Hard-coded accounts on multiple network cameras
===============================================
[ADVISORY INFORMATION]
Title: Hard-coded accounts on multiple network cameras
Discovery date: 05/06/2013
Release date: 11/07/2013
[VULNERABILITY INFORMATION]
Class: Authentication bypass, command execution
[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerability on the following
products/firmware versions:
* 3S Vision N1072 network camera, firmware version v1.07_STD-1
* 3S Vision N1073 network camera, firmware version v1.02_STD-1
* 3S Vision N3071 network camera, firmware version v1.05_STD-1
* Asante Voyager 1 network camera, firmware version v2.08
* Asante Voyager 2 network camera, firmware version v2.08
* ALinking ALC-9451/ALC-9452 network cameras, firmware version v1.33
Several other device manufacturers, models and firmware versions are probably
also vulnerable, but they were not checked, mainly due to time constraints.
[VULNERABILITY DETAILS]
The web server and RTSP daemon of the affected cameras include a hard-coded
user account. Different device manufacturers (and camera models) use different
hard-coded accounts. This issue can be abused by remote attackers to gain
administrative access to the affected devices.
In the following, we report the hard-coded accounts for 3S Vision and Asante
network cameras, as these are the only device manufacturers that were contacted
and that replied to our inquiries.
- 3S Vision cameras
* HTTP & RTSP account: "3sadmin:27988303"
- Asante Voyager 1 network cameras
* HTTP account: "uniform:uic7799"
* RTSP account: "uicrd:xu06m3"
- Asante Voyager 2 network cameras
* HTTP & RTSP account: "uicrd:xu06m3"
As the account is hard-coded in the web server and RTSP server binary files, it
cannot be changed by end-users without upgrading the whole firmware image (or
manually patching the executable files).
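The following Python module is an added audit example and is not part of the
advisory. It turns the two facts above into checks an operator can run: (a)
scan an extracted web-server or RTSP-server binary for the credential strings
listed in this advisory, and (b) build the authenticated HTTP and RTSP DESCRIBE
requests a live probe would send and classify the reply. It assumes the cameras
use HTTP Basic authentication on both protocols (the advisory does not state the
scheme); the host 192.0.2.10, the path /live.sdp and the sample firmware bytes
are constructed placeholders.

```python
"""Audit helpers for the hard-coded camera accounts in this advisory (added example)."""
import base64
import http.client

# Accounts exactly as reported in the advisory: (vendor, protocol, user, password)
KNOWN_ACCOUNTS = [
    ("3S Vision", "HTTP/RTSP", "3sadmin", "27988303"),
    ("Asante Voyager 1", "HTTP", "uniform", "uic7799"),
    ("Asante Voyager 1", "RTSP", "uicrd", "xu06m3"),
    ("Asante Voyager 2", "HTTP/RTSP", "uicrd", "xu06m3"),
]


def scan_firmware(blob):
    """Return the known accounts whose user AND password strings both occur in blob.

    Intended for an extracted web-server / RTSP-server executable. Requiring both
    halves keeps short passwords such as "xu06m3" from matching by chance.
    """
    return [acct for acct in KNOWN_ACCOUNTS
            if acct[2].encode() in blob and acct[3].encode() in blob]


def basic_auth_header(user, password):
    """Value of an HTTP/RTSP Authorization header for Basic auth (assumed scheme)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def rtsp_describe_request(url, user, password, cseq=1):
    """Raw RTSP/1.0 DESCRIBE request carrying the hard-coded account."""
    lines = [
        f"DESCRIBE {url} RTSP/1.0",
        f"CSeq: {cseq}",
        f"Authorization: {basic_auth_header(user, password)}",
        "Accept: application/sdp",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def status_code(response):
    """Parse the numeric status from an HTTP or RTSP status line; None if absent."""
    first = response.split(b"\r\n", 1)[0].split()
    if len(first) >= 2 and first[1].isdigit():
        return int(first[1])
    return None


def credentials_accepted(response):
    """True when the server answered 200 instead of 401/403 to an authenticated request."""
    return status_code(response) == 200


def probe_http(host, user, password, path="/", port=80, timeout=5):
    """Live check (network): status without credentials, then with them.

    A meaningful hit is (401, 200): the resource demands auth and the hard-coded
    account satisfies it. A (200, 200) pair says nothing, because the path is
    reachable anonymously. Not executed at import time.
    """
    codes = []
    for headers in ({}, {"Authorization": basic_auth_header(user, password)}):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers=headers)
        codes.append(conn.getresponse().status)
        conn.close()
    return tuple(codes)


if __name__ == "__main__":
    # Constructed stand-in for a strings dump of an Asante RTSP daemon binary.
    SAMPLE_BINARY = b"\x7fELF\x00rtspd\x00uicrd\x00xu06m3\x00DESCRIBE\x00"
    for vendor, proto, user, pwd in scan_firmware(SAMPLE_BINARY):
        print(f"{vendor} {proto} account present: {user}:{pwd}")
    print(rtsp_describe_request("rtsp://192.0.2.10/live.sdp", "3sadmin", "27988303").decode())
```

Run the firmware scan against the unpacked web-server and RTSP-server
executables, not the compressed image, since the strings are only visible
after extraction. For a live probe, pick a path that returns 401 anonymously
and only treat the (401, 200) pair as confirmation.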