XML Injection – Bosch Security Systems

A few months ago I did an assessment of a web application from Bosch Security Systems, which is basically a front end for a surveillance camera. The system is pretty simple and straightforward: you can view the camera's live feed and also do some recording.

The problem is that most people set these kinds of systems up with the default options, and almost every time those options aren't enough for a secure setup. This time was no different, so here's the deal:

XML Injection Vulnerability – Bosch Security Systems

  • Camera Model – Dinion NBN-498-P IVA

The vulnerability was found in the web interface used to monitor the camera's live feed, which can also be published to the web. The web application does not properly sanitize the "idstring" parameter: any XML or HTML markup injected into that field is accepted and reflected as-is. The vulnerability was found only in this specific component.

  • Vulnerable component:
    “camera address”/rcp.xml?idstring=

Figure 1 – Web Camera Interface

The image above shows the camera's web interface. As you can see, it's pretty simple. It is also an administrative interface with restricted functions, which had been set up with the default security settings and no password at all.


Figure 2 – POC – Command injection at “idstring”

The injection is done by sending the payload in the "idstring" field; anything typed there was accepted by the system. My lack of background knowledge of this system made me run out of tests here: at the time I did this testing I didn't know anything about the camera's backend, so I wasn't able to mount any elaborate attacks.


Figure 3 – Cont. Command Injection

This last image is the proof of concept: as you can see, the "tagnode" function was inserted in the "idstring" parameter. As I stated before, this isn't an elaborate attack, and I wasn't able to compromise the system due to my lack of time at the date I was testing, but it is proof that the system is vulnerable to XML injection.
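A quick way to turn the observation above into a repeatable check. This is an added example, not Bosch code and not part of the original post: the two build_* functions are constructed stand-ins for how the camera might generate rcp.xml (the post only says that idstring is echoed unsanitized), the element names <rcp> and <idstring> are assumptions, and the http scheme for "camera address" is assumed too. The point it makes is the one the post is about: when the reflected input is parsed as markup it changes the document's structure (a new element appears in the tree), whereas an escaped reflection only changes a text node.

```python
"""Reflection check for the rcp.xml?idstring= parameter (added example).

build_rcp_xml_vulnerable / build_rcp_xml_hardened are CONSTRUCTED stand-ins
for the camera's response; <rcp> and <idstring> are assumed element names.
"""
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
from urllib.parse import urlencode
from urllib.request import urlopen


def build_rcp_xml_vulnerable(idstring: str) -> str:
    # Constructed stand-in: raw string concatenation, which is what the
    # observed behaviour (markup accepted and echoed verbatim) implies.
    return f'<?xml version="1.0"?><rcp><idstring>{idstring}</idstring></rcp>'


def build_rcp_xml_hardened(idstring: str) -> str:
    # Same document, but '<', '>' and '&' are escaped before embedding,
    # so user input can only ever become character data, never an element.
    return f'<?xml version="1.0"?><rcp><idstring>{escape(idstring)}</idstring></rcp>'


def make_probe(nonce: str) -> str:
    # A self-closing element with a per-run nonce: harmless if reflected,
    # but unmistakable in the parse tree if the input is treated as markup.
    return f"<probe{nonce}/>"


def classify_reflection(xml_text: str, nonce: str) -> str:
    """Classify how the probe came back in an rcp.xml response.

    "injected"      - probe parsed as a real element: XML injection confirmed
    "malformed"     - probe echoed raw but the document no longer parses
    "escaped"       - probe present only as text: input was sanitised
    "not-reflected" - probe not found at all
    """
    probe = make_probe(nonce)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "malformed" if probe in xml_text else "not-reflected"
    if root.find(f".//probe{nonce}") is not None:
        return "injected"
    if any(probe in (el.text or "") for el in root.iter()):
        return "escaped"
    return "not-reflected"


def probe_url(camera_address: str, nonce: str) -> str:
    # The request shape from the post: "camera address"/rcp.xml?idstring=...
    # (http scheme assumed).
    return f"http://{camera_address}/rcp.xml?" + urlencode({"idstring": make_probe(nonce)})


def check_live(camera_address: str, timeout: float = 5.0) -> str:
    # Live variant, for a device you are authorised to test. Not exercised
    # offline; everything else in this file runs without network access.
    nonce = secrets.token_hex(4)
    with urlopen(probe_url(camera_address, nonce), timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, nonce)


if __name__ == "__main__":
    nonce = secrets.token_hex(4)
    payload = make_probe(nonce)
    # Offline demonstration against the two constructed response builders.
    for label, builder in (("vulnerable", build_rcp_xml_vulnerable),
                           ("hardened", build_rcp_xml_hardened)):
        print(f"{label:10s} -> {classify_reflection(builder(payload), nonce)}")
```

Note that "malformed" is still a finding: the probe reached the document unescaped and broke it, which is exactly the condition that lets a crafted idstring open or close elements at will; it just means the probe needs to be adapted to where in the document the value lands.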

I'm looking forward to extending my testing of this system to something more practical.

Here’s the timeline for this finding:

  • First contact: 09/17/2015 - no answer
  • Second contact: 09/21/2015 - no answer
  • Disclosure: 03/27/2016