ID
VAR-201610-0719
TITLE
AVTECH device adcommand.cgi presence verification command injection vulnerability
Trust: 0.6
DESCRIPTION
AVTECH, founded in 1996, is one of the world's leading manufacturers of CCTV. The main products are monitoring equipment, network cameras, network video recorders and so on. The AVTECH device adcommand.cgi has a verification command injection vulnerability. The Avtech device includes an adcommand.cgi script to execute ActionD commands that can be accessed by authentication. In the new device, the ActionD daemon provides a system call that the DoShellCmd function uses to execute the specified parameters. Since the DoShellCmd function is not verified or whitelisted, the attacker can use the vulnerability to execute arbitrary commands of the system with root privileges.
Trust: 0.6
IOT TAXONOMY
| category: | ['Network device'] | sub_category: | - | Trust: 0.6 |
AFFECTED PRODUCTS
| vendor: | avtech | model: | dvr | scope: | - | version: | - | Trust: 0.6 |
| vendor: | avtech | model: | nvr | scope: | - | version: | - | Trust: 0.6 |
| vendor: | avtech | model: | ip camera | scope: | - | version: | - | Trust: 0.6 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||
|
|
EXTERNAL IDS
| db: | CNVD | id: | CNVD-2016-08742 | Trust: 0.6 |
REFERENCES
| url: | http://seclists.org/bugtraq/2016/oct/26 | Trust: 0.6 |
| url: | http://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities | Trust: 0.6 |
SOURCES
| db: | CNVD | id: | CNVD-2016-08742 |
LAST UPDATE DATE
2022-05-04T09:04:54.866000+00:00
SOURCES UPDATE DATE
| db: | CNVD | id: | CNVD-2016-08742 | date: | 2016-10-13T00:00:00 |
SOURCES RELEASE DATE
| db: | CNVD | id: | CNVD-2016-08742 | date: | 2016-10-13T00:00:00 |