Detailed analysis of a remote code execution vulnerability that affects more than 70 different CCTV-DVR vendors
0x00 Background
After reading the paper "Point of Sale Malware: The Full Story of the Backoff Trojan Operation", in which the attackers first broke into a CCTV system to identify the target retailer and then went on to compromise POS machines and steal credit card accounts, a foreign researcher became more interested in this, found the CCTV-DVR firmware online, and discovered a remote code execution vulnerability through analysis. Then I saw him release the POC, but he also used another old vulnerability in the firmware. Let's go through them one by one.
0x01 Vulnerability Analysis
Searching Shodan for "Cross Web Server" finds about 18817 devices, the majority in the United States, followed by China and Thailand. Most of these devices listen on port 81/82, and some listen on port 8000.
Figure 0
The web page looks as follows:
Figure 1
The page source reveals webclient.html; in the source of webclient.html you find script/live.js, and live.js references logo/logo.png.
Figure 2
The logo tells us that this is an Israeli company selling CCTV systems. However, the comments in the website's source code show that the code was written by Chinese developers. The original author then downloaded the firmware from the official website; it comes as a zip package.
Figure 3
First look at boot.sh, which executes another bash script, deps2.sh. That script runs two binaries, XVDRStart.hisi and td3520a. The original author read td3520a first; it still contains its symbol table, which makes the analysis easier. While previewing a piece of code, the original author found the following problematic assembly:
Figure 4
The code shows that if the [language] directory in /language/[language]/index.html exists, it is extracted to [language]. If it does not exist, DVRSystem eventually executes "tar -zxf /mnt/mtd/WebSites/language.tar.gz %s/* -C /nfsdir/language/", where %s is the language name taken from the request, which leads to command execution. This is the same class of problem as the CTF scenario in which an administrator's /etc/crontab runs a regular backup with a statement like "tar cfz /home/rene/backup/backup.tar.gz *"; the principle is explained in http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
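The following C program is an added illustration, not code from the firmware or from the original author's write-up. It reconstructs the vulnerable pattern described above (a language name formatted straight into a tar command line that a shell later interprets) and sets beside it a hardened form that allow-lists the token and runs tar without any shell. The function names, the LANG_MAX bound and the sample inputs are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define LANG_MAX 32   /* assumed upper bound for a language token */

/* Vulnerable form, as the disassembly is described above (a reconstruction, not
 * the firmware's actual source): the language name from the URL is formatted
 * into a shell command line that is later handed to system(). Any shell
 * metacharacter in `lang` (&&, ;, ${IFS}, ...) is interpreted by /bin/sh. */
int build_cmd_vulnerable(char *out, size_t n, const char *lang) {
    return snprintf(out, n,
        "tar -zxf /mnt/mtd/WebSites/language.tar.gz %s/* -C /nfsdir/language/", lang);
}

/* Allow-list validator for the language token: only [A-Za-z0-9_-], starting
 * with a letter, bounded length. This rejects spaces, ${IFS}, &&, quotes, '/',
 * '..' and every other shell- or path-significant character before the value
 * reaches any command. Returns 1 if acceptable, 0 otherwise. */
int language_name_ok(const char *lang) {
    if (lang == NULL || lang[0] == '\0') return 0;
    size_t len = strlen(lang);
    if (len > LANG_MAX) return 0;
    if (!isalpha((unsigned char)lang[0])) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened form: no shell at all. The archive member prefix is built from the
 * validated token and passed to tar as its own argv element, so nothing is
 * re-parsed. Returns 0 on success, -1 if the token is rejected. */
int build_argv_hardened(const char *lang, char *member, size_t member_n,
                        const char *argv_out[8]) {
    if (!language_name_ok(lang)) return -1;
    if (snprintf(member, member_n, "%s/", lang) >= (int)member_n) return -1;
    argv_out[0] = "tar";
    argv_out[1] = "-zxf";
    argv_out[2] = "/mnt/mtd/WebSites/language.tar.gz";
    argv_out[3] = member;              /* e.g. "Swedish/" - that member subtree */
    argv_out[4] = "-C";
    argv_out[5] = "/nfsdir/language/";
    argv_out[6] = NULL;
    return 0;
}

/* Runs the hardened command with fork/execvp; the shell never sees `lang`.
 * Returns tar's exit status, or -1 on rejection or process error. */
int extract_language_hardened(const char *lang) {
    char member[LANG_MAX + 2];
    const char *argv[8];
    if (build_argv_hardened(lang, member, sizeof member, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: a normal token, the injected token shape from the
     * request shown on this page, and a path-traversal token. */
    const char *inputs[] = {
        "Swedish",
        "Swedish${IFS}&&echo${IFS}$USER>test&&tar${IFS}",
        "../../etc",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-50s -> %s\n", inputs[i],
               language_name_ok(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validator is deliberately an allow-list rather than a block-list of ${IFS} and &&: the page shows that a single missed separator (here, a shell variable standing in for a space) is enough to defeat a block-list, whereas an allow-list of letters, digits, '_' and '-' leaves the shell nothing to interpret, and execvp removes the shell from the path entirely.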
Several problems need to be overcome before exploitation:
The web server does not handle URL encoding, so the command cannot contain spaces or line breaks, and its length is limited.
The space restriction can be overcome with ${IFS}.
Request:
GET /language/Swedish${IFS}&&echo${IFS}$USER>test&&tar${IFS}/string.js HTTP/1.1
This runs a command that records the current user. The HTTP request itself returns 404.
Because the execution result is not returned in the response, an old directory traversal vulnerability is needed to view it:
GET /../../../../mnt/mtd/test
Figure 5
In fact, even without the command execution vulnerability, the directory traversal vulnerability alone can read configuration files (/etc/passwd, /config.dat, etc.).
Figure 6
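As an added example (not from the original post or the POC), the following C program turns the two request shapes described above, a /language/ path whose name component carries ${IFS} or shell operators and a path containing a parent-directory component, into detection logic run over a few constructed common-log-format lines. The log lines, IP addresses and function names are all made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Indicator flags returned by classify_request(). */
enum { IND_LANG_INJECT = 1, IND_TRAVERSAL = 2 };

/* Extract the request path from a common-log-format line
 * ("... \"GET /x HTTP/1.1\" ..."). Returns 0 if no quoted request is found. */
static int request_path(const char *line, char *out, size_t n) {
    const char *q = strchr(line, '"');
    if (!q) return 0;
    const char *sp = strchr(q + 1, ' ');        /* space after the method */
    if (!sp) return 0;
    const char *end = strchr(sp + 1, ' ');      /* space before "HTTP/1.1" */
    if (!end) end = strchr(sp + 1, '"');
    if (!end) return 0;
    size_t len = (size_t)(end - (sp + 1));
    if (len >= n) len = n - 1;
    memcpy(out, sp + 1, len);
    out[len] = '\0';
    return 1;
}

/* Flag requests matching the two patterns on this page:
 * 1) a /language/... request whose remainder carries the ${IFS} space
 *    substitute or a shell operator;
 * 2) any path with a "/../" parent-directory component (the traversal bug). */
int classify_request(const char *path) {
    static const char *markers[] = { "${IFS}", "&&", ";", "|", "`", "$(", NULL };
    int ind = 0;
    if (strncmp(path, "/language/", 10) == 0) {
        const char *rest = path + 10;
        for (int i = 0; markers[i] != NULL; i++) {
            if (strstr(rest, markers[i]) != NULL) { ind |= IND_LANG_INJECT; break; }
        }
    }
    if (strstr(path, "/../") != NULL) ind |= IND_TRAVERSAL;
    return ind;
}

/* Scan newline-separated log text, printing an alert per flagged line.
 * Returns the number of flagged lines and fills the per-indicator counts. */
int scan_log(const char *log, int *inject_count, int *traversal_count) {
    int flagged = 0;
    *inject_count = 0;
    *traversal_count = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024], path[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (request_path(line, path, sizeof path)) {
            int ind = classify_request(path);
            if (ind & IND_LANG_INJECT) (*inject_count)++;
            if (ind & IND_TRAVERSAL) (*traversal_count)++;
            if (ind) { flagged++; printf("ALERT[%d]: %s\n", ind, line); }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return flagged;
}

/* Constructed sample lines (not real traffic) in common log format. */
const char *SAMPLE_LOG =
    "10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] \"GET /webclient.html HTTP/1.1\" 200 1234\n"
    "10.0.0.5 - - [01/Jan/2016:10:00:01 +0000] \"GET /language/Swedish/string.js HTTP/1.1\" 200 512\n"
    "203.0.113.7 - - [01/Jan/2016:10:00:02 +0000] \"GET /language/Swedish${IFS}&&echo${IFS}$USER>test&&tar${IFS}/string.js HTTP/1.1\" 404 0\n"
    "203.0.113.7 - - [01/Jan/2016:10:00:03 +0000] \"GET /../../../../mnt/mtd/test HTTP/1.1\" 200 20\n"
    "203.0.113.7 - - [01/Jan/2016:10:00:04 +0000] \"GET /../../../../etc/passwd HTTP/1.1\" 200 300\n";

int main(void) {
    int inj, trav;
    int flagged = scan_log(SAMPLE_LOG, &inj, &trav);
    printf("%d flagged (%d injection, %d traversal)\n", flagged, inj, trav);
    return 0;
}
```

Two properties of the page's traffic shape are worth keeping in mind when tuning this: the injected request answers 404 even though the command ran, so status code is not a useful filter, and the read-back of the result arrives as a separate traversal request from the same source, so correlating the two indicators per client address is the stronger signal.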
The POC is available at:
Https://github.com/k1p0d/h264_dvr_rce
The real manufacturer of this product is Shenzhen TVT Digital (http://www.tvt.net.cn/); the other manufacturers are presumably relabeling it, i.e. OEM (Original Equipment Manufacturer, also called contract manufacturing, which first became popular in developed regions such as Europe and America; it is a way for large international companies to play to their respective strengths, reducing production costs and increasing brand value).
List of affected vendors:
Alibaba Alarmes upgrade lgy and upgrade
Hawk kernel security systems
Cocktail upgrade
PLUS
Digital Eye 'z no longer
Service & Manual manual
ET Vision
Extra Eye 4 U
eyemotion
EDS
Fujitsu Itron
Full HD 1080p
Gazer
Goldeye
daytime
HD IViewer
Hi-View
Ipcom
IPOX
IRISC illinois Security Cameras, inc.
JFL Alarmes
Lince
LOT
Lux
Lynx Security
Magtec
Meriva Security
Multistar
Navaio
NoVus
Optivision
PARA Vision
Provision-isr
q-See
Questek
Retail Solution Inc
RIT Huston. com
ROD Security cameras
Satvision
Sav policy
skilleye
Smarteye
Superior Electrial Systems
TechShell
techson=mate
TecVoz
TeleEye
Tomura
truVue
TVT
Umbrella
United Video Security System, inc
Universal IT Solutions
US IT Express
U-Spy Store
Ventetian
V-Gurad Security
Vid8
Vtek
Vision Line
Visar
Vodotech.com
Vook
Watchman
Xrplus
Yansi
Zetec
ZoomX
0x02 References
TVT TD-2308SS-B DVR - Directory Traversal Vulnerability
Remote Code Execution in CCTV-DVR affecting over 70 different vendors