CVE-2017-8230
Amcrest IPM-721S Credential Disclosure / Privilege Escalation
Public Exploits: 1
Exploited in Wild: -
Descriptions
On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on the device are divided into 2 groups, "admin" and "user". However, as part of a security analysis it was identified that a low-privileged user who belongs to the "user" group and who has access to log in to the web administrative interface of the device can add a new administrative user to the interface using the HTTP APIs provided by the device, and can then perform all actions as an administrative user by using that account. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using the binwalk tool, one obtains a _user-x.squashfs.img.extracted archive, which contains the filesystem set up on the device and has many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable functions that perform the various actions described in the HTTP APIs. If one opens this binary in IDA Pro, one will notice that it follows an ARM little-endian format. The function at address 0x00429084 in IDA Pro is the one that processes the HTTP API request for the "addUser" action. If one traces the calls to this function, it can be clearly seen that the function sub_41F38C at address 0x0041F588 parses the call received from the browser and passes it to the "addUser" function without any authorization check.
Amcrest IPM-721S suffers from credential disclosure, privilege escalation, and a long list of other vulnerabilities.
Timeline
- 2017-04-25 CVE Reserved
- 2019-06-07 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-264: Permissions, Privileges, and Access Controls
References (2)
URL | Tag | Source
---|---|---
http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html | Third Party Advisory |

URL | Date | SRC
---|---|---
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf | 2024-08-05 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Amcrest | Ipm-721s Firmware | <= 2.420.ac00.16.r.20160909 | - | Affected
in Amcrest | Ipm-721s | - | - | Safe