A vulnerability in the consumer-grade Amcrest IP2M-841B IP home security video camera would allow an attacker to remotely listen to the camera’s audio over the internet, without authentication.
“Essentially, if this thing is connected directly to the internet, it’s anyone’s listening device,” explained Jacob Baines, researcher with Tenable Security, in a posting on the flaw this week.
The bug (CVE-2019–3948) exists in the firmware of the device, which is based on OEM code from another vendor, Dahua (a Chinese company that the U.S. is considering blacklisting over espionage concerns). Tenable found that, like many Wi-Fi-enabled Dahua devices, the IP2M-841B has a service listening on TCP port 37777.
“Previously, another researcher had discovered a remote attacker can login to this interface using a captured hash (CVE-2017-7927),” Baines said. “Dahua appeared to fix this at the time. However, Tenable discovered the Amcrest IP2M-841B was still vulnerable to this attack if the user’s password was only 8 characters long.”
From Amazon’s ad for the device.
A proof-of-concept script logs in a remote attacker using “admin” and “01testit” hashes to make authenticated request.
There’s also a second bug: the camera exposes a file called “/videotalk” within the component HTTP Endpoint. The researcher said that connecting to the audio stream is trivial: “Any remote unauthenticated attacker that can decode the DHAV [audio-output] format can make a single HTTP request and listen to the camera’s audio.”
“Simply point your browser or a tool like VLC [a free media player] at the videotalk endpoint,” Baines said. In the latter case, “VLC just doesn’t understand the ‘DHAV’ container that the camera has wrapped the audio in. Fortunately, it was pretty easy to write a script that connects to the endpoint and extracts the audio so that it can be played by ffplay [an open-source media player].”
The IP2M-841B should be upgraded to V2.420.AC00.18.R or later to address the issues. But Baines added that other cameras that white-label the same Dahua camera may also be vulnerable.
“Amcrest is one of many companies that rebrand Dahua products,” Baines noted. “But because each company seems to keep their devices at different patch levels or include different features, it remains unclear how many vendors are vulnerable to this particular issue..since Dahua was included in our disclosure timeline we assume patches exist or are forthcoming.”
Interested in more on patch management? Don’t miss our free Threatpost webinar, “Streamlining Patch Management,” now available on-demand. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Click here to listen (registration required).
