CVE-2020-16205

Using a specially crafted URL command, a remote authenticated user can execute commands as root on the G-Cam and G-Code (Firmware Versions 1.12.0.25 and prior as well as the limited Versions 1.12.13.2 and 1.12.14.5).

Recent assessments:

gwillcox-r7 at November 25, 2020 5:11pm UTC reported:

The server GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware versions 1.12.13.2 and 1.12.14.5 is vulnerable to command injection when the type GET parameter is set to ntp. Attackers who successfully exploit this vulnerability can gain remote code execution as the root user, meaning that this a perfect vulnerability for attackers looking to gain an initial foothold into a network.

Additionally as these are security cameras, I imagine there are a lot of nasty things one could potentially do with these devices related to spying on companies and operations that could pave the way to more crimes down the line. So the effects of this attack on an enterprise could potentially go beyond just a network breach.

Fortunately this is an authenticated attack and it requires valid login credentials to exploit. Unfortunately though, these are the types of devices that people tend to set up and then forget about until its needed, so I wouldn’t be surprised if people were still running these cameras with the default credentials of root and admin.

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 5