Uniview PreAuth RCE
Original Post:
We discussed this vulnerability during Episode 112 on 18 January 2022
The initial vulnerability here is an unbounded sscanf into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads will find plenty of bugs out there in the world. Looking at the exploit, I assume the stack was not executable since they use a minimal ROP chain, though it's not explicitly stated.
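The bug class is easy to spot and easy to fix. The following is an added example, not code from the original post or from the Uniview firmware: it shows the weak `sscanf("%s")` pattern next to a bounded version that derives the width from the buffer size and uses `%n` to detect (and reject) tokens that would have been truncated. The `name=` field and `NAME_LEN` are constructed stand-ins for whatever request field the daemon actually parses.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the size of the stack buffer the daemon parses into. */
#define NAME_LEN 32

/* Weak pattern: "%s" carries no width, so any token longer than NAME_LEN-1
 * bytes writes past name[] on the caller's stack. Kept here only so the
 * difference with the bounded version is visible; never feed it untrusted input. */
int parse_name_unbounded(const char *line, char name[NAME_LEN]) {
    return sscanf(line, "name=%s", name) == 1;
}

/* Hardened: a width of NAME_LEN-1 bounds the write, and %n reports how much
 * input was consumed, so a token that was cut off (next byte is not a
 * delimiter) is treated as a malformed request instead of silently truncated.
 * Returns 1 on success, 0 on malformed or oversized input. */
int parse_name_bounded(const char *line, char name[NAME_LEN]) {
    char fmt[32];
    int consumed = 0;
    /* Build "name=%31s%n" from NAME_LEN so buffer size and width cannot drift apart. */
    snprintf(fmt, sizeof fmt, "name=%%%ds%%n", NAME_LEN - 1);
    if (sscanf(line, fmt, name, &consumed) != 1)
        return 0;
    /* After a complete token the next byte must be end-of-string or whitespace. */
    char next = line[consumed];
    if (next != '\0' && next != ' ' && next != '\t' && next != '\r' && next != '\n')
        return 0;
    return 1;
}

/* Helper for demos/tests: parse with the bounded routine and return the
 * accepted name's length, or -1 if the line was rejected. */
int bounded_name_length(const char *line) {
    char name[NAME_LEN] = {0};
    if (!parse_name_bounded(line, name))
        return -1;
    return (int)strlen(name);
}

int main(void) {
    /* Constructed sample inputs: a normal field and an oversized one. */
    const char *ok = "name=admin HTTP/1.1";
    const char *oversized = "name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("normal:    %d\n", bounded_name_length(ok));        /* 5  */
    printf("oversized: %d\n", bounded_name_length(oversized)); /* -1 */
    return 0;
}
```

The width-from-macro trick matters in practice: hard-coding `%31s` next to a `char name[32]` is correct today and silently wrong the day someone resizes the buffer. The `%n` check is what turns "truncate and continue" into "reject", which is usually what a network parser should do with a field that does not fit.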
Using this to launch telnetd with the default credentials (root:123456) results in a restricted shell (uvsh) that can write to /tmp only.
In theory this might be sufficient, but, for any developers out there, if you're going to use a restricted shell, you probably shouldn't store important scripts under /tmp either. One could modify the script at /tmp/bin/reboot.sh to get execution in an unrestricted context.