Probes for recent ABUS Security Camera Vulnerability: Attackers keep an eye on everything.

Published: 2023-05-22
Last Updated: 2023-05-22 11:47:02 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

ABUS is usually better known for its "old-fashioned" mechanical locks. But as part of its b "Industry Solution" portfolio of products, ABUS is offering some more high-tech solutions, like, for example, network-connected cameras [1]. Sadly, these cameras suffer from some of the same vulnerabilities as many similar cameras.

In February, Peter Ohm disclosed a vulnerability affecting ABUS cameras on the full disclosure mailing list [2]. The disclosure includes three different vulnerabilities,

1 - Local File Inclusion

This vulnerability can be used to read arbitrary files:

cgi-bin/admin/fileread?READ.filePath=[filename]

 

2 - Remote command injection vulnerability

/cgi-bin/mft/wireless_mft?ap=irrelevant;[command]

This vulnerability allows for arbitrary command injection. Instead of a semicolon, an attacker could also use a pipe or a carriage return.

3 - Fixed "maintenance" account

The affected cameras use the following credentials for a built-in "maintenance" account.

manufacture erutcafunam

 

Among these vulnerabilities, the remote command execution vulnerability is the most interesting one. Yesterday, our sensor picked up exploit attempts consistent with this vulnerability:

/cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}

I did not obfuscate the command. The attacker did not correctly expand the command parameter. Maybe they are using a Python "f-string" but forgot the leading "f"?

All the attacks originate from an unconfigured server (45.95.147.229) in the Netherlands. This server has a history of attempts to exploit various common vulnerabilities.

But there is more...

Our web application honeypots have been around for a while, so we have some history to look back at. Similar exploit attempts are going back to 2015:

+------------+--------------------------------------------------------------------+
| date       | url                                                                |
+------------+--------------------------------------------------------------------+
| 2015-07-12 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft?ap=testname;cat%20/var/www/secret.passwd |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2023-05-20 | /cgi-bin/mft/wireless_mft                                          |
| 2023-05-21 | /cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}                  |
+------------+--------------------------------------------------------------------+

Back in 2015, CORE security released a very similar vulnerability in "Air Live" cameras [3][4]. Searching further shows that this vulnerability was also found in 2013 Zavio IP Cameras [5]. 

So this appears to be one of these all too common "IoT" security issues: The same firmware/hardware is being resold under different brands, and once a vendor fixes the flaw does in no way guarantee that other vendors selling the same equipment will even bother to look if they are vulnerable as well. ABUS likely is just the sales organization feeling zero responsibility to check if what they are selling is remotely fit to be connected to a network.

As a user of such a camera, you must ensure that you keep your firmware up to date and avoid exposing these cameras to the internet. And as ABUS puts it: "KEEP AN EYE ON EVERYTHING.", most notably your vendors.

[1] https://mobil.abus.com/usa/Commercial-Security/Industry-solutions/Campus-Security
[2] https://seclists.org/fulldisclosure/2023/Feb/16
[3] https://seclists.org/fulldisclosure/2015/Jul/29
[4] http://camera.airlive.com/
[5] https://www.exploit-db.com/exploits/25815

---

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords: abus camera iot
0 comment(s)
ISC Stormcast For Monday, May 22nd, 2023 https://isc.sans.edu/podcastdetail/8506

Comments

What's this all about ..?

Anonymous

Dec 3rd 2022
9 months ago

password reveal .

Anonymous

Dec 3rd 2022
9 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Anonymous

Dec 26th 2022
8 months ago

https://thehomestore.com.pk/

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

Anonymous

Dec 26th 2022
8 months ago

https://defineprogramming.com/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/

https://defineprogramming.com/

Dec 26th 2022
8 months ago

Enter corthrthmment here...

rthrth

Jan 2nd 2023
8 months ago

Login here to join the discussion.


Diary Archives