AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm, who spent more than a year trying to inform the company about 14 security bugs affecting the firmware of all its products.
Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation.
AVTECH fails to provide firmware updatesAccording to a long list of security flaws, the bugs found by Search-Lab researcher Gergely Eberhardt allow attackers to take over AVTECH products from a remote location, via the Internet.
As such, the researcher is issuing a public warning, urging sysadmins to change the default admin password for AVTECH equipment, in order to avoid having these devices added to a DDoS botnet, like it previously happened with devices manufactured by companies such as Dahua , AVer , and TVT .
But changing the admin password is not enough, the researcher says. There are also other security flaws that allow attackers to bypass authentication procedures.
In order to safeguard their equipment, Eberhardt recommends that companies block access from the Internet to the devices' configuration panel, and limit access to this section only to internal IPs or via selected IP ranges.
Bugs lead to total device takeoverThe full list of vulnerabilities the Search-Lab researcher found is as follows. Eberhardt says that "every Avtech device (IP camera, NVR, DVR) and firmware version" is affected.
1) Plaintext storage of administrative password 2) Missing CSRF protection 3) Unauthenticated information disclosure under the /cgi-bin/nobody folder 4) Unauthenticated SSRF in DVR devices 5) Unauthenticated command injection in DVR devices 6) Authentication bypass if the URL contains the ".cab" string 7) Authentication bypass via the the /cgi-bin/nobody folder 8) Unauthenticated file download from web root 9) Login captcha bypass via the "login=quick" parameter 10) Login captcha bypass by manually setting specific cookies 11) Authenticated command injection in CloudSetup.cgi 12) Authenticated command injection in adcommand.cgi 13) Authenticated command injection in PwdGrp.cgi 14) HTTPS used without certificate verification"We note that the above vulnerabilities were found within a short period of time without a systematic approach," Eberhardt says. "Based on the vulnerability types we found and the overall code quality, the devices should contain much more problems."
Over 130,000 AVTECH products available onlineSearch-Lab says their researchers is not the only one that spotted these issues. Currently, the term "AVTECH" is the second most popular search term on Shodan, a search engine for discovering Internet-connected equipment, often used by hackers to find their next targets.
Eberhardt says that at the time of writing, Shodan was returning more than 130,000 search results for the AVTECH term.
A list of confirmed affected firmware versions is available here , proof of concept exploitation code is available on GitHub , and an exploitation video is available below.
