AVTECH IP Cameras, DVRs, and NVRs Authentication Bypass Vulnerability

A vulnerability allowing authentication bypass has been identified in AVTECH IP cameras, DVR, and NVR devices. This issue resides within the streamd web server, where the strstr() function is used to bypass login controls. Unauthenticated access is granted to any request containing '/nobody' in the URL, allowing exploitation of various vulnerabilities, including command injection and information disclosure.

Impact

Exploitation of this vulnerability allows for authentication bypass, with subsequent access to sensitive information and the ability to execute commands on the device.

Reproduction

The vulnerability can be reproduced by sending a request to the streamd web server with '/nobody' included in the URL. This request will bypass authentication, allowing access to protected resources and functionalities. Once authenticated, the AVTECH CloudSetup.cgi and adcommand.cgi scripts can be used to execute arbitrary system commands with root privileges.

Remediation

Users are advised to change the default admin password and avoid exposing the web interface to the internet.