[Tfug] RE: XSS vulnerability in Canon webcam I discovered

Casey Townsend CTownse1 at ci.tucson.az.us
Thu Dec 18 09:41:43 MST 2003


Thank you for your comments.  I hadn't considered the CYA aspect.

>>> JMB <jmb at indesp.com> 12/17/2003 9:53:57 AM >>>
Hi,

I'm new to this group, and haven't really done anything in the way of 
introducing myself, but I really wanted to reply to this message. So, 
Greetings & Salutations, Everyone ;>
--
Casey Townsend wrote:

>I ran a nessus security scan against our recently purchased Canon VB-C10R Network Camera (remote controlled web-cam). It revealed the information listed below, which includes a Cross Site Scripting vulnerability in the embedded web server.  I have verified that this affects Opera 6 & 7, Mozilla Firebird 0.6.1, Netscape 4.x, 6 & 7, and Mozilla 1.6b, but it does not affect my IE6sp1+, including NeoPlanet and Avant.
>  
>
Impressive -- If it were not for the known factor of large corporations 
_generally_ being pretty thick-skulled, I'd have to say I was more 
surprised at their lack of attention to even the possibility of any 
exploit involving their products, much less the demonstrated XSS.

>I have contacted Canon several times about this but I don't think they are too concerned (and I don't have the experience to determine if this is a significant problem or not, or if other web-cams are also vulnerable). Canon did not acknowledge any of my emails or even the fax their customer support person asked me to send until finally I was able to speak with a supervisor the next week who said they had received an email and that it was going to be sent to their NY HQ, which would then send it to their engineers in Japan. He didn't think I would hear anything for at least a couple of weeks, if ever. I initially called them on Nov. 28th.
>  
>
(!)

>I would appreciate your thoughts on this issue.
>
While I know virtually zippo about that camera, just judging by what 
you've documented (operating on the assumption it's all true), that 
should qualify as a bona-fide security defect, all right.

The last time I dealt with a similar situation was ~3 months ago; I 
found some anomalous entries obfuscated in the guts of an EN5940 (aka 
SE5940) router, and was able to confirm the same back (front) door in 
another previously untouched, brand new model. In a shockingly contrary 
happening, I left a VM for some anonymous tech there, figured no one 
would notice it for the better part of a year, and got a call back from 
Efficient Networks in ~30 minutes from someone who was incredibly keen 
on finding out just how I'd come across the information I mentioned in 
the VM, and started doing the grill-over-the-phone bit. Not much for 
being grilled, I just told him I was not RE'ing their product, was just 
testing/troubleshooting it, and had called to make full disclosure to 
them before I told anyone else about it, thanks much. He became notably 
more polite after that.

In any event, I'd already conferred w/an attorney about it, and, not 
having signed any NDAs, and not being in any other way beholden to 
Efficient Networks, and provided I made the best "good faith" effort to 
provide full disclosure to them prior to publicizing it anywhere else, I 
was in the clear.

After having endured far too many exploitable HW/SW geegaws in my time, 
the opinion I'm increasingly drawn to is that companies that wish to 
make a product regardless of quality control, and then bury their 
collective heads in the sand, are dinosaurs, and as such, should become 
extinct, posthaste. I am aware of how reactionary this sounds, but I 
have my reasons for being of this opinion -- sound reasons, no less.

So FWIW, I'd advise making full disclosure to the company, going to 
every "good faith" effort, etc. If they're interested in their 
product/interested in listening to those outside the dev schema, they'll 
snap it right up & deal with it on their own, either to disprove it or 
to prove it (and in the latter case, to hopefully fix it).

Those companies uninterested in what outside sources have to say, and 
who are too busy spending 8 hours each day studiously figuring out newer 
& more ingenious ways to patently NOT implement (say) full SDLC 
methodology for their products -- or whatever -- will also tend to 
ignore the warnings issued by others. Of course, once having made full 
disclosure (and provided there's no NDA involved & a million other 
legalities) and doing whatever else you might need to do for exculpatory 
purposes -- consulting an attorney is recommended -- if it is clear the 
company in question couldn't give a tinker's cuss about the matter, just 
publish said information to the Internet. Done / Done.

Harsh? Ideally.

One oftentimes needs to use an incredibly sharp goad on the extremely 
thick-skinned; it would be nice if this were not the case, and perhaps 
in an ideal world, it would not be; as a case in point, I cannot 
imagine Bank of America would have bothered to patch their MS SQL 
servers until they had their pants pulled down by a worm -- a worm 
exploiting something already antiquated by that time, yet they were 
uninclined to really devote proper attention to it until their ATMs 
began crashing.

This is not to be construed as my encouraging you or anyone else to do 
anything malicious, please understand: as everyone is surely already 
well familiar with the old saw about Security and Obscurity, I think 
merely publicizing the *existence* of a hole or security defect in a 
product -- not saying one has to divulge enough detail to enable anyone 
to immediately exploit it -- pushes the responsibility squarely onto the 
companies in question.

I hope this proves of some use to you.

Regards,


~J
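The bug class Casey's Nessus scan reported, shown as an added example that is not the camera's firmware, Nessus's actual check, or anything posted to the list: a reflected cross-site-scripting handler beside its encoded form, plus a scanner-style probe. The parameter name "title", the page layout and the PROBE marker are constructed for illustration. The third handler demonstrates why encoding must match the context the value lands in: escaping only angle brackets still leaves an attribute value open to breakout through a stray double quote.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed probe (hypothetical, not Nessus's real payload): a marker plus
# the metacharacters that escape HTML text and attribute contexts.
PROBE = 'tfug"\'><zz>'


def _param(query_string: str, name: str) -> str:
    """Fetch one query parameter, already URL-decoded; empty if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def vulnerable_page(query_string: str) -> str:
    """Reflects 'title' into element text and an attribute with no encoding.
    This is the reflected-XSS pattern a scanner flags on an embedded server."""
    title = _param(query_string, "title")
    return (f"<html><body><h1>Camera: {title}</h1>"
            f'<input name="title" value="{title}"></body></html>')


def partially_hardened_page(query_string: str) -> str:
    """Encodes < > & only. Safe in element text, but inside value="..." a raw
    double quote still closes the attribute, so attribute injection remains."""
    title = html.escape(_param(query_string, "title"), quote=False)
    return (f"<html><body><h1>Camera: {title}</h1>"
            f'<input name="title" value="{title}"></body></html>')


def hardened_page(query_string: str) -> str:
    """Context-appropriate encoding: quote=True also turns " and ' into
    entities, so the value cannot break out of either context used here."""
    title = html.escape(_param(query_string, "title"), quote=True)
    return (f"<html><body><h1>Camera: {title}</h1>"
            f'<input name="title" value="{title}"></body></html>')


def reflects_unescaped(handler, param: str = "title") -> bool:
    """Scanner-style check: submit the probe and see whether it comes back
    byte-for-byte. True means the handler reflects without any encoding."""
    body = handler(urlencode({param: PROBE}))
    pos = body.find("tfug")
    if pos == -1:
        return False  # parameter is not reflected into the page at all
    return body[pos:pos + len(PROBE)] == PROBE


def quote_survives(handler, param: str = "title") -> bool:
    """Narrower check for attribute context: does a raw double quote directly
    follow the marker? True means an attribute breakout is still possible."""
    body = handler(urlencode({param: PROBE}))
    return 'tfug"' in body


if __name__ == "__main__":
    for page in (vulnerable_page, partially_hardened_page, hardened_page):
        print(f"{page.__name__:24s} raw reflection={reflects_unescaped(page)} "
              f"quote survives={quote_survives(page)}")
```

Run stand-alone it reports the three handlers side by side; the point worth taking from the partially hardened case is that a scanner reporting "no raw reflection" is not the same as "no XSS", which is also one reason the same response can appear to affect some browsers and not others depending on how tolerant their parsers are of the surrounding markup.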

_______________________________________________
tfug mailing list
tfug at tfug.org 
http://www.tfug.org/mailman/listinfo/tfug

