Exploit for Infiray IRAY-A8Z3 1.0.957 Code Execution / Overflow / Hardcoded Credentials CVE-2022-31208 CVE-2022-31209 CVE-2022-31210 CVE-2022-31211

Name: Exploit for Infiray IRAY-A8Z3 1.0.957 Code Execution / Overflow / Hardcoded Credentials CVE-2022-31208 CVE-2022-31209 CVE-2022-31210 CVE-2022-31211
Rating: 5 (293 reviews)
2022-06-19 | CVSS 0.4
## https://sploitus.com/exploit?id=PACKETSTORM:167466
SEC Consult Vulnerability Lab Security Advisory < 20220607-0 >  
=======================================================================  
title: Multiple Vulnerabilities  
product: Infiray IRAY-A8Z3 thermal camera  
vulnerable version: V1.0.957  
fixed version: None  
CVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210,  
CVE-2022-31211  
impact: Critical  
homepage: http://www.infiray.com/  
found: 2021-02  
by: S. Robertz (Office Vienna)  
F. Lienhart  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Atos company  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology  
Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops  
and manufactures infrared FPA detectors, thermal imaging modules, and other  
products, with completely independent intellectual property rights. We are  
committed to providing global customers with professional thermal imaging  
products and solutions. The main products include IRFPA detectors, thermal  
imaging cores, and terminal products for application."  
  
Source: http://www.infiray.com/about.html  
  
  
Business recommendation:  
------------------------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.  
  
SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The binary file "/usr/local/sbin/webproject/set_param.cgi" contains hardcoded  
credentials to the web application. As these accounts cannot be deactivated  
or change their passwords, they are considered to be backdoor accounts.  
  
2) Authenticated Remote Code Execution (CVE-2022-31208)  
The webserver contains an endpoint that can execute arbitrary commands by  
manipulating the "cmd_string" URL parameter. The user can login using one  
of the backdoor accounts from issue 1.  
  
3) Potential Buffer Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow by calling strcpy() without  
checking the string length beforehand.  
  
4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera offers a shell through a telnet connection. The root user does not  
require a password per default. Thus, anyone on the local network can  
execute arbitrary commands as root on the camera.  
  
5) Multiple Outdated Software Components  
Multiple outdated software components containing vulnerabilities were found by  
the IoT Inspector (ONEKEY) firmware analysis platform.  
  
  
Proof of concept:  
-----------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The following cgi program will be executed during the login process:  
  
http://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge  
&set_cmd=loading&length=35&name=<user>&password=<password>&access=0  
&0.3543773172371312  
  
The following de-compilation shows the code flow with the hardcoded passwords:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The authentication works by comparing the URL supplied username with the string  
"[removed]". Afterwards it will compare the password parameter to "[removed]" as well. If both  
string parameters match, a message will be removed from the messaging queue.  
Otherwise the function will just return. The same comparison holds for the admin account.  
  
Furthermore, string comparisons are made without checking the case. Hence,  
drastically improving the chances of brute-force attacks.  
  
  
2) Authenticated Remote Code Execution (CVE-2022-31208)  
The web application offers an option to view the device log. Opening following URL while  
logged in as admin (e.g. with hardcoded password from section 1) will trigger the request:  
  
http://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]  
  
By changing the "cmd_string" parameter, arbitrary commands can be executed with  
the rights of the webserver (www-data). The de-compiled code can be seen in following  
snippet:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The "cmd_string" parameter is directly passed into popen() and hence executed.  
  
  
3) Potential Buffer-Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow vulnerability:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
A pointer to the "next_url" parameter is supplied. A buffer of 64 bytes is  
allocated and the parameter value copied to it without checking the string  
length. Hence, a "next_url" parameter with more than 64 bytes could be  
supplied in order to overflow the buffer.  
Please note that this vulnerability is only based on firmware analysis and thus  
was not tested in a live scenario.  
  
  
4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera has a telnetd server running on port 23 per default. The root  
password is empty. If the telnet port is exposed to the internet, an attacker  
could easily connect to the device and gain root access. The telnet server  
cannot be deactivated and the root password cannot be changed through the  
web interface.  
  
  
5) Multiple Outdated Software Components  
IoT Inspector (ONEKEY) recognized multiple outdated software components  
with known vulnerabilities:  
  
BusyBox 1.25.0: 6 CVEs  
curl 7.54.0: 13 CVEs  
Dnsmasq 2.76: 9 CVEs  
lighttpd 1.4.41: 2 CVEs  
Linux Kernel 3.10.104: 1004 CVEs  
hostapd 2.5: 22 CVEs  
wpa_supplicant 2.5-devel_rtw_r17190.20160415: 12 CVEs  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following product/firmware version has been tested:  
* Infiray IRAY-A8Z3 V1.0.957  
  
It has to be assumed that further products or firmware versions are affected as well.  
  
  
Vendor contact timeline:  
------------------------  
2021-02-24: Contacting vendor through email address found on their website  
(sales@infiray.com)  
2021-03-11: Contacted vendor again through sales@infiray.com  
2021-04-12: Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com  
2021-04-12: Response from Sales Director, does not understand what to do with the information  
2021-04-12: Requesting a contact to the product owner or developer  
2021-04-13: Sending unencrypted security advisory to two provided email addresses.  
2021-04-29: Requesting status from vendor, no reply.  
2022-04-05: Requested status from vendor, no reply.  
2022-06-07: Release of security advisory.  
  
  
Solution:  
---------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult, an Atos company  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
  
EOF S. Robertz, F. Lienhart / @2022