A few months ago, during a pentest with Nicolas Mattiocco of Greenlock, we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions”, and found three remote code execution (RCE) vulnerabilities, a blind SQL injection, a server-side request forgery (SSRF), a cross-site request forgery (CSRF) and a stored cross-site scripting (XSS) affecting version 184.108.40.206 and prior versions. We chose to responsibly disclose these 0day vulnerabilities directly to Geutebruck and to the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware has been released (220.127.116.11) to fix them, ICS-CERT has published an advisory and six CVEs have been assigned: CVE-2018-7532, CVE-2018-7528, CVE-2018-7524, CVE-2018-7520, CVE-2018-7516 and CVE-2018-7512.
« Successful exploitation of these vulnerabilities could lead to proxy network scans, access to a database, adding an unauthorized user to the system, full configuration download including passwords, and remote code execution. (…) ».
Since the updated firmware (18.104.22.168) was released to Geutebruck customers approximately two months ago (28/02/2018) and the advisory was published one month ago (20/03/2018), it is time to release the exploit vectors for the remote code execution vulnerabilities so that you can check for yourself.
Vector #1 (not authenticated):
Vector #1bis (authenticated):
Vector #3 (not authenticated, CVE-2017-5173 update):
Vector #3bis (authenticated, CVE-2017-5173 update):
To get a reverse shell using this vector:
- launch netcat on the b.b.b.b host: nc -l 4444
- click on the following link after replacing a.a.a.a with the IP of your camera and b.b.b.b with the IP of the host where netcat is listening:
Screenshot showing the reverse shell access after the RCE exploitation:
A Metasploit module should be prepared soon.
Geutebruck has released a new software version, Version 22.214.171.124, to address the identified vulnerability, which is available at the following location (registration needed):
If an update is not possible right now, users can disable the “Enable anonymous access” option in the meantime to mitigate the risk. The RCEs will remain, but will only be reachable by authenticated users.
In the wild
Many brands use the same firmware (and are vulnerable too):
- UDP Technology (which is also the supplier of the firmware for the other vendors)
- THRIVE Intelligence