Tenable found multiple vulnerabilities in exacqVision Server Bundle 21.06.11.0. This bundle includes exacqVision Client 21.06.4.0, exacqVision Server 21.06.5.0 and exacqVision Web Service 21.06.2.0.
1) exacqVision Web Service Passthrough Account Security Issue
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The exacqVision web service allows users to use a web/mobile browser to retrieve video and other server data from exacqVision servers. The web service connects to the exacqVision server as a client and acts as an intermediary for the web client to control the exacqVision server.
When adding an exacqVision server in the web service UI, a passthrough account can be configured for the exacqVision server. When a web user wants to connect to an exacqVision server through the exacqVision web service, the user either manually enters the credentials for the exacqVision server or uses the passthrough credentials configured for the server.
If a passthrough account is configured, the web service can use the passthrough account to authenticate to the exacqVision server. The user does not need to authenticate to the web service. He or she simply visits URL /advanced.web on the web service host, goes to Configuration -> Systems -> Edit System to select an exacqVision server and checks the "Use passthrough credentials" radio button.
This means an unauthenticated remote attacker can access the exacqVision server with the privileges of the passthrough account.
If the passthrough account has high privileges (i.e., the Full Admin role), the attacker gains correspondingly broad access to the exacqVision server, including the ability to add a user with the Full Admin role.
Even if the passthrough account has low privileges (i.e., the Restricted role), the attacker can still read information that should require higher privileges. For example, only a user in the Full Admin or Power User role can configure video archiving, but a lower privileged user can see the Direct Search username and password that are part of the archiving configuration.
The following PoC shows an unauthenticated remote attacker is able to see the Direct Search username and password through an exacqVision web service host configured with an exacqVision server that has an associated passthrough account in Restricted role (i.e., low privileges).
The exacqVision Web Service Configuration manual mentions "A passthrough account is accessible at all times to all the systems users. If you configure a passthrough account, clients are automatically logged on as a user."
The passthrough configuration page says "The passthrough account is an always-on account that is publicly accessible. If configured, clients will be automatically logged in as this user."
Nevertheless, a passthrough account should not expose the Direct Search username and password to an unauthenticated remote attacker.
2) exacqVision Server Message 0x205 Integer Overflow Remote DoS
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
A 32-bit integer overflow condition exists in streampi.dll loaded into the process space of the exacqVision Server (core.exe). An unauthenticated, remote attacker can exploit this to crash the server.
The vulnerability is triggered by sending a specially crafted type 0x205 message to the exacqVision Server listening on default TCP port 22609.
The type 0x205 message appears to be used to perform password-authenticated key exchange and both the client and server can send this type of message.
The first 0x205 message sent by the client has the following format:
struct msg_205
{
    int8 neg;
    byte unk;
    byte unk;
    byte unk;
    le32 UserPublicKeyLen;
    le32 UsernameLen;
    byte unk[4];
    byte UserPublicKey[UserPublicKeyLen];
    byte Username[UsernameLen];
};
Here is an example of a client-sent type 0x205 message:
The following code snippet shows the vulnerability:
.text:157F57A4 mov eax, [edi+MSG205_BODY.UsernameLen]      ; attacker-controlled
.text:157F57A7 mov edx, [edi+MSG205_BODY.UserPublicKeyLen] ; attacker-controlled
.text:157F57AA add eax, 10h                                ; Msg data header len
.text:157F57AD add eax, edx                                ; int32 overflow !!!
.text:157F57AF cmp ecx, eax                                ; chk if UserPublicKeyLen + UsernameLen + 0x10 == MsgLen
.text:157F57B1 jnz err_152860A3
Here the code makes sure that UserPublicKeyLen + UsernameLen + 0x10 == MsgLen. In the above message, the check passes because 0x38 (UserPublicKeyLen) + 0x05 (UsernameLen) + 0x10 = 0x4d (MsgLen).
Because of the int32 overflow, the following malformed 0x205 message can pass the check as (int32)(0x01000000 + 0xff00003d + 0x10) = 0x4d:
In this case, the server believes the UserPublicKey field is 0x01000000 bytes long (it actually has 0x38 bytes) and the Username field is 0xff00003d bytes long (it actually has 5 bytes). Later, when the server allocates a buffer and copies the UserPublicKey field into it, a buffer over-read occurs because the source data does not contain that many bytes. This can cause an access violation that terminates the process:
Note that this vulnerability only exists for the exacqVision Server running on 32-bit systems.
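The following C program is an added illustration, not code from the advisory or from the exacqVision product. It models the 0x205 header using the field layout given in struct msg_205 above and places the vulnerable 32-bit length check (a direct transcription of the add/add/cmp sequence in the disassembly) beside a hardened version that bounds each field against the remaining message bytes before adding it, so the sum can never wrap. The header bytes and the MsgLen value of 0x4d are constructed from the figures quoted in the text; the function and type names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of the 0x205 message body before the two variable-length
 * fields; matches the "add eax, 10h" in the disassembly. */
#define MSG205_HDR_LEN 0x10u

/* Parsed form of the fixed header (hypothetical name; layout from struct msg_205). */
struct msg205_hdr {
    uint8_t  neg;
    uint8_t  unk[3];
    uint32_t user_public_key_len;   /* le32, attacker-controlled */
    uint32_t username_len;          /* le32, attacker-controlled */
    uint8_t  unk2[4];
};

/* Read a little-endian 32-bit value from a byte buffer. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the 16-byte fixed header; returns false if the buffer is too short. */
bool parse_hdr(const uint8_t *buf, size_t len, struct msg205_hdr *h)
{
    if (len < MSG205_HDR_LEN) return false;
    h->neg = buf[0];
    memcpy(h->unk, buf + 1, 3);
    h->user_public_key_len = le32(buf + 4);
    h->username_len = le32(buf + 8);
    memcpy(h->unk2, buf + 12, 4);
    return true;
}

/* Vulnerable check, transcribed from the disassembly: the sum is computed in
 * 32 bits first and only then compared, so two huge lengths can wrap around
 * to equal a small MsgLen. */
bool check_vulnerable(uint32_t key_len, uint32_t name_len, uint32_t msg_len)
{
    uint32_t sum = name_len + MSG205_HDR_LEN;   /* add eax, 10h            */
    sum += key_len;                             /* add eax, edx (may wrap) */
    return sum == msg_len;                      /* cmp ecx, eax            */
}

/* Hardened check: subtract instead of add. Each length is compared against
 * the bytes still available before it is consumed, so no intermediate value
 * can exceed msg_len and no wraparound is possible on any word size. */
bool check_hardened(uint32_t key_len, uint32_t name_len, uint32_t msg_len)
{
    if (msg_len < MSG205_HDR_LEN) return false;
    uint32_t remaining = msg_len - MSG205_HDR_LEN;
    if (key_len > remaining) return false;
    remaining -= key_len;
    return name_len == remaining;
}

/* Constructed header bytes (not a capture): the length fields of the
 * malformed message described in the text, little-endian. */
static const uint8_t k_malformed_hdr[MSG205_HDR_LEN] = {
    0x01, 0x00, 0x00, 0x00,   /* neg + unk[3] (arbitrary)        */
    0x00, 0x00, 0x00, 0x01,   /* UserPublicKeyLen = 0x01000000   */
    0x3d, 0x00, 0x00, 0xff,   /* UsernameLen      = 0xff00003d   */
    0x00, 0x00, 0x00, 0x00    /* unk[4]                          */
};

/* MsgLen of the message the malformed header is embedded in (from the text). */
#define MSG205_SAMPLE_MSG_LEN 0x4du

/* Returns 1 if the vulnerable check accepts the constructed header while the
 * hardened check rejects it, 0 otherwise. */
int demo_malformed(void)
{
    struct msg205_hdr h;
    if (!parse_hdr(k_malformed_hdr, sizeof k_malformed_hdr, &h)) return 0;
    bool vuln = check_vulnerable(h.user_public_key_len, h.username_len,
                                 MSG205_SAMPLE_MSG_LEN);
    bool hard = check_hardened(h.user_public_key_len, h.username_len,
                               MSG205_SAMPLE_MSG_LEN);
    return (vuln && !hard) ? 1 : 0;
}

int main(void)
{
    struct msg205_hdr h;
    parse_hdr(k_malformed_hdr, sizeof k_malformed_hdr, &h);
    printf("UserPublicKeyLen=0x%08x UsernameLen=0x%08x MsgLen=0x%02x\n",
           h.user_public_key_len, h.username_len, MSG205_SAMPLE_MSG_LEN);
    printf("vulnerable check: %s\n",
           check_vulnerable(h.user_public_key_len, h.username_len,
                            MSG205_SAMPLE_MSG_LEN) ? "accepted" : "rejected");
    printf("hardened check:   %s\n",
           check_hardened(h.user_public_key_len, h.username_len,
                          MSG205_SAMPLE_MSG_LEN) ? "accepted" : "rejected");
    return demo_malformed() ? 0 : 1;
}
```

The benign message from the text (0x38 + 0x05 + 0x10 = 0x4d) passes both checks; the malformed one passes only the vulnerable check, because 0xff00003d + 0x10 + 0x01000000 wraps to 0x4d in 32 bits. The hardened form also fixes the problem independently of word size, which matters here since the text notes the crash is specific to 32-bit builds: a 64-bit build that happened not to wrap would still be trusting unchecked lengths.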