Lorex IP Camera Authentication Bypass (CVE-2012-6451)

February 05, 2013

Continuing my security testing of popular consumer electronics, I found a rather trivial authentication bypass vulnerability in the new Lorex LNC116 VANTAGE Stream and LNC104 LIVE Ping IP cameras available at and local electronics stores. Unlike my previous write-up on the D-Link DCS-9xx password disclosure vulnerability where the attacker could only compromise the camera from the same network, this authentication bypass vulnerability can be exploited over the Internet to view the live video feed and/or change all configurable settings anonymously.

Lorex IP 1

The camera’s web interface uses HTTP Basic authentication, but the username and password are only validated on the home login page. By forced browsing, or navigating directly to any valid URL on the camera other than the homepage, it is possible to bypass authentication. I wrote a simple Python script to illustrate this. The script takes a file containing a list of supported URLs, which were gathered by spidering the camera’s webpages, and then prompts for a username and password. These credentials are then used to sequentially request each of the listed URLs and output the URL and HTTP response code. A ‘200’ response code means the webpage was accessible and a ‘401’ means unauthorized. So first, let me display the results of the script using the actual admin account, which is ‘admin’ with a blank password:

Lorex IP 2

As you can see, all web pages are accessible using the correct credentials – no surprise. However, now let’s run the script again with invalid credentials:

Lorex IP 3

This is a bit strange – we can still access most of the web pages with an invalid password, except for the homepage where we received the ‘401’ (unauthorized) response. This tells us the camera only validates the user’s credentials when accessing the homepage, but all other pages are accessible. So what can we do with this? Well, everything, but navigating to the display.cgi page may be the biggest concern. This feature-rich camera also supports two-way audio ;)

Lorex IP 4
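The flaw and its fix can be reproduced on a loopback mock, shown here as an added example that is neither the script from this post nor the camera's firmware. The handler, the `audit` helper and the `/settings.cgi` path are assumptions made for illustration; the only change between the two modes is whether the credential check runs on every request or on the home page alone.

```python
import base64, threading, urllib.request, urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed page list: display.cgi is named in the post, settings.cgi is hypothetical.
PAGES = ["/", "/display.cgi", "/settings.cgi"]
VALID = "Basic " + base64.b64encode(b"admin:").decode()  # 'admin' with a blank password
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def make_handler(check_every_page):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Flawed mode validates credentials on the home page only.
            must_check = check_every_page or self.path == "/"
            if must_check and self.headers.get("Authorization") != VALID:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="camera"')
                self.end_headers()
                return
            self.send_response(200)
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass
    return Handler

def status(base, path, user, password):
    """Request one URL with Basic credentials and return the HTTP status code."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base + path, headers={"Authorization": "Basic " + token})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(check_every_page, user, password):
    """Run a loopback mock server and return {path: status} for these credentials."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(check_every_page))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return {path: status(base, path, user, password) for path in PAGES}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for label, fixed in (("home page only", False), ("every request", True)):
        print(f"{label:15}", audit(fixed, "admin", "wrong-password"))
```

Run as a regression test, the same audit should return ‘401’ for every listed page when the credentials are invalid; any ‘200’ marks a page that skips the check.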

Additional details:

Product: Lorex LNC116 and LNC104 IP Cameras

Vendor: LOREX Technology Inc.

Vulnerability Type: Authentication Bypass

Vulnerable Firmware Version(s): 030312 and earlier

Tested Firmware Version: 030312

Fixed Firmware Version: 030405

Solution Status: Fixed by Vendor

Vendor Notification: December 22, 2012

Public Disclosure: February 5, 2013

CVE Reference: CVE-2012-6451
