Command Injection Vulnerabilities Plague IP Enabled AirLive Cameras

Core Security disclosed information on command-injection vulnerabilities found in a number of AirLive IP-enabled cameras after repeated attempts to disclose to the manufacturer were ignored.

A handful of IP-enabled cameras are susceptible to command injection vulnerabilities that could let attackers decode user credentials and gain complete access to the devices.

At least five different types of AirLive cameras, manufactured by OvisLink Corp., an IP surveillance networking solutions provider based in Taiwan, are vulnerable, according to the security firm Core Security, which discovered the bugs.

Nahuel Riva, a researcher with Core’s Exploit Writing Team dug up the vulnerabilities and warns the following builds are at risk:

  • AirLive BU-2015 with firmware 1.03.18 16.06.2014
  • AirLive BU-3026 with firmware 1.43 21.08.2014
  • AirLive MD-3025 with firmware 1.81 21.08.2014
  • AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011
  • AirLive POE-200CAM v2 with firmware LM.

According to Riva the first three vulnerable cameras – MD-3025, BU-3026 and the BU-2015 – suffer from a command injection vulnerability in the cgi_test.cgi binary file. An attacker can request the file without authentication – that is unless the owner of the camera has changed its configuration to ensure each communication is done over HTTPS, something that is not enabled by default. Attackers can exploit the hole by injecting arbitrary commands into the operating system. By doing so, they can reveal the camera’s MAC address, model name, hardware version, firmware version, along with a slew of other sensitive details.

The other two cameras, WL-2000CAM and POE-200CAM, also have CGI files that suffer from a command injection flaw. Both have hardcoded credentials that can be easily be retrieved and decoded, Core Security warns.

“I found these vulnerabilities by looking at the firmware,” Riva said Monday of her research, “I found that I could invoke some CGIs without authentication, and some backdoor accounts allowed me to execute arbitrary OS commands on the device.”

Riva and the security firm tried multiple times to get in touch with AirLive to address the vulnerabilities. The company sent four emails and three tweets to the company over the course of May and June but never received a response. An email request for comment by Threatpost wasn’t immediately returned from the company on Monday.

IP cameras, as most things connected to the internet tend to be, can be prone to security vulnerabilities.

In March, D-Link patched an issue in some of its IP cameras that used a custom Linux distribution model. If exploited an attacker could have uploaded their own files, created or deleted information.

In 2013 Foscam, a Chinese company that makes IP surveillance cameras and baby monitors, got some heat when vulnerabilities surfaced, also discovered by Core, that allowed anyone with the camera’s internet address to watch live and archived video footage.

Suggested articles