Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based)

[Henri Salo <henri () nerv fi>]

On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote:
> I have been hacking on a Rosewill RSVA11001 for a while now, something to
> suck up my free time. I had pulled apart the firmware previously but did
> not succeed in finding a way to get a shell on the device. The box is
> Hi3515 based, I found an exploit for another similar box (Ray Sharp) but it
> did not work. The Rosewill firmware seems to use an executable that listens
> on two ports rather one when communicating with the Windows-based control
> software. Port 8000 is now the command port rather 9000, 9000 is used for
> video only. After playing with the included Windows application I
> eventually did a strings on the 'hi_dvr' exectuable that is the user space
> program that controls the interface to thing. I found this gem:
>
> /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp
>
> So I used the windows software to set the NTP host to
>
> a;/usr/bin/nc -l -p 5555 -e /bin/sh&

Did you report this to the vendor?

--
Henri Salo

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/