sricam-gsoap2.8-dos-exploit
[Sricam gSOAP2.8 DoS exploit proof of concept]
Proof of Concept code: Sricam_gSOAP_PoC_exploit.sh
CVE-2019-6973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6973
Thanks to the CVE Assignment Team for their help structuring the following:
[Description]
Sricam IP CCTV cameras are vulnerable to denial of service via multiple incomplete HTTP requests
because the web server (based on gSOAP 2.8.x) is configured for an iterative queueing approach (aka non-threaded operation)
with a timeout of several seconds.
[Additional Information]
Sricam IP CCTV cameras are vulnerable to denial of service with
reliably predictable downtime, exploitable by sending multiple
incomplete HTTP requests.
I have spoken with Sricam who said they do not support this. I have also spoken to gSOAP techs and the camera is vulnerable because Sricam have configured their cameras to use an iterative webserver with a long timeout of 20 seconds. gSOAP recommends using a threaded web server with a maximum timeout of 5 seconds.
[Vulnerability Type]
Denial of Service
[Vendor of Product]
Sricam
[Affected Product Code Base]
Sricam gSOAP 2.8 - 2.8
[Affected Component]
Sricam IP CCTV Camera gSOAP 2.8 webserver
[Attack Type]
Remote
[Impact Denial of Service]
True
[Attack Vectors]
Send an incomplete HTTP request. For each request the Sricam
implementation of the gSOAP web server will wait 20 seconds before
responding - but the camera will still accept more incoming
connections and queue them. This condition can be exploited in order
to reliably cause denial of service.
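The following timing model is an added example, not part of the original PoC or of gSOAP. It compares the iterative 20-second configuration described above with the threaded 5-second configuration gSOAP recommends, to show how long a legitimate viewer waits in each case. The service time, the trace and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

SERVICE_TIME = 0.05  # assumed seconds to answer a complete request (constructed value)

@dataclass
class Conn:
    arrival: float   # seconds since the start of the trace
    complete: bool   # False: request never finishes, handler waits for the timeout

def hold_time(conn, recv_timeout):
    """Seconds one connection occupies its handler."""
    return SERVICE_TIME if conn.complete else recv_timeout

def iterative_finish_times(conns, recv_timeout):
    """Single handler with a FIFO accept queue: each connection waits for all earlier ones."""
    free_at, finished = 0.0, []
    for c in sorted(conns, key=lambda c: c.arrival):
        start = max(free_at, c.arrival)
        free_at = start + hold_time(c, recv_timeout)
        finished.append(free_at)
    return finished

def threaded_finish_times(conns, recv_timeout):
    """One thread per connection (simplification: thread supply is not modelled)."""
    return [c.arrival + hold_time(c, recv_timeout)
            for c in sorted(conns, key=lambda c: c.arrival)]

def legit_latency(conns, finish_times):
    """Worst latency experienced by complete (legitimate) requests."""
    ordered = sorted(conns, key=lambda c: c.arrival)
    return max(f - c.arrival for c, f in zip(ordered, finish_times) if c.complete)

# Constructed trace: three connections that never complete, then a viewer at t=1s.
TRACE = [Conn(0.0, False), Conn(0.1, False), Conn(0.2, False), Conn(1.0, True)]

if __name__ == "__main__":
    for label, times in [
        ("iterative, 20s timeout", iterative_finish_times(TRACE, 20.0)),
        ("iterative,  5s timeout", iterative_finish_times(TRACE, 5.0)),
        ("threaded,   5s timeout", threaded_finish_times(TRACE, 5.0)),
    ]:
        print(f"{label}: viewer waits {legit_latency(TRACE, times):.2f}s")
```

Shortening the timeout alone only shrinks the stall; in this model it is the threaded handler that removes the head-of-line blocking.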
[Reference]
https://github.com/bitfu/sricam-gsoap2.8-dos-exploit
[Discoverer]
Andrew Watson
Contact: https://keybase.io/bitfu