Command injection vulnerabilities in AirLive IP surveillance cameras affect a large number of products

ID MYHACK58:62201564503
Type myhack58
Reporter Anonymous
Modified 2015-07-10T00:00:00


A large number of AirLive IP surveillance cameras have been found to contain command injection vulnerabilities that an attacker can use to steal user login credentials and take control of the device.

Vulnerability principle and scope of impact

A large number of the AirLive IP surveillance cameras manufactured by OvisLink contain command injection vulnerabilities. Through them, a network attacker can decode the user login credentials and completely control the monitoring device. According to experts at Core Security, at least 5 different models of AirLive surveillance cameras are affected. The 5 models are as follows:

1. AirLive BU-2015, firmware version 1.03.18 16.06.2014
2. AirLive BU-3026, firmware version 1.43 21.08.2014
3. AirLive MD-3025, firmware version 1.81 21.08.2014
4. AirLive WL-2000CAM, firmware version LM.1.6.18 14.10.2011
5. AirLive POE-200CAM v2, firmware version LM.1.6.17.01

Researcher Nahuel Riva explains that the AirLive MD-3025, BU-3026 and BU-2015 cameras are affected by a command injection vulnerability in the binary file cgi_test.cgi. If the camera owner has not changed the default configuration to force the use of HTTPS, an attacker can request this file without authentication and inject arbitrary commands into the operating system. Through this attack, an attacker can access all of the information managed by the AirLive camera, including the MAC address, model, hardware and firmware versions, and other sensitive details.

The published blog post states: “When handling certain specific parameters, the binary file cgi_test.cgi in the AirLive MD-3025, BU-3026 and BU-2015 contains an operating system command injection vulnerability [CVE-2015-2279]. This CGI file can be requested without authentication unless the user has changed a particular camera setting so that every communication with the camera must go over HTTPS, which is not enabled by default. The affected parameters include the following: write_mac, write_pid, write_msn, write_tan, write_hdv.”

A similar vulnerability that allows command injection is present in a CGI file on the other two cameras, the WL-2000CAM and POE-200CAM. Both of these models also have hard-coded login credentials, which makes it easy for an attacker to retrieve and decode the credentials.

The binary /cgi-bin/mft/wireless_mft.cgi on the AirLive WL-2000CAM and POE-200CAM contains an operating system command injection vulnerability (CVE-2014-8389). It can be exploited using the hard-coded credentials stored in the configuration file of the embedded Boa web server:

username: manufacture
password: erutcafunam

Vulnerability PoC

The following PoC copies a file containing hard-coded user credentials into the web server's root directory:

/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials

The user credentials can then be retrieved with the following request:

/credentials

Core Security tried many times to contact the manufacturer in the hope of getting these problems in AirLive surveillance cameras fixed, but received no reply.
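
A defender-side check for the requests described above, as an added example that is not part of the original article or of Core Security's advisory: it scans web or proxy access logs for requests to the two CGI endpoints whose affected parameters contain shell metacharacters once URL-decoded. The log lines are constructed, the combined log format and the location of cgi_test.cgi are assumptions, and find_injection_attempts is a hypothetical helper name.

```python
import re
from urllib.parse import unquote, unquote_plus

# Endpoints and parameters named in the article, keyed by last path segment.
CGI_TEST = {"write_mac", "write_pid", "write_msn", "write_tan", "write_hdv"}
AFFECTED = {"cgi_test.cgi": CGI_TEST, "wireless_mft": {"ap"}, "wireless_mft.cgi": {"ap"}}
# Characters a shell treats as command separators, substitutions or redirects.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
# Client address and request target of a combined-format log entry (assumed format).
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed log lines; addresses are documentation ranges, and the
# location of cgi_test.cgi under the web root is an assumption.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2015:10:00:00 +0000] "GET /cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials HTTP/1.1" 200 0',
    '192.0.2.10 - - [10/Jul/2015:10:00:05 +0000] "GET /credentials HTTP/1.1" 200 64',
    '198.51.100.7 - - [10/Jul/2015:10:01:00 +0000] "GET /cgi-bin/mft/wireless_mft?ap=office-ap HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Jul/2015:10:02:00 +0000] "GET /cgi_test.cgi?write_mac=00%3A11%3A22%3A33%3A44%3A55 HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Jul/2015:10:03:00 +0000] "GET /cgi_test.cgi?write_tan=1%3Bid HTTP/1.1" 200 0',
]


def find_injection_attempts(log_lines):
    """Return (client, endpoint, parameter, decoded value) for suspicious requests."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        # Decode the path too, so a percent-encoded file name still matches.
        endpoint = unquote(path).rsplit("/", 1)[-1]
        params = AFFECTED.get(endpoint)
        if params is None:
            continue
        # Split pairs on "&" only, so a ";" payload stays inside its value,
        # and decode before matching so %3B or %0A cannot hide a separator.
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            value = unquote_plus(raw)
            if name in params and SHELL_META.search(value):
                hits.append((client, endpoint, name, value))
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

A follow-up request for a newly created file under the web root from the same client, such as the /credentials request in the sample, is worth correlating with any hit.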