A number of IP-enabled AirLive cameras manufactured by OvisLink Corp are affected by command injection vulnerabilities that could be exploited by attackers to decode user credentials and completely control the devices.
According to the experts at security firm Core Security, at least five different models of AirLive cameras are vulnerable. The following builds are at risk:
The researcher Nahuel Riva explained that the AirLive cameras MD-3025, BU-3026 and the BU-2015 are affected by a command injection vulnerability in the cgi_test.cgi binary file.
If the owner of the camera hasn’t changed the default configuration to force the use of HTTPS, attackers can request the file without authentication and inject arbitrary commands into the operating system. With this kind of attack, hackers can access information managed by the AirLive camera, including the MAC address, model, hardware and firmware version, along with other sensitive details.
“[CVE-2015-2279] There is an OS Command Injection in the cgi_test.cgi binary file in the AirLive MD-3025, BU-3026 and BU-2015 cameras when handling certain parameters. That specific CGI file can be requested without authentication, unless the user specified in the configuration of the camera that every communication should be performed over HTTPS (not enabled by default).
The vulnerable parameters are the following: write_mac, write_pid, write_msn, write_tan, write_hdv.” states the post.
The other two cameras, WL-2000CAM and POE-200CAM, suffer from similar flaws in CGI files that allow command injection. Both models of AirLive cameras have hardcoded credentials that can be easily retrieved and decoded with this attack.
“[CVE-2014-8389] The AirLive WL-2000CAM and POE-200CAM “/cgi-bin/mft/wireless_mft.cgi” binary file, has an OS command injection in the parameter ap that can be exploited using the hard-coded credentials the embedded Boa web server has inside its configuration file:
The following proof of concept copies the file where the user credentials are stored in the web server root directory:
“I found these vulnerabilities by looking at the firmware,” Riva said Monday of her research, “I found that I could invoke some CGIs without authentication, and some backdoor accounts allowed me to execute arbitrary OS commands on the device.”
Core Security tried multiple times to get in touch with the manufacturer to fix the issues in the AirLive cameras, but never received a response.
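With no vendor fix available, defenders who have HTTP logs for these cameras (for example from a proxy in front of them) can watch for the CGI files and parameters named in the advisories. The following is an added example, not code from Core Security or this article; it assumes Common Log Format lines and an allow-list of harmless value characters, and the sample log lines, the `/PLACEHOLDER/` path, the `USER` name and the `CMD` token are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# CGI file names and parameters named in the advisory text quoted above.
WATCHED = {
    "cgi_test.cgi": {"write_mac", "write_pid", "write_msn", "write_tan", "write_hdv"},
    "wireless_mft.cgi": {"ap"},
}
# Assumption: legitimate values only use these characters; anything else is flagged.
SAFE_VALUE = re.compile(r"[A-Za-z0-9:._-]*")
# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def scan(lines):
    """Return one finding dict per suspicious parameter in the given log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue
        host, user, _method, target, status = m.groups()
        url = urlsplit(target)
        cgi = url.path.rsplit("/", 1)[-1].lower()
        params = WATCHED.get(cgi)
        if params is None:
            continue
        # parse_qsl percent-decodes each value before the allow-list check.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in params and not SAFE_VALUE.fullmatch(value):
                findings.append({"line": lineno, "client": host, "cgi": cgi,
                                 "param": name, "value": value,
                                 "authenticated": user != "-", "status": int(status)})
    return findings

# Constructed sample lines (not real traffic). /PLACEHOLDER/ stands in for a path
# the article does not give, and CMD for whatever text follows a metacharacter.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /PLACEHOLDER/cgi_test.cgi?write_mac=00:11:22:33:44:55 HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2024:10:02:13 +0000] "GET /PLACEHOLDER/cgi_test.cgi?write_tan=1%3BCMD HTTP/1.1" 200 64',
    '198.51.100.7 - USER [01/Jan/2024:10:03:40 +0000] "GET /cgi-bin/mft/wireless_mft.cgi?ap=x%60CMD%60 HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The `authenticated` field separates the two cases the advisories describe: requests to `cgi_test.cgi` that need no login, and requests to `wireless_mft.cgi` made with credentials.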
(Security Affairs – Core Security, AirLive cameras)