14 DAY TRIAL // Command injection vulnerabilities have been discovered in some models of IP cameras manufactured by Taiwan-based company OvisLink Corp.
Exploiting the flaws could allow an attacker to learn the login credentials of the devices and gain complete access to the surveillance product.
Credited for the discovery is Nahuel Riva from Core Security Exploit Writing Team, who also developed proof-of-concept (PoC) code that exploits the flaws.
Some cameras vulnerable with default configuration
At least five models of AirLive cameras are susceptible: AirLive BU-2015, AirLive BU-3026, AirLive MD-3025, AirLive WL-2000CAM and AirLive POE-200CAM v2.
Some firmware versions powering the first three devices in the aforementioned list of affected models contain an OS command injection (CVE-2015-2279) in the “cgi_test.cgi” binary file, exploitable when handling certain parameters.
Requesting the CGI file does not require authentication if HTTPS communication is not enabled. This configuration, however, is not available by default and many users may not have changed it.
Exploitation of the security glitch is achieved by feeding arbitrary commands to the operating system, which would not filter out the malicious requests and execute them.
Riva says that the injection is somewhat limited, but could be leveraged for running commands that would reveal sensitive information about the devices, including writing MAC address, model name, and hardware and firmware version.
Web server credentials can be decoded easily
In the case of AirLive WL-2000CAM and AirLive POE-200CAM v2, the vulnerability (CVE-2014-8389) relates to the “/cgi-bin/mft/wireless_mft.cgi” binary file and can be exploited by using the hard-coded credentials in the Boa web server built into the product.
The PoC exploit code created for this flaw copies the file with the user credentials in the web server’s root directory, allowing an attacker to retrieve them easily at a later time.
“The credentials are encoded in a string using Base64, therefore it is easy to decode them and have complete access to the device,” says the researcher.
Starting May 4, 2015, Core Security tried multiple times to report the issues responsibly, but received no answer from the manufacturer. The last communication attempt was on June 18 and explained that technical details would be published unless the company breaks silence and opts for coordinated disclosure.
This Monday, Core Security revealed the details of the flaws and published the PoCs that can be used to take advantage of the problems in AirLive IP cameras.