CVE-2017-8229

{"id": "CVE-2017-8229", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-07-03T20:15:10.633", "references": [{"url": "http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-255"}]}], "descriptions": [{"lang": "en", "value": "Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary \"sonia\" is the one that has the vulnerable function that sets up the default credentials on the device. If one opens this binary in IDA-pro one will notice that this follows a ARM little endian format. The function sub_436D6 in IDA pro is identified to be setting up the configuration for the device. If one scrolls to the address 0x000437C2 then one can see that /current_config is being set as an ALIAS for /mnt/mtd/Config folder on the device. If one TELNETs into the device and navigates to /mnt/mtd/Config folder, one can observe that it contains various files such as Account1, Account2, SHAACcount1, etc. This means that if one navigates to http://[IPofcamera]/current_config/Sha1Account1 then one should be able to view the content of the files. The security researchers assumed that this was only possible only after authentication to the device. However, when unauthenticated access tests were performed for the same URL as provided above, it was observed that the device file could be downloaded without any authentication."}, {"lang": "es", "value": "Los dispositivos Amcrest IPM-721S V2.420.AC00.16.R.20160909 permiten que un atacante no identificado descargue las credenciales administrativas. Si la versi\u00f3n del firmware V2.420.AC00.16.R 9/9/2016 se diseca con la herramienta binwalk, se obtiene un archivo _user-x.squashfs.img.extracted que contiene el sistema de archivos configurado en el dispositivo que muchos de los binarios en la carpeta / usr. El \"sonia\" binario es el que tiene la funci\u00f3n vulnerable que configura las credenciales predeterminadas en el dispositivo. Si uno abre este binario en IDA-pro, notar\u00e1 que sigue un formato ARM little endian. La funci\u00f3n sub_436D6 en IDA pro se identifica para configurar la configuraci\u00f3n del dispositivo. Si uno se desplaza a la direcci\u00f3n 0x000437C2, se puede ver que / current_config se est\u00e1 configurando como ALIAS para la carpeta / mnt / mtd / Config en el dispositivo. Si se coloca un TELNET en el dispositivo y se navega a la carpeta / mnt / mtd / Config, se puede observar que contiene varios archivos como Account1, Account2, SHAACcount1, etc. Esto significa que si se navega a http: // [IPofcamera] / current_config / Sha1Account1 entonces uno deber\u00eda poder ver el contenido de los archivos. Los investigadores de seguridad asumieron que esto solo era posible despu\u00e9s de la autorizaci\u00f3n en el dispositivo. Sin embargo, cuando se realizaron pruebas de acceso no autenticado para la misma URL que se proporcion\u00f3 anteriormente, se observ\u00f3 que el archivo del dispositivo pod\u00eda descargarse sin ninguna autorizaci\u00f3n."}], "lastModified": "2019-07-11T02:29:10.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:amcrest:ipm-721s_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2EC72AB3-67BC-4187-8918-8030B045F383", "versionEndIncluding": "2.420.ac00.16.r.20160909"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:amcrest:ipm-721s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A8A354BD-B8FC-45D1-B8B2-5A44334CF2F8"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}