Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks

By John Honovich, Published Dec 12, 2017, 08:07am EST

The Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack has a new critical vulnerability, confirmed by US DHS ICS-CERT and scored 9.8 out of 10 on the CVSS scale, just under Hikvision's perfect 10 for their IP camera backdoor.


IPVM spoke with Clinton Mielke, the researcher who discovered the vulnerability, about his discovery, how it can be exploited, and the potential for it to become the basis of a new Mirai-style botnet.

Vulnerability *******

* ***** ******** ****** overflow ************* ******* ******** ******* and *********, ******** *** ********* for ********* ** ******* these *******, ** *********** turn **** **** ******* for * *** ******.

*** ************* *** ** exploited ** ******* ****, the **** ****** ******** attackers ** ****** *** device (******* * ****** of ******* *** **** device) **** * ****** URL *******. ***** * specific **** ** ******** devices *** ******** ******** has *** *** **** released, *** ********** ****** it ********* ******* ***** models, **** **** ****** firmware. *** ************* ** linked ** ********** **** support ********'* "*************** ***" interface.

***-**** ***** **** * 9.8/10, ********* *** *** ease ** ******* *** ability ** ** ********* remotely.

No ***** ** ******* ********

****** **** ** **** not **** ** ******* proof ** ******* **** showing ******** **** ** leverage *** ************* ** discovered. ** *** ***** **** the ****** ******** ******** sending ** *********** **** string ** **** ** the ******** *** *** web *****, ***** *** be **** **** * simple **** ** **** command, ****** ** ****** easy ** ********.

Botnet *********

*** ********** ******** **** vulnerability *** *** ********* to ** ***** **** to ****** **** *********/****** possibilities, ***** ***** ** the ***** *** ******** a *** ******. **** would ******* ********** ******, however ******** ********, **** as *****, **** ***** that ********** ***** ****** systems *** ** ********* for *****-*** *****, ****** it ****** ****** **** attackers **** ******* **** vulnerability *******, *** **** likely ****** ** ** at *** ********.

No ******** **

******** *** *** ********** to ******** **** *** researcher *** **** ** regards ** **** *********. Thus, ** **** ** available **** ******** ** this **** ** ******* to ******** ****** *** patched ******** ************.

Brands ********

******* ******** ********* ***** to ****, **** ************* affects * **** ******* of ******. * ****** on ****** ****** ******** brands/web ********** *** ***** the *************** ******. ***** many **** ********** ***** ******, some ****** *****, **** as*********, * ***** ***** ******** OEM, **** *****. 


Shared ******* - ****** ***** ************* ********

*** ************* ** ****** in * ******* **** the ********** **** ** used ** ************* ******* XiongMai, ******** ******* ** other ************* ***** ******** as ****. **** *** gives **** ********* ** attackers ** ******* **** vulnerability ** ********* ** it *** ** **** for ****** ** ****** of ******* ********. ********* ** the **********, ***** ******** did *** ****** ** share **** *******/*************, ***** on ***** ** ******* Dahua *****.

Comments (6)

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

IMHO, and with all respect to Clinton, 9.8 seems a bit high for something that, so far at least, can only reboot the camera.

Although more work may yield an exploit, it only stands to reason that the researcher has already tried to some degree to extend the vulnerability without success.

There are many such vulnerabilities that could have a solution but one is never found, or at least announced.  


The vendor never responded to ICS-CERT. Score sounds too low to me.


The CERT says:

Successful exploitation of this vulnerability could cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

and

The stack-based buffer overflow vulnerability has been identified, which may allow an attacker to execute code remotely or crash the device. After rebooting, the device restores itself to a more vulnerable state in which Telnet is accessible.

Does that mean that Telnet is always accessible after this reboot exploit?


The exploit demo'd as part of the submission just reboots the camera, as it was described to us. If the camera has telnet enabled by default, then telnet will be open when it reboots.


...just reboots the camera...

In that case, IMHO, the scoring seems to be off, in particular the Confidentiality and Integrity metrics:
