How to hack surveillance cameras from 70 vendors

A security researcher has discovered that surveillance cameras sold by more than 70 vendors worldwide were vulnerable to Remote Code Execution (RCE).

According to the security researcher Rotem Kerner, surveillance cameras from 70 vendors are vulnerable to Remote Code Execution (RCE).

The researcher noticed that the vendors are selling products using the same firmware that is affected by an RCE vulnerability.

In the “white labeling” business model, various vendors simply sell the same product by applying their logo on the device, unfortunately, they never perform hardware and software qualification.

The vulnerable firmware is developed by a Chinese manufacturer TVT, Kerner that analyzed it discovered how to compromise DVR boxes of the CCTV systems.

The firmware analyzed by Kerner is used in products from an Israeli company selling CCTV systems, the code implements a vulnerable HTTP server.

c1

The security vulnerability relies in the server checking if the directory of a given language exists. If the folder doesn’t exist the software executes an extraction command opening the door to a a remote command line execution.

Below the explanation provided by the researcher:

It reads the URI, and if it contain something like the following – /language/[language]/index.html 

its going to extract the [language] in between the slashes and check
if the directory exists, if not it is going to execute this command 

tar –zxf /mnt/mtd/WebSites/language.tar.gz [language]/* -C /nfsdir/language
This basically gives us a remote command line execution. Awesome!

Kerner also published a proof-of-concept code for the vulnerability affecting the firmware.

Kerner noticed that tens of thousands of products are currently the same vulnerable implementation of the HTTP server. His affirmation is motivated by the results produced querying the Shodan search engine, however, the number of vulnerable devices not reached by Shodan could be much higher.

“A quick Shodan query, revealed their distribution; a total of over 30,000(!). Quite a lot and yet I’m sure this is only a small portion of them.” said the researchers.

Kerner tried to report the issue to the original manufacturer TVT, but he has received no response, so he decided to disclose a list of vendors selling then devices with flawed firmware.

Pierluigi Paganini

Subscribe to Cyber Defense Magazine

Join our mailing list, no strings attached. We never sell your data. We'll send you monthly e-magazines, webinar invites from us and our partners, cybersecurity trade show updates, awards, infosec news, cybersecurity tips and so much more on all things cyber defense.
Subscribe

Related News

Leading a Revolution to Provide Secure CCTV Cameras Transparency And Collaboration Between Vendors and Customers Are Key to Reducing Third-Party Security Incidents How Bad Actors Are Learning to Hack Humans in Phishing Attacks
March 30, 2016

CyberDefenseMagazine Follow 24,016 54,487

Cyber Defense Magazine - The Premier Source for IT Security and Compliance Information. https://t.co/748STKH6k0.

cyberdefensemag

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!

Show Me!
X