360 Netlab

**Name of the Vulnerable Software and Affected Versions** LILIN Digital Video Recorder (DVR) versions prior to 2.0b60 20200207 **Description** A command injection issue exists due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface can upload a malicious XML file with injected shell commands in these fields. Upon subsequent configuration syncs, these commands are executed with elevated privileges. This issue was exploited in the wild by the Moobot botnets. **Recommendations** Update to firmware version 2.0b60 20200207 or later.

**Name of the Vulnerable Software and Affected Versions** LILIN Digital Video Recorder (DVR) versions prior to 2.0b60 20200207 **Description** An unauthenticated arbitrary file read issue exists in LILIN Digital Video Recorder (DVR) devices. This allows attackers to read sensitive configuration files, such as `/zconf/service.xml`, potentially leading to further attacks like command injection. The `/z/zbin/net html.cgi` endpoint is the entry point for this issue. This vulnerability has been exploited in the wild by botnets, including FBot and Moobot. **Recommendations** Update LILIN Digital Video Recorder (DVR) to version 2.0b60 20200207 or later.

**Name of the Vulnerable Software and Affected Versions** LILIN Digital Video Recorder (DVR) versions prior to 2.0b60 20200207 **Description** A command injection issue exists in LILIN Digital Video Recorder (DVR) devices. The web service at `/z/zbin/dvr box` does not properly sanitize input provided to the `Server` field within the NTPUpdate configuration. This allows remote attackers to inject and execute arbitrary commands as root by supplying crafted XML data to the DVRPOST interface. **Recommendations** Update LILIN Digital Video Recorder (DVR) to version 2.0b60 20200207 or later.