GeoVision GV-BX1500
- Affected versions: < 3.10
This vulnerability is being actively exploited in the wild.
A remote command injection vulnerability has been identified in GeoVision embedded IP devices, specifically in the GV-BX1500 and GV-MFD1501 models. This vulnerability allows attackers to execute arbitrary commands on the device via the '/PictureCatch.cgi' endpoint. The issue arises from improper sanitization of user input, enabling command injection that can be exploited to gain unauthorized access or control over the device.
Exploitation of this vulnerability leads to unauthorized remote command execution on the affected device, with the executed commands running with root privileges.
The vulnerability can be reproduced by sending a crafted request to the '/PictureCatch.cgi' endpoint. The 'username' and 'password' parameters can be used to inject commands. For example, injecting a command to create a reverse shell connection back to the attacker's machine demonstrates the exploitation of this vulnerability. Additionally, the vulnerability can be exploited through other CGI endpoints such as 'JpegStream.cgi' and 'Login3gpp.cgi', by injecting similar command payloads.
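The three CGI endpoints and two parameters named above give a defender enough to write a concrete detector. The following is an added example, not code from the advisory or from GeoVision: it parses HTTP request lines, decodes the query string (twice, to catch double-encoded payloads), and flags any request to one of the listed endpoints whose 'username' or 'password' value contains shell metacharacters. The sample request lines are constructed for illustration, not captured from a real device, and the metacharacter set is an assumption about what a legitimate credential would never contain.

```python
"""Flag HTTP requests carrying shell metacharacters in the 'username' or
'password' parameters of the GeoVision CGI endpoints named in the advisory.
Added detection example; the sample request lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints the advisory identifies as injection sinks (matched case-insensitively).
VULNERABLE_CGI = {"/picturecatch.cgi", "/jpegstream.cgi", "/login3gpp.cgi"}
# Parameters the advisory identifies as the injection points.
SUSPECT_PARAMS = ("username", "password")
# Characters a shell interprets; assumption: none belong in a real credential here.
METACHAR_RE = re.compile(r"[;&|`$(){}<>\n\r]")


def analyze_request(request_line):
    """Return (path, param, decoded_value) when the request looks like an
    injection attempt against a listed endpoint, otherwise None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if url.path.lower() not in VULNERABLE_CGI:
        return None
    # parse_qs percent-decodes once; decode a second time so a double-encoded
    # payload (e.g. %253B for ';') is inspected in its plain form as well.
    params = parse_qs(url.query, keep_blank_values=True)
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            decoded = unquote(value)
            if METACHAR_RE.search(decoded):
                return (url.path, name, decoded)
    return None


def scan(lines):
    """Run analyze_request over an iterable of request lines; return all findings."""
    return [f for f in (analyze_request(line) for line in lines) if f]


# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUESTS = [
    "GET /PictureCatch.cgi?username=admin&password=admin123&channel=1 HTTP/1.1",
    "GET /PictureCatch.cgi?username=admin%3Bid%3B&password=x HTTP/1.1",
    "GET /JpegStream.cgi?username=a&password=%60id%60 HTTP/1.1",
    "GET /Login3gpp.cgi?username=a%2526id&password=b HTTP/1.1",
    "GET /index.html?username=a;b HTTP/1.1",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print("possible command injection:", finding)
```

The benign first request and the request to a non-listed path produce no finding; the other three are flagged with the endpoint, the parameter and the decoded value, which is what an analyst needs to pivot into the device logs. Feed the function the request-line field from the web server or proxy access log in front of the cameras.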
Users are advised to update to the latest firmware versions available on the GeoVision website. Consult the GeoVision release notes for information on the latest updates. Until the update is applied, restrict network access to the device's web interface to trusted hosts, since the affected CGI endpoints are reachable over the network and the injected commands run as root.