Tuesday, January 14, 2020

[Amcrest] 2.520.AC00.18.R Login Bypass (CVE-2020-7222)

Amcrest is a brand of security cameras (CCTV and IP cameras).

The web server used in firmware 2.520.AC00.18.R is vulnerable to a login bypass. The web server is commonly hosted on port 8080. When you try to log in with the admin account and any password, the login fails, as expected, because the credentials are incorrect.

The interesting part is the response body from the web server. If we use Burp Suite to check what the server responds with, we'll notice that it is simple JavaScript. The most interesting parameter is "result".

So, what will happen if we try to change that result parameter to true?
Let's create a Match and Replace rule in Burp.

Let’s try again and log in.

We can see that the response was modified correctly by Burp, and as a consequence we now have access.

The access is limited: we cannot modify parameters, but we are not anonymous. We have full access to all options available.
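The behaviour above is what results when the browser script decides access from the login response while the server answers requests without checking a session it issued. The following added example (not from the original post or from Amcrest's firmware; all function names, the sample credential and the data are hypothetical) models that pattern next to a server-side session check.

```javascript
// Added illustration, not Amcrest code: every name and value here is hypothetical.
const { randomBytes, timingSafeEqual, createHash } = require('crypto');

const USERS = { admin: 'S3cure-sample-pw' };   // constructed sample credential
const sessions = new Map();                    // token -> user, held only on the server

const digest = (s) => createHash('sha256').update(String(s)).digest();

// Server side: a token is issued only when the password really matches.
function login(user, password) {
  const known = Object.prototype.hasOwnProperty.call(USERS, user);
  const match = timingSafeEqual(digest(known ? USERS[user] : ''), digest(password));
  if (!known || !match) return { result: false };
  const session = randomBytes(32).toString('hex');
  sessions.set(session, user);
  return { result: true, session };
}

// Flawed pattern: the endpoint answers any request and relies on the
// browser script to keep unauthenticated users on the login page.
function getSettingsFlawed(_request) {
  return { status: 200, body: { deviceName: 'lobby-cam' } };
}

// Hardened pattern: the server checks a token it issued on every request.
function getSettingsHardened(request) {
  if (typeof request.session !== 'string' || !sessions.has(request.session)) {
    return { status: 401, body: null };
  }
  return { status: 200, body: { deviceName: 'lobby-cam' } };
}

// Browser-side logic: acts on whatever login response reaches it, which a
// proxy between server and browser may have rewritten.
function clientOpenSettings(loginResponse, endpoint) {
  if (loginResponse.result !== true) return { status: 0, body: null };
  return endpoint({ session: loginResponse.session });
}

// Constructed scenario: wrong password, then "result" rewritten in transit.
function demo() {
  const rewritten = { ...login('admin', 'wrong-password'), result: true };
  const genuine = login('admin', USERS.admin);
  return {
    flawed: clientOpenSettings(rewritten, getSettingsFlawed).status,
    hardened: clientOpenSettings(rewritten, getSettingsHardened).status,
    legitimate: clientOpenSettings(genuine, getSettingsHardened).status,
  };
}
```

With the hardened handler, a rewritten `result` only changes what the browser draws; every data request still returns 401 until the server has issued a session.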



