keniver/AndroVideo Advan VD-1 Multiple Vulnerabilities.md Secret

## AndroVideo Advan VD-1 Multiple Vulnerabilities.md

      
    Raw
  

              AndroVideo Advan VD-1 Multiple Vulnerabilities.md
            
          
    AndroVideo Advan VD-1 Multiple Vulnerabilities

Summary

Our research team found the following vulnerabilities in AndroVideo Advan VD-1:

[CVE-2019-11064] Remote Admin Credential Disclosure (No authentication required)
[CVE-2019-13405] Remote Enable ADB(Android Debug Bridge) (No authentication required)
[CVE-2019-13406] Remote Arbitrary Install APK (No authentication required)
[CVE-2019-13407] Cross Site Scripting
[CVE-2019-13408] Arbitrary File Download (No authentication required)

Vulnerability Details

The following POC uses 10.10.10.10 as the target device IP
1. [CVE-2019-11064] Remote Admin Credential Disclosure (No authentication required)

Description

An attacker can fetch Administrator's credential by export system configuration without any authentication.
Impact

VD-1 is different from the general IP Cam. VD-1 has face recognition/displacement detection function. It is mainly used for security monitoring of physical environment, monitoring whether unauthorized personnel enter the field. The attacker can not only peek into the field image, but also close or adjust the face database and the motion detection function, thereby removing the security monitoring mechanism of the field.
Known Affected Software


AndroVideo Advan VD-1 : Firmware Version <= v230
Geovision GV-VR360 : Firmware Version <= V1.10
GeoVision GV-VD8700 : Firmware Version <= V1.01

Screenshots


2. [CVE-2019-13405] Remote Enable ADB(Android Debug Bridge) (No authentication required)

Description

An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication then take the compromised device as a relay or to install mining software.
Impact

An attacker can use the ADB service to install malware.
Since Android 5.1.1 for VD-1 v230 is affected by DirtyCow, an attacker can use ADB to gain root privileges.
Known Affected Software


AndroVideo Advan VD-1 : Firmware Version == v230

Screenshots


3. [CVE-2019-13406] Remote Arbitrary Install APK (No authentication required)

Description

An attacker can install arbitrary APK without any authentication.
Impact

An attacker can install arbitrary APK (e.g. malware).
Known Affected Software


AndroVideo Advan VD-1 : Firmware Version <= v230

Screenshots


4. [CVE-2019-13407] Cross Site Scripting

Description

VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly.
Impact

An attacker can stolen administrator's cookie (without HTTP only flag).
Known Affected Software


AndroVideo Advan VD-1 : Firmware Version <= v230
Geovision GV-VR360 : Firmware Version <= V1.10
GeoVision GV-VD8700 : Firmware Version <= V1.01

Screenshots


5. [CVE-2019-13408] Arbitrary File Download (No authentication required)

Description

It allows attackers to download arbitrary files via url cgibin/ExportSettings.cgi?Download=filepath, without any authentication.
Impact

The attacker can download sensitive files (screenshots/partial programs/configs) on the device without any authentication.
Known Affected Software


AndroVideo Advan VD-1 : Firmware Version <= v230
Geovision GV-VR360 : Firmware Version <= V1.10
GeoVision GV-VD8700 : Firmware Version <= V1.01

Screenshots


Credits


Keniver Wang (CHT Security)
Randolph Shih (CHT Security)
Vtim Hsu (CHT Security)


## SS_01.png

      
    Raw
  

              SS_01.png
            
          
## SS_02.png

      
    Raw
  

              SS_02.png
            
          
## SS_03.png

      
    Raw
  

              SS_03.png
            
          
## SS_04.png

      
    Raw
  

              SS_04.png
            
          
## SS_05.png

      
    Raw
  

              SS_05.png