue was discovered in WiZ Colors A60 1.14.0.
API credentials are locally logged.
------------------------------------------
[Additional Information]
An issue was discovered in WiZ Colors A60 1.14.0.
Applications use general logs to reflect all kind of information to the
terminal. The WIZ application does also use logs, however instead of
only generic information also API credentials are submitted to the
android log. The information that is reflected in the logging can be
used to perform authorised requests in behalf of the user and therefore
controlling the lights just as the user can do using the application.
In order to obtain the information access to the device logs is
required. This can most easily be done via local access and also by
other apps on rooted devices.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
WiZ Connected
------------------------------------------
[Affected Product Code Base]
WiZ Colors A60 - 1.14.0
------------------------------------------
[Affected Component]
Wiz Android Application 1.15.0
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Physical access or local root access on the mobile phone is required in order to exploit this issue.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Wouter Wessels, Willem Westerhof, Jasper Nota, Jim Blankendaal
Use CVE-2020-11923.
[Suggested description]
An issue was discovered in WiZ Colors A60 1.14.0.
Wi-Fi credentials are stored in cleartext in flash memory, which
presents an information-disclosure risk for a discarded or resold device.
------------------------------------------
[Additional Information]
Wi-Fi credentials are stored in plain-text on the light bulb. These
credentials can be obtained by reading the flash memory directly using
a logic analyzer. This means the Wi-Fi login credentials of the
previous owner can be found in the memory capture when the device is
bought second-hand, or retrieved from a trashcan.
------------------------------------------
[VulnerabilityType Other]
Information disclosure
------------------------------------------
[Vendor of Product]
WiZ Connected
------------------------------------------
[Affected Product Code Base]
WiZ Colors A60 - 1.14.0
------------------------------------------
[Affected Component]
WiZ Colors A60
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Physical, access to the chip is required.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Jasper Nota, Willem Westerhof, Wouter Wessels, Jim Blankendaal from Qbit in assignment of the Consumentenbond.
Use CVE-2020-11924.
[Suggested description]
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25.
Authentication to the device is based on a username and password. The
root credentials are the same across all devices of this model.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Luvion
------------------------------------------
[Affected Product Code Base]
Luvion Grand Elite 3 Connect - Could not be determined
------------------------------------------
[Affected Component]
Underlying linux system.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Any attacker with network access can exploit this vulnerability.
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in assignment of Consumentenbond.
------------------------------------------
[Reference]
N/A
Use CVE-2020-11925.
[Suggested description]
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25.
Clients can authenticate themselves to the device using a username and
password. These credentials can be obtained through an unauthenticated
web request, e.g., for a JavaScript file. Also, the
disclosed information includes
the SSID and WPA2 key for the Wi-Fi
network the device is connected to.
------------------------------------------
[Additional Information]
The disclosed information can be functionally used by an attacker to remotely gain access to normal camera
functionality. (e.g. watch in someone's room over the internet)
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Luvion
------------------------------------------
[Affected Product Code Base]
Luvion Grand elite 3 connect - Cannot be determined
------------------------------------------
[Affected Component]
Webserver running on the device.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Authentication bypass
------------------------------------------
[Attack Vectors]
An attacker can simply browse to the device and retrieve the passwords.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Jim Blankendaal, Martijn Baalman from Qbit in assignment of the Consumentenbond
------------------------------------------
[Reference]
N/A
Use CVE-2020-11926.
[Suggested description]
An issue was discovered on Brother MFC-J491DW C1806180757 devices.
The printer's web-interface password hash can be retrieved without
authentication, because
the response header of any failed login attempt returns an incomplete
authorization cookie. The value of the authorization cookie is the MD5
hash of the password in hexadecimal. An attacker can easily
derive the true MD5 hash from this, and use offline cracking attacks to
obtain administrative access to the device.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Brother
------------------------------------------
[Affected Product Code Base]
MFC-J491DW - C1806180757
------------------------------------------
[Affected Component]
Web admin panel
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker needs to have access to the web interface running on TCP/80 on the device.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszcynski, intern at Qbit in cooperation with the Dutch Consumer Organisation
------------------------------------------
[Reference]
https://global.brother
Use CVE-2019-20457.
[Suggested description]
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.
