Ningyuanda TC155 IP Camera Unauthenticated ONVIF PTZ Control Interface Access Control Vulnerability

Vulnerability

A vulnerability exists in the Ningyuanda TC155 IP camera running firmware version 57.0.2.0, specifically within the ONVIF PTZ control interface. The issue arises because the camera's PTZ service endpoint accepts movement commands without requiring authentication. This flaw allows an unauthenticated attacker on the same local network to manipulate the camera's PTZ functions, such as panning and tilting, potentially disrupting surveillance coverage or redirecting the camera's view to unintended areas. The vulnerability stems from the firmware's failure to validate the identity of requesters or enforce necessary capability checks before processing PTZ commands.

Impact

Exploitation of this vulnerability allows unauthorized control of the camera's pan-tilt-zoom functions, enabling real-world manipulation of the camera's field of view. This could be used to bypass surveillance coverage, disrupt monitoring by pointing the camera at obstructed areas, or leave the camera persistently misoriented.

Reproduction

To reproduce this vulnerability, connect to the same local network segment as the TC155 IP camera. Identify the camera's ONVIF service endpoint and issue an unauthenticated PTZ command, such as a 'ContinuousMove' action, via a SOAP request. The camera will execute the movement command immediately, without requiring any credentials.
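
For detection, the sketch below is an added example, not part of the original advisory or the vendor's code: it reviews captured ONVIF requests and flags PTZ operations that the device accepted although the request carried neither a WS-Security UsernameToken nor an HTTP Authorization header. The record layout (`src`, `headers`, `body`, `status`), the function names and the sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
PTZ = "http://www.onvif.org/ver20/ptz/wsdl"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

def classify(headers, body):
    """Return (PTZ operation name or None, credentials_present) for one request."""
    if "<!DOCTYPE" in body:  # never process DTDs from captured traffic
        return None, False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, False
    op = None
    for child in root.findall(f"{{{SOAP}}}Body/*"):
        if child.tag.startswith(f"{{{PTZ}}}"):
            op = child.tag.split("}", 1)[1]
    # ONVIF credentials: WS-Security UsernameToken or an HTTP Authorization header.
    # Presence only; this does not verify that the credentials are valid.
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    http_auth = any(k.lower() == "authorization" for k in headers)
    return op, token is not None or http_auth

def find_unauthenticated_ptz(records):
    """Flag PTZ requests the device accepted (2xx) although no credentials were sent."""
    hits = []
    for r in records:
        op, authed = classify(r["headers"], r["body"])
        if op and not authed and 200 <= r["status"] < 300:
            hits.append((r["src"], op))
    return hits

def envelope(header_xml=""):  # builds constructed sample messages
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:t="{PTZ}" xmlns:w="{WSSE}">'
            f'<s:Header>{header_xml}</s:Header><s:Body><t:ContinuousMove>'
            '<t:ProfileToken>profile_1</t:ProfileToken></t:ContinuousMove>'
            '</s:Body></s:Envelope>')

TOKEN = "<w:Security><w:UsernameToken><w:Username>operator</w:Username></w:UsernameToken></w:Security>"
SAMPLE = [  # constructed records, not real captures
    {"src": "192.0.2.10", "headers": {}, "body": envelope(), "status": 200},
    {"src": "192.0.2.11", "headers": {}, "body": envelope(TOKEN), "status": 200},
    {"src": "192.0.2.12", "headers": {}, "body": envelope(), "status": 401},
    {"src": "192.0.2.13", "headers": {"Authorization": "Digest ..."}, "body": envelope(), "status": 200},
]

if __name__ == "__main__":
    for src, op in find_unauthenticated_ptz(SAMPLE):
        print(f"unauthenticated PTZ {op} accepted from {src}")
```

The 401 record is excluded on purpose: a credential-less request that the device rejects is the normal first step of an HTTP Digest exchange, not evidence of the flaw.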

Added: Dec 16, 2025, 3:26 AM
Updated: Dec 16, 2025, 3:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.