Xiaomi "Small Ants" (Xiaoyi) smart camera: remote command execution vulnerability

ID MYHACK58:62201558737
Type myhack58
Reporter Anonymous
Modified 2015-02-03T00:00:00


Vulnerability description:

The Small Ants camera's application management program contains a remote command execution vulnerability: through the web interface, arbitrary system commands can be executed with root privileges, without any web authorization. The latest official version already fixes this vulnerability.

Affected range:

Firmware version <= 1.8.3.4F_201410221315. Note: we did not find all firmware versions. This version is the factory version of our device, and it is also the latest version in which we were able to find the vulnerability.
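A way to check device firmware strings against the affected range above, as an added example that is not part of the original advisory. The version layout and ordering (numeric fields, then letter suffix, then build timestamp) are assumptions, and the inventory names and non-threshold versions are constructed.

```python
import re

# Highest affected firmware version, as stated on this page.
LAST_AFFECTED = "1.8.3.4F_201410221315"

# Assumed layout: dotted numeric fields, an optional letter suffix on the last
# field, then "_" and a 12-digit build timestamp (YYYYMMDDHHMM).
_FW_RE = re.compile(r"^(\d+(?:\.\d+)*)([A-Za-z]*)_(\d{12})$")


def parse_firmware(version):
    """Return a sortable key: (numeric fields, suffix, build timestamp)."""
    # Tolerate stray whitespace from copy/paste or scraped inventories.
    m = _FW_RE.match(re.sub(r"\s+", "", version))
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    fields = tuple(int(p) for p in m.group(1).split("."))
    return (fields, m.group(2).upper(), int(m.group(3)))


def is_affected(version):
    """True when version <= LAST_AFFECTED under the assumed ordering."""
    return parse_firmware(version) <= parse_firmware(LAST_AFFECTED)


def audit(inventory):
    """Map each device name to 'affected', 'not affected' or 'unknown'."""
    report = {}
    for device, version in inventory.items():
        try:
            report[device] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            # Unparseable strings need manual review, never a silent pass.
            report[device] = "unknown"
    return report


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "hallway-cam": "1.8.3. 4F_201410221315",
    "garage-cam": "1.8.2.9A_201409011200",
    "nursery-cam": "1.8.5.1B_201503010930",
    "porch-cam": "unknown-build",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Devices reported as "unknown" should be checked by hand in the camera's management application rather than treated as patched.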

Exploitation:

System commands are executed through a vulnerable configuration parameter of the web application.

Checking the privilege under which the system command currently runs shows that it executes with the highest system privileges.

Vulnerability impact:

An attacker can exploit this vulnerability without a user name, password or any other authentication to remotely control the Small Ants camera and browse its video. If the user clicks a malicious link constructed by the hacker, the hacker can also steal the Wi-Fi password. This seriously harms household privacy and public safety. The Small Ants camera can also be used to carry out operations against the router and to attack other smart devices on the home network.

Security recommendations:

Open the Small Ants camera application management program and, while connected to the Internet, click Automatic upgrade. After the upgrade completes, confirm that the current version is the latest.