CVE-2017-8226

Amcrest IPM-721S Credential Disclosure / Privilege Escalation

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default credentials that are hardcoded in the firmware and can be extracted by anyone who reverses the firmware to identify them. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that sets up the default credentials on the device. If one opens this binary in IDA-pro, one will notice that this follows a ARM little endian format. The function sub_3DB2FC in IDA pro is identified to be setting up the values at address 0x003DB5A6. The sub_5C057C then sets this value and adds it to the Configuration files in /mnt/mtd/Config/Account1 file.

Los dispositivos Amcrest IPM-721S V2.420.AC00.16.R.20160909 tienen credenciales predeterminadas que están codificadas en el firmware y pueden ser extraídas por cualquiera que invierta el firmware para identificarlas. Si la versión del firmware V2.420.AC00.16.R 9/9/2016 se diseca con la herramienta binwalk, se obtiene un archivo _user-x.squashfs.img.extracted que contiene el sistema de archivos configurado en el dispositivo que muchos de los binarios en la carpeta / usr. El "sonia" binario es el que tiene la función vulnerable que configura las credenciales predeterminadas en el dispositivo. Si uno abre este binario en IDA-pro, notará que sigue un formato ARM en little endian. La función sub_3DB2FC en IDA pro se identifica para configurar los valores en la dirección 0x003DB5A6. El sub_5C057C luego establece este valor y lo agrega a los archivos de Configuración en el archivo / mnt / mtd / Config / Account1.

Amcrest IPM-721S suffers from credential disclosure, privilege escalation, and a long list of other vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-25 CVE Reserved
2019-06-07 CVE Published
2019-06-07 First Exploit
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-798: Use of Hard-coded Credentials

CAPEC

References (4)

URL	Tag	Source
http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html	Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List

URL	Date	SRC
https://packetstorm.news/files/id/153224	2019-06-07
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Amcrest Search vendor "Amcrest"	Ipm-721s Firmware Search vendor "Amcrest" for product "Ipm-721s Firmware"	<= 2.420.ac00.16.r.20160909 Search vendor "Amcrest" for product "Ipm-721s Firmware" and version " <= 2.420.ac00.16.r.20160909"	-	Affected	in	Amcrest Search vendor "Amcrest"	Ipm-721s Search vendor "Amcrest" for product "Ipm-721s"	-	-	Safe