AndroVideo Advan VD-1 Multiple Vulnerabilities
Summary
Our research team found the following vulnerabilities in AndroVideo Advan VD-1:
- [CVE-2019-11064] Remote Admin Credential Disclosure (No authentication required)
- [CVE-2019-13405] Remote Enable ADB (Android Debug Bridge) (No authentication required)
- [CVE-2019-13406] Remote Arbitrary Install APK (No authentication required)
- [CVE-2019-13407] Cross Site Scripting
- [CVE-2019-13408] Arbitrary File Download (No authentication required)
Vulnerability Details
The following PoC uses 10.10.10.10 as the target device IP.
1. [CVE-2019-11064] Remote Admin Credential Disclosure (No authentication required)
Description
An attacker can fetch the administrator's credentials by exporting the system configuration without any authentication.
Impact
VD-1 differs from a general IP camera: it has face recognition and displacement detection functions. It is mainly used for security monitoring of a physical environment, to detect whether unauthorized personnel enter the site. The attacker can not only view the site's images but also disable or adjust the face database and the motion detection function, thereby removing the site's security monitoring mechanism.
Known Affected Software
- AndroVideo Advan VD-1 : Firmware Version <= v230
- Geovision GV-VR360 : Firmware Version <= V1.10
- GeoVision GV-VD8700 : Firmware Version <= V1.01
2. [CVE-2019-13405] Remote Enable ADB (Android Debug Bridge) (No authentication required)
Description
An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication, then use the compromised device as a relay or install mining software on it.
Impact
An attacker can use the ADB service to install malware.
Because Android 5.1.1 on VD-1 v230 is affected by DirtyCow, an attacker can use ADB to gain root privileges.
Known Affected Software
- AndroVideo Advan VD-1 : Firmware Version == v230
3. [CVE-2019-13406] Remote Arbitrary Install APK (No authentication required)
Description
An attacker can install an arbitrary APK without any authentication.
Impact
An attacker can install an arbitrary APK (e.g. malware).
Known Affected Software
- AndroVideo Advan VD-1 : Firmware Version <= v230
4. [CVE-2019-13407] Cross Site Scripting
Description
VD-1 returns a path error message when a requested resource is not found in the page cgibin/ssi.cgi. This leads to reflected XSS because the error message is not properly escaped.
Impact
An attacker can steal the administrator's cookie (which is set without the HttpOnly flag).
Known Affected Software
- AndroVideo Advan VD-1 : Firmware Version <= v230
- Geovision GV-VR360 : Firmware Version <= V1.10
- GeoVision GV-VD8700 : Firmware Version <= V1.01
5. [CVE-2019-13408] Arbitrary File Download (No authentication required)
Description
It allows attackers to download arbitrary files via the URL cgibin/ExportSettings.cgi?Download=filepath, without any authentication.
Impact
The attacker can download sensitive files (screenshots/partial programs/configs) on the device without any authentication.
Known Affected Software
- AndroVideo Advan VD-1 : Firmware Version <= v230
- Geovision GV-VR360 : Firmware Version <= V1.10
- GeoVision GV-VD8700 : Firmware Version <= V1.01
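Detection example (added here, not part of the original advisory or the vendor's code): a log triage script that flags requests matching the three findings whose endpoints the advisory names (CVE-2019-13405, CVE-2019-13407, CVE-2019-13408). It assumes a combined-log-format access log from a proxy or gateway in front of the device; the log lines, client addresses and request values below are constructed samples.

```python
import re
from urllib.parse import unquote

# Assumed format: ip - user [time] "METHOD url HTTP/x" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(method, url):
    """Return the CVE whose endpoint pattern the request matches, or None."""
    raw_path, _, raw_query = url.partition("?")
    path = unquote(raw_path).lower()
    query = unquote(raw_query)
    # CVE-2019-13405: the advisory states ADB is enabled by a POST request.
    if "cgibin/adbsetting.cgi" in path and method.upper() == "POST":
        return "CVE-2019-13405"
    # CVE-2019-13408: file download through the Download= parameter.
    if "cgibin/exportsettings.cgi" in path and re.search(r"(^|&)download=", query, re.I):
        return "CVE-2019-13408"
    # CVE-2019-13407: markup characters reflected by the ssi.cgi error page.
    if "cgibin/ssi.cgi" in path and re.search(r"[<>\"']", unquote(url)):
        return "CVE-2019-13407"
    return None

def scan(lines):
    """Return (client_ip, cve, http_status) for every matching log line."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, method, url, status = m.groups()
        cve = classify(method, url)
        if cve:
            hits.append((ip, cve, int(status)))
    return hits

# Constructed sample log (documentation-range client addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2019:10:00:01 +0000] "POST /cgibin/AdbSetting.cgi HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jul/2019:10:00:05 +0000] "GET /cgibin/ExportSettings.cgi?Download=/example/path HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/Jul/2019:10:02:00 +0000] "GET /cgibin/ssi.cgi/%3Cb%3Ex%3C/b%3E HTTP/1.1" 404 80',
    '192.0.2.4 - - [01/Jul/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.4 - - [01/Jul/2019:10:03:10 +0000] "GET /cgibin/AdbSetting.cgi HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, cve, status in scan(SAMPLE_LOG):
        print(f"{ip} {cve} status={status}")
```

Because the advisory reports that these requests need no authentication, a hit from any host other than a known administration workstation is worth triage, and a 200 status on the first two patterns suggests the firmware is still an affected version.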
Credits
- Keniver Wang (CHT Security)
- Randolph Shih (CHT Security)
- Vtim Hsu (CHT Security)









