Uniview PreAuth RCE

Original Post: Uniview PreAuth RCE
We discussed this vulnerability during Episode 112 on 18 January 2022

The initial vulnerability here is an unbounded sscanf into a stack variable. In terms of discovery, just checking those format strings for unbounded string reads (a `%s` with no width) will find plenty of bugs out there in the world. Looking at the exploit, I assume the stack was not executable since they use a minimal ROP chain, though it's not explicitly stated.
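As an added illustration (not code from the original post or from the Uniview firmware), the unbounded sscanf pattern next to a bounded version that also rejects oversized input rather than silently truncating it; the field name, NAME_LEN and the sample lines are assumptions:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32   /* hypothetical size of a parsed request field */

/* Vulnerable pattern: "%s" carries no width, so sscanf copies the whole
 * token into name[] whatever its length. A line longer than NAME_LEN
 * overruns the stack buffer (CWE-120). Shown for contrast only; nothing
 * below calls it. */
int parse_name_unbounded(const char *line, char name[NAME_LEN]) {
    return sscanf(line, "name=%s", name) == 1 ? 0 : -1;
}

/* Hardened form. The width (NAME_LEN - 1) caps the bytes written, leaving
 * room for the NUL; %n records how far sscanf got, which lets the caller
 * reject an overlong token instead of keeping a truncated one.
 * Returns 0 on success, -1 on parse failure, -2 if the token was too long. */
int parse_name_bounded(const char *line, char name[NAME_LEN]) {
    char fmt[32];
    int consumed = 0;

    /* Build "name=%31s%n" from the buffer size so the two cannot drift apart. */
    snprintf(fmt, sizeof fmt, "name=%%%ds%%n", NAME_LEN - 1);
    if (sscanf(line, fmt, name, &consumed) != 1)   /* %n is not counted */
        return -1;

    /* If the character after the field is neither end-of-string nor
     * whitespace, the width stopped us mid-token: the input was oversized. */
    unsigned char next = (unsigned char)line[consumed];
    if (next != '\0' && !isspace(next))
        return -2;
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    char oversized[5 + 64 + 1] = "name=";          /* constructed sample input */
    memset(oversized + 5, 'A', 64);
    oversized[5 + 64] = '\0';

    printf("short  : %d\n", parse_name_bounded("name=admin", name));  /* 0 */
    printf("long   : %d\n", parse_name_bounded(oversized, name));     /* -2 */
    printf("nofield: %d\n", parse_name_bounded("user=admin", name));  /* -1 */
    return 0;
}
```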

Using this to launch telnetd with the default credentials (root:123456) results in a restricted shell (uvsh) that can write to /tmp only.

In theory this might be sufficient, but, for any developers out there, if you're going to use a restricted shell, you probably shouldn't store important scripts under /tmp as well. One could modify the script at /tmp/bin/reboot.sh to get execution in an unrestricted context.