A security researcher has discovered that surveillance cameras sold by more than 70 vendors worldwide were vulnerable to Remote Code Execution (RCE).
According to the security researcher Rotem Kerner, surveillance cameras from 70 vendors are vulnerable to Remote Code Execution (RCE).
The researcher noticed that the vendors are selling products using the same firmware that is affected by an RCE vulnerability.
In the “white labeling” business model, various vendors simply sell the same product by applying their logo on the device, unfortunately, they never perform hardware and software qualification.
The vulnerable firmware is developed by a Chinese manufacturer TVT, Kerner that analyzed it discovered how to compromise DVR boxes of the CCTV systems.
The firmware analyzed by Kerner is used in products from an Israeli company selling CCTV systems, the code implements a vulnerable HTTP server.
The security vulnerability relies in the server checking if the directory of a given language exists. If the folder doesn’t exist the software executes an extraction command opening the door to a a remote command line execution.
It reads the URI, and if it contain something like the following – /language/[language]/index.html
its going to extract the [language] in between the slashes and check
if the directory exists, if not it is going to execute this command
tar –zxf /mnt/mtd/WebSites/language.tar.gz [language]/* -C /nfsdir/language This basically gives us a remote command line execution. Awesome!
Kerner also published a proof-of-concept code for the vulnerability affecting the firmware.
Kerner noticed that tens of thousands of products are currently the same vulnerable implementation of the HTTP server. His affirmation is motivated by the results produced querying the Shodan search engine, however, the number of vulnerable devices not reached by Shodan could be much higher.
“A quick Shodan query, revealed their distribution; a total of over 30,000(!). Quite a lot and yet I’m sure this is only a small portion of them.” said the researchers.
Kerner tried to report the issue to the original manufacturer TVT, but he has received no response, so he decided to disclose a list of vendors selling then devices with flawed firmware.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.