Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks

Published Dec 12, 2017 13:07 PM

The Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack has a new critical vulnerability, confirmed by US DHS ICS-CERT and scored 9.8 out of 10 on the CVSS scale, just under the perfect 10 given to Hikvision's IP camera backdoor.


IPVM spoke with Clinton Mielke, the researcher who discovered the vulnerability, about his discovery, how it can be exploited, and the potential for it to become the basis of a new Mirai-style botnet.

Vulnerability *******

* ***** ******** ****** ******** ************* ******* ******** ******* *** *********, ******** *** ********* *** ********* to ******* ***** *******, ** *********** turn **** **** ******* *** * new ******.

*** ************* *** ** ********* ** various ****, *** **** ****** ******** attackers ** ****** *** ****** (******* a ****** ** ******* *** **** device) **** * ****** *** *******. While * ******** **** ** ******** devices *** ******** ******** *** *** yet **** ********, *** ********** ****** it ********* ******* ***** ******, **** with ****** ********. *** ************* ** linked ** ********** **** ******* ********'* "NETSurveillance ***" *********.

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

No ***** ** ******* ********

****** **** ** **** *** **** to ******* ***** ** ******* **** showing ******** **** ** ******** *** vulnerability ** **********. ** *** ***** **** the ****** ******** ******** ******* ** excessively **** ****** ** **** ** the ******** *** *** *** *****, which *** ** **** **** * simple **** ** **** *******, ****** an ****** **** ** ********.

Botnet *********

*** ********** ******** **** ************* *** the ********* ** ** ***** **** to ****** **** *********/****** *************, ***** would ** *** ***** *** ******** a *** ******. **** ***** ******* additional ******, ******* ******** ********, **** as *****, **** ***** **** ********** large ****** ******* *** ** ********* for *****-*** *****, ****** ** ****** likely **** ********* **** ******* **** vulnerability *******, *** **** ****** ****** it ** ** *** ********.

No ******** **

******** *** *** ********** ** ******** from *** ********** *** **** ** regards ** **** *********. ****, ** data ** ********* **** ******** ** this **** ** ******* ** ******** models *** ******* ******** ************.

Brands ********

******* ******** ********* ***** ** ****, this ************* ******* * **** ******* of ******. * ****** ** ****** showed ******** ******/*** ********** *** ***** the *************** ******. ***** **** **** relatively small ******, **** ****** *****, **** as*********, * ***** ***** ******** ***, **** found. 


Shared ******* - ****** ***** ************* ********

*** ************* ** ****** ** * library **** *** ********** **** ** used ** ************* ******* ********, ******** leading ** ***** ************* ***** ******** as ****. **** *** ***** **** incentive ** ********* ** ******* **** vulnerability ** ********* ** ** *** be **** *** ****** ** ****** of ******* ********. ********* ** *** **********, Dahua ******** *** *** ****** ** share **** *******/*************, ***** ** ***** of ******* ***** *****.

Comments (6)
Undisclosed #1
Dec 12, 2017
IPVMU Certified

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

IMHO, and with all respect to Clinton, 9.8 seems a bit high for something that, so far at least, can only reboot the camera.

Although more work may yield an exploit, it only stands to reason that the researcher has already tried to some degree to extend the vulnerability without success.

There are many such vulnerabilities that could have a solution but one is never found, or at least announced.  

Undisclosed
Dec 18, 2017

The vendor never responded to ICS-CERT. Score sounds too low to me.

(1)
Undisclosed #1
Dec 18, 2017
IPVMU Certified
Undisclosed #1
Dec 12, 2017
IPVMU Certified

The CERT says:

Successful exploitation of this vulnerability could cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

and

The stack-based buffer overflow vulnerability has been identified, which may allow an attacker to execute code remotely or crash the device. After rebooting, the device restores itself to a more vulnerable state in which Telnet is accessible.

Does that mean that Telnet is always accessible after this reboot exploit?

Brian Karas
Dec 12, 2017
IPVM

The exploit demo'd as part of the submission just reboots the camera, as it was described to us. If the camera has telnet enabled by default, then telnet will be open when it reboots.

 

Undisclosed #1
Dec 12, 2017
IPVMU Certified

...just reboots the camera...

In that case, IMHO, the scoring seems to be off, in particular the Confidentiality and Integrity metrics:

 

(1)