According to the security researcher Rotem Kerner, surveillance cameras from 70 vendors are vulnerable to Remote Code Execution (RCE).
The researcher noticed that the vendors are selling products using the same firmware that is affected by an RCE vulnerability.
In the “white labeling” business model, various vendors simply sell the same product by applying their logo on the device, unfortunately, they never perform hardware and software qualification.
The vulnerable firmware is developed by a Chinese manufacturer TVT, Kerner that analyzed it discovered how to compromise DVR boxes of the CCTV systems.
The firmware analyzed by Kerner is used in products from an Israeli company selling CCTV systems, the code implements a vulnerable HTTP server.
The security vulnerability relies in the server checking if the directory of a given language exists. If the folder doesn’t exist the software executes an extraction command opening the door to a a remote command line execution.
Below the explanation provided by the researcher:
It reads the URI, and if it contain something like the following – /language/[language]/index.html
its going to extract the [language] in between the slashes and check
if the directory exists, if not it is going to execute this command
tar –zxf /mnt/mtd/WebSites/language.tar.gz [language]/* -C /nfsdir/language
This basically gives us a remote command line execution. Awesome!
Kerner also published a proof-of-concept code for the vulnerability affecting the firmware.
Kerner noticed that tens of thousands of products are currently the same vulnerable implementation of the HTTP server. His affirmation is motivated by the results produced querying the Shodan search engine, however, the number of vulnerable devices not reached by Shodan could be much higher.
“A quick Shodan query, revealed their distribution; a total of over 30,000(!). Quite a lot and yet I’m sure this is only a small portion of them.” said the researchers.
Kerner tried to report the issue to the original manufacturer TVT, but he has received no response, so he decided to disclose a list of vendors selling then devices with flawed firmware.
(Security Affairs – surveillance cameras, hacking)