Getshell on a ZTE home-network smart camera server can leak private data, such as the videos and photos of millions of users, stored on the cloud
Because of improper configuration, a backend server of the Xiaoxing Kankan smart camera can be shelled (getshell). This puts at risk the private data, such as videos and photos, of millions of users stored on the cloud.
Detailed description:
1. Unauthorized Database Access
183.136.140.60:10086: unauthenticated access to MongoDB
183.136.140.60:6380: unauthenticated access to Redis (getshell is also possible here; to avoid affecting the vendor's business, this was not pursued further)
2. Unrestricted access to internal systems (arbitrary file read / getshell)
Using the leaked management password, one can log on to the management systems on several servers. The vendor can self-test its other backend management systems.
1) Homecare management backend
The following two management backends have similar functions and are probably different internal versions. The main functions include app and firmware release, recharge cards, and camera management.
Backend address: https://mgr.ztehome.com.cn (58.240.65.91), admin / 12qwaszx
Backend address: http://183.136.140.60:8080 (Homecare OA), admin / 12qwaszx
The log viewing function has an arbitrary file read vulnerability, which leaks sensitive system information.
The request is as follows:
POST http://183.136.140.60:8080/logs/log-tail.do HTTP/1.1
Host: 183.136.140.60:8080
Connection: keep-alive
Content-Length: 25
Accept: */*

line=200&path=/etc/shadow
Changing the submitted path parameter reads any file on the server; the web service runs as root.
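As an added example (not the vendor's code), here is how a log-tail handler can confine the client-supplied path parameter to a single log directory before reading anything; the log root, the .log-suffix rule and the line cap are assumptions:

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Constructed example, not the vendor's code: a log-tail handler that confines
# the client-supplied "path" parameter to one log directory instead of handing
# it straight to the filesystem.
MAX_LINES = 2000  # assumed upper bound on the "line" parameter


def tail_log(path_param: str, line_param: str, log_root: Path) -> List[str]:
    """Return the last N lines of a log under log_root, or raise ValueError."""
    try:
        n = int(line_param)
    except ValueError:
        raise ValueError("line must be an integer")
    if not 1 <= n <= MAX_LINES:
        raise ValueError("line out of range")
    if "\x00" in path_param:
        raise ValueError("invalid path")
    root = log_root.resolve()
    # resolve() collapses ".." and follows symlinks, so the containment check
    # sees the real file rather than the name the client sent
    target = (root / path_param).resolve()
    if root not in target.parents:
        raise ValueError("path escapes log directory")
    if not target.is_file() or target.suffix != ".log":
        raise ValueError("not a log file")
    with target.open("r", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh][-n:]


def demo() -> dict:
    """Run tail_log against a constructed log directory and collect outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "logs"
        root.mkdir()
        (root / "app.log").write_text("a\nb\nc\n")
        os.symlink("/etc/hostname", root / "link.log")  # symlink out of the root
        results = {"ok": tail_log("app.log", "2", root)}
        for bad in ("../../etc/shadow", "/etc/shadow", "link.log", "app.log\x00"):
            try:
                tail_log(bad, "200", root)
                results[bad] = "allowed"
            except ValueError as exc:
                results[bad] = str(exc)
    return results
```

The same containment check should be applied whether the parameter arrives relative or absolute, and the service itself should not run as root so that a bypass yields far less.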
2) ZenTao project management system backend
Backend address: http://pms.ztehome.com.cn
This version of the ZenTao system has arbitrary file read and getshell vulnerabilities; upgrading is recommended.
Vulnerability details: see WooYun: ZenTao vulnerabilities (2), arbitrary file read/write in the backend / getshell
Proof of vulnerability: shell address http://pms.ztehome.com.cn/data/upload/shell.php (please delete after testing)
3. Cloud storage key leakage
The Xiaoxing Kankan camera uses Qiniu cloud storage for its cloud backup space, and its access_key and secret_key are leaked. As a result, anyone can access and operate on users' cloud videos and photos at will (the Qiniu SDK offers no interface to retrieve the total amount of data; a simple traversal found more than 150 million videos).