Cameras leak credentials, live video

D-Link scrambles upgrade, Vivotek silent says Core Sec

D-Link and Vivotek have submitted their entries for “dumbest security vulnerability of 2013”, with Core Security turning up a variety of daft bugs in their IP cameras, including hard-coded backdoor passwords.

Core Security has published separate advisories for Vivotek and for D-Link. D-Link has told Core Security it is preparing a fix, but the researchers were unable to get any response from Vivotek.

The D-Link vulnerabilities include:

  • Operating system command injection: The cameras' Web interface handles certain CGI requests in a way that lets an attacker pass arbitrary commands through to the underlying operating system.
  • Authentication bypass: Appending /upnp/asf-mp4.asf to the camera's root URL accesses the video stream without authentication.
  • Video leaks as ASCII: An ASCII stream of the video luminance is accessible without authentication using the path /md/lums.cgi.
  • RTSP authentication bypass: This also allows unauthenticated access to the video stream.
  • Hard-coded RTSP credentials: *? is a hard-coded backdoor into the cameras.

Vivotek's blunders include:

  • Plaintext password storage: Credentials are kept in plaintext in configuration files that can be fetched via the URL paths /cgi-bin/admin/getparam.cgi and /setup/parafile.html.
  • Remote buffer overflow: There's a buffer overrun in the RTSP service.
  • RTSP authentication bypass: A crafted URL sent to the Vivotek PT7135 camera provides unauthenticated access to the video stream.
  • User credential leaks: Firmware version 0300a on Vivotek cameras allows remote attackers to dump the camera's memory and extract user credentials. The juicy stuff is kept in /proc/kcore, the Linux pseudo-file that exposes the kernel's view of system memory.
  • Command injection: A binary file in the camera has a flaw allowing remote command injection.
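Most of the items in both lists boil down to "a URL that should demand credentials doesn't", so the first thing an administrator wants is a quick way to see whether a camera on the network still answers those paths without logging in. The script below is an added example written for this article, not tooling from Core Security, D-Link or Vivotek. It sends an unauthenticated GET to each of the four HTTP paths named above (the D-Link video and luminance paths, the two Vivotek parameter files) and reports a path as exposed if the camera returns 200 rather than 401. It deliberately does not touch the RTSP bypass, the hard-coded RTSP credential, the buffer overflow or the command injection, because the article gives no request format for those and none should be guessed. The `status_fn` parameter exists only so the verdict logic can be exercised offline against constructed answers; the camera address `192.0.2.10` used in the usage note is an assumption.

```python
"""Probe an IP camera for the unauthenticated paths listed in the Core Security
D-Link and Vivotek advisories.  Added example, not vendor or Core Security code."""
import sys
import urllib.error
import urllib.request

# Paths as quoted in the article.  A camera that answers 200 to an
# unauthenticated GET on any of these is exposed; 401 (credentials demanded)
# is the healthy answer.
UNAUTH_PATHS = {
    "/upnp/asf-mp4.asf": "D-Link: video stream served without authentication",
    "/md/lums.cgi": "D-Link: ASCII luminance stream served without authentication",
    "/cgi-bin/admin/getparam.cgi": "Vivotek: parameter file, may hold plaintext passwords",
    "/setup/parafile.html": "Vivotek: parameter file, may hold plaintext passwords",
}


def http_status(url, timeout=5):
    """Unauthenticated GET; returns the HTTP status code, or None if unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "camera-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status code
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Turn a status code into a verdict string."""
    if status is None:
        return "unreachable"
    if status == 401:
        return "ok"          # the camera asked for credentials
    if status == 200:
        return "EXPOSED"     # served without any credentials
    if status == 404:
        return "absent"      # path not present on this model/firmware
    return "unexpected"


def check_camera(base_url, status_fn=http_status):
    """Probe every listed path on one camera and return {path: (verdict, why)}.

    status_fn is injectable so the verdict logic can be tested offline with
    constructed answers; the default performs real HTTP requests."""
    base = base_url.rstrip("/")
    return {path: (classify(status_fn(base + path)), why)
            for path, why in UNAUTH_PATHS.items()}


def exposed_paths(results):
    """Paths whose verdict is EXPOSED, sorted for stable output."""
    return sorted(p for p, (verdict, _) in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: camera_check.py http://CAMERA-IP[:port]")
    findings = check_camera(sys.argv[1])
    for path, (verdict, why) in findings.items():
        print(f"{verdict:11} {path:30} {why}")
    # Non-zero exit if anything is exposed, so the check can sit in a cron job.
    sys.exit(1 if exposed_paths(findings) else 0)
```

Run it as `python3 camera_check.py http://192.0.2.10` against a camera you own; a 401 on every line is what a patched device should produce. A 404 only means that firmware does not serve the path, not that the model is clean, and the check says nothing about the RTSP side, which needs a separate RTSP client to verify.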

Unless users get busy upgrading their firmware, The Register imagines all kinds of unwanted "private" videos will start turning up. More seriously, however, it is also likely, knowing the bad habits not just of users but of many sysadmins, that credentials leaked from a camera will turn out to have been reused on other bits of network infrastructure.

Core Security's advisories include a full list of devices confirmed as vulnerable.
