CVE-2023-31594 PoC — IC Realtime ICIP-P2012T 访问控制错误漏洞

Source

https://github.com/Yozarseef95/CVE-2023-31594

Associated Vulnerability

Title:IC Realtime ICIP-P2012T 访问控制错误漏洞 (CVE-2023-31594)
Description:IC Realtime ICIP-P2012T是IC Realtime公司的一款 200 万像素的相机。 IC Realtime ICIP-P2012T 2.420版本存在安全漏洞，该漏洞源于容易受到不正确访问控制的影响。

Description

IC Realtime ICIP-P2012T 2.420 is vulnerable to Incorrect Access Control

Readme

# CVE-2023-31594
IC Realtime ICIP-P2012T is vulnerable to Incorrect Access Control

Unauthenticated Streaming Channel in IC Realtime IP PTZ Dome Camera ICIP-P2012 software version:  2.420

The live feed (MJPEG) can be streamed via an exposed HTTP channel using VLC network stream. This vulnerability critically affects confidentiality of customers and could be used in reconnaissance phase (identify people, assets, passwords etc.).

# Proof of Concept (POC)

If HTTP streaming is allowed, a URL path could be used to allow user to
MJPEG stream camera without any required authentication.

The path:
``` http://ip:port/cgi-bin/mjpg/video.cgi?[channel=1]&subtype=1```

![image](https://github.com/Yozarseef95/CVE-2023-31594/assets/128100303/7ef322ff-9861-4cdc-8972-9e99b2bb0de8)

[Discoverer]
> Youssef Mohamed - Cloud Consultancy for Digitalization & Security

File Snapshot


 [4.0K]  /data/pocs/9ee079200823dbcffa704747425b3e7f4da1fec6
└── [ 860]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!