Multiple Vulnerabilities in Infiray IRAY-A8Z3 thermal camera

Title: Multiple Vulnerabilities
Product: Infiray IRAY-A8Z3 thermal camera
Vulnerable Version: V1.0.957
Fixed Version: None
CVE Number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210, CVE-2022-31211
Impact: critical
Found: 01.02.2021
By: S. Robertz (Office Vienna), F. Lienhart | SEC Consult Vulnerability Lab

The IRAY A8Z3 thermal camera for industrial applications, manufactured by Infiray/IRay Technologies, is affected by multiple vulnerabilities. These are a direct consequence of insecure coding practices, insecure configuration and outdated software components within the embedded firmware. Multiple attack vectors were found that result in remote code execution (RCE). The vendor stopped replying to our communication attempts, hence it is unclear whether patches are available.

Vendor description

"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops and manufactures infrared FPA detectors, thermal imaging modules, and other products, with completely independent intellectual property rights. We are committed to providing global customers with professional thermal imaging products and solutions. The main products include IRFPA detectors, thermal imaging cores, and terminal products for application." 

Source: http://www.infiray.com/about.html

Business recommendation

The vendor was unresponsive during the disclosure process. Hence it is unclear whether patches are available. Customers are urged to approach their vendor contact and request security reviews and updates. 

SEC Consult recommends performing a thorough security review of these products, conducted by security professionals, to identify and resolve all security issues.

Vulnerability overview/description

1) Hardcoded Web Credentials (CVE-2022-31210) 

The binary file "/usr/local/sbin/webproject/set_param.cgi" contains hardcoded credentials for the web application. As these accounts can neither be deactivated nor have their passwords changed, they are considered backdoor accounts.

2) Authenticated Remote Code Execution (CVE-2022-31208) 

The webserver contains an endpoint that executes arbitrary commands supplied via the "cmd_string" URL parameter. The attacker can log in using one of the backdoor accounts from issue 1.

3) Potential Buffer Overflow (CVE-2022-31209) 

The firmware contains a potential buffer overflow by calling strcpy() without checking the string length beforehand. 

4) Telnet Root Shell without Password (CVE-2022-31211) 

The camera offers a shell through a telnet connection. The root user does not require a password by default. Thus, anyone on the local network can execute arbitrary commands as root on the camera.

5) Multiple Outdated Software Components 

Multiple outdated software components containing vulnerabilities were found by the IoT Inspector (ONEKEY) firmware analysis platform.  

Proof of concept

1) Hardcoded Web Credentials (CVE-2022-31210) 

The following cgi program will be executed during the login process: 

http ://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge&set_cmd=loading&length=35&name=<user>&password=<password>&access=0&0.3543773172371312 

The following de-compilation shows the code flow with the hardcoded passwords: 

[ PoC removed ] 

The authentication works by comparing the URL-supplied username with the string "[removed]". Afterwards it compares the password parameter to "[removed]" as well. If both string parameters match, a message is removed from the messaging queue. Otherwise the function simply returns. The same comparison holds for the admin account.

Furthermore, the string comparisons are case-insensitive, which drastically improves the chances of brute-force attacks.

2) Authenticated Remote Code Execution (CVE-2022-31208) 

The web application offers an option to view the device log. Opening the following URL while logged in as admin (e.g. with the hardcoded password from section 1) triggers the request:

http ://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd_string" parameter, arbitrary commands can be executed with the rights of the webserver (www-data). The de-compiled code can be seen in the following snippet:

[ PoC removed ] 

The "cmd_string" parameter is directly passed into popen() and hence executed. 
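The root cause is that the request supplies the command text itself. The following C snippet is an added illustration of the hardened pattern and is not code from the camera firmware: the CGI only accepts a tag that selects an entry from a fixed table and runs that entry with execv(), so no shell is ever involved and the "cmd_string" parameter disappears entirely. The table entries (paths and tag names) are hypothetical placeholders.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed table of operations the CGI may perform. A request can only select
 * an entry by name; it can never supply command text. The paths below are
 * hypothetical placeholders, not values taken from the device firmware. */
struct allowed_cmd {
    const char *tag;
    const char *const argv[4];
};

static const struct allowed_cmd allowed_cmds[] = {
    { "device_log", { "/bin/cat", "/var/log/messages", NULL } },
    { "uptime",     { "/usr/bin/uptime", NULL } },
};

/* Exact, case-sensitive lookup of the requested tag. Anything that is not
 * literally in the table (including values containing shell metacharacters)
 * yields NULL, so a "cmd_passthrough" style free-form command is impossible. */
const char *const *lookup_cmd(const char *cmd_tag)
{
    if (cmd_tag == NULL) return NULL;
    for (size_t i = 0; i < sizeof allowed_cmds / sizeof allowed_cmds[0]; i++)
        if (strcmp(allowed_cmds[i].tag, cmd_tag) == 0)
            return allowed_cmds[i].argv;
    return NULL;
}

/* Run an allow-listed entry directly with execv(): unlike popen(), no
 * /bin/sh parses the arguments. Returns the child's exit status, or -1 if
 * the tag was rejected or the child could not be started. */
int run_cmd_tag(const char *cmd_tag)
{
    const char *const *argv = lookup_cmd(cmd_tag);
    if (argv == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);                       /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```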

3) Potential Buffer-Overflow (CVE-2022-31209) 

The firmware contains a potential buffer overflow vulnerability: 

[ PoC removed ] 

A pointer to the "next_url" parameter is supplied. A buffer of 64 bytes is allocated and the parameter value copied to it without checking the string length. Hence, a "next_url" parameter with more than 64 bytes could be supplied in order to overflow the buffer. Please note that this vulnerability is only based on firmware analysis and thus was not tested in a live scenario. 
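As an added example (not code from the firmware), the following C snippet places the unchecked strcpy() pattern described above next to a bounded variant that measures the "next_url" value against the 64-byte destination before copying and rejects anything that does not fit, terminator included. The buffer size is the one stated in the advisory; the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NEXT_URL_MAX 64   /* destination buffer size described in the advisory */

/* Pattern described in the advisory: the parameter is copied into a fixed
 * 64-byte buffer with strcpy(), so any value of 64 bytes or more (counting
 * the terminating NUL) writes past the end of the buffer. Shown only for
 * contrast; it is never called with untrusted input here. */
void copy_next_url_unsafe(char out[NEXT_URL_MAX], const char *next_url)
{
    strcpy(out, next_url);
}

/* Hardened variant: bound the length measurement, reject values that leave
 * no room for the terminator, and always leave the destination NUL-terminated.
 * Returns true only when the value was copied in full. */
bool copy_next_url_safe(char out[NEXT_URL_MAX], const char *next_url)
{
    if (next_url == NULL) {
        out[0] = '\0';
        return false;
    }
    /* strnlen() stops at NEXT_URL_MAX, so an over-long (or unterminated)
     * value is never scanned beyond the size we are willing to accept. */
    size_t len = strnlen(next_url, NEXT_URL_MAX);
    if (len >= NEXT_URL_MAX) {        /* 64 or more bytes: no room for NUL */
        out[0] = '\0';
        return false;
    }
    memcpy(out, next_url, len + 1);   /* copies the terminator as well */
    return true;
}
```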

4) Telnet Root Shell without Password (CVE-2022-31211) 

The camera has a telnetd server running on port 23 by default. The root password is empty. If the telnet port is exposed to the internet, an attacker could easily connect to the device and gain root access. The telnet server cannot be deactivated and the root password cannot be changed through the web interface.

5) Multiple Outdated Software Components 

IoT Inspector (ONEKEY) recognized multiple outdated software components with known vulnerabilities:

BusyBox 1.25.0:                                  6 CVEs 
curl 7.54.0:                                    13 CVEs 
Dnsmasq 2.76:                                    9 CVEs 
lighttpd 1.4.41:                                 2 CVEs 
Linux Kernel 3.10.104:                        1004 CVEs 
hostapd 2.5:                                    22 CVEs 
wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs 

Vulnerable / tested versions

The following product/firmware version has been tested: 

  • Infiray IRAY-A8Z3 V1.0.957 

It has to be assumed that further products or firmware versions are affected as well. 

Vendor contact timeline

2021-02-24 Contacting vendor through email address found on their website (sales@infiray.com)
2021-03-11 Contacted vendor again through sales@infiray.com
2021-04-12 Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com
2021-04-12 Response from Sales Director, does not understand what to do with the information
2021-04-12 Requesting a contact to the product owner or developer
2021-04-13 Sending unencrypted security advisory to two provided email addresses.
2021-04-29 Requesting status from vendor, no reply.
2022-04-05 Requested status from vendor, no reply.
2022-06-07 Release of security advisory.

Solution

The vendor was unresponsive during the disclosure process. Hence it is unclear whether patches are available. Customers are urged to approach their vendor contact and request security reviews and updates. 

Workaround: 

None 

Advisory URL: 

https://sec-consult.com/vulnerability-lab/

EOF S. Robertz, F. Lienhart / @2022 
