CVE-2017-8227
Amcrest IPM-721S Credential Disclosure / Privilege Escalation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout policy to wait for 5 minutes in case 30 incorrect password attempts are detected using the Web and HTTP API interface provided by the device. However, if the same brute force attempt is performed using the ONVIF specification (which is supported by the same binary) then there is no account lockout or timeout executed. This can allow an attacker to circumvent the account protection mechanism and brute force the credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that performs the credential check in the binary for the ONVIF specification. If one opens this binary in IDA-pro one will notice that this follows a ARM little endian format. The function at address 00671618 in IDA pro is parses the WSSE security token header. The sub_ 603D8 then performs the authentication check and if it is incorrect passes to the function sub_59F4C which prints the value "Sender not authorized."
Los dispositivos Amcrest IPM-721S V2.420.AC00.16.R.20160909 tienen una política de tiempo de espera para esperar 5 minutos en caso de que se detecten 30 intentos de contraseña incorrectos mediante la interfaz web y API de HTTP proporcionada por el dispositivo. Sin embargo, si se realiza el mismo intento de fuerza bruta utilizando la especificación ONVIF (que es compatible con el mismo binario), entonces no se ejecuta el bloqueo de la cuenta o el tiempo de espera. Esto puede permitir a un atacante eludir el mecanismo de protección de la cuenta y forzar las credenciales. Si la versión del firmware V2.420.AC00.16.R 9/9/2016 se diseca con la herramienta binwalk, se obtiene un archivo _user-x.squashfs.img.extracted que contiene el sistema de archivos configurado en el dispositivo que muchos de los binarios en la carpeta / usr. El "sonia" binario es el que tiene la función vulnerable que realiza la verificación de credenciales en el binario para la especificación ONVIF. Si uno abre este binario en IDA-pro, notará que sigue un formato ARM little endian. La función en la dirección 00671618 en IDA pro es analizar el encabezado del token de seguridad WSSE. El sub_ 603D8 luego realiza la verificación de autorización y si es incorrecto pasa a la función sub_59F4C que imprime el valor "Remitente no autorizado".
Amcrest IPM-721S suffers from credential disclosure, privilege escalation, and a long list of other vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-04-25 CVE Reserved
- 2019-06-07 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-254: 7PK - Security Features
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html | Third Party Advisory |
|
| https://seclists.org/bugtraq/2019/Jun/8 | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Amcrest Search vendor "Amcrest" | Ipm-721s Firmware Search vendor "Amcrest" for product "Ipm-721s Firmware" | <= 2.420.ac00.16.r.20160909 Search vendor "Amcrest" for product "Ipm-721s Firmware" and version " <= 2.420.ac00.16.r.20160909" | - |
Affected
| in | Amcrest Search vendor "Amcrest" | Ipm-721s Search vendor "Amcrest" for product "Ipm-721s" | - | - |
Safe
|