Hisilicon HiIpcam Directory Traversal Vulnerability Allowing ADSL Credentials Disclosure
Vulnerability
A directory traversal vulnerability has been identified in Hisilicon HiIpcam V100R003. It allows unauthenticated attackers to access sensitive configuration files by exploiting directory listing features in the cgi-bin directory. Attackers can target the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration details, including usernames, passwords, and DNS settings.
Impact
Exploitation of this vulnerability leads to unauthorized access to ADSL credentials and sensitive network configuration information.
Reproduction
The vulnerability can be reproduced by sending a request to the cgi-bin directory of the affected device. If the server responds with a directory listing, the target is vulnerable. After confirming the vulnerability, a request can be made to the getadslattr.cgi endpoint to retrieve ADSL credentials and network configuration parameters.
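The two requests described above leave a recognizable trace in HTTP access logs. The following is an added example, not part of the original advisory or any vendor tooling: it scans combined-format access logs for unauthenticated, successful requests to the cgi-bin directory and to getadslattr.cgi. The log source (a reverse proxy or network sensor in front of the camera), the /cgi-bin/ URL prefix, the use of the log's user field as the authentication signal, and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: combined-log-format lines from a hypothetical reverse
# proxy or network sensor in front of the camera (not device output).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /cgi-bin/ HTTP/1.1" 200 2311 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /cgi-bin/getadslattr.cgi HTTP/1.1" 200 187 "-" "curl/8.0"
192.0.2.10 - admin [12/Mar/2024:10:02:00 +0000] "GET /cgi-bin/getadslattr.cgi HTTP/1.1" 200 187 "-" "Mozilla/5.0"
203.0.113.4 - - [12/Mar/2024:10:03:00 +0000] "GET /cgi-bin/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(path):
    """Return 'listing', 'adsl' or None for a request path."""
    path = path.split("?", 1)[0].lower()
    if path.endswith("/cgi-bin/"):
        return "listing"          # bare directory request
    if path.rsplit("/", 1)[-1] == "getadslattr.cgi":
        return "adsl"             # credential-bearing endpoint
    return None

def find_exposure(log_text):
    """Map source IP -> sorted list of findings for unauthenticated 2xx hits."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m["path"])
        # Only successful responses without an authenticated user matter:
        # a 403/401 means the device or proxy refused the request.
        if kind and m["status"].startswith("2") and m["user"] == "-":
            findings[m["ip"]].add(kind)
    return {ip: sorted(kinds) for ip, kinds in findings.items()}

if __name__ == "__main__":
    for ip, kinds in find_exposure(SAMPLE_LOG).items():
        severity = "credentials likely disclosed" if "adsl" in kinds else "listing exposed"
        print(f"{ip}: {', '.join(kinds)} -> {severity}")
```

A source that appears with both findings has followed the full sequence from the Reproduction section, so the ADSL credentials served by that device should be treated as disclosed.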
