| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130325125650.GA15418@kludge.henri.nerv.fi>
Date: Mon, 25 Mar 2013 14:56:50 +0200
From: Henri Salo <henri@...v.fi>
To: Eric Urban <hydrogen18@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Remote command injection vulnerability
in Rosewill RSVA11001 (Hi3515 based)
On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote:
> I have been hacking on a Rosewill RSVA11001 for a while now, something to
> suck up my free time. I had pulled apart the firmware previously but did
> not succeed in finding a way to get a shell on the device. The box is
> Hi3515 based, I found an exploit for another similar box (Ray Sharp) but it
> did not work. The Rosewill firmware seems to use an executable that listens
> on two ports rather one when communicating with the Windows-based control
> software. Port 8000 is now the command port rather 9000, 9000 is used for
> video only. After playing with the included Windows application I
> eventually did a strings on the 'hi_dvr' exectuable that is the user space
> program that controls the interface to thing. I found this gem:
>
> /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp
>
> So I used the windows software to set the NTP host to
>
> a;/usr/bin/nc -l -p 5555 -e /bin/sh&
Did you report this to the vendor?
--
Henri Salo
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists