Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?

AndroVideo Advan VD-1 Multiple Vulnerabilities

Summary

Our research team found the following vulnerabilities in AndroVideo Advan VD-1:

  1. [CVE-2019-11064] Remote Admin Credential Disclosure (No authentication required)
  2. [CVE-2019-13405] Remote Enable ADB(Android Debug Bridge) (No authentication required)
  3. [CVE-2019-13406] Remote Arbitrary Install APK (No authentication required)
  4. [CVE-2019-13407] Cross Site Scripting
  5. [CVE-2019-13408] Arbitrary File Download (No authentication required)

Vulnerability Details

The following POC uses 10.10.10.10 as the target device IP

1. [CVE-2019-11064] Remote Admin Credential Disclosure (No authentication required)

Description

An attacker can fetch Administrator's credential by export system configuration without any authentication.

Impact

VD-1 is different from the general IP Cam. VD-1 has face recognition/displacement detection function. It is mainly used for security monitoring of physical environment, monitoring whether unauthorized personnel enter the field. The attacker can not only peek into the field image, but also close or adjust the face database and the motion detection function, thereby removing the security monitoring mechanism of the field.

Known Affected Software

  • AndroVideo Advan VD-1 : Firmware Version <= v230
  • Geovision GV-VR360 : Firmware Version <= V1.10
  • GeoVision GV-VD8700 : Firmware Version <= V1.01

Screenshots

SS_01.png

2. [CVE-2019-13405] Remote Enable ADB(Android Debug Bridge) (No authentication required)

Description

An attacker can send a POST request to cgibin/AdbSetting.cgi to enable ADB without any authentication then take the compromised device as a relay or to install mining software.

Impact

An attacker can use the ADB service to install malware.

Since Android 5.1.1 for VD-1 v230 is affected by DirtyCow, an attacker can use ADB to gain root privileges.

Known Affected Software

  • AndroVideo Advan VD-1 : Firmware Version == v230

Screenshots

SS_02.png

3. [CVE-2019-13406] Remote Arbitrary Install APK (No authentication required)

Description

An attacker can install arbitrary APK without any authentication.

Impact

An attacker can install arbitrary APK (e.g. malware).

Known Affected Software

  • AndroVideo Advan VD-1 : Firmware Version <= v230

Screenshots

SS_03.png

4. [CVE-2019-13407] Cross Site Scripting

Description

VD-1 responses a path error message when a requested resource was not found in page cgibin/ssi.cgi. It leads to a reflected XSS because the error message does not escape properly.

Impact

An attacker can stolen administrator's cookie (without HTTP only flag).

Known Affected Software

  • AndroVideo Advan VD-1 : Firmware Version <= v230
  • Geovision GV-VR360 : Firmware Version <= V1.10
  • GeoVision GV-VD8700 : Firmware Version <= V1.01

Screenshots

SS_04.png

5. [CVE-2019-13408] Arbitrary File Download (No authentication required)

Description

It allows attackers to download arbitrary files via url cgibin/ExportSettings.cgi?Download=filepath, without any authentication.

Impact

The attacker can download sensitive files (screenshots/partial programs/configs) on the device without any authentication.

Known Affected Software

  • AndroVideo Advan VD-1 : Firmware Version <= v230
  • Geovision GV-VR360 : Firmware Version <= V1.10
  • GeoVision GV-VD8700 : Firmware Version <= V1.01

Screenshots

SS_05.png

Credits

  • Keniver Wang (CHT Security)
  • Randolph Shih (CHT Security)
  • Vtim Hsu (CHT Security)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.