Posts

CVE-2019-7315: Genie Access WIP3BVAF IP Camera Directory Traversal

We have discovered a directory traversal vulnerability that affects Genie Access’ WIP3BVAF WISH IP 3MP IR Auto Focus Bullet Camera.  This security vulnerability can act as the first step to full device compromise and has been assigned CVE-2019-7315.

Proof of concept (PoC) of path traversal vulnerability discovered

The directory traversal vulnerability can be exploited via the web management interface for the IP camera, using a URL as follows:

http://www.example.com/../../../../../etc/shadow

Here is a screenshot showing the contents of the shadow file for a WIP3BVAF IP camera, including the root password hash:

As the WIP3BVAF IP camera makes use of a weak hashing algorithm (DES), it is relatively easy to brute force the hash and obtain the cleartext password, especially if a weak password is in use. Once the password has been recovered, it is possible to obtain a root shell on the camera via telnet:

From here, the username and plaintext password for the web interface can be retrieved by using a tool such as strings against the /mnt/mtd/flash/config.dat file. Once these have been obtained, administrative access to the management interface is possible, where the camera feeds can be viewed and disabled, or the camera configuration adjusted.

Models with the directory traversal vulnerability

All firmware versions for this particular model (3.x.x) are affected.

While a firmware version (4.2.1) has been released to address the security vulnerability in later camera models, this version is not transferable to the WIP3BVAF model. This is due to the fact that the WIP3BVAF model is based on H.264 encoding, while later models of camera manufactured by Genie Access make use of H.265 encoding.

The WIP3BVAF is no longer manufactured by Genie Access and can be considered as end of life. According to the manufacturer, no patch addressing this vulnerability will be released.

Conclusion

As demonstrated, the path traversal vulnerability can be the potential starting point for complete compromise of the WIP3BVAF camera.

Since no fix will be forthcoming due to the camera being end of life and no longer manufactured, it is advisable to refrain from using this model. If this isn’t an option, a sufficiently isolated VLAN should be considered for the camera to prevent it being easily accessible, and a strong, unique password should be set for the root user.

Genie Access Directory Traversal Vulnerability Timeline

  • Vulnerability discovered: 7 Jan 2019
  • Genie Access informed: 13 Jan 2019
  • Genie Access response detailing no fix would be forthcoming: 16 Jan 2019
  • Nettitude public disclosure: 29 May 2019

CVE-2018-10956: Unauthenticated Privileged Directory Traversal in IPConfigure Orchid Core VMS

Affected Software: IPConfigure Orchid Core VMS (All versions < 2.0.6, tested on Linux and Windows)

Vulnerability: Unauthenticated Privileged Directory Traversal

CVE: CVE-2018-10956

Impact: Arbitrary File Read Access

Metasploit module:

https://github.com/nettitude/metasploit-modules/blob/master/orchid_core_vms_directory_traversal.rb

Summary of Vulnerability

IPConfigure Orchid Core VMS is a Video Management System that is vulnerable to a directory traversal attack, which allows underlying database access, access to camera feeds and more. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the “sudoers” group. As such, any file on the underlying system, for which the location is known, can be read.

Nettitude has performed limited testing on the Windows version of Orchid Core VMS, and has been able to read files such as ‘C:/Windows/debug/NetSetup.log’ and ‘C:/WINDOWS/System32/drivers/etc/hosts’. Reading these files does not require permissions greater than a regular user account, however, it is possible that the Orchid Core VMS web server is running in a privileged context.

Below is an image for the login page of Orchid Core VMS.

Metasploit Module

We have created a Metasploit module for this vulnerability, which can be found here:

Vulnerability Analysis and Impact

Discovery of the vulnerability involved multiple steps, such as identifying the correct URL encoding that is accepted by the application, as well as the location of files on the underlying system, the latter of which was conducted through manual and automated fuzzing techniques.

The following images will help explain the discovery and exploitation of this vulnerability. This is the first GET request that was sent through a browser.

Request: https://ip/../../../../../../../etc/shadow

The response is interesting as the error suggests that it may be possible to read resources on the underlying web server. In this request it appears that the dot-dot-slash ( ../) was removed by the application. As such, in the second request, the dot-dot-slash was URL encoded and once again submitted through the browser.

Request: https://ip/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/shadow

In this request, the URL encoding for the forward slash ( %2e) was removed. Nettitude submitted a third request, the browser was bypassed and the same request was sent to the web server using curl.

The following image demonstrates the ability to read the ‘/etc/shadow’ file on a Linux file system. This is of particular concern as it displays that the Orchid web service is running with high user privileges. With this level of access an attacker is in the position to read certain files of interest. This includes SSH private keys, VPN configuration files and all other files on the underlying system.

The following image demonstrates the ability to read the ‘C:\Windows\debug\NetSetup.log’ file on a Windows file system. This demonstrates that the vulnerability is not limited to the Linux file system and affects both Windows and Linux operating systems.

Furthermore, Nettitude was able to identify the applications structure and database location using readily available developer documentation and the online knowledge base for Orchid Core VMS (https://support.ipconfigure.com/hc/en-us/categories/200146489-Orchid-Core-VMS).

Orchid Core VMS uses a SQLite database, which is intended to be treated as a file on modern operating systems. Nettitude was able to download this database using the previously described directory traversal vulnerability. The image below represents the users which have access to the application, along with their SHA1 16-byte salted password hashes. Upon successfully cracking password hashes and obtaining the cleartext password for a user account, an attacker is placed in the position to view live-camera streams, manage user accounts and perform other application functions which are otherwise restricted to authenticated users.

Perusing through the database, Nettitude also discovered valid session ID’s for the web application and connected-camera descriptions.

Proof of Concept for Linux

curl --insecure https://IP/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/etc/shadow

Proof of Concept for Windows

curl http://IP:PORT/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e/Windows/debug/NetSetup.log

Disclosure Timeline

  • 20 April 2018: Discovered directory traversal vulnerability in Orchid VMS 2.0 on Ubuntu 14.04 LTS.
  • 7 May 2018: Confirmation of vulnerability on other Linux OS and Windows OS across all Orchid VMS versions.
  • 7 May 2018: Initial write up of vulnerability.
  • 7 May 2018: Initial reach out to IPConfigure. Submitted request for contact details for an information security employee.
  • 8 May 2018: Verified that the correct contact has been reached.
  • 9 May 2018: Requested CVE reservation from Mitre.
  • 9 May 2018: Received CVE-2018-10956 from Mitre.
  • 9 May 2018: Sent PGP encrypted vulnerability write up to contact at IPConfigure.
  • 11 May 2018: Received confirmation of vulnerability from IPConfigure.
  • 11 May 2018: IPConfigure releases v2.0.6 for public download, resolving the identified vulnerability.
  • 20 June 2018: Nettitude publicly disclosed the vulnerability