By default, the device comes (and functions) without a password. The
user is at no point prompted to set up a password on the device
(leaving a number of devices without a password). In this case, anyone connecting to
the web admin panel is capable of becoming admin without using any
credentials.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Epson
------------------------------------------
[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8
------------------------------------------
[Affected Component]
Web admin panel
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
The attacker needs to have access to port 80/TCP (the webserver) of the device.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
------------------------------------------
[Reference]
https://epson.com/Support/sl/s
Use CVE-2019-20458.
[Suggested description]
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.
With the SNMPv1 public community,
all values can be read, and with the epson community, all the
changeable values can be written/updated, as demonstrated by
permanently disabling the network card or changing the DNS servers.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Epson
------------------------------------------
[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8
------------------------------------------
[Affected Component]
SNMP agent
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
The attacker must be able to connect to the devices on port 515/UDP.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
------------------------------------------
[Reference]
https://epson.com/Support/sl/s
Use CVE-2019-20459.
[Suggested description]
An issue was discovered on Epson Expression Home XP255 20.08.FM10I8 devices.
POST requests don't require (anti-)CSRF tokens or other
mechanisms for validating that the request is from a legitimate
source.
In addition, CSRF attacks can be used to send text directly to the RAW
printer interface. For example, an attack could deliver a worrisome printout to an end user.
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Epson
------------------------------------------
[Affected Product Code Base]
Expression Home XP255 - 20.08.FM10I8
------------------------------------------
[Affected Component]
Web admin panel, RAW printing protocol
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
Using a CSRF attack, the web admin panel is attacked.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Konrad Leszczynski, intern at Qbit in collaboration with the Dutch consumer organisation.
------------------------------------------
[Reference]
https://epson.com/Support/sl/s
Use CVE-2019-20460.
[Suggested description]
An issue was discovered on Alecto IVM-100 2019-11-12 devices.
The device uses a custom UDP protocol to start and control video and
audio services. The protocol has been partially reverse engineered.
Based upon the reverse engineering, no password or username is ever
transferred over this protocol. Thus, one can
set up the camera connection feed with only the encoded UID. It
is possible to set up sessions with the camera over the Internet by using the encoded UID
and the custom UDP protocol, because authentication happens at the client
side.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Alecto
------------------------------------------
[Affected Product Code Base]
Alecto-IVM-100 - Exact version unknown
------------------------------------------
[Affected Component]
Video and audio stream of the camera.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker requires knowledge of the encoded UID (can be obtained by
sniffing or enumerating). Once this knowledge has been obtained, the
attacker can set up a video/audio system from anywhere.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer
organisation
------------------------------------------
[Reference]
https://www.alecto.nl
Use CVE-2019-20461.
[Suggested description]
An issue was discovered on Alecto IVM-100 2019-11-12 devices.
The device comes with a serial interface at the board level. By
attaching to this serial interface and rebooting the device, a large
amount of information is disclosed. This includes the view password
and the password of the Wi-Fi access point that the device used.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Alecto
------------------------------------------
[Affected Product Code Base]
Alecto IVM-100 - unknown.
------------------------------------------
[Affected Component]
Serial interface.
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker needs to open up the device and physically attach wires as well as reboot the device.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer
organisation
------------------------------------------
[Reference]
https://www.alecto.nl
Use CVE-2019-20462.
[Suggested description]
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.
A crash and reboot can be triggered by crafted IP traffic, as demonstrated by the Nikto vulnerability scanner.
For example, sending the 111111 string to UDP port 20188 causes a reboot. To deny service for a long time period,
the crafted IP traffic may be sent periodically.
------------------------------------------
[VulnerabilityType Other]
Denial of Service due to incorrect error handling
------------------------------------------
[Vendor of Product]
Sannce
------------------------------------------
[Affected Product Code Base]
Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
------------------------------------------
[Affected Component]
Webserver, custom UDP handling binary.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
Any attacker capable of reaching the device with a network packet is capable of causing a DoS.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer
organisation.
------------------------------------------
[Reference]
https://www.sannce.com
Use CVE-2019-20463.
[Suggested description]
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.
By default, a mobile application is used to stream over UDP.
