AVTECH DVR Devices Command Injection Vulnerability via Search.cgi

A command injection vulnerability has been identified in AVTECH DVR devices. This vulnerability allows unauthenticated attackers to execute arbitrary shell commands with root privileges. The issue arises in the Search.cgi component, specifically through the cgi_query action, which is vulnerable due to improper input sanitization. Exploitation can be achieved by injecting commands through the username or queryb64str parameters.

Impact

Exploitation of this vulnerability allows for unauthorized command execution on the affected device, with root privileges.

Reproduction

The vulnerability can be reproduced by sending a request to the Search.cgi script in the /cgi-bin/nobody directory. Include the action parameter set to cgi_query, and inject the desired command into the username parameter. The command injection is facilitated by the wget command, which executes the injected commands as root.

Remediation

Users are advised to change the default admin password and avoid exposing the device's web interface to the internet.