Probes for recent ABUS Security Camera Vulnerability: Attackers keep an eye on everything.
ABUS is usually better known for its "old-fashioned" mechanical locks. But as part of its b "Industry Solution" portfolio of products, ABUS is offering some more high-tech solutions, like, for example, network-connected cameras [1]. Sadly, these cameras suffer from some of the same vulnerabilities as many similar cameras.
In February, Peter Ohm disclosed a vulnerability affecting ABUS cameras on the full disclosure mailing list [2]. The disclosure includes three different vulnerabilities,
1 - Local File Inclusion
This vulnerability can be used to read arbitrary files:
cgi-bin/admin/fileread?READ.filePath=[filename]
2 - Remote command injection vulnerability
/cgi-bin/mft/wireless_mft?ap=irrelevant;[command]
This vulnerability allows for arbitrary command injection. Instead of a semicolon, an attacker could also use a pipe or a carriage return.
3 - Fixed "maintenance" account
The affected cameras use the following credentials for a built-in "maintenance" account.
manufacture erutcafunam
Among these vulnerabilities, the remote command execution vulnerability is the most interesting one. Yesterday, our sensor picked up exploit attempts consistent with this vulnerability:
/cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}
I did not obfuscate the command. The attacker did not correctly expand the command parameter. Maybe they are using a Python "f-string" but forgot the leading "f"?
All the attacks originate from an unconfigured server (45.95.147.229) in the Netherlands. This server has a history of attempts to exploit various common vulnerabilities.
But there is more...
Our web application honeypots have been around for a while, so we have some history to look back at. Similar exploit attempts are going back to 2015:
+------------+--------------------------------------------------------------------+
| date | url |
+------------+--------------------------------------------------------------------+
| 2015-07-12 | /cgi-bin/mft/wireless_mft |
| 2015-07-13 | /cgi-bin/mft/wireless_mft |
| 2015-07-13 | /cgi-bin/mft/wireless_mft?ap=testname;cat%20/var/www/secret.passwd |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;id |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;id |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;id |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig |
| 2023-05-20 | /cgi-bin/mft/wireless_mft |
| 2023-05-21 | /cgi-bin/mft/wireless_mft?ap=irrelevant;{payload} |
+------------+--------------------------------------------------------------------+
Back in 2015, CORE security released a very similar vulnerability in "Air Live" cameras [3][4]. Searching further shows that this vulnerability was also found in 2013 Zavio IP Cameras [5].
So this appears to be one of these all too common "IoT" security issues: The same firmware/hardware is being resold under different brands, and once a vendor fixes the flaw does in no way guarantee that other vendors selling the same equipment will even bother to look if they are vulnerable as well. ABUS likely is just the sales organization feeling zero responsibility to check if what they are selling is remotely fit to be connected to a network.
As a user of such a camera, you must ensure that you keep your firmware up to date and avoid exposing these cameras to the internet. And as ABUS puts it: "KEEP AN EYE ON EVERYTHING.", most notably your vendors.
[1] https://mobil.abus.com/usa/Commercial-Security/Industry-solutions/Campus-Security
[2] https://seclists.org/fulldisclosure/2023/Feb/16
[3] https://seclists.org/fulldisclosure/2015/Jul/29
[4] http://camera.airlive.com/
[5] https://www.exploit-db.com/exploits/25815
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Comments