Hungarian bug-hunters spot 130,000 vulnerable Avtech vid systems on Shodan
SOHOpeless CCTVs and video recorders
It shouldn't surprise anyone that closed circuit television (CCTV) rigs are becoming the world's favourite botnet hosts: pretty much any time a security researcher looks at a camera, it turns out to be a buggy mess.
According to this advisory, Avtech's IP cameras and video recorders offer the world the usual list of possible exploits: credentials in plain text, information disclosure, request forgery vulns, and more.
The advisory claims all Avtech CCTVs, digital video recorders and network video recorders – and all firmware revisions – contains vulnerabilities.
The researchers who turned up the vulnerabilities, from the Budapest University of Technology and Economics, say around 130,000 vulnerable devices are searchable on Shodan.
Since the bugs haven't yet been fixed, users are advised to change their admin passwords and take the devices off the Internet.
Of the 14 vulnerabilities disclosed by the researchers, some are pretty special:
- All cgi scripts are remotely accessible without authentication;
- All device settings can be accessed and modified via a cross-site request forgery attack;
- All passwords are accessible in plain text;
- DVRs have a search.cgi that doesn't need authentication. Not only does that let an attacker into the target device, the script also searches for cameras on the local network. Search.cgi also has a command injection vulnerability that lets an attacker get root on the target;
- If you need to bypass authentication – remember, there's no credential protection anyway – there are two vectors, either via video plugins stored in the Web root; or via /cgi-bin/nobody;
- Someone figured login needed a captcha; to stop the captcha irritating developers, there's a login=quick parameter that nobody thought to remove. Oh, and the captcha can be bypassed if an attacker manually sets the appropriate cookie in their request.
The researchers say they pressed the “publish” button after trying to contact Avtech in October 2015, and twice in May 2016. ®