Nahuel Riva, a research engineer from Core Security, discovered vulnerabilities in AirLive cameras designed for professional surveillance and security applications. He was able to invoke some CGIs without authentication, while backdoor accounts allowed him to execute arbitrary OS commands on the device.
An attacker who has compromised the camera could see the video stream the camera is transmitting and use the device to compromise other devices/computers on the network.
The vulnerable models and firmware versions include:
- AirLive BU-2015 with firmware 1.03.18 16.06.2014
- AirLive BU-3026 with firmware 1.43 21.08.2014
- AirLive MD-3025 with firmware 1.81 21.08.2014
- AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011
- AirLive POE-200CAM v2 with firmware LM.1.6.17.01
In the case of the MD-3025, BU-3026 and BU-2015 cameras, the vulnerability lies in the cgi_test.cgi binary file. In the case of the WL-2000CAM and POE-200CAM cameras, the command injection can be performed using the vulnerable wireless_mft.cgi binary file.
Core Security notified AirLive on May 4, but never received a response. To avoid exploitation, apply a WAF (Web Application Firewall) rule that filters the vulnerable requests, matching either the CGI file or the parameters where the injection is performed.
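The following is an added example, not code from Core Security or AirLive: it models the decision a file-name-based filtering rule makes and runs it over constructed reverse-proxy log lines to show which requests would have been blocked. The `/cgi-bin/` directory, the log format and the addresses are assumptions; only the two CGI file names come from the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# CGI binaries named in the advisory. Their directory is not given on the
# page, so the rule matches on the file name in any path segment.
BLOCKED_CGIS = {"cgi_test.cgi", "wireless_mft.cgi"}

# Constructed sample: access-log lines in common log format (assumed).
# The /cgi-bin/ prefix is an assumption, not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "GET /cgi-bin/cgi_test.cgi?x=1 HTTP/1.1" 200 87
192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/WIRELESS_MFT.CGI HTTP/1.1" 200 40
192.0.2.51 - - [01/Jan/2024:10:00:15 +0000] "GET /cgi-bin/%63gi_test.cgi HTTP/1.1" 200 87
192.0.2.10 - - [01/Jan/2024:10:00:20 +0000] "GET /help/cgi_test.cgi.txt HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def should_block(request_target: str) -> bool:
    """Return True if the request addresses one of the vulnerable CGIs."""
    path = urlsplit(request_target).path
    # Normalise before matching: decode percent-escapes until stable
    # (bounded), so the rule compares what the web server would resolve.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Check every segment (a CGI can be followed by extra path info),
    # case-insensitively and without any ";parameter" suffix.
    segments = [seg.split(";")[0].lower() for seg in path.split("/")]
    return any(seg in BLOCKED_CGIS for seg in segments)


def flagged_requests(log_text: str) -> list:
    """Return (client, target) pairs for log lines the rule would block."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and should_block(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for client, target in flagged_requests(SAMPLE_LOG):
        print(f"would block {client} -> {target}")
```

Run against existing proxy logs, the same function also shows whether the CGIs were requested before the rule was in place.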