CVE-2017-8229

Amcrest IPM-721S Credential Disclosure / Privilege Escalation

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that sets up the default credentials on the device. If one opens this binary in IDA-pro one will notice that this follows a ARM little endian format. The function sub_436D6 in IDA pro is identified to be setting up the configuration for the device. If one scrolls to the address 0x000437C2 then one can see that /current_config is being set as an ALIAS for /mnt/mtd/Config folder on the device. If one TELNETs into the device and navigates to /mnt/mtd/Config folder, one can observe that it contains various files such as Account1, Account2, SHAACcount1, etc. This means that if one navigates to http://[IPofcamera]/current_config/Sha1Account1 then one should be able to view the content of the files. The security researchers assumed that this was only possible only after authentication to the device. However, when unauthenticated access tests were performed for the same URL as provided above, it was observed that the device file could be downloaded without any authentication.

Los dispositivos Amcrest IPM-721S V2.420.AC00.16.R.20160909 permiten que un atacante no identificado descargue las credenciales administrativas. Si la versión del firmware V2.420.AC00.16.R 9/9/2016 se diseca con la herramienta binwalk, se obtiene un archivo _user-x.squashfs.img.extracted que contiene el sistema de archivos configurado en el dispositivo que muchos de los binarios en la carpeta / usr. El "sonia" binario es el que tiene la función vulnerable que configura las credenciales predeterminadas en el dispositivo. Si uno abre este binario en IDA-pro, notará que sigue un formato ARM little endian. La función sub_436D6 en IDA pro se identifica para configurar la configuración del dispositivo. Si uno se desplaza a la dirección 0x000437C2, se puede ver que / current_config se está configurando como ALIAS para la carpeta / mnt / mtd / Config en el dispositivo. Si se coloca un TELNET en el dispositivo y se navega a la carpeta / mnt / mtd / Config, se puede observar que contiene varios archivos como Account1, Account2, SHAACcount1, etc. Esto significa que si se navega a http: // [IPofcamera] / current_config / Sha1Account1 entonces uno debería poder ver el contenido de los archivos. Los investigadores de seguridad asumieron que esto solo era posible después de la autorización en el dispositivo. Sin embargo, cuando se realizaron pruebas de acceso no autenticado para la misma URL que se proporcionó anteriormente, se observó que el archivo del dispositivo podía descargarse sin ninguna autorización.

Amcrest IPM-721S suffers from credential disclosure, privilege escalation, and a long list of other vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-25 CVE Reserved
2019-06-07 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-255: Credentials Management Errors

CAPEC

References (3)

URL	Tag	Source
http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html	Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List

URL	Date	SRC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Amcrest Search vendor "Amcrest"	Ipm-721s Firmware Search vendor "Amcrest" for product "Ipm-721s Firmware"	<= 2.420.ac00.16.r.20160909 Search vendor "Amcrest" for product "Ipm-721s Firmware" and version " <= 2.420.ac00.16.r.20160909"	-	Affected	in	Amcrest Search vendor "Amcrest"	Ipm-721s Search vendor "Amcrest" for product "Ipm-721s"	-	-	Safe