PTZOptics PT30X-SDI-xx-G2
cpe:2.3:h:ptzoptics:pt30x-sdi:*:*:*:*:*:*:*
- <= 6.3.30
This vulnerability is being actively exploited in the wild.
PTZOptics and other ValueHD-based pan-tilt-zoom cameras, in all versions prior to 6.3.40 (excluding certain models), use hard-coded default administrative passwords. These passwords are easily cracked; they grant access to the admin web interface and, when combined with other vulnerabilities, allow for remote code execution. Many of these cameras have SSH or telnet enabled by default, listening on all interfaces. The default passwords for SSH and telnet can also be easily cracked, and users can neither change these passwords nor disable the SSH or telnet services. The vulnerability arises from improper authentication and the use of hard-coded credentials, which can be exploited to access sensitive data and execute arbitrary commands on the devices.
Exploitation of this vulnerability could lead to unauthorized access to the camera's administrative interface, allowing attackers to manipulate video feeds, disable camera functions, and execute arbitrary commands on the device. Additionally, the cameras could be integrated into a botnet for conducting denial-of-service attacks. This vulnerability also poses a risk of broader network exploitation, as extracted network details could facilitate lateral movement into the device's local network, potentially compromising other connected systems.
The vulnerability can be reproduced by sending a request to the camera's CGI API without an Authorization header. This request can include commands to access sensitive information, such as device configurations and password hashes. The hard-coded passwords can then be used to gain administrative access via SSH or telnet. Once access is obtained, the camera's NTP client can be manipulated to execute commands on the device, achieving remote code execution.
PTZOptics has released firmware updates addressing these vulnerabilities. Affected users should contact ValueHD, multiCAM Systems, or SMTAV for guidance on securing their devices.