AVTECH DVR, NVR, and IP Camera OS Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in AVTECH DVR, NVR, and IP camera devices. This vulnerability exists within the adcommand.cgi endpoint, which interacts with the ActionD daemon. Authenticated users can exploit this issue by invoking the DoShellCmd operation and passing arbitrary commands through the strCmd parameter. The lack of input sanitization allows these commands to be executed directly by the system shell with root privileges.

Impact

Exploitation of this vulnerability allows for unauthorized execution of commands on the affected device's operating system, with root privileges.

Reproduction

To reproduce this vulnerability, an authenticated user must send a POST request to the '/cgi-bin/supervisor/adcommand.cgi' endpoint. The request must include a 'DoShellCmd' parameter with the desired command to be executed. This can be done using a web application testing tool or script that automates the process of sending the request with the appropriate parameters.

Remediation

Users are advised to change the default admin password and avoid exposing the device's web interface to the internet.
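The request shape described under Reproduction is also what a defender should watch for. The following detection script is an added example and is not part of the original advisory: it takes raw HTTP requests as a reverse proxy or IDS in front of the device might capture them, parses them, and flags any request to the adcommand.cgi endpoint, raising the finding to "shell_command" when the DoShellCmd operation or its strCmd argument appears as a parameter name or value. The sample requests, the hostname, the X-Forwarded-For address and the form layout (action=...) are constructed assumptions, and the command value is a placeholder.

```python
from typing import Optional
from urllib.parse import parse_qs

# Endpoint named in the advisory, and the tokens tied to the shell operation.
VULN_PATH = "/cgi-bin/supervisor/adcommand.cgi"
SHELL_TOKENS = ("DoShellCmd", "strCmd")


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body.decode("latin-1")}


def extract_params(req: dict) -> dict:
    """Merge query-string and form-body parameters (percent-decoded)."""
    params = {}
    for part in (req["query"], req["body"]):
        for key, values in parse_qs(part, keep_blank_values=True).items():
            params[key] = values[0]
    return params


def classify_request(raw: bytes) -> Optional[dict]:
    """Return a finding for requests touching adcommand.cgi, else None.

    'shell_command' means DoShellCmd or strCmd appears as a parameter name
    or value (covering both readings of the advisory); 'endpoint_access'
    means any other use of the endpoint, still worth logging because the
    endpoint itself is the one the advisory names."""
    req = parse_http_request(raw)
    if req["path"] != VULN_PATH:
        return None
    params = extract_params(req)
    shell_use = any(tok in k or tok in v
                    for k, v in params.items() for tok in SHELL_TOKENS)
    return {
        "kind": "shell_command" if shell_use else "endpoint_access",
        "method": req["method"],
        # Proxy-supplied client address; "unknown" when the header is absent.
        "source": req["headers"].get("x-forwarded-for", "unknown"),
        "params": sorted(params),
    }


def scan(requests: list) -> list:
    """Run the classifier over a batch and keep only the findings."""
    return [f for f in (classify_request(r) for r in requests) if f]


# Constructed sample traffic (not captured from a real device). The form
# layout (action=...) is an assumption, and the command value is a placeholder.
SAMPLE_REQUESTS = [
    (b"POST /cgi-bin/supervisor/adcommand.cgi HTTP/1.1\r\n"
     b"Host: dvr.example.internal\r\n"
     b"X-Forwarded-For: 198.51.100.7\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"action=DoShellCmd&strCmd=PLACEHOLDER_COMMAND"),
    (b"GET /cgi-bin/supervisor/adcommand.cgi?action=HypotheticalOp HTTP/1.1\r\n"
     b"Host: dvr.example.internal\r\n\r\n"),
    (b"GET /index.html HTTP/1.1\r\nHost: dvr.example.internal\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Matching on decoded parameter names and values rather than on the raw body means percent-encoded variants of the token are still caught, and recording every access to the endpoint, not only the shell operation, gives a baseline against which a sudden burst of adcommand.cgi traffic stands out even if the operation name changes.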

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
  spread          0.3
  impact          5.0
  exploitability  6.2
  remediation     8.3
  relevance       0.2
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.