Vulnerabilities > CVE-2015-2279 - OS Command Injection vulnerability in Airlive products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
airlive
CWE-78
critical
exploit available

Summary

cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, write_msn, write_tan, or write_hdv parameter.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Exploit-Db

descriptionAirLive Multiple Products OS Command Injection. CVE-2015-2279. Webapps exploit for hardware platform
fileexploits/hardware/webapps/37532.txt
idEDB-ID:37532
last seen2016-02-04
modified2015-07-08
platformhardware
port8080
published2015-07-08
reporterCore Security
sourcehttps://www.exploit-db.com/download/37532/
titleAirLive Multiple Products OS Command Injection
typewebapps

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/132585/CORE-2015-0012.txt
idPACKETSTORM:132585
last seen2016-12-05
published2015-07-06
reporterCore Security Technologies
sourcehttps://packetstormsecurity.com/files/132585/AirLive-Remote-Command-Injection.html
titleAirLive Remote Command Injection

Seebug

bulletinFamilyexploit
description<p>大量AirLive IP监控摄像机被曝存在命令注入漏洞,攻击者可利用该漏洞窃取用户登录凭证并控制设备。</p><p>漏洞原理及影响范围</p><p>OvisLink公司制造的大量AirLive IP监控摄像机中都存在着命令注入漏洞,通过该漏洞,网络攻击者可以解码用户登录凭证,并可以完全控制监控设备。根据Core安全公司的专家们的消息,至少5种不同型号的AirLive监控摄像机都受此漏洞的影响。这5种型号的监控摄像机分别如下:</p><p>1、AirLive&nbsp;BU-2015,固件版本1.03.18&nbsp;16.06.2014<br>2、AirLive&nbsp;BU-3026,固件版本1.43&nbsp;21.08.2014<br>3、AirLive&nbsp;MD-3025,固件版本1.81&nbsp;21.08.2014<br>4、AirLive&nbsp;WL-2000CAM,固件版本LM.1.6.18&nbsp;14.10.2011<br>5、AirLive&nbsp;POE-200CAM&nbsp;v2&nbsp;,固件版本LM.1.6.17.01</p><p>研究人员Nahuel Riva<a href="http://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection" target="_blank">解释</a>道,AirLive摄像机MD-3025、BU-3026和BU-2015都受命令注入漏洞的影响,该漏洞存在于二进制文件cgi_test.cgi中。如果摄相机主人并没有将默认配置改变为强制使用HTTPS,那么攻击者将可以在未经身份认证的情况下请求该文件,而其实现方式就是通过注入任意命令到操作系统中。通过这种攻击,黑客可以访问由AirLive相机管理的所有信息,包括MAC地址、模型、硬件和固件版本以及aiother敏感细节。发布的博文中陈述道:</p><blockquote><p>“在处理某些特定参数时,AirLive&nbsp;MD-3025、BU-3026和BU-2015内的二进制文件cgi_test.cgi中存在一个操作系统命令注入漏洞[CVE-2015-2279],这将导致在未经身份认证的情况下可以请求这一特定CGI文件,除非用户修改了特定相机的配置情况,使该相机的每一个通信连接都必须通过HTTPS方式进行(默认未开启)。受影响的参数包括如下几个:write_mac、write_pid、write_msn、write_tan、&nbsp;write_hdv。”</p></blockquote><p>另外两种相机WL-2000CAM和POE-200 CAM,同样存在CGI文件中类似的漏洞,该漏洞允许运行一个命令注入操作。而AirLive相机的这两种型号中都对登录凭证进行了硬编码,这就使得攻击者可以很容易地检索并解码该凭证。</p><blockquote><p>AirLive&nbsp;WL-2000CAM和POE-200&nbsp;CAM中的二进制文件/cgi-bin/mft/wireless_mft.cgi中包含一个操作系统命令注入漏洞(CVE-2014-8389),通过使用硬编码的证书救可以利用该漏洞,该证书存在于嵌入式web服务器Boa的配置文件中:</p><p>username:&nbsp;manufacture<br>password:&nbsp;erutcafunam</p></blockquote><p><br></p><p>内容来自于<a href="http://www.freebuf.com/news/71870.html" rel="nofollow">http://www.freebuf.com/news/71870.html</a></p><p>原文<a href="http://securityaffairs.co/wordpress/38381/hacking/ip-airlive-cameras-flaws.html" rel="nofollow">http://securityaffairs.co/wordpress/38381/hacking/ip-airlive-cameras-flaws.html</a></p>
idSSV:89239
last seen2017-11-19
modified2015-07-08
published2015-07-08
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-89239
titleAirLive 系列 IP 摄像头命令注入漏洞