Visual Tools DVR Multiple Vulnerabilities

Command injection, password and file disclosure.

Posted by Andrea Fabrizi on October 15, 2012

Visual Tools develops, manufactures and commercializes video surveillance and video observations systems under the global brand name VideoSafe Technology or under other companies’ brand names.

The DVR systems are based on x86 Debian GNU Linux embedded (aka emdebian) and the entire framework and software are written using Python.

After a full reverse engineering of the firmware I found some interesting vulnerabilities, which allow an unauthorized user to access the DVR web interface and gain a root shell on the system. At the time I write this advisory, all DVR products commercialized by Visual Tools, based on this firmware, are vulnerable.

The version affected is VS Series <= 3.0.6.16 and VX Series <= 4.2.19.2

Administration password disclosure

The system expose an hidden cgi which disclose the Operator/Supervisor/Administrator password if requested during the first ten minutes after system boot.

http://DVR_ADDRESS/cgi-bin/util/passwords.py

It’s possible to write a simple script which check the cgi, every five minutes for example, waiting for the device reboot, which sooner or later, it will happen.

Default Administration password

As the previous vulnerability, also in this case is possible to access any DVR system, during the first ten minutes after system boot, using an hard-coded password.

The default password is: elefante (valid for Operator/Supervisor/Administrator account)

Log files disclosure

The system expose an hidden cgi which allow any unauthenticated user to get the system log files. By default the script does not works, because the zip file is generated into the cgi-bin directory. But… taking advantage of a directory traversal vulnerability which affect the same script, it’s possible to write the zip file into the apache root directory, and download it directly via browser.

http://DVR_ADDRESS/cgi-bin/util/ziplogs.py?filename=../../html/logs
http://DVR_ADDRESS/logs.zip (the zip file generated)

Moreover, the file service.log contains the Session ID of the authenticated user, which can be used to hijack an existing session.

recv_ip_filtering.py command injection

It’s possible, for authenticated users, to exploit a command injection vulnerability which affects the script /cgi-bin/conf/recv_ip_filtering.py. This script, used to add or remove ip addresses from the local iptables, take one parameter which contains a list of IPs separated by space, so is not possible to execute directly a command which contains a space char. A workaround can be done passing the command through an http header (user-agent for example).

POST http://DVR_ADDRESS/cgi-bin/conf/recv_ip_filtering.py HTTP/1.1
User-Agent: [COMMAND]
Cookie: language=en; session=VALID_SESSION_ID; user=administrator;
current_page=main/400_Mconf/200_Mnetwork
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

iplistFields=192.168.0.1+192.168.0.2%3b$HTTP_USER_AGENT%3b

The command will be executed with the privilege of the apache user.

init_diskmgr insecure permissions

The script /home/apache/DiskManager/cron/init_diskmgr, writable by the apache user, is executed by crontab every 15 minutes, with root privileges. So, editing the script and waiting the scheduled execution, it’s possible to run command on the system with root privileges.

By default the ssh access is denied because the /etc/shadow don’t contains the root password shadow, but exploiting this vulnerability it’s possible to add it and gain ssh access to the system.

Timeline

  • 21/09/2012: Vendor contact. No response.
  • 15/10/2012: Disclosure.