Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks

By John Honovich, Published on Dec 12, 2017

The Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack has a new critical vulnerability, confirmed by US DHS ICS-CERT and rated 9.8 out of 10 on the CVSS scale, just under the perfect 10 assigned to Hikvision's IP camera backdoor.


IPVM spoke with Clinton Mielke, the researcher who discovered the vulnerability, about his discovery, how it can be exploited, and the potential for it to become the basis of a new Mirai-style botnet.

Vulnerability *******

* ***** ******** ****** overflow ************* ******* ******** ******* and *********, ******** *** ********* for ********* ** ******* these *******, ** *********** turn **** **** ******* for * *** ******.

*** ************* *** ** exploited ** ******* ****, the **** ****** ******** attackers ** ****** *** device (******* * ****** of ******* *** **** device) **** * ****** URL *******. ***** * specific **** ** ******** devices *** ******** ******** has *** *** **** released, *** ********** ****** it ********* ******* ***** models, **** **** ****** firmware. *** ************* ** linked ** ********** **** support ********'* "*************** ***" interface.

***-**** ***** **** * 9.8/10, ********* *** *** ease ** ******* *** ability ** ** ********* remotely.
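The ICS-CERT text quoted in the comments below describes the bug as a stack-based buffer overflow in the device's web interface, reached with a crafted request, that at minimum crashes and reboots the device. The following is an added example, not code from IPVM, the researcher or Xiongmai, and not the device's firmware: a constructed, minimal HTTP request-line handler that shows the defect class (an unchecked copy of a request path into a fixed stack buffer) beside a bounded version that rejects over-long paths. The buffer size, function names and request format are assumptions chosen for illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class ICS-CERT describes, not the
 * real device's code. PATH_MAX_LEN is an assumed size for the example. */
#define PATH_MAX_LEN 64

/* Vulnerable pattern: the request path is copied into a fixed stack buffer
 * with no length check. A path longer than PATH_MAX_LEN overwrites the
 * frame; on a device without stack protection that typically crashes the
 * web server, and a watchdog then reboots the unit. Exists here only to
 * show the shape of the defect; never feed it untrusted input. */
int handle_request_unsafe(const char *request_line)
{
    char path[PATH_MAX_LEN];
    const char *start = strchr(request_line, ' ');
    if (!start) return -1;                      /* no method/path split */
    start++;
    const char *end = strchr(start, ' ');
    if (!end) return -1;                        /* no version field */
    memcpy(path, start, (size_t)(end - start)); /* unbounded copy */
    path[end - start] = '\0';
    return (int)strlen(path);
}

/* Hardened form: the path length is checked against the buffer before
 * any copy, and over-long requests are refused with -2 (the caller would
 * answer HTTP 414 URI Too Long instead of crashing). */
int handle_request_safe(const char *request_line)
{
    char path[PATH_MAX_LEN];
    const char *start = strchr(request_line, ' ');
    if (!start) return -1;
    start++;
    const char *end = strchr(start, ' ');
    if (!end) return -1;
    size_t len = (size_t)(end - start);
    if (len >= sizeof path) return -2;          /* reject, do not copy */
    memcpy(path, start, len);
    path[len] = '\0';
    return (int)len;
}

/* Builds "GET /AAA... HTTP/1.0\r\n" with a path of exactly n bytes
 * ("/" plus n-1 'A's). buf must hold at least n + 32 bytes. */
void build_request(char *buf, size_t n)
{
    memcpy(buf, "GET /", 5);
    memset(buf + 5, 'A', n - 1);
    strcpy(buf + 5 + n - 1, " HTTP/1.0\r\n");
}

/* Runs a handler against a constructed request with a path of path_len
 * bytes and returns the handler's result (-3 if the length is unusable). */
int probe(int (*handler)(const char *), size_t path_len)
{
    char req[1024];
    if (path_len == 0 || path_len + 32 > sizeof req) return -3;
    build_request(req, path_len);
    return handler(req);
}

int main(void)
{
    size_t sizes[] = { 8, 63, 64, 512 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("path length %zu: safe handler returns %d\n",
               sizes[i], probe(handle_request_safe, sizes[i]));
    return 0;
}
```

Only the hardened handler is probed at the 64- and 512-byte boundary; calling the unsafe one with those lengths corrupts the stack, which is exactly the crash-and-reboot behaviour the advisory describes. The one-line length check is all that separates the two, but on the real devices only a vendor firmware update can add it, which is the point of the "no patch" section that follows.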

No ***** ** ******* ********

****** **** ** **** not **** ** ******* proof ** ******* **** showing ******** **** ** leverage *** ************* ** discovered. ** *** ***** **** the ****** ******** ******** sending ** *********** **** string ** **** ** the ******** *** *** web *****, ***** *** be **** **** * simple **** ** **** command, ****** ** ****** easy ** ********.

Botnet *********

*** ********** ******** **** vulnerability *** *** ********* to ** ***** **** to ****** **** *********/****** possibilities, ***** ***** ** the ***** *** ******** a *** ******. **** would ******* ********** ******, however ******** ********, **** as *****, **** ***** that ********** ***** ****** systems *** ** ********* for *****-*** *****, ****** it ****** ****** **** attackers **** ******* **** vulnerability *******, *** **** likely ****** ** ** at *** ********.

No ******** **

******** *** *** ********** to ******** **** *** researcher *** **** ** regards ** **** *********. Thus, ** **** ** available **** ******** ** this **** ** ******* to ******** ****** *** patched ******** ************.

Brands ********

******* ******** ********* ***** to ****, **** ************* affects * **** ******* of ******. * ****** on ****** ****** ******** brands/web ********** *** ***** the *************** ******. ***** many **** ********** ***** ******, some ****** *****, **** as*********, * ***** ***** ******** OEM, **** *****. 


Shared ******* - ****** ***** ************* ********

*** ************* ** ****** in * ******* **** the ********** **** ** used ** ************* ******* XiongMai, ******** ******* ** other ************* ***** ******** as ****. **** *** gives **** ********* ** attackers ** ******* **** vulnerability ** ********* ** it *** ** **** for ****** ** ****** of ******* ********. ********* ** the **********, ***** ******** did *** ****** ** share **** *******/*************, ***** on ***** ** ******* Dahua *****.

Comments (6)

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

IMHO, and with all respect to Clinton, 9.8 seems a bit high for something that, so far at least, can only reboot the camera.

Although more work may yield an exploit, it only stands to reason that the researcher has already tried to some degree to extend the vulnerability without success.

There are many such vulnerabilities that could have a solution but one is never found, or at least announced.  

The vendor never responded to ICS-CERT. Score sounds too low to me.

The CERT says:

Successful exploitation of this vulnerability could cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

and

The stack-based buffer overflow vulnerability has been identified, which may allow an attacker to execute code remotely or crash the device. After rebooting, the device restores itself to a more vulnerable state in which Telnet is accessible.

Does that mean that Telnet is always accessible after this reboot exploit?

The exploit demo'd as part of the submission just reboots the camera, as it was described to us. If the camera has telnet enabled by default, then telnet will be open when it reboots.

 

...just reboots the camera...

In that case, IMHO, the scoring seems to be off, in particular the Confidentiality and Integrity metrics:

 
