{"id":25925,"date":"2022-06-19T23:29:35","date_gmt":"2022-06-19T19:29:35","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167466\/SA-20220607-0.txt"},"modified":"2022-06-26T09:51:56","modified_gmt":"2022-06-26T05:21:56","slug":"infiray-iray-a8z3-1-0-957-code-execution-overflow-hardcoded-credentials","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/infiray-iray-a8z3-1-0-957-code-execution-overflow-hardcoded-credentials\/","title":{"rendered":"Infiray IRAY-A8Z3 1.0.957 Code Execution \/ Overflow \/ Hardcoded Credentials"},"content":{"rendered":"

SEC Consult Vulnerability Lab Security Advisory < 20220607-0 >
\n=======================================================================
\ntitle: Multiple Vulnerabilities
\nproduct: Infiray IRAY-A8Z3 thermal camera
\nvulnerable version: V1.0.957
\nfixed version: None
\nCVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210,
\nCVE-2022-31211
\nimpact: Critical
\nhomepage: http:\/\/www.infiray.com\/
\nfound: 2021-02
\nby: S. Robertz (Office Vienna)
\nF. Lienhart
\nSEC Consult Vulnerability Lab<\/p>\n

An integrated part of SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n

https:\/\/www.sec-consult.com<\/p>\n

=======================================================================<\/p>\n

Vendor description:
\n——————-
\n“IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology
\nCo., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops
\nand manufactures infrared FPA detectors, thermal imaging modules, and other
\nproducts, with completely independent intellectual property rights. We are
\ncommitted to providing global customers with professional thermal imaging
\nproducts and solutions. The main products include IRFPA detectors, thermal
\nimaging cores, and terminal products for application.”<\/p>\n

Source: http:\/\/www.infiray.com\/about.html<\/p>\n

Business recommendation:
\n————————
\nThe vendor was unresponsive during the disclosure process. Hence it is unclear
\nwhether patches are available. Customers are urged to approach their vendor
\ncontact and request security reviews and updates.<\/p>\n

SEC Consult recommends to perform a thorough security review of these
\nproducts conducted by security professionals to identify and resolve all
\nsecurity issues.<\/p>\n

Vulnerability overview\/description:
\n———————————–
\n1) Hardcoded Web Credentials (CVE-2022-31210)
\nThe binary file “\/usr\/local\/sbin\/webproject\/set_param.cgi” contains hardcoded
\ncredentials to the web application. As these accounts cannot be deactivated
\nor change their passwords, they are considered to be backdoor accounts.<\/p>\n

2) Authenticated Remote Code Execution (CVE-2022-31208)
\nThe webserver contains an endpoint that can execute arbitrary commands by
\nmanipulating the “cmd_string” URL parameter. The user can login using one
\nof the backdoor accounts from issue 1.<\/p>\n

3) Potential Buffer Overflow (CVE-2022-31209)
\nThe firmware contains a potential buffer overflow by calling strcpy() without
\nchecking the string length beforehand.<\/p>\n

4) Telnet Root Shell without Password (CVE-2022-31211)
\nThe camera offers a shell through a telnet connection. The root user does not
\nrequire a password per default. Thus, anyone on the local network can
\nexecute arbitrary commands as root on the camera.<\/p>\n

5) Multiple Outdated Software Components
\nMultiple outdated software components containing vulnerabilities were found by
\nthe IoT Inspector (ONEKEY) firmware analysis platform.<\/p>\n

Proof of concept:
\n—————–
\n1) Hardcoded Web Credentials (CVE-2022-31210)
\nThe following cgi program will be executed during the login process:<\/p>\n

http:\/\/<my_ip>:8080\/set_param.cgi?&group_tag=hash_param_bridge
\n&set_cmd=loading&length=35&name=<user>&password=<password>&access=0
\n&0.3543773172371312<\/p>\n

The following de-compilation shows the code flow with the hardcoded passwords:
\n——————————————————————————-
\n[ PoC removed ]\n——————————————————————————-
\nThe authentication works by comparing the URL supplied username with the string
\n“[removed]”. Afterwards it will compare the password parameter to “[removed]” as well. If both
\nstring parameters match, a message will be removed from the messaging queue.
\nOtherwise the function will just return. The same comparison holds for the admin account.<\/p>\n

Furthermore, string comparisons are made without checking the case. Hence,
\ndrastically improving the chances of brute-force attacks.<\/p>\n

2) Authenticated Remote Code Execution (CVE-2022-31208)
\nThe web application offers an option to view the device log. Opening following URL while
\nlogged in as admin (e.g. with hardcoded password from section 1) will trigger the request:<\/p>\n

http:\/\/<my_ip>:8080\/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]\n

By changing the “cmd_string” parameter, arbitrary commands can be executed with
\nthe rights of the webserver (www-data). The de-compiled code can be seen in following
\nsnippet:
\n——————————————————————————-
\n[ PoC removed ]\n——————————————————————————-
\nThe “cmd_string” parameter is directly passed into popen() and hence executed.<\/p>\n

