Uniview CVE-2021-45039 8.9 Vulnerability Analyzed

bashis mcw
Published Jun 07, 2023 13:17 PM

Quietly, a year and a half ago, a Uniview vulnerability with a high rating of 8.9 was disclosed. We recently saw this while researching a sizeable bounty being offered for new Uniview vulnerabilities.

In this report, IPVM explains the vulnerability and provides an analysis of Uniview's security notice and SSD Secure Disclosure advisory with the proof of concept included.

Executive *******

******* ******** * ******** ******** * ****** ******** ************* ***** as ***-****-***** **** * **** ******** of *.* ** ******** **, ****, affecting ** ******** ********.

*** ****** ********** ******** *** ******** with *** ******** ***** ** ******* (PoC)** ******* **, ****, ***** ********* how ** ******** ***** ******* *** gain ****** ****** ** *** ******.

**** ***** **** *** ***-****-***** *** in ******** ****** ** ***** **** no ******** **** ******** ******* **** by ***, *** ********* ******** ** ***-****-*****, ***** ** ******* ** **** Uniview's *** *** ******** ********** ************.

***** **** ************* ***** ** **** to **** **** *** *******, *** main ********** ****** ** **** ** requires ****** ** * ***-********** **** (7788) **** ** ********* *** ******* when **** **********.

***-****-*****, ******.*: *.* (****)

*** ************* ****** ** ******** ** remotely ****** * *** **** *** access *** ******'* ********* ******, ***** exploiting *** ****** ** ***** * telnet ******.

* ******* *********** ******** **** ** the ****************** ***** ********** ** ** *********** and *************** ****** ********.

Uniview ******** ******

******* ********* *** ******** ****** ** December **, ****, ***** ******** * ****** ******** vulnerability ******** ***-****-***** **** * **** severity ******* ** *.* *** ******** by *** ****** **********, ***** **** 34 ********** *** ********* ******** ********

** *******'* **** ********** ** *** vulnerability, ** *** ****** **** *** attacker **** **** ****** ** *** port **** ** ***** ** ************ exploit *** *************.

**** ** *** ******** ******** ** port ******* **** ** ******* ** firewalls, ******* **** ********** ******* ****** routers ** ********* ***** *** ** exploited **** *** ********, ****** *** port **** *** ******** ********* ** the ****.

***-****-***** - ******** *** *** ******

**** **** ***** ** **** **** information ***** *** ******** ***, ** noted **** ****** *** ******** ****** ** *********** *** ***** ******* ** *** CVE, ***** ***** *** *** *** officially ****** *** ********.

**** ***** ******* ** **** ********* the *** *** ** *** **** severity ***** *** ****-********, ******* ********* that *** ****** ********** ******** *** vulnerability *** **** ******* *** *** CVE, *** ** *** *** ******* an ****** ** ** ******* *** CVSS ***** *** ****-******** ******* ********* up ** *** ********, ** ***** Uniview *********:

** ********* *** ******* ** *** advisory **** *** ****** ******* *** security ********.

** *******, ***** ** ******* ***** with ****-********* **** ********** ******, *** it ** ****** *** *** ** do ****** *** ******** **** ******** scoring.

***** ****** *******

** *** ***** *******, ** *********** ** * *** ***** ****** as "********" **** * *** ** is ***** ******** ****?*******:

**** ********** (*** **)** ****** ** "********" **** ** has **** ******** *** *** ** a*** ********* ********* (***)** ******** **********, *** *** ******* of ** *** *** *** ******** in *** *** *****. *****, **** is ******* *** ******** ********* ** the *** ** ********** *** *** sent ** ****** ** ***** ******* *********** ****** ** ******** *** CVE *****.

