At least five different types of AirLive cameras are susceptible to command injection vulnerabilities that could let attackers access user credentials, gaining complete control over the devices.
The cameras are manufactured by OvisLink, and are used in IP surveillance video installations. Core Security’s Nahuel Riva found that three of the vulnerable devices—MD-3025, BU-3026 and the BU-2015—suffer from an OS command injection in the cgi_test.cgi binary file.
The other two cameras, WL-2000CAM and POE-200CAM, have a command injection flaw in the vulnerable wireless_mft.cgi binary file.
The vulnerability means that those specific files can be requested without authentication, unless the user has specified in the configuration of the camera that HTTPS is used for communications—this is not enabled by default.
“I found these vulnerabilities by looking at the firmware,” Riva said told Threatpost. “I found that I could invoke some CGIs without authentication, and some backdoor accounts allowed me to execute arbitrary OS commands on the device.”
This enables attackers to access the camera’s MAC address, model name, hardware version, firmware version and other sensitive details.
Core Security tried several times to contact AirLive to address the vulnerabilities, but the company never responded, even after four emails and multiple tweets.