Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
LILIN DVR Unauthenticated Arbitrary File Read Vulnerability
Vulnerability
A vulnerability allowing unauthenticated arbitrary file read has been identified in LILIN Digital Video Recorder (DVR) devices running firmware prior to version 2.0b60_20200207. The issue lies in the '/z/zbin/net_html.cgi' endpoint, which lets an unauthenticated attacker read files from the device, including sensitive configuration files such as '/zconf/service.xml'. The contents of that file can be used to stage further attacks on the device, including command injection. The vulnerability has been observed being exploited in the wild by botnets such as FBot and Moobot.
Impact
Exploitation of this vulnerability gives an unauthenticated attacker read access to sensitive configuration files, which can then be used to mount further attacks on the device, including command injection. According to the LILIN vendor advisory, the vulnerability has been assigned a CVSS v3.1 Base Score of 10.0 (Critical).
Reproduction
The vulnerability can be reproduced by sending an unauthenticated HTTP request to the '/z/zbin/net_html.cgi' endpoint of a vulnerable LILIN DVR; the response returns the contents of sensitive files such as '/zconf/service.xml'. Because no credentials are required, any host that can reach the device's web interface can perform this read, so requests to this endpoint from unexpected sources should be treated as probable exploitation attempts.
Remediation
Users are advised to update their LILIN DVR devices to firmware version 2.0b60_20200207 or later, which addresses this vulnerability. The firmware update can be downloaded from the LILIN support website. Until the update is applied, the device's web interface should not be exposed to untrusted networks, since the file read requires no authentication.
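The following is an added example, not LILIN's code or tooling, showing two checks a defender would want for the Reproduction and Remediation sections above: a scanner that flags requests to the '/z/zbin/net_html.cgi' endpoint in a web-server access log (escalating when the request references '/zconf/' or 'service.xml'), and a comparison of a device's firmware version string against the fixed release 2.0b60_20200207. The log lines are constructed for illustration, the 'file=' query parameter in them is made up (the detection keys only on the endpoint path and on the file name appearing anywhere in the request, not on any particular parameter), and the assumption that LILIN version strings follow the layout '<major>.<minor>b<build>_<YYYYMMDD>' is taken from the single fixed version the advisory names.

```python
"""Detection and triage helpers for the LILIN DVR net_html.cgi file-read issue.

Added example, not LILIN's code or tooling: it scans web-server access logs for
requests to the vulnerable endpoint and checks a firmware version string against
the fixed release named in the advisory.
"""
import re
from urllib.parse import unquote

VULN_ENDPOINT = "/z/zbin/net_html.cgi"          # endpoint named in the advisory
SENSITIVE_MARKERS = ("/zconf/", "service.xml")  # config file named in the advisory
FIXED_VERSION = "2.0b60_20200207"               # first fixed firmware per the advisory

# Common Log Format line: ip ident user [ts] "method target proto" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# ASSUMED layout "<major>.<minor>b<build>_<YYYYMMDD>", inferred only from the
# fixed version string on the advisory; other LILIN builds may differ.
_VER_RE = re.compile(r"^(\d+)\.(\d+)b(\d+)_(\d{8})$")

# Constructed sample log (not captured traffic). The "file=" parameter is a
# placeholder for the sample only; the detection does not depend on its name.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2020:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.10 - - [10/Mar/2020:14:02:12 +0000] "GET /z/zbin/net_html.cgi HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2020:14:05:40 +0000] "GET /z/zbin/net_html.cgi?file=/zconf/service.xml HTTP/1.1" 200 8811
198.51.100.7 - - [10/Mar/2020:14:05:41 +0000] "GET /z/zbin/net_html.cgi?file=%2Fzconf%2Fservice.xml HTTP/1.1" 200 8811
192.0.2.22 - - [10/Mar/2020:14:09:03 +0000] "POST /login.cgi HTTP/1.1" 302 0
"""


def _fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so %252F-style double encoding cannot hide a path."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return None for unrelated requests, otherwise a severity label.

    'endpoint_access'  : any request to the vulnerable CGI (it needs no auth,
                         so every hit from an unexpected source is suspect)
    'config_file_read' : the request also references the /zconf/ tree or
                         service.xml, i.e. the sensitive file the advisory names
    """
    decoded = _fully_decode(target)
    path = decoded.split("?", 1)[0]
    if path != VULN_ENDPOINT:
        return None
    if any(marker in decoded for marker in SENSITIVE_MARKERS):
        return "config_file_read"
    return "endpoint_access"


def scan_access_log(text):
    """Return one finding dict per suspicious request in a CLF access log."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        severity = classify_request(m["target"])
        if severity is None:
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "target": m["target"],
            "status": int(m["status"]),
            "severity": severity,
        })
    return findings


def parse_version(version):
    """Split a LILIN-style version string into a comparable (major, minor, build, date) tuple."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the firmware predates the fixed release named in the advisory."""
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:17} {f['ip']:15} {f['timestamp']}  {f['target']}")
    for v in ("2.0b50_20191101", FIXED_VERSION):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Run it against a real access log by passing the file contents to scan_access_log(); because the endpoint requires no authentication, even plain 'endpoint_access' hits from outside the management network are worth an alert, and 'config_file_read' hits should be treated as a likely successful read followed by the command-injection follow-up the advisory describes.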
