Authentication bypass #1
Video player plugins are stored as .cab files in the web root, which can be accessed and downloaded without authentication. The streamd web server verifies .cab file requests with the strstr function, which means that a request is not required to be authenticated if it contains the “.cab” string anywhere in the URL. We note that some of the models contain an additional check in the CgiDaemon, which allows unauthenticated CGI access only under the /cgi-bin/nobody folder.
POC:
http://<device_ip>/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*
Authentication bypass #2
CGI scripts in the /cgi-bin/nobody folder can be accessed without authentication (e.g. for login). The streamd web server decides whether a request can be performed without authentication by searching for the “/nobody” string in the URL with the strstr function. Thus, if a request contains the “/nobody” string anywhere in the URL, it does not have to be authenticated. We note that some of the models contain an additional check in the CgiDaemon, which allows unauthenticated CGI access only under the /cgi-bin/nobody folder.
POC:
http://<device_ip>/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*
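Added example (not code from the advisory or from the vendor's firmware): the substring check both bypasses rely on, next to a check that decides on the path component only. The function names, the policy of rejecting "%" and ".." outright, and the sample paths "/cgi-bin/nobody/example.cgi" and "/player.cab" are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flawed logic as the advisory describes it: strstr over the whole URL. */
static bool needs_auth_flawed(const char *url)
{
    return !(strstr(url, ".cab") || strstr(url, "/nobody"));
}

/* Stricter check (assumed policy): decide on the path only, anchored. */
static bool needs_auth_strict(const char *url)
{
    static const char open_dir[] = "/cgi-bin/nobody/";
    static const char cgi_dir[]  = "/cgi-bin/";
    size_t n = strcspn(url, "?#");          /* path length, query/fragment excluded */

    /* Refuse to guess at encoded bytes or ".." segments: require auth. */
    if (memchr(url, '%', n) != NULL)
        return true;
    for (size_t i = 0; i + 1 < n; i++)
        if (url[i] == '.' && url[i + 1] == '.')
            return true;

    /* Login-style scripts: path must start with /cgi-bin/nobody/. */
    if (n > strlen(open_dir) && strncmp(url, open_dir, strlen(open_dir)) == 0)
        return false;

    /* Plugin download: path must end in .cab and not be a CGI path. */
    if (n > 4 && memcmp(url + n - 4, ".cab", 4) == 0 &&
        strncmp(url, cgi_dir, strlen(cgi_dir)) != 0)
        return false;

    return true;
}

int main(void)
{
    /* First two are the request paths from the POCs; the rest are constructed. */
    const char *samples[] = {
        "/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*",
        "/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*",
        "/cgi-bin/nobody/example.cgi",
        "/player.cab",
        "/cgi-bin/nobody/../user/Config.cgi",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flawed=%d strict=%d %s\n", needs_auth_flawed(samples[i]),
               needs_auth_strict(samples[i]), samples[i]);
    return 0;
}
```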
Details: Exploit-DB