A remote code execution vulnerability affecting over 70 different CCTV-DVR vendors: vulnerability analysis

2016-03-25 00:00:00
mickey
www.myhack58.com

0x00 Background

A foreign researcher read the paper POINT OF SALE MALWARE: THE FULL STORY OF THE BACKOFF TROJAN OPERATION. In it, the digital thieves first broke into the CCTV system to confirm that the target was a retailer, and then went on to compromise the POS machines to steal credit card data. He went online, found the CCTV-DVR firmware, and through analysis discovered a remote code execution vulnerability. I then saw that the PoC he published also relies on a relatively old vulnerability in the same firmware. The details follow.

0x01 Vulnerability analysis

Searching Shodan for "Cross Web Server" finds roughly 18817 devices; the United States accounts for the majority, followed by China and Thailand. Most of these devices listen on ports 81/82, and some listen on port 8000.

![p1](/Article/UploadPic/2016-3/201632513375137.png) Figure 0

Opening the web page shows the following:

![p2](/Article/UploadPic/2016-3/201632513375458.png) Figure 1

Then, by viewing the page source, WebClient.html is found; the source of WebClient.html in turn references script/live.js, and live.js references logo/logo.png.

![p3](/Article/UploadPic/2016-3/201632513375147.png) Figure 2

From this logo it is clear that the system is sold by an Israeli CCTV company, but the comments in the website's source code are written in Chinese, so the author went to the official website and downloaded the firmware. The downloaded firmware is a zip archive; unzipping it shows the following:

![p4](/Article/UploadPic/2016-3/201632513375447.png) Figure 3

First, look at boot.sh: it executes another bash script, deps2.sh, which in turn runs two binaries, XVDRStart.hisi and td3520a. Going by file size, the original author looked at td3520a first. td3520a ships with a symbol table, which makes analysis much easier; after browsing the code for a while, the original author found the following decompiled code:

![p5](/Article/UploadPic/2016-3/201632513376915.png) Figure 4

From the code: if /language/[language]/index.html exists in the [language] directory, it is extracted into [language]; if it does not, DVRSsystem eventually executes "tar -zxf /mnt/mtd/WebSites/language.tar.gz %s/* -C /nfsdir/language/" with the language name from the URL substituted for %s, which leads to command execution. This reminded the original author of the /etc/crontab trick seen in CTFs: an administrator uses tar for a scheduled backup with a line such as tar cfz /home/rene/backup/backup.tar.gz *, and that wildcard creates the problem. The principle is explained in <http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt>.
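As an added example (not code from this article or from the DVR firmware), a hypothetical hardened version of that extraction step in C: the language name is restricted to a short, purely alphabetic string, and tar is executed through execv() with an argv array instead of a shell, so ${IFS}, && and .. arriving in the URL can no longer become shell syntax or path components. The archive and destination paths are the ones quoted above; the function names and the /bin/tar location are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hardened language handler (illustration, not the vendor's code).
 * The original builds "tar -zxf ... %s/* -C ..." from the URL's language name
 * and runs it through a shell, so "Swedish${IFS}&&..." executes as commands.
 * Fix 1: accept only short, purely alphabetic names, so "${IFS}", "&&", ">",
 * "/", ".." and spaces never reach the command line.
 * Fix 2: no system()/popen(); exec tar with an argv array, so no shell is
 * present to interpret metacharacters even if the validation were bypassed. */
#define MAX_LANG_LEN 32
#define LANG_ARCHIVE "/mnt/mtd/WebSites/language.tar.gz"  /* path from the page */
#define LANG_DEST    "/nfsdir/language/"                   /* path from the page */

int is_valid_language(const char *lang)
{
    size_t n = strlen(lang);
    if (n == 0 || n > MAX_LANG_LEN) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalpha((unsigned char)lang[i])) return 0;
    return 1;
}

/* Fill a NULL-terminated 7-slot argv; returns argc, or 0 if lang is rejected.
 * Naming the directory member ("Swedish") makes tar extract it recursively,
 * replacing the original's shell-globbed "Swedish/*". */
int build_tar_argv(const char *lang, const char *argv[7])
{
    if (!is_valid_language(lang)) return 0;
    const char *a[7] = { "tar", "-zxf", LANG_ARCHIVE, lang, "-C", LANG_DEST, NULL };
    memcpy(argv, a, sizeof a);
    return 6;
}

/* Returns tar's exit status, or -1 if lang was rejected or tar could not run. */
int extract_language(const char *lang)
{
    const char *argv[7];
    if (build_tar_argv(lang, argv) == 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/bin/tar", (char *const *)argv);
        _exit(127);  /* exec failed: fail closed, no shell fallback */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```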

To exploit this, a few problems still have to be overcome:

  1. The web server cannot handle spaces or URL-encoded line breaks in the URL.
  2. The command length is limited.

The space restriction can be bypassed with ${IFS}.

Sending the request

```http
GET /language/Swedish${IFS}&&echo${IFS}$USER>test&&tar${IFS}/string.js HTTP/1.1
```

executes a command that records the current user; the HTTP response is a 404.

To view the result of the executed command, a relatively old directory traversal vulnerability in the same firmware is needed:

```http
GET /…/…/…/…/mnt/mtd/test
```

![p6](/Article/UploadPic/2016-3/201632513376587.png) Figure 5

In fact, even without a usable command execution vulnerability, the directory traversal alone can be used to read configuration files (/etc/passwd, /config/config.dat, etc.).

![p7](/Article/UploadPic/2016-3/201632513376659.png) Figure 6

The PoC is at the following address:
<https://github.com/k1p0d/h264_dvr_rce>

The real manufacturer of this product is Shenzhen TVT Digital (<http://www.tvt.net.cn/>); the other vendors are presumably rebranding it (commonly known as OEM, also called 贴牌 or 代工 production, which first became popular in Europe and other developed countries; it is a set of rules by which large international companies draw on each other's comparative advantages to reduce production costs and raise brand added value).

The list of affected vendors:

  • Ademco
  • ATS Alarmes technolgy and ststems
  • Area1Protection
  • Avio
  • Black Hawk Security
  • Capture
  • China security systems
  • Cocktail Service
  • Cpsecured
  • CP PLUS
  • Digital Eye’z no website
  • Diote Service & Consulting
  • DVR Kapta
  • ELVOX
  • ET Vision
  • Extra Eye 4 U
  • eyemotion
  • EDS
  • Fujitron
  • Full HD 1080p
  • Gazer
  • Goldeye
  • Goldmaster
  • Grizzly
  • HD IViewer
  • Hi-View
  • Ipcom
  • IPOX
  • IR
  • ISC Illinois Security Cameras, Inc.
  • JFL Alarmes
  • Lince
  • LOT
  • Lux
  • Lynx Security
  • Magtec
  • Meriva Security
  • Multistar
  • Navaio
  • NoVus
  • Optivision
  • PARA Vision
  • Provision-ISR
  • Q-See
  • Questek
  • Retail Solution Inc
  • RIT Huston . com
  • ROD Security cameras
  • Satvision
  • Sav Technology
  • Skilleye
  • Smarteye
  • Superior Electrial Systems
  • TechShell
  • TechSon
  • Technomate
  • TecVoz
  • TeleEye
  • Tomura
  • truVue
  • TVT
  • Umbrella
  • United Video Security System, Inc
  • Universal IT Solutions
  • US IT Express
  • U-Spy Store
  • Ventetian
  • V-Gurad Security
  • Vid8
  • Vtek
  • Vision Line
  • Visar
  • Vodotech.com
  • Vook
  • Watchman
  • Xrplus
  • Yansi
  • Zetec
  • ZoomX

0x02 References