However, the device offers many more services
that also enable streaming. Although the service used by the mobile
application requires a password, the other streaming services do not. By
initiating communication on the RTSP port, an attacker can
obtain access to the video feed without authenticating.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Sannce
------------------------------------------
[Affected Product Code Base]
Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
------------------------------------------
[Affected Component]
Videostream of camera
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker simply needs to be able to connect to the device over the network.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer
organisation.
------------------------------------------
[Reference]
https://www.sannce.com
Use CVE-2019-20464.
[Suggested description]
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.
It is possible (using TELNET without a password) to control the camera's
pan/zoom/tilt functionality.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Sannce
------------------------------------------
[Affected Product Code Base]
Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
------------------------------------------
[Affected Component]
Videostream of camera
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker simply needs to be able to connect to the device over the network.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer
organisation.
------------------------------------------
[Reference]
https://www.sannce.com
Use CVE-2019-20465.
[Suggested description]
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.
A local attacker with the "default" account is capable of reading the
/etc/passwd file, which contains a weakly hashed root password.
By taking this hash and cracking it, the attacker
can obtain root rights on the device.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Sannce
------------------------------------------
[Affected Product Code Base]
Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
------------------------------------------
[Affected Component]
Root user through file /etc/passwd
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, someone must be able to get local
presence on the device. e.g. through command injection or by using the
telnet interface as a low-privileged user.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer
organisation.
------------------------------------------
[Reference]
https://www.sannce.com
Use CVE-2019-20466.
[Suggested description]
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices.
The device by default has a TELNET interface available (which is not
advertised or functionally used, but is nevertheless available). Two
backdoor accounts (root and default) exist that can be used on this
interface. The usernames and passwords of the backdoor accounts are the
same on all devices. Attackers can use these backdoor accounts to
obtain access and execute code as root within the device.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Sannce
------------------------------------------
[Affected Product Code Base]
Sannce Smart HD Wifi Security Camera - EAN nr: 2 950004 595317
------------------------------------------
[Affected Component]
Telnet daemon
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Anyone with network access to the device can trigger this vulnerability.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with the Dutch Consumer
organisation.
------------------------------------------
[Reference]
https://www.sannce.com
Use CVE-2019-20467.
[Suggested description]
An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It has unnecessary
permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and READ_CONTACTS.
------------------------------------------
[Additional Information]
The manifest of Q90 declares the use of permissions. However some of
the declared functions are not required for proper functioning of the
application. The following application permissions are not required:
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows
using the type WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE: Declaring these permissions
for debugging purposes is common practice, but they should not be
carried over to production releases of the app.
android.permission.READ_EXTERNAL_STORAGE.
android.permission.CHANGE_WIFI_STATE: Allows applications to change
Wi-Fi connectivity state. android.permission.CHANGE_CONFIGURATION:
Allows access to the list of accounts (including usernames) in the
Accounts Service. android.permission.READ_CONTACTS: Allows an
application to read the user's contacts data.
android.permission.MANAGE_ACCOUNTS: The application can request create
or access accounts stored locally in the AccountManager.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts
(including usernames) in the Accounts Service.
android.permission.BLUETOOTH: Allows applications to connect to paired
bluetooth devices. android.permission.BLUETOOTH_ADMIN: Allows
applications to discover and pair bluetooth devices.
android.permission.GET_TASKS: Allows the app to retrieve information
about currently and recently running tasks. This may allow the app to
discover information about which applications are used on the device.
The backup element (android:allowBackup) is manually set to true.
The sheer amount of unnecessary permissions, with potential high
security impact, (e.g. reading all contact information, retrieving
usernames, passwords and other personal information stored on the
device, changing system settings, connecting to other devices) provides
the application with an unnecessarily large amount of sensitive
information and (potential) control over older (API 16-22) mobile
devices and raises numerous questions regarding the intentions behind
this application.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
TK-star
------------------------------------------
[Affected Product Code Base]
TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
------------------------------------------
[Affected Component]
Q90 SeTracker2
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
Excessive permissions can enable malicious behaviour.
------------------------------------------
[Attack Vectors]
to exploit the vulnerability, the application code must be updated with malicious intent.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
------------------------------------------
[Reference]
https://www.tk-star.com
Use CVE-2019-20468.
[Suggested description]
An issue was discovered on One2Track 2019-12-08 devices.
