Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
LILIN DVR Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207. The vulnerability arises from inadequate sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface can upload a malicious XML file containing injected shell commands in these fields. During subsequent configuration synchronization, these commands are executed with elevated privileges. This vulnerability has been exploited in the wild by the Moobot botnet.
Impact
Exploitation of this vulnerability allows for command injection, with injected commands executed with elevated privileges. This vulnerability has been exploited in the wild, leading to the deployment of DDoS botnet malware on the affected device, which was then used to attack other networked devices.
Reproduction
The vulnerability can be reproduced by logging into the DVR's web interface with a default or hard-coded username and password. Once logged in, upload a malicious XML file through the configuration interface that injects shell commands into the FTP or NTP Server fields. After the file is uploaded, the injected commands will be executed with elevated privileges during the next configuration sync.
Remediation
Users are advised to update their LILIN DVR devices to firmware version 2.0b60_20200207, which addresses the command injection vulnerability by properly sanitizing the FTP and NTP Server fields. The firmware update can be downloaded from the LILIN support website.
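The field-level sanitization the fix relies on can be illustrated with an allowlist check: each server field must be an IP literal or an RFC 1123 hostname, so shell metacharacters never reach the configuration sync. This is an added example, not LILIN firmware code; the XML element names `ftp_server` and `ntp_server` and the sample config are constructed, since the real schema is not on the page.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Hypothetical element names: the real LILIN config schema is not on the page.
SERVER_FIELDS = ("ftp_server", "ntp_server")

# RFC 1123 label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_server(value: str) -> bool:
    """Allowlist check: a server field may hold only an IP literal or a hostname."""
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    # Every dot-separated label must match; a trailing dot (FQDN) is allowed.
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def check_config(xml_text: str) -> list:
    """Return (field, value) pairs whose content fails the allowlist."""
    root = ET.fromstring(xml_text)
    findings = []
    for field in SERVER_FIELDS:
        for elem in root.iter(field):
            text = elem.text or ""
            if not is_valid_server(text):
                findings.append((field, text))
    return findings


# Constructed sample config, not a real LILIN export.
SAMPLE_CONFIG = """<config>
  <service>
    <ftp_server>ftp.example.org</ftp_server>
    <ntp_server>pool.ntp.org; echo injected</ntp_server>
  </service>
</config>"""

if __name__ == "__main__":
    for field, value in check_config(SAMPLE_CONFIG):
        print(f"rejected {field}: {value!r}")
```

A config import that rejects the whole file on any finding, rather than passing the field through to a shell, is the behaviour the patched firmware is described as having.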
