MERCURY MIPC252W IP Camera Improper Authentication Vulnerability in RTSP Service

Vulnerability

An improper authentication vulnerability has been identified in the MERCURY MIPC252W IP camera, specifically in the RTSP service of firmware version 1.0.5 Build 230306 Rel.79931n. After a successful Digest authentication during an initial DESCRIBE request, the camera fails to verify the Digest response parameter in subsequent RTSP requests within the same session. This oversight allows RTSP methods such as SETUP, PLAY, and TEARDOWN to be executed, even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier match those of a previously authenticated session. Consequently, an attacker with network access can reuse session parameters to issue unauthorized RTSP control commands without generating a valid Digest response.

Impact

Exploitation of this vulnerability allows unauthorized RTSP control commands to be sent and executed within an established RTSP session, bypassing the requirement for valid per-request authentication. This could disrupt or manipulate RTSP streaming behavior, undermining the security of the device's authentication mechanism.

Reproduction

The vulnerability can be reproduced by sending a sequence of RTSP requests that exploit the lack of authentication verification. After establishing a connection and completing the initial Digest authentication with a valid DESCRIBE request, subsequent RTSP requests such as SETUP, PLAY, and TEARDOWN can be sent with an empty Digest response in the Authorization header. The camera accepts and processes these requests as normal, demonstrating the flaw in the authentication validation.
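The check the camera omits, per-request validation of the Digest response, sketched as an added example (not the vendor's firmware code and not from the original advisory). It assumes RFC 2617 Digest with MD5 and no qop; the realm, account, nonce, URI and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample values (assumptions, not taken from the device).
REALM = "example-realm"
USERS = {"admin": "correct horse"}        # username -> password
ISSUED_NONCES = {"3f2a9c0d7b1e4a56"}      # nonces this server handed out


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def expected_response(user, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")      # binds the hash to method and URI
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k2="v2"' into a dict (quoted values only)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def authorize(method: str, request_uri: str, auth_header: str) -> bool:
    """Validate the Digest response on every request, not only DESCRIBE."""
    p = parse_digest(auth_header)
    user, nonce = p.get("username", ""), p.get("nonce", "")
    if user not in USERS or nonce not in ISSUED_NONCES:
        return False
    if p.get("uri") != request_uri:       # header must describe this request
        return False
    want = expected_response(user, USERS[user], method, request_uri, nonce)
    # An empty, invalid or reused response never equals the expected hash.
    return hmac.compare_digest(want.encode(), p.get("response", "").encode())


def build_header(method, uri, response=None):
    """Helper for the constructed checks: a client Authorization value."""
    nonce = "3f2a9c0d7b1e4a56"
    if response is None:
        response = expected_response("admin", USERS["admin"], method, uri, nonce)
    return (f'Digest username="admin", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')
```

Because HA2 covers the method, a response computed for DESCRIBE does not validate for SETUP, PLAY, or TEARDOWN, so a matching nonce and session identifier alone are never sufficient.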

Added: Apr 27, 2026, 7:32 PM
Updated: Apr 27, 2026, 7:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.