Vatilon IP Cameras Plaintext Credential Exposure Vulnerability

Vulnerability

A vulnerability exists in Vatilon IP camera firmware version 1.12.37-20240124, allowing for authentication bypass and exposure of user credentials in plaintext. The issue arises in the web interface's '/cgi-bin/web.cgi' API, which processes requests with 'username' and 'password' parameters without proper authentication or session validation. This flaw enables unauthenticated attackers to access sensitive device information and administrative data remotely.

Impact

The vulnerability allows plaintext administrator credentials to be exposed to unauthenticated attackers, who can then access device configurations and sensitive information remotely. This unauthorized access could lead to a full compromise of the device.

Reproduction

The vulnerability can be reproduced by sending an HTTP GET request to the '/cgi-bin/web.cgi' endpoint with 'username' and 'password' parameters. This can be done without a valid login session, as the endpoint does not enforce authentication or session validation. Direct access to '/view/player.html' can also trigger unauthenticated API requests to '/cgi-bin/web.cgi', bypassing the need for a login.

Remediation

To address this vulnerability, it is recommended to enforce server-side authentication and session validation for all requests to '/cgi-bin/web.cgi'. Additionally, stop accepting plaintext credentials in URL parameters and ensure that all web interface components require a valid authenticated session. Remove sensitive information from API responses and apply any available firmware updates from the vendor.
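As an added detection example (not part of the original advisory or the vendor's code), the script below scans web-server access logs for the two request patterns the advisory describes: requests to '/cgi-bin/web.cgi' carrying 'username' or 'password' query parameters, and API calls to that endpoint referred from '/view/player.html'. The combined log format and the sample lines are assumptions; the camera's real log format is not given on the page, and only parameter names are reported so credentials are never re-logged.

```python
import re
from urllib.parse import urlsplit, parse_qs
from collections import Counter

# Endpoint, parameter names and page named in the advisory.
VULN_ENDPOINT = "/cgi-bin/web.cgi"
CREDENTIAL_PARAMS = {"username", "password"}
PLAYER_PAGE = "/view/player.html"

# Apache/nginx "combined" format (an assumption; the device's own format is unknown).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def inspect_line(line):
    """Return a finding for one log line, or None if it is not suspicious.
    Only parameter names are reported, never their values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_ENDPOINT:
        return None
    params = set(parse_qs(parts.query, keep_blank_values=True))
    cred_params = sorted(p for p in params if p.lower() in CREDENTIAL_PARAMS)
    from_player = urlsplit(m.group("referer")).path == PLAYER_PAGE
    if not cred_params and not from_player:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "credential_params": cred_params, "referer_player_page": from_player}

def scan(lines):
    """Scan all lines; return the findings and a per-source-IP count."""
    findings = [f for f in (inspect_line(l) for l in lines) if f]
    return findings, Counter(f["ip"] for f in findings)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:17:24:01 +0000] "GET /cgi-bin/web.cgi?username=admin&password=%73ecret HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [02/Jan/2026:17:24:05 +0000] "GET /view/player.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jan/2026:17:24:06 +0000] "GET /cgi-bin/web.cgi?action=getinfo HTTP/1.1" 200 300 "http://cam.example/view/player.html" "Mozilla/5.0"
192.0.2.4 - - [02/Jan/2026:17:25:00 +0000] "GET /cgi-bin/web.cgi?action=status HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.4 - - [02/Jan/2026:17:25:10 +0000] "POST /login.cgi HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(dict(per_ip))
```

A hit on the first pattern from a source that never logged in is the strongest signal; a 200 response on such a request on an unpatched device should be treated as a credential exposure and the administrator password rotated after the firmware update.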

Added: Jan 2, 2026, 5:24 PM
Updated: Jan 2, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.7
remediation: 0.0
relevance: 1.8
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.