exploit the possibilities

Visual Tools DVR Command Injection / Password Disclosure

Visual Tools DVR Command Injection / Password Disclosure
Posted Oct 16, 2012
Authored by Andrea Fabrizi | Site andreafabrizi.it

Visual Tools DVR VS Series versions 3.0.6.16 and below and VX Series versions 4.2.19.2 and below suffer from administrative password disclosure, default administrative password, log file disclosure, command injection, and insecure permission vulnerabilities.

tags | exploit, vulnerability, info disclosure
MD5 | a03003360258fa2e36f5e932144fb30a

Visual Tools DVR Command Injection / Password Disclosure

Change Mirror Download
**************************************************************
Title: Visual Tools DVR multiple vulnerabilities
Version affected: VS Series <= 3.0.6.16, VX Series <= 4.2.19.2
Vendor: http://www.visual-tools.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi@gmail.com
Web: http://www.andreafabrizi.it
Status: unpatched
**************************************************************

Visual Tools develops, manufactures and commercializes video
surveillance and video observations systems under the global brand
name VideoSafe Technology or under other companies’ brand names.

The DVR systems are based on x86 Debian GNU Linux embedded (aka
emdebian) and the entire framework and software are written using
Python.

After a full reverse engineering of the firmware i discovered some
interesting vulnerabilities, that allow an unauthorized user to access
the DVR web interface and gain a root shell on the system. At the time
i write this advisory, all DVR products commercialized by Visual
Tools, based on this firmware, are vulnerable.

1]======== Administration password disclosure ========
The system expose an hidden cgi that disclose the
Operator/Supervisor/Administrator password if invoked during the first
ten minutes after system boot.

- http://DVR_ADDRESS/cgi-bin/util/passwords.py

Is possible to write a simple script that check the cgi, every five
minutes for example, waiting for the device reboot, that sooner or
later, will happen :)

2]======== Default Administration password ========
As the previous vulnerability, also in this case is possible to access
any DVR system, during the first ten minutes after system boot, using
an hard-coded password.

The default password is: elefante (valid for
Operator/Supervisor/Administrator account)

3]======== Log files disclosure ========
The system expose an hidden cgi that allow any unauthenticated user to
get the system log files. By default the script does not works,
because the zip file is generated into the cgi-bin directory.
But... taking advantage of a directory traversal vulnerability that
affect the same script, is possible to write the zip file into the
apache root directory, and download it directly via browser.

- http://DVR_ADDRESS/cgi-bin/util/ziplogs.py?filename=../../html/logs
- http://DVR_ADDRESS/logs.zip (the zip file generated)

Moreover, the file "service.log" contains the Session ID of the
authenticated user, that can be used to hijack an existing session.

4]======== recv_ip_filtering.py command injection ========
Is possible, for authenticated users, to exploit a command injection
vulnerability that affects the script
/cgi-bin/conf/recv_ip_filtering.py.
This script, used to add or remove ip addresses from the local
iptables, accept one parameter that contains a list of IPs separated
by space, so is not possible to execute directly a command that
contains a space char. A workaround can be done passing the command
through an http header (user-agent for example), and invoking the
corresponding environment variable.

This is a sample request:
#####################################
POST http://DVR_ADDRESS/cgi-bin/conf/recv_ip_filtering.py HTTP/1.1
User-Agent: [COMMAND]
Cookie: language=en; session=VALID_SESSION_ID; user=administrator;
current_page=main/400_Mconf/200_Mnetwork
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

iplistFields=192.168.0.1+192.168.0.2%3b$HTTP_USER_AGENT%3b
#####################################

The command will be executed with the privilege of the apache user.

5]======== init_diskmgr insecure permissions ========
The script "/home/apache/DiskManager/cron/init_diskmgr", writable by
the apache user, is executed by crontab every 15 minutes, with root
privileges. So, editing the script and waiting the scheduled
execution, is possible to run command on the system with root
privileges.

By default the ssh access is denied because the /etc/shadow don't
contains the root password shadow, but exploiting this vulnerability
is possible to add it and gain ssh access to the system.

**************************************************************
TIME-LINE

- 21/09/2012: Vendor contact. No response.
- 15/10/2012: Disclosure.
**************************************************************


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close