SecurityTracker.com
Category:   Device (Embedded Server/Appliance)  >   Canon Network Camera
Vendors:   Canon
Canon VB-C10R Network Camera Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1008579
SecurityTracker URL:  http://securitytracker.com/id/1008579
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 31 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): VB-C10R; Firmware 1.0 Rev. 21
Description:   An input validation vulnerability was reported in the Canon VB-C10R Network Camera. A remote user can conduct cross-site scripting attacks.

It is reported that the built-in web server does not filter user-supplied HTML from HTTP requests before displaying the user-supplied request URL when an invalid page is requested. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Network Camera and will run in the security context of the camera. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://198.182.xxx.xxx:80/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp

The vendor was reportedly notified on November 28, 2003.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the network camera, access data recently submitted by the target user via web form to the camera, or take actions on the camera acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.canon.com/wvw/product/vbc10/index.htm
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] XSS vulnerability in Canon webcam


I ran a nessus security scan against our recently purchased Canon VB-C10R Network 
Camera (remote controlled web-cam). It revealed the information listed below, which 
includes a Cross Site Scripting vulnerability in the embedded web server.  I have 
verified that this affects Opera 6 & 7, Mozilla Firebird 0.6.1, Netscape 4.x, 6 & 7, and 
Mozilla 1.6b, but it does not affect my IE6sp1+, including NeoPlanet and Avant.

I have contacted Canon several times about this but I don't think they are too 
concerned (and I don't have the experience to determine if this is a significant problem 
or not; or if other web-cams are also vulnerable). Canon did not acknowledge any of 
my emails or even the fax their customer support person asked me to send until finally 
I was able to speak with a supervisor the next week who said they had received an 
email and that it was going to be sent to their NY HQ, which would then send it to 
their engineers in Japan. He didn't think I would hear anything for at least a couple of 
weeks, if ever. I initially called them on Nov. 28th.

I would appreciate any comments on this issue.


<snip from Email to Canon>

...The Flash ROM Firmware for the camera was upgraded to the latest - ver. 1.0 Rev. 
21 prior to the scan. The camera's s/n is 2510320297.  Of these issues, item three is 
of the most concern to me. Perhaps an upgrade to boa 0.94.13 <http://www.boa.org/> 
may solve this problem? (I have not taken the time yet to further research this.)

Please let me know the status of this issue and your time line for resolution.


1)  Service: http (80/tcp)
Severity: Low - The following directories were discovered:

/sample

The following directories require authentication:
/admin, /cgi-bin, /java, /support

2)  Service: http (80/tcp)
Severity: Low
The remote web server type is :

Boa/0.92o

This web server was fingerprinted as Boa/0.92o
which is consistent with the displayed banner

Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.


3)   The remote web server seems to be vulnerable to the Cross Site Scripting 
vulnerability (XSS). The vulnerability is caused by the result returned to the user when 
a non-existing file is requested (e.g. the result contains the JavaScript provided in the 
request).
The vulnerability would allow an attacker to make the server present the user with the 
attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the 
server (for example, the trust level of banks, shopping centers, etc. would usually be 
high).

Sample url : http://198.182.xxx.xxx:80/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp

Risk factor : Medium

</snip>


Casey Townsend
System Administrator
Department of Transportation
City of Tucson
520-791-5100

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 

