#============================================================= # Unauthorized Access vulnerability in FlexWATCH camera Server # Second Assault ! #============================================================= Author: SLAIZER mail: slaizer[at]phreaker.net Vendor : SEYEON Technology System : FlexWATCH Network Video Server url : http://www.flexwatch.com/ Mail: sytech@seyeon.co.kr Protuct Version : FlexWATCH-50 Web Ver 2.2 tested Build Nov 18 2003 #==================== # Introduction #==================== A few months ago I published another document , explaining how to obtain entire access to the system of easy and fast form. The same document was sent to SEYEON before being published , since I did not obtain response of them , I decided to publish it. Two months after having being published , SEYEON got in touch with me. They asked me that test a new system already patched to the bug , in order that I was saying to them that bugs had found . They demanded me that it should remove the name of the company of my previus document and thet he should not publish any more... In addition to realizing a work to the company with many economic benefits of completely free form , thing that I do not accept . I will always be ready to help to whom I needed it from free form where as I'm not demanded anything and much less I use propietary software. I'm sorry that it seems to be exagerate but nobody lives of the air. #=================== # Description #=================== ·To examining the new system! slaizer@Necora:~$ echo -e "HEAD / HTTP/1.0\n\n" | nc victim 80 HTTP/1.0 302 Redirect Server: FlexWATCH-Webs <---------- :) the same everlasting banner Date: Mon Dec 1 01:01:26 2003 Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Location: http://victim/index.htm Age: 1 ·In another version do not examine the services use , becouse I did not need it :P. root@Necora:~$ nmap -sS -P0 victim Interesting ports on victim (censured :P): PORT STATE SERVICE 21/tcp open ftp <------- 23/tcp open telnet <------- Default user/pass are root/root :P 80/tcp open http <------- They are not also very interesting right now , 1024/tcp open kdm <------- but with the nice thing that is to use ssl :P. 1755/tcp open wms <------- ·It's time to see web application : ·Sailing along the web we think that the system has changed a bit as for the tree of directories , but for the rest it seems to be equal . The first thing what we meet is a bug in the application entrusted to notify to us that url to which we eant to accede doesn't exist ( 404 error ) , a piece of XSS :P . Cross-Site Scripting . Example : mozilla http://victim/hehe.html

Results : Access Error: Page not found when trying to obtain /hehe.html cannot open URL /hehe.html ( The code is executed perfectly even two times are executed .. hehe . Turning out be of that time two windows alerting us with the message -Security ? ). View source : Document Error: Page not found

Access Error: Page not found

when trying to obtain /hehe.html

Cannot open URL /hehe.html

Note: This type of methods is well-known to gain access to the system by means of links malicious to do with the identification of some user . document.write / document.cookie / document.location.. I expose different methods of injection Javascript extracted of Globbes Security Advisory #33:
[IE] [IE] [IE] & &{[code]}; [N4] [N4]