Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks

By John Honovich, Published Dec 12, 2017, 08:07am EST

Xiongmai, the Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack, has a new critical vulnerability, confirmed by US DHS ICS-CERT and scored 9.8 out of 10 on the CVSS scale, just under the perfect 10 assigned to Hikvision's IP camera backdoor.


IPVM spoke with Clinton Mielke, the researcher who discovered the vulnerability, about his discovery, how it can be exploited, and the potential for it to become the basis of a new Mirai-style botnet.

Vulnerability *******

* ***** ******** ****** overflow ************* ******* ******** ******* and *********, ******** *** ********* for ********* ** ******* these *******, ** *********** turn **** **** ******* for * *** ******.

*** ************* *** ** exploited ** ******* ****, the **** ****** ******** attackers ** ****** *** device (******* * ****** of ******* *** **** device) **** * ****** URL *******. ***** * specific **** ** ******** devices *** ******** ******** has *** *** **** released, *** ********** ****** it ********* ******* ***** models, **** **** ****** firmware. *** ************* ** linked ** ********** **** support ********'* "*************** ***" interface.

***-**** ***** **** * 9.8/10, ********* *** *** ease ** ******* *** ability ** ** ********* remotely.

No ***** ** ******* ********

****** **** ** **** not **** ** ******* proof ** ******* **** showing ******** **** ** leverage *** ************* ** discovered. ** *** ***** **** the ****** ******** ******** sending ** *********** **** string ** **** ** the ******** *** *** web *****, ***** *** be **** **** * simple **** ** **** command, ****** ** ****** easy ** ********.

Botnet *********

*** ********** ******** **** vulnerability *** *** ********* to ** ***** **** to ****** **** *********/****** possibilities, ***** ***** ** the ***** *** ******** a *** ******. **** would ******* ********** ******, however ******** ********, **** as *****, **** ***** that ********** ***** ****** systems *** ** ********* for *****-*** *****, ****** it ****** ****** **** attackers **** ******* **** vulnerability *******, *** **** likely ****** ** ** at *** ********.

No ******** **

******** *** *** ********** to ******** **** *** researcher *** **** ** regards ** **** *********. Thus, ** **** ** available **** ******** ** this **** ** ******* to ******** ****** *** patched ******** ************.

Brands ********

******* ******** ********* ***** to ****, **** ************* affects * **** ******* of ******. * ****** on ****** ****** ******** brands/web ********** *** ***** the *************** ******. ***** many **** ********** ***** ******, some ****** *****, **** as*********, * ***** ***** ******** OEM, **** *****. 


Shared ******* - ****** ***** ************* ********

*** ************* ** ****** in * ******* **** the ********** **** ** used ** ************* ******* XiongMai, ******** ******* ** other ************* ***** ******** as ****. **** *** gives **** ********* ** attackers ** ******* **** vulnerability ** ********* ** it *** ** **** for ****** ** ****** of ******* ********. ********* ** the **********, ***** ******** did *** ****** ** share **** *******/*************, ***** on ***** ** ******* Dahua *****.

Comments (6)

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

IMHO, and with all respect to Clinton, 9.8 seems a bit high for something that, so far at least, can only reboot the camera.

Although more work may yield an exploit, it only stands to reason that the researcher has already tried to some degree to extend the vulnerability without success.

There are many such vulnerabilities that could have a solution but one is never found, or at least announced.

The vendor never responded to ICS-CERT. Score sounds too low to me.

The CERT says:

Successful exploitation of this vulnerability could cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

and

The stack-based buffer overflow vulnerability has been identified, which may allow an attacker to execute code remotely or crash the device. After rebooting, the device restores itself to a more vulnerable state in which Telnet is accessible.

Does that mean that Telnet is always accessible after this reboot exploit?

The exploit demo'd as part of the submission just reboots the camera, as it was described to us. If the camera has telnet enabled by default, then telnet will be open when it reboots.


...just reboots the camera...

In that case, IMHO, the scoring seems to be off, in particular the Confidentiality and Integrity metrics:

