Qualys Security Advisory QSA-2017-02-22
February 22, 2017
Insecure CrossDomain.XML in D-Link DCS Series Cameras
Synopsis
D-Link DCS series network cameras ship a weak/insecure CrossDomain.XML file which allows sites hosting a malicious Flash object to access and/or change the device's settings.
Reference: http://us.dlink.com/product-category/home-solutions/view/network-cameras/
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7852
Vendor Response: In 2016 D-Link phased in CSRF mitigation on all CGI on the cameras so an injection like this would not be allowed authenticated or unauthenticated. Please refer to the tracking table at the bottom of this report which includes the H/W Revision and firmware when this CSRF mitigation was enabled.
Vulnerability Details
Lab Setup:
- Target Camera: DCS-933L with firmware version 1.03
- Target IP Address: 10X.X.X.X
- Site Hosting Malicious Flash Object: http://Maliciousxxxx.com
- Camera settings sent to: http://MyMaliciousSite.com
Vulnerable/Tested Version:
DCS-933L running firmware version 1.03 is affected. However, the latest firmware for this device, as well as for other devices such as DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, DCS-932LB1, etc., has the same file containing weak or improper configurations.
Note: It seems that all DCS series network cameras have the same file containing weak or improper configurations, but this has not been checked on all models.
Vulnerability: Insecure CrossDomain.XML file vulnerability
An unauthenticated, remote attacker could host a malicious Flash file on his website that makes requests to the victim's device without having credentials.
Risk Factor: High
Impact:
If a victim is logged in to the camera's web console and visits a malicious site hosting a malicious Flash file from another tab in the same browser, the malicious Flash file can send requests to the victim's DCS series camera without knowing the credentials. An attacker can host a malicious Flash file which can retrieve live feeds or information from the victim's DCS series camera, add new admin users or make other changes to the device.
CVSS Score: AV:N/AC:L/Au:N/C:C/I:N/A:C
Proof-of-Concept
The following steps outline a proof-of-concept for exploiting this vulnerability:
- Build a Flash file using Flex SDK which would access Advance.htm from the target device and send the response to an attacker's site.
- Download this file and copy it to the WebRoot of http://Maliciousxxxx.com.
- Log into the Camera's web admin console and then visit http://Maliciousxxxx.com/FlashMe2.swf.
The process involves:
- A Flash object sending a GET request to http://CameraIP/advanced.htm.
- The Flash object then sending the received response from the Camera to the attacker's site.
This allows requesting other pages and retrieving sensitive information, such as live video feeds. It can also be used to add an admin user to the device. A publicly available CrossDomain.XML Hacking Proof-of-Concept tool was used for this demonstration.
The following screenshots illustrate the process:
- Screenshots show there are no other users on the device initially.
- Demonstration of a request to add user 'admin1'.
- Confirmation that user 'admin1' was added successfully.
Tracking Table
D-Link Model | H/W version | FW version
---|---|---
DCS-2132L | B | v2.12.00
DCS-2330L | A | v1.13.00
DCS-2310L | B | v2.03.00
DCS-5029L | A | v1.12.00
DCS-5222L | B | v2.12.00
DCS-6212L | A | v1.00.12
DCS-7000L | A | v1.04.00
DCS-2132L | A | v1.08.01
DCS-2136L | A | v1.04.01
DCS-2210L | A | v1.03.01
DCS-2230L | A | v1.03.01
DCS-2310L | A | v1.08.01
DCS-2332L | A | v1.08.01
DCS-6010L | A | v1.15.01
DCS-7010L | A | v1.08.01
DCS-2530L | A | v1.00.21
DCS-930L | A | v1.15.04
DCS-930L | B | v2.13.15
DCS-932L | A | v1.13.04
DCS-932L | B | v2.13.15
DCS-934L | A | v1.04.15
DCS-942L | A | v1.27
DCS-942L | B | v2.11.03
DCS-931L | A | v1.13.05
DCS-933L | A | v1.13.05
DCS-5009L | A | v1.07.05
DCS-5010L | A | v1.13.05
DCS-5020L | A | v1.13.05
DCS-5000L | A | v1.02.02
DCS-5025L | A | v1.02.10
DCS-5030L | A | v1.01.06
Potential Mitigation per CWE
Avoid using wildcards (*) in the cross-domain.xml policy file. Any domain matching a wildcard expression is implicitly trusted and can perform two-way interaction with the target server.
For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
Adobe Recommendation: http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html
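The following audit script is an added example, not code from this advisory, Qualys or D-Link: it parses a crossdomain.xml policy and flags the permissive settings described above (wildcard domains, a missing or 'all' meta-policy, explicit secure="false"). Both sample policies are constructed for illustration and are not copied from any DCS camera firmware.

```python
"""Audit a Flash crossdomain.xml policy for the permissive settings the
advisory warns about. Added example; sample policies are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: a wildcard policy of the kind the advisory describes.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: a policy following the CWE / Adobe guidance above.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_crossdomain(policy_xml):
    """Return a list of finding strings; an empty list means no issue found."""
    findings = []
    root = ET.fromstring(policy_xml)

    # Meta-policy: the advisory recommends an explicit 'master-only' or
    # 'none'; a missing site-control element or 'all' leaves other policy
    # files on the host (e.g. an uploaded one) eligible to be honoured.
    site_control = root.find("site-control")
    meta = None
    if site_control is not None:
        meta = site_control.get("permitted-cross-domain-policies")
    if meta is None or meta == "all":
        findings.append("meta-policy not restricted: set "
                        "permitted-cross-domain-policies to 'master-only' or 'none'")

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        # Any domain matching a wildcard is implicitly trusted for two-way access.
        if "*" in domain:
            findings.append(f"wildcard domain '{domain}' trusts any matching site")
        # secure="false" lets plain-HTTP origins reach an HTTPS-served policy.
        if elem.get("secure", "true").lower() == "false":
            findings.append(f"secure=\"false\" on '{domain}' weakens HTTPS policy")

    for elem in root.findall("allow-http-request-headers-from"):
        if "*" in elem.get("domain", ""):
            findings.append("wildcard domain in allow-http-request-headers-from")
    return findings
```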
Credits
The discovery and documentation of this vulnerability were conducted by Kapil Khot, Qualys Vulnerability Signature/Research Team.
Contact
For more information about the Qualys Security Research Team, visit their website at http://www.qualys.com or send email to research@qualys.com.
Legal Notice
The information contained within this advisory is Copyright (C) 2017 Qualys Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way.