Multiple zero-day vulnerabilities were actively being exploited in CCTV security cameras manufactured by Taiwan-based LILIN, researchers found.
The company, an IP video solution provider, was being targeted by hackers hijacking the company’s DVR hardware. Once commandeered, hackers then planted malware on devices to run botnets Chalubo, FBot and Moobot.
Researchers said the attacks began August 30. The company was notified on January 19 of the bugs. And on February 14 the vulnerabilities were patched. Public disclosure was on Friday by Qihoo 360’s NetLab team. Firmware is available that fixes the bugs found in 11 LILIN DVR and IP cameras.
According to a technical description of the attacks by NetLab, the flaw is broken down into three parts. Researchers describe it as, “Hard-coded login credentials, /z/zbin/dvr_box command-injection vulnerabilities and /z/zbin/net_html.cgi arbitrary file-reading vulnerabilities.”
They added, “/z/zbin/dvr_box provides web services, and its web interface /dvr/cmd and /cn/cmd have a command-injection vulnerability. The injected parameters have been: NTPUpdate, FTP and NTP.”
As for the botnets, instances of Chalubo bots were first spotted in August. The malware is known for targeting poorly secured internet-of-things (IoT) devices. FBot, meanwhile, is a Satori-related botnet known for using blockchain DNS systems for propagation. Moobot is a new botnet family based on the Mirai botnet, according to NetLab. Researchers did not offer details in terms of what was being targeted by the botnets, only that the LILIN DVR and IP cameras were tied to unspecified DDoS campaigns.
Patch Deployment Needed
Because the firmware patch must be deployed by equipment owners, and can’t be pushed out by the vendor, it’s unclear when the majority of affected hardware will be updated. For years, the security community has warned that IoT poses a growing security risk chiefly because many devices are still in use that cannot be easily updated to fix security bugs.
As for the LILIN DVR vulnerability specifics, one is tied to the DVR’s NTPDate computer program. NTPDate is a program used for synchronizing a computer’s date and time by querying a Network Time Protocol (NTP) server. According to researchers, the LILIN software doesn’t filter special characters out of one of the ValidateHostName fields, which opens the door for an attacker to launch a command-injection attack.
Similar injection vulnerabilities exist within the software’s FTP settings that eventually allow remote access to the “/dvr/cmd” interface through hard-coded account passwords. CMD (or cmd.exe) is known as the command prompt or the command-line interpreter, which gives a user carte blanche to do almost anything to the underlying software.
“Device configuration /zconf/service.xml, can be obtained through hard-coded login account password and /z/zbin/net_html.cgi arbitrary file reading,” researchers wrote. “By modifying the server field of the FTP or NTP parameters in the /zconf/service.xml, backdoor commands can be injected.”
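The root cause described in the two preceding passages, an NTP/FTP server field that is not filtered for special characters before reaching a shell, is the kind of bug an allow-list check prevents. The following is an added illustration written for this article, not code from NetLab, LILIN or the affected firmware: it contrasts the vulnerable string-concatenation pattern with a hardened version that validates the hostname and invokes the program via an argument list, and it audits a constructed service.xml-style document for server fields that would not pass that check. The element layout of the sample XML and the `ntpdate` invocation are assumptions; the real /zconf/service.xml format is not shown on the page.

```python
import re
import xml.etree.ElementTree as ET

# Allow-list for one DNS label per RFC 1123: letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 characters. Shell metacharacters
# such as ';', '|', '`', '$' and whitespace can never match this pattern.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: True only for a syntactically valid hostname or IPv4 literal."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(HOSTNAME_LABEL.match(label) for label in labels)


def build_ntp_update_command_unsafe(server: str) -> str:
    # Vulnerable pattern, shown for contrast: the server field is spliced into a
    # single shell string, so any metacharacter in it is interpreted by the shell.
    return "ntpdate " + server


def build_ntp_update_command(server: str) -> list:
    # Hardened pattern: reject anything that is not a plain hostname, then return
    # an argv list. Executing it with subprocess.run(argv) (no shell=True) means
    # the value is only ever a single argument, never shell syntax.
    if not is_valid_hostname(server):
        raise ValueError("rejected NTP server value: %r" % server)
    return ["ntpdate", server]


def audit_service_xml(xml_text: str) -> list:
    """Return (service, value) pairs for ftp/ntp <server> fields that fail the allow-list.

    Useful as a defender-side check of a device's exported configuration: a
    server field containing shell syntax is a strong sign of tampering.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for service in ("ftp", "ntp"):
        for elem in root.iter(service):
            server = elem.findtext("server") or ""
            if not is_valid_hostname(server):
                findings.append((service, server))
    return findings


# Constructed sample configuration (assumed layout, not the real file): the NTP
# server is clean, the FTP server field has been tampered with.
SAMPLE_SERVICE_XML = """<?xml version="1.0"?>
<services>
  <ntp><enable>1</enable><server>pool.ntp.org</server></ntp>
  <ftp><enable>1</enable><server>ftp.example.net;ls</server></ftp>
</services>"""


if __name__ == "__main__":
    print("unsafe:", build_ntp_update_command_unsafe("pool.ntp.org;ls"))
    print("hardened:", build_ntp_update_command("pool.ntp.org"))
    for service, value in audit_service_xml(SAMPLE_SERVICE_XML):
        print("suspicious %s server field: %r" % (service, value))
```

The validator is deliberately strict rather than a deny-list of known metacharacters: a deny-list has to anticipate every character a shell treats specially, whereas the allow-list only admits what a hostname can contain, and the argv-based invocation removes the shell from the path entirely so that even a validation gap does not become code execution.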
The company said a newly patched version (2.0b60_20200207) fixes the vulnerability.