Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks

•Published Dec 12, 2017 13:07 PM

The Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack has a new critical vulnerability, confirmed by US DHS ICS-CERT, registering in at a 9.8 out of 10 on the CVSS scale, just under Hikvision's perfect 10 for their IP camera backdoor.

[link no longer available]

IPVM spoke with Clinton Mielke [link no longer available], the researcher who discovered the vulnerability, about his discovery, how it can be exploited, and the potential for it to become the basis of a new Mirai-style botnet.

Vulnerability *******

* ***** ******** ****** ******** ************* ******* ******** ******* *** *********, ******** *** ********* *** ********* to ******* ***** *******, ** *********** turn **** **** ******* *** * new ******.

*** ************* *** ** ********* ** various ****, *** **** ****** ******** attackers ** ****** *** ****** (******* a ****** ** ******* *** **** device) **** * ****** *** *******. While * ******** **** ** ******** devices *** ******** ******** *** *** yet **** ********, *** ********** ****** it ********* ******* ***** ******, **** with ****** ********. *** ************* ** linked ** ********** **** ******* ********'* "NETSurveillance ***" *********.

***-**** ***** **** * *.*/**, ********* for *** **** ** ******* *** ability ** ** ********* ********.

No ***** ** ******* ********

****** **** ** **** *** **** to ******* ***** ** ******* **** showing ******** **** ** ******** *** vulnerability ** **********. ** *** ***** **** the ****** ******** ******** ******* ** excessively **** ****** ** **** ** the ******** *** *** *** *****, which *** ** **** **** * simple **** ** **** *******, ****** an ****** **** ** ********.

Botnet *********

*** ********** ******** **** ************* *** the ********* ** ** ***** **** to ****** **** *********/****** *************, ***** would ** *** ***** *** ******** a *** ******. **** ***** ******* additional ******, ******* ******** ********, **** as *****, **** ***** **** ********** large ****** ******* *** ** ********* for *****-*** *****, ****** ** ****** likely **** ********* **** ******* **** vulnerability *******, *** **** ****** ****** it ** ** *** ********.

No ******** **

******** *** *** ********** ** ******** from *** ********** *** **** ** regards ** **** *********. ****, ** data ** ********* **** ******** ** this **** ** ******* ** ******** models *** ******* ******** ************.

Brands ********

******* ******** ********* ***** ** ****, this ************* ******* * **** ******* of ******. * ****** ** ****** showed ******** ******/*** ********** *** ***** the *************** ******. ***** **** **** relatively small ******, **** ****** *****, **** as*********, * ***** ***** ******** ***, **** found.

Shared ******* - ****** ***** ************* ********

*** ************* ** ****** ** * library **** *** ********** **** ** used ** ************* ******* ********, ******** leading ** ***** ************* ***** ******** as ****. **** *** ***** **** incentive ** ********* ** ******* **** vulnerability ** ********* ** ** *** be **** *** ****** ** ****** of ******* ********. ********* ** *** **********, Dahua ******** *** *** ****** ** share **** *******/*************, ***** ** ***** of ******* ***** *****.

Comments (6)

Undisclosed #1

•Dec 12, 2017

IPVMU Certified

ICS-CERT ranks this a 9.8/10, primarily for its ease of exploit and ability to be exploited remotely.

IMHO, and with all respect to Clinton, 9.8 seems a bit high for something that, so far at least, can only reboot the camera.

Although more work may yield an exploit, it only stands to reason that the researcher has already tried to some degree to extend the vulnerability without success.

There are many such vulnerabilities that could have a solution but one is never found, or at least announced.

Reactions:

Undisclosed

•Dec 18, 2017

In reply to Undisclosed #1

the vendor never responded to ICS-CERT. Score sounds too low to me.

Reactions:

(1)

Undisclosed #1

•Dec 18, 2017

IPVMU Certified

In reply to Undisclosed

See below.

Reactions:

Undisclosed #1

•Dec 12, 2017

IPVMU Certified

The CERT says:

Successful exploitation of this vulnerability could cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

and

The stack-based buffer overflow vulnerability has been identified, which may allow an attacker to execute code remotely or crash the device. After rebooting, the device restores itself to a more vulnerable state in which Telnet is accessible.

Does that mean that Telnet is always accessible after this reboot exploit?

Reactions:

Brian Karas

•Dec 12, 2017

IPVM

In reply to Undisclosed #1

The exploit demo'd as part of the submission just reboots the camera, as it was described to us. If the camera has telnet enabled by default, then telnet will be open when it reboots.

Reactions:

Undisclosed #1

•Dec 12, 2017

IPVMU Certified

In reply to Brian Karas

...just reboots the camera...

In that case, IMHO, the scoring seems to be off, in particular the Confidentiality and Integrity metrics:

Reactions:

(1)