Diviotec Professional Series IP Cameras Command Injection Vulnerability Allowing Remote Code Execution

A vulnerability has been identified in the Diviotec professional series IP cameras, including models nbr222p, nbr222pv, nbr224p, nbr225p, nbr226p, nbf232p, nbf233p, ndr252p, and ndr255p. All versions of these cameras are affected. The vulnerability arises from arbitrary command injection in a CGI script called 'camctrl.cgi', which is executed by the 'apache' user. This script improperly sanitizes user input, allowing remote attackers to inject commands that are executed with elevated privileges. Additionally, the cameras use hardcoded passwords, which can be exploited to bypass authentication and access the vulnerable endpoint.

Impact

Exploitation of this vulnerability allows remote, unauthenticated attackers to execute arbitrary commands on the affected IP cameras with the privileges of the 'apache' user. This can be escalated to root access without a password, leading to full control over the device.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'camctrl.cgi' endpoint with injected commands in the 'digitalzoom_num' parameter. Authentication is required, but default credentials can be used to bypass this requirement.

Remediation

Affected cameras should be isolated from the Internet, default or weak passwords replaced, and a firmware update requested from Diviotec or Nexcomm. After applying the update, CGI scripts should be re-audited for proper input sanitization and unnecessary sudo privileges for the 'apache' user removed.