Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution Vulnerability
Vulnerability
A command injection vulnerability has been identified in the Selea Targa IP OCR-ANPR Camera that allows remote attackers to execute arbitrary shell commands on the device. The issue is in the 'utils.php' file, where the 'addr' and 'port' parameters can be used to inject commands. Exploitation relies on local file inclusion techniques, and the injected commands run as the 'www-data' user.
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution on the affected camera, with the executed commands running under the 'www-data' user account.
Reproduction
The vulnerability can be reproduced by sending a GET request to 'utils.php' with the 'cmd' parameter set to 'addr_check', the 'addr' parameter containing the injected command (e.g., '1.3.3.7$(command)') and the 'port' parameter set to '80'. This request must include a basic authorization header with the 'admin' credentials, which can be obtained by exploiting an earlier local file inclusion vulnerability to retrieve the admin password from a JSON file containing user credentials.
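To look for the request pattern described above in web server logs, the following Python sketch flags 'addr_check' requests whose 'addr' or 'port' value is not a plain address or port number. It is an added example, not part of the original advisory or the vendor's code; the combined access log format, the function names and the sample entries are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Hostname: dot-separated labels of letters, digits and hyphens only.
HOSTNAME_RE = re.compile(r"(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")

def is_clean_addr(value):
    """True if value is a literal IP address or a plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None

def is_clean_port(value):
    """True if value is a decimal port number in 1..65535."""
    return re.fullmatch(r"[0-9]{1,5}", value) is not None and 1 <= int(value) <= 65535

def findings(line):
    """Return (parameter, decoded value) pairs that fail validation in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    query = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes the values
    if not url.path.endswith("/utils.php") or "addr_check" not in query.get("cmd", []):
        return []
    bad = [("addr", v) for v in query.get("addr", []) if not is_clean_addr(v)]
    bad += [("port", v) for v in query.get("port", []) if not is_clean_port(v)]
    return bad

# Constructed sample entries (not captured from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2021:10:00:00 +0000] "GET /utils.php?cmd=addr_check&addr=192.0.2.50&port=80 HTTP/1.1" 200 12',
    '198.51.100.7 - admin [01/Jan/2021:10:05:00 +0000] "GET /utils.php?cmd=addr_check&addr=1.3.3.7$(command)&port=80 HTTP/1.1" 200 0',
    '198.51.100.7 - admin [01/Jan/2021:10:06:00 +0000] "GET /utils.php?cmd=addr_check&addr=1.3.3.7%24%28command%29&port=80 HTTP/1.1" 200 0',
    '198.51.100.7 - admin [01/Jan/2021:10:07:00 +0000] "GET /utils.php?cmd=addr_check&addr=192.0.2.50&port=80%3Bcommand HTTP/1.1" 200 0',
]

def scan(lines):
    return {n: f for n, line in enumerate(lines, 1) if (f := findings(line))}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Because the values are URL-decoded before validation, percent-encoded variants of the same input are flagged as well.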
Remediation
Users are advised to update to the latest firmware version, as the vendor has released patches for this vulnerability. Instructions for updating can be found on the Selea website.
