Vilar IP Camera Multiple Vulnerabilities

The Vilar IP Camera model IP-001A is probably the Monacor VWC-300PT camera under different branding. Even the manual uses the VWC-300PT header but refers to it as the Vilar elsewhere! The Vilar IP-001A running firmware 1.1.0.32 has default administrative credentials, as the manual states:

After that click [ok] and then enter the administrator’s username as “admin” and the administrator password as “123456”.

There is also a stored cross-site scripting vulnerability in the /setup/user_account.html page. If you create a user (even with guest privileges) and use an XSS payload for the name, the camera will save it and render it on subsequent loads of the page (after the camera reboots). The URL of this page is http://[target]/cgi-bin/action?action=loadpage&page=/setup/user_account.html&lang=eng but once you input the information it actually gets updated using the http://[target]/cgi-bin/action script. Example payload:

action=write&cfg_content=useraccount&lang=eng&Account_Name1=admin&Account_passwd1=**********&Account_access1=4&Account_Name2=user&Account_passwd2=**********&Account_access2=2&Account_Name3=roger&Account_passwd3=**********&Account_access3=2&Account_Name4=guest&Account_passwd4=**********&Account_access4=1&Account_Name5=df"><script>alert('DF')</script>&Account_passwd5=df&Account_access5=1&Account_access6=0&Account_access7=0&Account_access8=0&Account_allowVisit=0&submit=Apply
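From the defensive side, the check the camera is missing can be applied in front of it (for example in a reverse proxy or a log review): the following is an added example, not code from the original post or from the vendor. It inspects a form body sent to the /cgi-bin/action script, rejects account names outside an allowlist, and shows the output encoding the user_account page should apply before rendering a stored name. The allowlist policy, the function names and the sample bodies are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Assumed policy (not documented by the vendor): short, plain account names.
NAME_OK = re.compile(r"[A-Za-z0-9_.-]{1,32}")
NAME_FIELD = re.compile(r"Account_Name([1-8])")


def audit_useraccount_body(body: str) -> list[tuple[int, str]]:
    """Return (slot, decoded name) for each account name that fails the allowlist.

    Only bodies that write the user-account configuration are inspected.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    fields = dict(pairs)
    if fields.get("action") != "write" or fields.get("cfg_content") != "useraccount":
        return []
    # Walk the raw pair list so a repeated Account_NameN key cannot hide a value.
    findings = set()
    for key, value in pairs:
        match = NAME_FIELD.fullmatch(key)
        if match and not NAME_OK.fullmatch(value):
            findings.add((int(match.group(1)), value))
    return sorted(findings)


def render_account_cell(name: str) -> str:
    """Encode a stored name for HTML text or a quoted attribute value."""
    return html.escape(name, quote=True)


# Constructed sample bodies modelled on the request above (password fields omitted).
SAMPLE_BAD = ("action=write&cfg_content=useraccount&lang=eng"
              "&Account_Name1=admin&Account_access1=4"
              "&Account_Name5=df%22%3E%3Cscript%3Ealert(%27DF%27)%3C%2Fscript%3E"
              "&Account_access5=1&submit=Apply")
SAMPLE_OK = ("action=write&cfg_content=useraccount&lang=eng"
             "&Account_Name1=admin&Account_access1=4"
             "&Account_Name2=user&Account_access2=2&submit=Apply")

if __name__ == "__main__":
    for slot, name in audit_useraccount_body(SAMPLE_BAD):
        print(f"slot {slot}: rejected {name!r}; encoded form {render_account_cell(name)!r}")
```

Input validation alone is not the fix: names already stored on the device still need the encoding step when the page is rendered.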
