Agent DVR Directory Traversal Vulnerability Leading to Unauthenticated Local Access, SSRF, and Command Injection

Vulnerability

A directory traversal vulnerability has been identified in Agent DVR versions through 6.6.1.0. It allows an unauthenticated local attacker to access sensitive information, perform server-side request forgery (SSRF), or execute operating system commands. The issue lies in the local API, whose file-path handling can be abused to traverse directories and read or write files on the server.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, execution of arbitrary operating system commands, and potentially full remote code execution on Linux systems, as Agent DVR runs with root privileges by default.

Reproduction

To reproduce this vulnerability, add a new Network IP Camera through the Agent DVR interface. Once the camera is added, update the Source Type to include a payload that exploits the directory traversal vulnerability. This payload should traverse the file system to access sensitive files, such as the '/etc/passwd' file, and create a new file in the 'Commands' directory of Agent DVR. After the file is created, a new Action and Task can be set up to execute the file as a bash script, leveraging the command injection vulnerability to gain a root shell.
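The root cause described above is a file path built from a user-controlled camera source value without any check that the result stays inside the intended directory. The following Python is an added illustration of that bug class from a defender's side; it is not Agent DVR's code, and the base directory, function names, and log lines are constructed assumptions. It shows the vulnerable join pattern beside a contained replacement, and a small detector that flags traversal indicators in submitted source values so that such updates can be alerted on.

```python
"""Containment check for a file path derived from an untrusted value.

Constructed example (not Agent DVR code): a service builds a path from a
camera "source" string and must refuse anything that escapes its base dir.
"""
import os
from urllib.parse import unquote

# Assumed base directory for camera-derived files (hypothetical layout).
MEDIA_ROOT = "/srv/dvr/media"


def unsafe_resolve(base, user_value):
    """Vulnerable pattern: join and normalise, but never check containment.

    '..' segments walk out of `base`, and an absolute `user_value` makes
    os.path.join discard `base` entirely.
    """
    return os.path.normpath(os.path.join(base, user_value))


def safe_resolve(base, user_value):
    """Hardened pattern: decode once, normalise, then require containment."""
    base_abs = os.path.normpath(os.path.abspath(base))
    # Decode percent-encoding once so '%2e%2e' is seen as '..' before checking.
    decoded = unquote(user_value)
    # Drop leading separators so an absolute value cannot replace the base.
    relative = decoded.lstrip("/\\")
    candidate = os.path.normpath(os.path.join(base_abs, relative))
    # commonpath compares whole components, so '/srv/dvr/mediax' is not
    # mistaken for something inside '/srv/dvr/media'.
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        raise ValueError("path escapes base directory: %r" % user_value)
    return candidate


def traversal_indicators(value):
    """Return the reasons a submitted value looks like traversal ([] if clean)."""
    reasons = []
    decoded = unquote(value)
    parts = decoded.replace("\\", "/").split("/")
    if ".." in parts:
        reasons.append("dot-dot segment")
    if decoded.startswith("/"):
        reasons.append("absolute path")
    if decoded != value and ".." in decoded:
        reasons.append("percent-encoded traversal")
    return reasons


# Constructed audit lines in an assumed format; not real Agent DVR logs.
SAMPLE_EVENTS = [
    "2025-11-18T16:24:01Z source_update cam=3 value=cam3/stream",
    "2025-11-18T16:25:10Z source_update cam=3 value=../../../../etc/passwd",
    "2025-11-18T16:26:42Z source_update cam=4 value=%2e%2e/%2e%2e/Commands/run.sh",
]


def flag_events(lines):
    """Return (timestamp, value, reasons) for every line whose value looks like traversal."""
    flagged = []
    for line in lines:
        value = line.rsplit("value=", 1)[1]
        reasons = traversal_indicators(value)
        if reasons:
            flagged.append((line.split()[0], value, reasons))
    return flagged


if __name__ == "__main__":
    print("unsafe:", unsafe_resolve(MEDIA_ROOT, "../../../../etc/passwd"))
    try:
        safe_resolve(MEDIA_ROOT, "../../../../etc/passwd")
    except ValueError as err:
        print("safe  :", err)
    for ts, value, reasons in flag_events(SAMPLE_EVENTS):
        print(ts, value, ", ".join(reasons))
```

The containment check is done on the normalised path rather than by searching the raw string for `..`, because encoded or mixed-separator forms evade string matching but not normalisation; the detector still looks at the raw value so that encoded attempts are surfaced as their own signal.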

Added: Nov 18, 2025, 4:24 PM
Updated: Nov 18, 2025, 5:41 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact         10.0
exploitability  6.2
remediation     0.0
relevance       1.1
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce scores for these eight vulnerability categories, which are then combined into the overall risk score.