NJHYST HY511 POE Core and Plugins Insufficient Cookie Verification Vulnerability Allowing Unauthorized Backend Access

Vulnerability

A vulnerability exists in NJHYST HY511 POE core versions prior to 2.1 and plugins prior to 0.1. The issue arises from inadequate cookie verification, which lets an attacker directly request and download the core configuration file from the device without logging into the management backend. The configuration file contains the username and an MD5 password that the attacker can decrypt themselves; these credentials can then be used to log into the backend, bypassing the frontend login page.

Impact

Exploitation of this vulnerability allows for unauthorized access to the backend management system, where an attacker can steal information and manage the camera remotely.

Reproduction

To reproduce this vulnerability, access a device running NJHYST HY511 POE core prior to version 2.1 and plugins prior to 0.1. Without logging into the backend, send a request to the configuration file address. This can be done by capturing a packet with Burp Suite and sending it to the server. The response will include the core configuration file, which can be downloaded directly due to the lack of cookie verification. Once the file is obtained, decrypt the MD5 password to gain access to the backend management system.
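The server-side check whose absence is described above, shown as an added example (not the vendor's code or fix): every path outside a small public set is refused unless the request carries a session cookie that matches a live entry in a server-side store. The cookie name `session`, the paths `/login` and `/config/core.cfg`, and the 15-minute lifetime are assumptions made for illustration; the page does not give the real ones.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

PUBLIC_PATHS = {"/login"}   # assumption: the only path served without a session
SESSION_TTL = 900           # assumption: session lifetime in seconds


class SessionStore:
    """Server-side record of sessions issued after a successful login."""

    def __init__(self):
        self._sessions = {}  # token -> (user, expiry timestamp)

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, never derived from user data
        self._sessions[token] = (user, now + SESSION_TTL)
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[token]  # expired sessions are dropped, not reused
            return None
        return user


def weak_authorize(path, cookie_header):
    """Behaviour the advisory describes: the cookie is never verified."""
    return 200


def authorize(path, cookie_header, store, now=None):
    """Default deny: every non-public path needs a live server-side session."""
    if path in PUBLIC_PATHS:
        return 200
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return 401
    morsel = jar.get("session")
    if morsel is None or store.lookup(morsel.value, now) is None:
        return 401
    return 200
```

Because the check is default-deny, a configuration download is covered without having to be listed by name, so a newly added file path cannot be left unprotected by omission.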

Added: Jan 6, 2026, 4:18 PM
Updated: Jan 6, 2026, 5:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.