Confidential information is needlessly stored on the smartwatch. Audio
files are stored in .amr format, in the audior directory. An
attacker who has physical access can
retrieve all audio files by connecting via a USB cable.
------------------------------------------
[VulnerabilityType Other]
Voice conversations leaked to physical attackers.
------------------------------------------
[Vendor of Product]
One2Track
------------------------------------------
[Affected Product Code Base]
one2track - up to-date version as of 12-8-2019 (no exact version number)
------------------------------------------
[Affected Component]
Local smartwatch storage
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker must physically have access to the One2track software.
Once this access has been obtained audio messages send to the
smartwatch can be retrieved from the local storage.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
------------------------------------------
[Reference]
https://www.one2track.nl
Use CVE-2019-20469.
[Suggested description]
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.
It performs actions based on certain SMS commands. This
can be used to set up a voice communication channel from the watch to
any telephone number, initiated by sending a specific SMS and using the
default password, e.g., pw,<password>,call,<mobile_number> triggers an outbound call
from the watch.
The password is sometimes available because of CVE-2019-20471.
------------------------------------------
[VulnerabilityType Other]
Remote audio connection without explicit approval
------------------------------------------
[Vendor of Product]
TK-star
------------------------------------------
[Affected Product Code Base]
TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
------------------------------------------
[Affected Component]
Smartwatch
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker needs to send an SMS to the device's mobile number. Knowledge of the mobile number is required before
this vulnerability can be exploited.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
------------------------------------------
[Reference]
https://www.tk-star.com
Use CVE-2019-20470.
[Suggested description]
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.
When using the device at initial setup, a default password is used
(123456) for administrative purposes. There is no prompt to change this password.
Note that this password can be used in combination with CVE-2019-20470.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
TK-star
------------------------------------------
[Affected Product Code Base]
TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
------------------------------------------
[Affected Component]
Smartwatch
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker needs to send an SMS to the device's mobile number.
Knowledge of the mobile number is required before this vulnerability
can be exploited.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
------------------------------------------
[Reference]
https://www.tk-star.com
Use CVE-2019-20471.
[Suggested description]
An issue was discovered on One2Track 2019-12-08 devices.
Any SIM card used with the device
cannot have a PIN configured. If a PIN is configured, the device simply produces a
"Remove PIN and restart!" message, and cannot be used. This makes it easier for
an attacker to use the SIM card by stealing the device.
------------------------------------------
[VulnerabilityType Other]
recommendation to disable common security measures
------------------------------------------
[Vendor of Product]
One2Track
------------------------------------------
[Affected Product Code Base]
One2Track - up to-date version as of 12-8-2019 (no exact version number)
------------------------------------------
[Affected Component]
SIM card security PIN
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[CVE Impact Other]
recommendation to disable common security measures
------------------------------------------
[Attack Vectors]
Local
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jim Blankendaal, Jasper Nota
------------------------------------------
[Reference]
https://www.one2track.nl
Use CVE-2019-20472.
[Suggested description]
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.
Any SIM card used with the device
cannot have a PIN configured. If a PIN is configured, the device simply produces a
"Remove PIN and restart!" message, and cannot be used. This makes it easier for
an attacker to use the SIM card by stealing the device.
------------------------------------------
[VulnerabilityType Other]
recommendation to disable common security measures
------------------------------------------
[Vendor of Product]
TK-star
------------------------------------------
[Affected Product Code Base]
TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
------------------------------------------
[Affected Component]
Sim card & PIN
------------------------------------------
[Attack Vectors]
Local
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
------------------------------------------
[Reference]
https://www.tk-star.com
Use CVE-2019-20473.
With kind regards / Met vriendelijke groet,
Willem Westerhof | Senior Security Specialist & Public speaker
[Logo, company name Description automatically generated]
Raising Your Cyber Resilience
E: willem.westerhof () secura com<mailto:willem.westerhof () secura com>
T: +31 6 488 594 22
W: secura.com<https://www.secura.com/>
Follow us on:
[signature_192587247]<https://www.linkedin.com/company/securabv/> [signature_493676802] <https://twitter.com/SecuraBV>
[signature_235860830] <https://www.youtube.com/c/SecuraBV>
[signature_4021970036]<https://www.secura.com/>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Bunch of IoT CVEs Willem Westerhof | Secura (Jul 29)