XML Injection – Bosch Security Systems

A few months ago I did an assessment in a web application from Bosch Security Systems, which is basically a front end for a surveillance camera. The system is pretty simple and straight forward, you can view the live feed of the camera and also do some recording.

The problem is that most people set these kind of systems with the default options, and almost every time, these options aren’t enough for a secure set up. This time was no different, so here’s the deal:

XML Injection Vulnerability – Bosch Security Systems

  • Camera Model – Dinion NBN-498-P IVA

Vulnerability was found in the web interface used to monitor the live feed of the camera, which also can be published to the web. By injecting any XML or HTML commands in the field “idstring”, the web application does not properly sanitize the input. This vulnerability was only found at this specific component.

  • Vulnerable component:
    “camera address”/rcp.xml?idstring=

Figure 1 – Web Camera Interface

The image above represents the web interface of the camera. As you can see, pretty simple and easygoing. Also, it’s an administrative with restricted functions interface, which was set up with default security settings without any passwords.


Figure 2 – POC – Command injection at “idstring”

The command injection can be done by sending the command at the “idstring” field, anything that you type there were being accepted by the system. The lack of background knowledge of this system made me run out of tests here, by the time I did this testing I didn’t know anything about the camera’s backend system and by that I wasn’t able to make any elaborated attacks.


Figure 3 – Cont. Command Injection

This last image is the proof of concept, as you can see the function “tagnode” was inserted in the “idstring” parameter. As I stated before, this isn’t an elaborated attack and I wasn’t able to compromise the system due my lack of time by the date I was testing but this is a proof that the system is vulnerable for XML commands injection.

I’m looking forward to extend my testing in this system for something more practical.

Here’s the timeline for this finding:

  • First contact: 09/17/2015- no answer
  • Second contact: 09/21/2015- no answer
  • Disclosure: 03/27/2016