Pierluigi Paganini
July 07, 2015
A number of IP-enabled AirLive cameras manufactured by OvisLink Corp are affected by command injection vulnerabilities that could be exploited by attackers to decode user credentials and completely control the devices.
According to the experts at security firm Core Security, at least five different models of AirLive cameras are vulnerable. The following builds are at risk:
The researcher Nahuel Riva explained that the AirLive cameras MD-3025, BU-3026 and the BU-2015 are affected by a command injection vulnerability in the cgi_test.cgi binary file.
If the owner of the camera hasn’t changed the default configuration by forcing the use of HTTPs, the attackers can request the file without authentication by injecting arbitrary commands into the operating system. With such kind of attack hackers can access information managed by AirLive camera, including the MAC address, model, hardware and firmware version, along with aìother sensitive details.
“[CVE-2015-2279] There is an OS Command Injection in the cgi_test.cgi binary file in the AirLive MD-3025, BU-3026 and BU-2015 cameras when handling certain parameters. That specific CGI file can be requested without authentication, unless the user specified in the configuration of the camera that every communication should be performed over HTTPS (not enabled by default).
The vulnerable parameters are the following: write_mac, write_pid, write_msn, write_tan, write_hdv.” states the post.
The other two cameras, WL-2000CAM and POE-200CAM, also suffer similar flaws in CGI files that could allow to run a command injection flaw. Both models of AirLive cameras have hardcoded credentials that can be easily retrieved and decoded with this attack.
“[CVE-2014-8389] The AirLive WL-2000CAM anf POE-200CAM “/cgi-bin/mft/wireless_mft.cgi” binary file, has an OS command injection in the parameter ap that can be exploited using the hard-coded credentials the embedded Boa web server has inside its configuration file:
username: manufacturepassword: erutcafunamThe following proof of concept copies the file where the user credentials are stored in the web server root directory:
<a href="http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials">http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/...</a>
<a href="http://<Camera-IP>/credentials">http://<Camera-IP>/credentials</a>“I found these vulnerabilities by looking at the firmware,” Riva said Monday of her research, “I found that I could invoke some CGIs without authentication, and some backdoor accounts allowed me to execute arbitrary OS commands on the device.”
Core Security tried multiple times to get in touch with the manufacturer to fix the issues in the AirLive cameras, but never received a response.
(Security Affairs – Core Security, AirLive cameras)
