nuclei-templates
Backdoor check for Sony IP cameras
Backdoor check for Sony IP cameras.
Template / PR Information
- Add CVE-2016-7834
- References:
- https://jvn.jp/en/vu/JVNVU96435227/index.html
- https://sec-consult.com/vulnerability-lab/advisory/backdoor-vulnerability-in-sony-ipela-engine-ip-cameras/
- https://www.bleepingcomputer.com/news/security/backdoor-found-in-80-sony-surveillance-camera-models/
Template Validation
I've validated this template locally?
- [x] YES
- [ ] NO
Additional Details (leave it blank if not applicable)
[2022-04-11 09:56:16] [sony-camera-backdoor] [http] [medium] http://172.16.0.2/command/prima-factory.cgi
[2022-04-11 09:56:16] [sony-camera-backdoor] [http] [medium] http://172.16.0.5/command/prima-factory.cgi
[2022-04-11 09:56:16] [sony-camera-backdoor] [http] [medium] http://172.16.0.101/command/prima-factory.cgi
There is basic auth implemented on the vulnerable endpoint. The hardcoded credential is primana: primana. Without the basic auth, the server will always respond with a 401 status code, and a 'Server' header is added in the response that contains 'gen5th' or 'gen6th'. There is also a string in the header containing the word 'Sony'. I have another template that auto-enables the Telnet backdoor, but I'll keep that in my local repo.
Additional References:
We should be able to. I'll check my Burp output to see if the headers/response change
Looks like it could be changed to check for a 204 response and only look for gen5th or gen6th and it will work. 204 is also what is returned when turning on/off the backdoor.
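The two matcher variants discussed in this thread (401 plus 'gen5th'/'gen6th' plus 'Sony', and 204 plus 'gen5th'/'gen6th'), applied offline to recorded response heads such as proxy or scan logs. This is an added example, not the template from this PR or code from any participant; the function names, result labels and sample responses are constructed for illustration.

```python
import re

# Generation strings the thread says appear in the Server header.
GEN = re.compile(r"gen[56]th")

# Constructed sample response heads (not captured from a real device).
UNAUTH_SAMPLE = ("HTTP/1.1 401 Unauthorized\r\nServer: gen5th/1.x\r\n"
                 'WWW-Authenticate: Basic realm="Sony Network Camera"\r\n\r\n')
AUTH_SAMPLE = "HTTP/1.1 204 No Content\r\nServer: gen6th/1.x\r\n\r\n"
OTHER_SAMPLE = ("HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\n"
                'WWW-Authenticate: Basic realm="admin"\r\n\r\n')


def parse_head(raw):
    """Return (status_code, header_block) from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, headers = head.partition("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", status_line)
    if not m:
        raise ValueError("not an HTTP response")
    return int(m.group(1)), headers


def server_generation(headers):
    """Return 'gen5th' or 'gen6th' if the Server header carries it, else None."""
    for line in headers.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            m = GEN.search(value)
            if m:
                return m.group(0)
    return None


def classify(raw):
    """Apply the matchers described in the thread to one recorded response."""
    status, headers = parse_head(raw)
    if server_generation(headers) is None:
        return "no-match"
    # Variant 1: unauthenticated request, 401 plus a header mentioning 'Sony'.
    if status == 401 and "Sony" in headers:
        return "fingerprint-401"
    # Variant 2 (proposed in the thread): 204 plus the generation string only.
    if status == 204:
        return "match-204"
    return "no-match"


if __name__ == "__main__":
    for sample in (UNAUTH_SAMPLE, AUTH_SAMPLE, OTHER_SAMPLE):
        print(classify(sample))
```

Requiring the generation string in the Server header for both variants keeps a generic 401 or 204 from another web server from matching.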


Hello @af001, Sorry for the delay. Please let me know if the changes made look good to you, then we can merge this PR.
Hello @af001, thank you so much for sharing this template with the community and contributing to this project 🍻