CVE-2022-37109
Published 2022-11-14
Priority: P1 (80) · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (see references)
EPSS: 49.20% (98.7th percentile)
patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when password.txt is accessed can be bypassed. Furthermore, it is not necessary to crack the password hash to authenticate with the application because the password hash is also used as the cookie secret, so an attacker can generate his own authentication cookie.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| camp_project | camp | < 2022-07-21 | 2022-07-21 |
Detection & IOCs (extracted from sources)
- Detect path traversal / URL-encoding bypass attempts targeting password.txt via the /static/ endpoint. Monitor for requests matching patterns such as /static/password.tx%74, /static/./password.txt, or /static/../camp/password.txt.
- The Tornado 403 block on password.txt can be bypassed via URL encoding (%74 for 't') or path traversal sequences (./ or ../camp/). Ensure WAF/IDS rules normalise URLs before matching against blocklists.
- Alert on forged 'camp' session cookies: because the SHA-512 password hash doubles as the Tornado cookie_secret, a valid signed cookie can be crafted without knowing the plaintext password. Inspect 'camp' cookie values in Tornado signed-value format on unauthenticated or anomalous sessions.
- Flag use of tornado.web.create_signed_value with the 'camp' key in process/script activity, which is the mechanism used to forge authentication cookies in this exploit.
- The vulnerable commit range is up to and including bbd53a256ed70e79bd8758080936afbf6d738767; the fix is present from commit bf6af5c2e5cf713e4050c11c52dd4c55e89880b1 onward. Detections are only relevant against unpatched deployments.
- The bypass only applies when the server is started with the --require-login flag; instances without authentication enabled are unaffected by this specific bypass chain.
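As an added example (not part of the CVE record or of the camp project), the normalise-then-match check the second bullet above calls for, run over constructed Tornado-style access-log lines that include the bypass spellings listed above; the log line format and the client-IP field are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (format assumed: "<status> <method> <path> (<client>)").
SAMPLE_LOG = """\
200 GET /static/style.css (10.0.0.5)
403 GET /static/password.txt (10.0.0.9)
200 GET /static/password.tx%74 (10.0.0.9)
200 GET /static/./password.txt (10.0.0.9)
200 GET /static/../camp/password.txt (10.0.0.9)
200 GET /static/%2e%2e/camp/password.txt (10.0.0.9)
200 GET /static/img/cam.png (10.0.0.5)
"""

REQUEST_RE = re.compile(r"^(\d{3}) (\w+) (\S+) \(([\d.]+)\)$")
SENSITIVE_BASENAMES = {"password.txt"}


def normalize_path(raw_path):
    """Percent-decode (repeatedly, to catch double encoding) and collapse
    './' and '../' segments so that every spelling of one file compares equal.
    Rooting the path before normpath keeps '..' from escaping above '/'."""
    path = urlsplit(raw_path).path  # drop any query string
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath("/" + path.lstrip("/"))


def is_sensitive_request(raw_path):
    """True when the request, after normalisation, names a blocklisted file."""
    return posixpath.basename(normalize_path(raw_path)) in SENSITIVE_BASENAMES


def find_bypass_attempts(log_text):
    """Return (client, raw_path, normalised_path, status, obfuscated) tuples for
    every request that resolves to a sensitive file. 'obfuscated' marks requests
    whose raw spelling differs from the normalised one, i.e. encoding or
    traversal was used; a 200 on such a line means the 403 rule was bypassed."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        status, _method, raw_path, client = m.groups()
        if is_sensitive_request(raw_path):
            norm = normalize_path(raw_path)
            hits.append((client, raw_path, norm, status, raw_path != norm))
    return hits
```

A naive blocklist that compares the raw path against the literal string "/static/password.txt" would catch only the second sample line; the normalised comparison catches all five.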
References
http://packetstormsecurity.com/files/171478/Raspberry-Pi-Camera-Server-1.0-Authentication-Bypass.html
https://github.com/ehtec/camp-exploit
https://github.com/patrickfuller/camp/commit/bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
https://medium.com/%40elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904