Skip to main content

Posts

Showing posts from May, 2019

Besder - An Investigative Journey Part 2

RECAP
DoS Part 2 While we do have an already working DoS exploit, there is a lot to be learned in further potential fuzzing. Working with Radamsa was a snap, and helped me find two new vulnerabilities, the "Message Quotes" and "Options Wrong Type" vulnerabilities.

Message Quotes DoS This one takes advantage of some error made in JSON processing, when given a message that consists entirely of two quotes, the camera crashes. Not really too much to say about it. Like the size int problem, this one works on all commands.
Options Wrong Type DoS This takes advantage of another issue in the JSON processing the camera's server does. This one only works on specific commands; OPTalk, OPMonitor, and OPRecordSnap. When these commands are sent, the have the option of including a hash of options under the root as the same name of command.

Example:
{ "Name": "OPMonitor", "OPMonitor":  { "Action": "Claim", "Action1":  &quo…