Security advisory: Visual Tools DVR (CVE-2021-42071)

Visual Tools DVR VX16 4.2.28.0 – OS Command Injection (unauthenticated)

Swascan Offensive Security Team identified a critical vulnerability during regular penetration testing on a client. The vulnerability concerns Visual Tools (trademark), software from AX Solution LA (https://visual-tools.com).

As of the time of publication (see the timeline at the bottom of the article), Swascan had informed AX Solution of the vulnerability and received no response.

This article will be updated with the publisher’s response.

AX Solutions at a glance

AX Solutions is a company with a solid technical, financial and commercial infrastructure, whose management is guided by the strategic vision of its executives and by the partnership with the most important technological and commercial partners in the fields of security and image technology.

AX Solutions develops and manufactures products and solutions for intelligent video observation and people counting for the professional market. These are sold under the Visual Tools brand through a strengthened international distribution channel consisting of a broad network of partners with active presence in more than 40 countries.

Technical summary

During a penetration test, Swascan’s cybersecurity research team found a critical vulnerability in Visual Tools DVR VX16 4.2.28.0.

Vulnerability: OS Command Injection
CVSSv3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: 9.8 (Critical)

The following section gives the technical details of this vulnerability, including evidence and a proof of concept.

This vulnerability can affect hundreds of Internet-connected devices.

Vulnerability details

OS Command Injection (unauthenticated)

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • CVSSv3.1: 9.8 [AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]
  • OWASP: A1:2017-Injection

Description

In Visual Tools DVR VX16 4.2.28, an unauthenticated attacker can obtain remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.
It is possible to launch the attack remotely without any form of authentication.

Proof of Concept

The following POC shows how to run system commands and get a remote shell.

# curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http://DVR_ADDR:PORT/cgi-bin/slogin/login.py

To demonstrate the vulnerability, the command “/bin/cat /etc/passwd” was executed and the HTTP response returned the contents of the file.

The payload follows the Shellshock pattern (reference 5): CGI hands the User-Agent header to the script as the HTTP_USER_AGENT environment variable, and a Shellshock-vulnerable Bash started with that variable in its environment parses the leading “() { :; };” as a function definition and then executes the commands that follow it. This is consistent with the Bash 3.2.39 build reported on the device below.

[Screenshot: command execution of “/bin/cat /etc/passwd”]

More details about the DVR:

Note: System Information
Details: Linux VSserver 2.6.35.4; i686 GNU/Linux Embedded Debian GNU 0.7

Note: Bash
Details: GNU bash, version 3.2.39(1)-release (i486-pc-linux-gnu)
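For defenders who cannot patch the device, the injection leaves a clear trace in web-server access logs: a request to the CGI endpoint whose User-Agent carries a Bash function definition or other shell metacharacters. The following detector is an added example written for this advisory, not code from Swascan or the vendor; it assumes logs in the Apache “combined” format, and the sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" access-log layout (assumed): client, ident, user, [time],
# "METHOD PATH PROTO", status, bytes, "referer", "user-agent".
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# "() {" is the Bash exported-function prefix of Shellshock payloads; no
# legitimate browser or tool User-Agent starts this way.
SHELLSHOCK_PREFIX = re.compile(r'\(\)\s*\{')
# Lower-confidence shell indicators. Plain ';' and parentheses are not used
# because ordinary UAs contain them ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)").
SHELL_METACHARS = re.compile(r'`|\$\(|\||&&|>|/bin/')


def classify_user_agent(path: str, ua: str) -> Optional[str]:
    """Return 'high', 'medium' or None for one request."""
    if SHELLSHOCK_PREFIX.search(ua):
        return "high"
    if path.startswith("/cgi-bin/") and SHELL_METACHARS.search(ua):
        return "medium"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each log line and collect requests worth alerting on."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        level = classify_user_agent(m["path"], m["ua"])
        if level:
            findings.append({"ip": m["ip"], "path": m["path"],
                             "ua": m["ua"], "level": level})
    return findings


# Constructed sample log lines (not logs from a real device).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2021:10:00:01 +0000] "GET /cgi-bin/slogin/login.py HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '198.51.100.7 - - [05/Jul/2021:10:00:02 +0000] "GET /cgi-bin/slogin/login.py HTTP/1.1" 200 1203 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"',
    '203.0.113.9 - - [05/Jul/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    '198.51.100.8 - - [05/Jul/2021:10:00:04 +0000] "GET /cgi-bin/slogin/login.py HTTP/1.1" 500 0 "-" "Mozilla/5.0 $(id)"',
]
```

Running scan(SAMPLE_LOG) flags only the two CGI requests with injected shell content, while the browser and curl requests pass silently.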

Impact

An attacker could gain access to the remote system and execute arbitrary commands on the Linux-based device as an unprivileged user.

Remediation

Swascan is not aware of a patch or update to fix this vulnerability.

Contact the vendor to ask for a new release, patch or device upgrade.

Mitigation

The Swascan Cyber Security Research Team recommends not exposing the device directly to the Internet; place the DVR behind a VPN connection instead.

Disclosure Timeline:

  • 2020-06-01: Vulnerabilities discovered
  • 2020-06-06: Vendor contacted by email (1st time, no reply)
  • 2021-06-18: CERT/CC contacted by email (no reply)
  • 2021-06-28: Vendor contacted by email (2nd time, no reply)
  • 2021-07-05: Exploit posted
  • 2021-07-07: CVE-ID requested at MITRE
  • 2021-10 (October): CVE-ID CVE-2021-42071 issued

Sources and references:

  1. https://www.cve.org/CVERecord?id=CVE-2021-42071
  2. https://nvd.nist.gov/vuln/detail/CVE-2021-42071
  3. https://www.exploit-db.com/exploits/50098
  4. https://visual-tools.com/
  5. https://en.wikipedia.org/wiki/Shellshock_(software_bug)
  6. https://owasp.org/www-community/attacks/Command_Injection
  7. https://cwe.mitre.org/data/definitions/78.html
  8. https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md