Our research team found the following vulnerabilities in AndroVideo Advan VD-1:
- [CVE-2019-11064] Remote Admin Credential Disclosure (No authentication required)
- [CVE-2019-13405] Remote Enable ADB (Android Debug Bridge) (No authentication required)
- [CVE-2019-13406] Remote Arbitrary Install APK (No authentication required)
- [CVE-2019-13407] Cross Site Scripting
- [CVE-2019-13408] Arbitrary File Download (No authentication required)
The following PoC uses 10.10.10.10 as the target device IP.
An attacker can fetch the administrator's credentials by exporting the system configuration without any authentication.
The VD-1 differs from a typical IP camera: it has face recognition and displacement detection functions. It is mainly used for security monitoring of physical environments, detecting whether unauthorized personnel enter the site. An attacker can not only view the site's video, but also turn off or adjust the face database and the motion detection function, thereby removing the site's security monitoring mechanism.
- AndroVideo Advan VD-1 : Firmware Version <= v230
- GeoVision GV-VR360 : Firmware Version <= V1.10
- GeoVision GV-VD8700 : Firmware Version <= V1.01
An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication, then use the compromised device as a relay or install mining software on it.
An attacker can use the ADB service to install malware.
Since Android 5.1.1 for VD-1 v230 is affected by DirtyCow, an attacker can use ADB to gain root privileges.
- AndroVideo Advan VD-1 : Firmware Version == v230
An attacker can install an arbitrary APK without any authentication.
An attacker can install an arbitrary APK (e.g. malware).
- AndroVideo Advan VD-1 : Firmware Version <= v230
The VD-1 responds with a path error message when a requested resource is not found in the page cgibin/ssi.cgi. This leads to reflected XSS because the error message is not properly escaped.
An attacker can steal the administrator's cookie (which is set without the HttpOnly flag).
- AndroVideo Advan VD-1 : Firmware Version <= v230
- GeoVision GV-VR360 : Firmware Version <= V1.10
- GeoVision GV-VD8700 : Firmware Version <= V1.01
The device allows attackers to download arbitrary files via the URL cgibin/ExportSettings.cgi?Download=filepath, without any authentication.
The attacker can download sensitive files (screenshots/partial programs/configs) on the device without any authentication.
- AndroVideo Advan VD-1 : Firmware Version <= v230
- GeoVision GV-VR360 : Firmware Version <= V1.10
- GeoVision GV-VD8700 : Firmware Version <= V1.01
- Keniver Wang (CHT Security)
- Randolph Shih (CHT Security)
- Vtim Hsu (CHT Security)
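
For defenders, the three request paths named in this advisory (cgibin/AdbSetting.cgi, cgibin/ExportSettings.cgi?Download= and cgibin/ssi.cgi) can be hunted for in web access logs. The following is an added example, not part of the original advisory or any vendor tooling; the combined log format, the admin allowlist and the sample lines are assumptions. CVE-2019-11064 and CVE-2019-13406 are not covered because the advisory names no request path for them.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: combined-log-format lines from a proxy or sensor in front of the device.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')

def classify(line):
    """Return (source, [(cve, reason), ...]) for one log line, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path).lower()
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    found = []
    if path.endswith("cgibin/adbsetting.cgi") and m["method"] == "POST":
        found.append(("CVE-2019-13405", "POST to AdbSetting.cgi"))
    if path.endswith("cgibin/exportsettings.cgi") and "download" in params:
        found.append(("CVE-2019-13408", "Download=" + params["download"][0]))
    # Reflected XSS: markup characters anywhere in a request that reaches ssi.cgi.
    if "cgibin/ssi.cgi" in path and re.search(r'[<>"]', unquote(m["target"])):
        found.append(("CVE-2019-13407", "markup characters sent to ssi.cgi"))
    return m["src"], found

def scan(lines, admin_sources=frozenset()):
    """Map each non-admin source address to the sorted CVE ids its requests match."""
    hits = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1] and parsed[0] not in admin_sources:
            hits.setdefault(parsed[0], set()).update(cve for cve, _ in parsed[1])
    return {src: sorted(cves) for src, cves in hits.items()}

# Constructed sample lines (documentation address ranges, placeholder file path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2019:10:00:01 +0000] "POST /cgibin/AdbSetting.cgi HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jul/2019:10:00:09 +0000] "GET /cgibin/ExportSettings.cgi?Download=/placeholder/path HTTP/1.1" 200 4096',
    '203.0.113.5 - - [01/Jul/2019:10:02:30 +0000] "GET /cgibin/ssi.cgi/%3Cb%3Eprobe%3C/b%3E HTTP/1.1" 404 180',
    '192.0.2.10 - - [01/Jul/2019:10:03:00 +0000] "GET /cgibin/ExportSettings.cgi?Download=/placeholder/path HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jul/2019:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for src, cves in scan(SAMPLE_LOG, admin_sources={"192.0.2.10"}).items():
        print(src, ", ".join(cves))
```

Because none of these endpoints require authentication on affected firmware, a match from any host outside the management allowlist is worth investigating.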