<<< Date Index >>>     <<< Thread Index >>>

Esqo advisory: GeoVision Digital Video Surveillance System - Multiple authentication issues




                                   Esqo
                               www.esqo.com

                             Security Advisory

Advisory Name: GeoVision Digital Video Surveillance System – Multiple
                authentication issues
 Release Date: 10-05-2005
  Application: GeoVision Digital Video Surveillance System 6.04, 6.1
                and 7.0
     Platform: Microsoft Windows
     Severity: Sniffed credentials can be replayed or descrambled to
                view live and recorded CCTV footage, also
                unauthenticated access to still images
       Author: Tirath Rai <tirath.rai@xxxxxxxx>
Vendor Status: Vendor alerted - details below
    Reference: www.esqo.com/research/advisories/2005/100505-1.txt


Overview:

The GeoVision Digital Video Surveillance System is a PCI card based
digital video surveillance range for Microsoft Windows platforms. The
GeoVision system is expandable to support POS, Central Monitoring
Station and License Plate Recognition Systems. The GeoVision system is
in use in commercial and residential installations worldwide.

Multiple issues exist revolving around poor authentication mechanisms.
These issues allow sniffed authentication credentials to be reused as-is
or descrambled to allow the discovery of the original password. In
certain configurations still pictures from security cameras can be
viewed without providing any authentication.

GeoVision client software is used to view live and recorded video from a
GeoVision system. These clients may be used to authenticate a user over
an untrusted network, perhaps a wireless LAN in an airport lounge or
coffee shop. In such an instance GeoVision credentials can be captured
and replayed (or descrambled) to allow access to digital video
surveillance system footage.


Details:

First issue - No authentication required

When the GeoVision software is set to create JPEG images for use via the
JPEG Image Viewer it can be seen that no authentication is required to
view the JPEG images.

Using GeoVisions own demonstration as an example the following URLs can
be used to access images. This is true even for servers who specify that
a username and password is required for authentication. In the current
GeoVision demonstration only a username is required to access footage.
This method works on GeoVision 6.04 or 6.1 systems which are configured
to create JPEG images. It will also work on GeoVision 7 systems which
are not configured with the 'Enhanced Network Security' feature. This is
understood to be the default setting.

http://webcam.geovision.com.tw/cam1.jpg
http://webcam.geovision.com.tw/cam2.jpg
...
http://GeoVision/cam[1-16].jpg

Esqo was informed by GeoVision that the issue is known and that future
GeoVision documentation will make this issue plain to those wishing to
use the JPEG Image viewing facilty. In the version 7.0 documentation
this is not made plain to the user. It is our belief that some version
7.0 installations may be vulnerable due to users not being aware of
this.


Second issue - Plain text authentication

During the authentication phase using the live playback client it was
seen that the username part of the authentication component is passed in
plain text. In this partial dump taken using tcpflow the username is
seen to be 'gvUser'.

Here is a partial network dump of an authentication attempt -

--------------------- Network traffic sniffer ---------------------
192.168.105.136:01187-192.168.105.130:00514: ....
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
192.168.105.136:01186-192.168.105.130:04550: 2.
-------------------------------------------------------------------

This testing was performed with GeoVision 6.04, 6.1 and 7.0. Version 7.0
was tested with the 'Enhanced Network Security' feature off, this is
understood to be the default.

Our research shows that a simple transformation of the password based on
hex values for ASCII characters is used to scramble the password. This
scrambling is simple to do in reverse, as seen in the example below.

Sniff from network - this dump is interpreted with tcpflow.

--------------------- Network traffic sniffer ---------------------
192.168.105.130:04550-192.168.105.136:01186: RDY.
192.168.105.136:01186-192.168.105.130:04550: ..7d6a6666636e.gvUser.
192.168.105.130:04550-192.168.105.136:01186: ...
-------------------------------------------------------------------

Here we see the username 'gvUser', still in plain text and the scrambled
password '7d6a6666636e'. In order to go to the from the scrambled string
to the original password a few simple steps are performed.

Split the string into pairs of hex strings

0x7d
0x6a
0x66
0x66
0x63
0x6e

Each pair represents one character in the original password, so this
scrambled string is for a password of 6 characters

Iterate through the pairs subtracting a number from each pair starting
with 0x6, for the first character as there are 6 characters in this
password.

0x7d - 0x6 = 77
0x6a - 0x5 = 65
0x66 - 0x4 = 62
0x66 - 0x3 = 63
0x63 - 0x2 = 61
0x6e - 0x1 = 6d

Then use an ASCII table to translate into characters

0x77 = w
0x65 = e
0x62 = b
0x63 = c
0x61 = a
0x6d = m

So the original password was 'webcam'.

This issue is encountered for all the authentication options below-

Mpeg4 Encoder Viewer
  56kMpegView0.htm
  LanMpegView0.htm
  MultiView.htm

Remote Play Back
  PlayBackX.htm

Emap
  Emap.htm

For the JPEG Image Viewer (JPGLogin.htm) the authentication credentials
are passed using the HTTP POST method completely in plain text.
Scrambling is not used - see below.

--------------------- Network traffic sniffer ---------------------
192.168.105.130:34707-192.168.105.136:80 POST /password HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, */*
Referer: http://192.168.105.136/JPGLogin.htm
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 192.168.1.5
Content-Length: 37
Connection: Keep-Alive
Cache-Control: no-cache

id=gvUser&pwd=webcam&send=Submit
-------------------------------------------------------------------

Here the id= value is the username and the pwd= value is the
password.


Vendor Response:

After Esqo initially notified GeoVision in Dec 2004 the issues were
explained and received due care and attention. The issues were first
noticed on version 6.04 they were confirmed on version 6.1.

We were informed that version 7 would include strong authentication in
order to resolve these issues. GeoVision version 7 was released in April
2005. Upon testing this new release the issues are still seen though
they can be mitigated by using a newly added 'Enhanced Network Security'
feature. It is  understood that the 'Enhanced Network Security' feature
is not enabled by default.


Recommendation:

If you have a pre version 7.0 GeoVision installation it is recommended
to authenticate only over trusted or private networks. If you have a
version 7.0 GeoVision system it is advised to enable the 'Enhanced
Network Security' feature, newly introduced in version 7.0. This feature
is said to utilize RSA encryption. GeoVision version 7.0 documentation
does not inform system administrators of the risks they face if they do
not enable the new 'Enhanced Network Security' feature.


Company Information

Esqo is a UK based IT security firm with worldwide reach, we have
performed successful engagements across the UK, Mainland Europe and the
Middle East. Esqo provides a range of E-risk identification and
management services. We strive to minimize exposure to risks while
maximizing the business benefits of IT systems.

Esqo has been retained by TACGuard (www.tacguard.com) as its lead IT
security partner. TACGuard is a UK based digital CCTV specialist.
Together we aimed to verify the GeoVision system before it was deployed
by TACGuard in commercial installations. It was during this
collaboration that these issues were discovered.


This advisory is created in accordance with the Full Disclosure
Policy (RFPolicy) v2.0 available at
http://www.wiretrip.net/rfp/policy.html

Copyright (c) 2005 Esqo. All rights reserved worldwide.





--
Tirath Rai
Principal Security Engineer
Esqo

Infrastructure and Web Application Security