If *** *** ***** ** * *** ** **** ** ***** **** ******** *** ** *** *** ******** ** *** *** ****, *** *** ******* **** *** *** ** ** ******* through the *** ******* *** ****. ***** **** ********** **** *** original ********* ** **** *** ******* public *********** ***** ** *** *****. [emphasis *****]

**** ********* ***** ** ****** ***-****-***** with *** ********** **** **** ******* and *** ****** **********.

***** ******* *** ********* *** ****** **** ***, ***** ********** *** ******** ******** ** ***.

***** ******** ** **** ******** ***** by *******.

  • Attack ******
    • *******, *** ****** *** **** ** exploited **** * *******.
  • Attack **********
    • ****, ** ******** **** ******** ******* the ******* ** ************ *******.
  • Privileges ********
    • ****, ********** *** *** ******** ** exploit.
  • User ***********
    • ****, ** **** *********** ** ******** to *******.
  • *****
    • *******, *** ********** ********* *** ** exploited ** ***** ** ****** ****** daemon ** *** *** ******** ***** to *** ****** **** ******* ***********.
  • **************
    • ****, *** ******** *** ****** ** some ******* *********** *** ******** **** information *** ** ********.
  • *********
    • ***, *** ******** *** ****** *** modify **** ** /***.
  • ************
    • ****, *** ******** *** ***** **** access ** *** ************ ** ****** resources.

SSD ****** ********** ********

*********** ********* ******* **, ****,******** **** ** *********** ******** ********** reported * *****-***** ****** ******** ** a ******* *********** ******** ********* ** UDP **** **** **** ******* ** unauthenticated ******** ** ******* * ****** code ********* ***** **** ******** ***** of ******* (***), ***** ** ********* below.

**** ***** **** *** *** *** requested **** *****, *** ***** *** it *** *** ********* *** ***********, SSD *********:

*. ** ** *** **** *** MITRE ****'* ******* *** ***, ** mentioned ******, ** ********* *** ******** and ****'* *** **************

****** *******, *** *** *** ******* a **** ******** ***** ** *** advisory, **** ***** *** *** *** replied:

*. ** ******** * **** ****** when ** ********* *** ***, ***** we **** ** *** ********

** ** *** ***** *** ******* or ************, ** **** **** *** given ** *** *** **** *** CVE ******* ******, *** ** ** get **** ** ***** ** ** this ****

** ********, *** **** ** ***** that **** *** ***** ** ******* vulnerabilities:

** *** ***** ** ******* *************** from ******** *********** *** *** *** vendors ** *** ****, ** **** publish *************** *** ** **** ****** to *** **** * *****, ** make **** ****** ** *****

***-****-***** - ***** ** ******* (***)

*** *** ** **** ********** *** provides **** ******* **** *** *************, where *** ******* ****** ***/*******/***/************** *** ** *** ********* ********, where *** ****** ********** ******** *** sscanf ******** ** **** ******* *********** until ** ********** * ***** *********.

** *** *** ** *** ******* function, ***** *** ****** ********** ******** the ****** ******** ** **** * maximum ** ** *****, ** ***** it ********** *** ***** *********.

***** *** ********** ******** **** *** limit ***** ***** **** * *****-**** internal ******, ** **** ****** * stack ******** ******** **** ***** ** exploited ** **** ****** *** ****** and ***** *** ****** ******, *********** with *** ***** ***** ** *******.

***** ******* *** ***** ******* ************, telnet ** *** ****** *** ******* in **** *** ******* *************** ******************* ** ******** *** ***** *** up ** * ********** *****.

** ***** *** ** *** ********** shell *** *** * *******, ************, shell, *** ******* **** *** ***** commands ****** ** ********.

**** -*"#!/***/**\***** ****:*************:*:*::/****:/***/** >> /***/******\*** /****/****** /****/******.***\*">/***/***/************.**

**** ******* ***** ********* *** **** "/tmp/bin/killwatchdog.sh" **** *** ********* *******.

#!/***/**

**** ****:*************:*:*::/****:/***/** >> /***/******

** /****/****** /****/******.***

***** ******** **** ** ****** *******. *** ****** **** **** * line ** /***/****** **** ****** ***** with *** *************** *** **************, *** ***** **** **** ****** the************* ********.***. **** **** ******* *** ****** from ********* **** *** **** ******* that ******** *** ********* ** *** script.

****>****** -**** / ***

**** *** ********* *******, ** **** that *** ****** *** ************ ******** because *** "******" ******* *** *** found.

*******"/***/***/******.**: **** **: ******: *** *****"

*** ****** ** *** ****** *** login **** *************** ******************* ** ********, *** *** * regular, ************, ***** ******* ** * restricted ***.

****: ******* *** ***** ******* *** default ****** ******** ** ***** ********, IPVM *** *********.