3) Potential Buffer-Overflow (CVE-2022-31209)
\nThe firmware contains a potential buffer overflow vulnerability:
\n——————————————————————————-
\n[ PoC removed ]\n——————————————————————————-
\nA pointer to the “next_url” parameter is supplied. A buffer of 64 bytes is
\nallocated and the parameter value copied to it without checking the string
\nlength. Hence, a “next_url” parameter with more than 64 bytes could be
\nsupplied in order to overflow the buffer.
\nPlease note that this vulnerability is only based on firmware analysis and thus
\nwas not tested in a live scenario.<\/p>\n

4) Telnet Root Shell without Password (CVE-2022-31211)
\nThe camera has a telnetd server running on port 23 per default. The root
\npassword is empty. If the telnet port is exposed to the internet, an attacker
\ncould easily connect to the device and gain root access. The telnet server
\ncannot be deactivated and the root password cannot be changed through the
\nweb interface.<\/p>\n

5) Multiple Outdated Software Components
\nIoT Inspector (ONEKEY) recognized multiple outdated software components
\nwith known vulnerabilities:<\/p>\n

BusyBox 1.25.0: 6 CVEs
\ncurl 7.54.0: 13 CVEs
\nDnsmasq 2.76: 9 CVEs
\nlighttpd 1.4.41: 2 CVEs
\nLinux Kernel 3.10.104: 1004 CVEs
\nhostapd 2.5: 22 CVEs
\nwpa_supplicant 2.5-devel_rtw_r17190.20160415: 12 CVEs<\/p>\n

Vulnerable \/ tested versions:
\n—————————–
\nThe following product\/firmware version has been tested:
\n* Infiray IRAY-A8Z3 V1.0.957<\/p>\n

It has to be assumed that further products or firmware versions are affected as well.<\/p>\n

Vendor contact timeline:
\n————————
\n2021-02-24: Contacting vendor through email address found on their website
\n(sales@infiray.com)
\n2021-03-11: Contacted vendor again through sales@infiray.com
\n2021-04-12: Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com
\n2021-04-12: Response from Sales Director, does not understand what to do with the information
\n2021-04-12: Requesting a contact to the product owner or developer
\n2021-04-13: Sending unencrypted security advisory to two provided email addresses.
\n2021-04-29: Requesting status from vendor, no reply.
\n2022-04-05: Requested status from vendor, no reply.
\n2022-06-07: Release of security advisory.<\/p>\n

Solution:
\n———
\nThe vendor was unresponsive during the disclosure process. Hence it is unclear
\nwhether patches are available. Customers are urged to approach their vendor
\ncontact and request security reviews and updates.<\/p>\n

Workaround:
\n———–
\nNone<\/p>\n

Advisory URL:
\n————-
\nhttps:\/\/sec-consult.com\/vulnerability-lab\/<\/p>\n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n

SEC Consult Vulnerability Lab<\/p>\n

SEC Consult, an Atos company
\nEurope | Asia | North America<\/p>\n

About SEC Consult Vulnerability Lab
\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
\nAtos company. It ensures the continued knowledge gain of SEC Consult in the
\nfield of network and application security to stay ahead of the attacker. The
\nSEC Consult Vulnerability Lab supports high-quality penetration testing and
\nthe evaluation of new offensive and defensive technologies for our customers.
\nHence our customers obtain the most current information about vulnerabilities
\nand valid recommendation about the risk profile of new technologies.<\/p>\n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
\nInterested to work with the experts of SEC Consult?
\nSend us your application https:\/\/sec-consult.com\/career\/<\/p>\n

Interested in improving your cyber security with the experts of SEC Consult?
\nContact our local offices https:\/\/sec-consult.com\/contact\/
\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n

Mail: security-research at sec-consult dot com
\nWeb: https:\/\/www.sec-consult.com
\nBlog: http:\/\/blog.sec-consult.com
\nTwitter: https:\/\/twitter.com\/sec_consult<\/p>\n

EOF S. Robertz, F. Lienhart \/ @2022<\/p>\n","protected":false},"excerpt":{"rendered":"

SEC Consult Vulnerability Lab Security Advisory < 20220607-0 > ======================================================================= title: Multiple Vulnerabilities product: Infiray IRAY-A8Z3 thermal camera vulnerable version: V1.0.957 fixed version: None CVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210, CVE-2022-31211 impact: Critical homepage: http:\/\/www.infiray.com\/ found: 2021-02 by: S. Robertz (Office Vienna) F. Lienhart SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-25925","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25925","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=25925"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25925\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=25925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=25925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=25925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}