[s04e01] RCE on Geutebruck IP Cameras


Abstract

Those who follow our blog know that we like Geutebruck cameras: we found many trivial RCE on their products since 2016.

A few months ago two attendees (Guillaume Gronnier and Romain Luyer from CEIS) of one of our pentest training found new ways to exploit two old RCE we found two years ago ! We dug further and found an additional way and as a bonus a stored XSS has even been found by an attendee. It was a fun training… Those new attack vectors / vulnerabilites are affecting version 1.12.0.25 and prior versions of E2 series IP cameras.

 

Like before we’ve choose to “responsible disclose” these 0day vulnerabilities, directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).  Since then a new firmware has been released (1.12.13.2) to fix that, ICS-CERT has released an advisory and three CVE (CVE-2019-10956 – CVE-2019-10957 and CVE-2019-10958) have been assigned.

Many thanks to Geutebruck and ICS-CERT teams.

 

Advisory

  • 2019-10956: « Using a specially crafted URL command, a remote authenticated user can execute commands as root. »
  • 2019-10958: « User input is not properly validated, which could allow a remote authenticated attacker with access to network configuration to supply system commands to the server, leading to remote code execution as root.
  • 2019-10958: « A cross-site scripting vulnerability allows a remote authenticated attacker with access to event configuration to store malicious code on the server, which could later be triggered by a legitimate user resulting in code execution within the user’s browser »

https://ics-cert.us-cert.gov/advisories/ICSA-19-155-03

 

Exploit

Coming soon.

 

Mitigation

Geutebruck has released a new software version, Version 1.12.13.2, to address the identified vulnerabilities, which is available at the following location (registration needed):

http://www.geutebrueck.com/en_EN/login.html

If an update is not possible right now in between users can disable the “Enable anonymous access” option to mitigate the risk. The RCEs will remain but will only be reachable by authenticated users.

In the wild

Many brands use the same firmware:

  • UDP Technology (which is also the supplier of the firmware for the other vendors)
  • Ganz
  • Visualint
  • Cap
  • THRIVE Intelligence
  • Sophus
  • VCA
  • TripCorps
  • Sprinx Technologies
  • Smartec
  • Riva