Hacking Linksys IP Cameras (pt 3)

This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2).

Unlike the two vulnerabilities released in the previous posts, the vulnerabilities released here are perhaps less useful for breaking into the device, since exploiting them requires access to the admin account. [...]


Hacking Linksys IP Cameras (pt 1)

During the Easter break, I was playing with my wireless Linksys IP camera which, although I bought it several months ago, I hadn't taken the time to give the attention this beauty deserves until now! :)

The model in particular is the WVC54GCA, which I would say is one of the most affordable Wi-Fi IP cameras out there (about GBP 80 in the UK), making it a great toy to tinker with. [...]


Holes in Embedded Devices: Authentication bypass (pt 3)

We move on to the third kind of authentication bypass bug. You may want to familiarize yourself with the previous two entries here and here before you continue.

Unchecked HTTP methods

A device that is vulnerable to this issue only performs an authentication check (i.e. is a password being submitted with the request via HTTP basic authentication?) when the request is made using a particular HTTP method. Requests for the same resource using any other method reach the privileged code path without the check. [...]
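The following is an added example, not code from the GNUCITIZEN article or from any real firmware. It models a small device web server in Python: the vulnerable handler runs the basic-auth check only for GET, so an unauthenticated POST to a protected CGI path succeeds; the hardened handler authorizes first and rejects methods the endpoint does not implement. The credentials, paths and status codes are constructed for the illustration.

```python
import base64
import hmac

# Constructed credentials and protected paths for the toy device (assumptions,
# not taken from any real product).
ADMIN_USER = "admin"
ADMIN_PASS = "admin"
PROTECTED_PATHS = {"/setup.cgi", "/adm/reboot.cgi"}


def has_valid_basic_auth(headers: dict) -> bool:
    """True if the request carries a correct 'Authorization: Basic ...' header."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    # Constant-time comparison so the check itself does not leak a prefix match.
    return hmac.compare_digest(user, ADMIN_USER) and hmac.compare_digest(password, ADMIN_PASS)


def vulnerable_handle(method: str, path: str, headers: dict) -> int:
    """The bug pattern described in the article: the credential check is tied to
    the method. Anything other than GET (POST, HEAD, PUT, ...) skips it."""
    if path in PROTECTED_PATHS and method == "GET":
        if not has_valid_basic_auth(headers):
            return 401
    return 200  # privileged action performed


def hardened_handle(method: str, path: str, headers: dict) -> int:
    """Fix: decide on authorization before dispatching on the method, and reject
    methods the endpoint does not implement instead of falling through."""
    if path in PROTECTED_PATHS:
        if not has_valid_basic_auth(headers):
            return 401
        if method not in ("GET", "POST"):
            return 405
    return 200


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # An unauthenticated POST slips past the vulnerable check but not the hardened one.
    print("vulnerable POST, no creds:", vulnerable_handle("POST", "/setup.cgi", {}))
    print("hardened   POST, no creds:", hardened_handle("POST", "/setup.cgi", {}))
    print("hardened   GET  with creds:",
          hardened_handle("GET", "/setup.cgi", basic_header("admin", "admin")))
```

The practical check on a real device is the same shape: replay a request to an admin CGI with the method changed (GET to POST, or HEAD) and without the Authorization header, and watch whether the response is still 401.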


Holes in Embedded Devices: Authentication bypass (pt 2)

Usually, when accessing the web interface of an appliance, the user is prompted for a password if not already authenticated. This could be done via an HTML form on the login page or an HTTP basic authentication prompt (among other methods).

Let's call the authentication stage A. Once the admin user enters a username/password combination, the device checks the provided combination against the credentials stored in its internal configuration. [...]


Holes in Embedded Devices: Authentication bypass (pt 1)

Finding authentication bypass bugs is an obvious choice for attackers, since such bugs allow administrative changes to be made without knowledge of the admin password. In other words, compromising the target device without needing a password is of course something attackers are interested in! You bet! [...]


Holes in Embedded Devices: IP-based session management

Devices that implement IP address-based session management follow the algorithm described by the pseudocode shown below:

The implications are obvious: devices located in environments in which different users share the same proxy (and therefore present the same source IP address to the device) are vulnerable to administrative session hijacking attacks. Please note that this session hijacking attack has nothing to do with the classic TCP hijacking attack in which sequence numbers are predicted by the attacker. [...]
