Ningyuanda TC155 IP Camera Unauthenticated Hard Reset Vulnerability via ONVIF Device Management Service
Vulnerability
A vulnerability exists in the Ningyuanda TC155 IP Camera running firmware version 57.0.2.0. The issue arises in the ONVIF Device Management Service, specifically within the '/onvif/device_service' file. The vulnerability allows for improper access control, as the 'SetSystemFactoryDefault' action can be invoked without authentication. By sending the 'FactoryDefault' argument with the value 'Hard', an attacker on the local network can perform a full factory reset of the device. This reset wipes all configuration settings, including Wi-Fi details and ONVIF/RTSP credentials, and temporarily disrupts the camera's availability until it is manually reconfigured.
Impact
Exploitation of this vulnerability leads to a complete factory reset of the device, erasing all configuration settings and causing a temporary loss of functionality until the device is manually set up again.
Reproduction
To reproduce this vulnerability, connect to the same local area network as the TC155 IP Camera. Once connected, identify the camera's IP address. After locating the device, send an unauthenticated SOAP request to the '/onvif/device_service' endpoint, using the 'SetSystemFactoryDefault' action and specifying 'FactoryDefault=Hard'. After the request is sent, power-cycle the camera by unplugging it and then plugging it back in. The camera will reboot into setup mode, confirming that the factory reset was successful.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
