Lorex IP Camera Authentication Bypass (CVE-2012-6451)

By Jason Doyle

Continuing my security testing of popular consumer electronics, I found a rather trivial authentication bypass vulnerability in the new Lorex LNC116 VANTAGE Stream and LNC104 LIVE Ping IP cameras available at Amazon.com and local electronics stores. Unlike my previous write-up on the D-Link DCS-9xx password disclosure vulnerability where the attacker could only compromise the camera from the same network, this authentication bypass vulnerability can be exploited over the Internet to view the live video feed and/or change all configurable settings anonymously.

The camera’s web interface uses HTTP Basic for authentication, but the username and password are only validated on the home login page. By forced browsing, or navigating directly to any valid URL on the camera other than the homepage, it is possible to bypass authentication. I wrote a simple Python script to illustrate this. The script takes a file containing a list of supported URLs, which were gathered by spidering the camera’s webpages, and then prompts for a username and password. These credentials are then used to sequentially request each of the listed URLs and output the URL and HTTP response code. A ‘200’ response code means the webpage was accessible and a ‘401’ means unauthorized. So first, let me display the results of the script using the actual admin account which is ‘admin’ with a blank password:

As you can see, all web pages are accessible using the correct credentials – no surprise. However, now let’s run the script again with invalid credentials:

This is a bit strange – we can still access most of the web pages with an invalid password, except for the homepage where we received the ‘401’ (unauthorized) response. This tells us the camera only validates the user’s credentials when accessing the homepage, but all other pages are accessible. So what can we do with this? Well, everything, but navigating to the display.cgi page may be the biggest concern. This feature-rich camera also supports two-way audio ;)
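The flaw described above, modelled in-process as an added example (not the author's script and not Lorex firmware code): one handler checks HTTP Basic credentials only on the home page, the other checks them before routing, and a regression check lists every path that answers wrong or missing credentials with anything other than 401. The `/settings.cgi` path and all function names are assumptions made for the illustration.

```python
import base64
import hmac

# Constructed model: the post names only display.cgi; /settings.cgi is an
# illustrative assumption. The post gives the account as admin / blank password.
PAGES = ["/", "/display.cgi", "/settings.cgi"]
USERS = {"admin": ""}

def credentials_ok(headers):
    """Validate an HTTP Basic Authorization header against USERS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def flawed_handler(path, headers):
    """Behaviour described in the post: only the home page checks credentials."""
    if path not in PAGES:
        return 404
    if path == "/" and not credentials_ok(headers):
        return 401
    return 200

def enforced_handler(path, headers):
    """Authenticate before routing, so no path can be reached unchecked."""
    if not credentials_ok(headers):
        return 401
    return 200 if path in PAGES else 404

def basic(user, password):
    """Build the Authorization header a browser would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def unprotected_paths(handler, paths=PAGES):
    """Paths that answer something other than 401 to wrong or missing credentials."""
    probes = (basic("admin", "wrong"), {})
    return [p for p in paths if any(handler(p, h) != 401 for h in probes)]

if __name__ == "__main__":
    print("flawed:  ", unprotected_paths(flawed_handler))
    print("enforced:", unprotected_paths(enforced_handler))
```

A check like `unprotected_paths` belongs in a firmware test suite with the full route table as input, so a newly added page cannot ship without the authentication gate.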

Additional details:

Product: Lorex LNC116 and LNC104 IP Cameras

Vendor: LOREX Technology Inc.

Vulnerability Type: Authentication Bypass

Vulnerable Firmware Version(s): 030312 and earlier

Tested Firmware Version: 030312

Fixed Firmware Version: 030405

Solution Status: Fixed by Vendor

Vendor Notification: December 22, 2012

Public Disclosure: February 5, 2013

CVE Reference: CVE-2012-6451