Lorex IP Camera Authentication Bypass (CVE-2012-6451)
Continuing my security testing of popular consumer electronics, I found a rather trivial authentication bypass vulnerability in the new Lorex LNC116 VANTAGE Stream and LNC104 LIVE Ping IP cameras available at Amazon.com and local electronics stores. Unlike my previous write-up on the D-Link DCS-9xx password disclosure vulnerability where the attacker could only compromise the camera from the same network, this authentication bypass vulnerability can be exploited over the Internet to view the live video feed and/or change all configurable settings anonymously.
The camera’s web interface uses HTTP Basic authentication, but the username and password are only validated on the home login page. By forced browsing, that is, navigating directly to any valid URL on the camera other than the homepage, it is possible to bypass authentication.
I wrote a simple Python script to illustrate this. The script takes a file containing a list of supported URLs, which were gathered by spidering the camera’s webpages, and then prompts for a username and password. These credentials are then used to request each of the listed URLs in turn, and the script prints each URL with its HTTP response code. A ‘200’ response code means the webpage was accessible and a ‘401’ means unauthorized. So first, let me display the results of the script using the actual admin account, which is ‘admin’ with a blank password:
As you can see, all web pages are accessible using the correct credentials – no surprise. However, now let’s run the script again with invalid credentials:
This is a bit strange – we can still access most of the web pages with an invalid password, except for the homepage where we received the ‘401’ (unauthorized) response. This tells us the camera only validates the user’s credentials when accessing the homepage, but all other pages are accessible. So what can we do with this? Well, everything, but navigating to the display.cgi page may be the biggest concern. This feature-rich camera also supports two-way audio ;)
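The following is an added illustration, not the author's script or the camera's firmware: a small offline Python model of the flaw, with a handler that checks credentials only on the homepage next to one that checks them on every request. The `/settings.cgi` path and all function names are assumptions made for the example.

```python
import base64
import hmac

# Constructed sample data: only "/" and "/display.cgi" are named in the write-up;
# "/settings.cgi" is a hypothetical stand-in for the other spidered pages.
PAGES = ["/", "/display.cgi", "/settings.cgi"]
USERS = {"admin": ""}  # admin account with a blank password, as described above

def basic_header(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def credentials_valid(auth_header):
    """Decode a Basic header and compare it against the account table."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # covers malformed base64 and non-UTF-8 bytes
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def flawed_handler(path, auth_header):
    """Model of the flaw: credentials are checked on the homepage only."""
    if path not in PAGES:
        return 404
    if path == "/" and not credentials_valid(auth_header):
        return 401
    return 200

def fixed_handler(path, auth_header):
    """Credentials are checked before any routing decision is made."""
    if not credentials_valid(auth_header):
        return 401
    return 200 if path in PAGES else 404

def audit(handler, auth_header):
    """Return {path: status} for every known page, like the script's output."""
    return {path: handler(path, auth_header) for path in PAGES}

def unprotected(handler):
    """Pages that answer 200 to a request carrying wrong credentials."""
    bad = basic_header("admin", "wrong-password")
    return [p for p, code in audit(handler, bad).items() if code == 200]
```

A non-empty result from `unprotected()` is the signature described above: a 401 on the homepage and a 200 everywhere else when the password is wrong.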
Product: Lorex LNC116 and LNC104 IP Cameras
Vendor: LOREX Technology Inc.
Vulnerability Type: Authentication Bypass
Vulnerable Firmware Version(s): 030312 and earlier
Tested Firmware Version: 030312
Fixed Firmware Version: 030405
Solution Status: Fixed by Vendor
Vendor Notification: December 22, 2012
Public Disclosure: February 5, 2013
CVE Reference: CVE-2012-6451