Mandar Satam

**Name of the Vulnerable Software and Affected Versions** Amcrest IPM-721S version V2.420.AC00.16.R.20160909 **Description** The Amcrest IPM-721S device has default credentials that are hardcoded in the firmware. These credentials can be extracted by reversing the firmware. The binary "sonia" contains the vulnerable function that sets up the default credentials on the device. The function `sub 3DB2FC` sets up the values at address `0x003DB5A6`, and the function `sub 5C057C` then sets this value and adds it to the Configuration files in `/mnt/mtd/Config/Account1` file. **Recommendations** For Amcrest IPM-721S version V2.420.AC00.16.R.20160909, consider changing the default credentials to prevent unauthorized access. As a temporary workaround, restrict access to the binary "sonia" to minimize the risk of exploitation. Avoid using the default credentials in the Configuration files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amcrest IPM-721S version V2.420.AC00.16.R.20160909 **Description** The issue concerns a brute force attack vulnerability. When 30 incorrect password attempts are detected using the Web and HTTP API interface, a 5-minute timeout policy is enforced. However, this policy does not apply when the same brute force attempt is performed using the ONVIF specification, allowing an attacker to circumvent account protection and brute force credentials. The vulnerable function is located in the "sonia" binary, which performs credential checks for the ONVIF specification. This binary follows the ARM little endian format. The function at address 00671618 parses the WSSE security token header, and the sub 603D8 function performs the authentication check. If authentication fails, it passes to the sub 59F4C function, which prints "Sender not authorized." **Recommendations** For Amcrest IPM-721S version V2.420.AC00.16.R.20160909, as a temporary workaround, consider disabling the ONVIF specification until a patch is available to prevent brute force attacks. Restrict access to the "sonia" binary to minimize the risk of exploitation. Avoid using the ONVIF specification in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amcrest IPM-721S version V2.420.AC00.16.R.20160909 **Description** The Amcrest IPM-721S device mishandles reboots within the past two hours, and Amcrest cloud services do not perform thorough verification when adding a new camera to a user's account. This allows an attacker who knows the serial number to add another user's camera to their cloud account and control it completely. The attack is possible if the camera is not part of an Amcrest cloud account or has been removed from the user's cloud account, and the user has rebooted the camera in the last two hours. A successful attack results in the attacker being able to view and listen to what the camera can see, change motion detection settings, and turn the camera off without the user's awareness. **Recommendations** For Amcrest IPM-721S version V2.420.AC00.16.R.20160909, as a temporary workaround, consider restricting access to the camera's cloud account and avoiding reboots within a two-hour window to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amcrest IPM-721S version V2.420.AC00.16.R.20160909 **Description** The issue allows an unauthenticated attacker to download administrative credentials from the device. By dissecting the firmware version using the binwalk tool, a vulnerable binary named `sonia` is identified, which sets up the default credentials on the device. This binary follows the ARM little endian format. The function `sub 436D6` in IDA-pro sets up the device configuration, and the address `0x000437C2` reveals that `/current config` is an alias for the `/mnt/mtd/Config` folder. This folder contains files such as `Account1`, `Account2`, and `SHAACcount1`, which can be accessed without authentication via the URL `http://[IPofcamera]/current config/Sha1Account1`. **Recommendations** For Amcrest IPM-721S version V2.420.AC00.16.R.20160909, as a temporary workaround, consider restricting access to the `/current config` alias and the `/mnt/mtd/Config` folder to minimize the risk of exploitation. Avoid using the URL `http://[IPofcamera]/current config/Sha1Account1` until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blipcare (affected versions not specified) **Description** The Blipcare device provides an open Wireless network called "Blip" for communicating with the device. This allows an attacker who is in vicinity of the Wireless signal to easily sniff the user's Wi-Fi credentials. Additionally, an attacker can connect to the open wireless network and modify the HTTP response to execute other attacks, such as convincing the user to download and execute a malicious binary that would infect a user's computer or mobile device with malware. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blipcare Wifi blood pressure monitor BP700 version 10.1 **Description** The device allows memory corruption that results in Denial of Service. When connected to the "Blip" open wireless connection, if a large string is sent as part of the HTTP request in any part of the HTTP headers, the device could become completely unresponsive. This is due to the small memory footprint of the device, with the Wi-Fi module only having 256k of memory. An incorrect string copy operation using functions like `memcpy` or `strcpy` could result in filling up the memory space allocated to the function executing, leading to memory corruption. **Recommendations** For Blipcare Wifi blood pressure monitor BP700 version 10.1, as a temporary workaround, consider restricting access to the device's open wireless connection "Blip" to minimize the risk of exploitation. Avoid sending large strings as part of the HTTP request in any part of the HTTP headers until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1100 (affected versions not specified) D-Link DCS-1130 (affected versions not specified) **Description** An issue was discovered where D-Link devices allow communication with D-Link apps on mobile devices and desktops without authentication. The device uses a custom version of base64 encoding to pass data between the apps and the device. However, this communication can be initiated by any process, including an attacker process, allowing a third party to retrieve the device's password without authentication by sending a single UDP packet with custom base64 encoding. The severity of this attack is increased due to the large number of D-Link devices, with over 100,000 devices potentially affected. **Recommendations** For D-Link DCS-1100, consider disabling communication with D-Link apps until a patch is available. For D-Link DCS-1130, restrict access to the custom base64 encoding functionality to minimize the risk of exploitation. As a temporary workaround, avoid using the device's password retrieval feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1100 (affected versions not specified) D-Link DCS-1130 (affected versions not specified) **Description** An issue was discovered on D-Link devices, where the binary `orthrus` in the `/sbin` folder handles UPnP connections. The binary performs a `sprintf` operation with the value in the command line parameter `-f` and stores it on the stack. Since there is no length check, this results in corrupting the registers for the function `sub A098`, leading to memory corruption. **Recommendations** For D-Link DCS-1100, consider disabling the `orthrus` binary in the `/sbin` folder as a temporary workaround until a patch is available. For D-Link DCS-1130, consider disabling the `orthrus` binary in the `/sbin` folder as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1100 (affected versions not specified) D-Link DCS-1130 (affected versions not specified) **Description** An issue was discovered on D-Link devices, where a custom telnet daemon as part of the busybox retrieves the password from the shadow file using the `getspnam` function. It then performs a `crypt` operation on the password retrieved from the user and checks if the password is correct or incorrect using `strcmp`. However, the /etc/shadow file is part of a CRAM-FS filesystem, which means the user cannot change the password. A hardcoded hash in /etc/shadow is used to match the credentials provided by the user, which is a salted hash of the string "admin" and acts as a password to the device. **Recommendations** For D-Link DCS-1100, consider disabling the telnet daemon until a patch is available. For D-Link DCS-1130, consider disabling the telnet daemon until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1100 D-Link DCS-1130 **Description** An issue was discovered in D-Link devices, where a custom daemon runs on UDP port 5978, handling a custom D-Link UDP-based protocol. This protocol allows D-Link mobile and desktop applications to discover devices on the local network. The binary processes received UDP packets in the `main` function, which contains a block of code that performs an unbounded copy operation, allowing a buffer overflow. The custom protocol follows a specific pattern, including `Packetlen`, `Type of packet`, `M` for MAC address, `D` for device type, `C` for base64 encoded command string, and `test`. The insecure copy operation using the `strcpy` function at address `0x0000DC88` results in overflowing the stack pointer after 1060 characters, allowing control of the PC register and resulting in code execution. A third-party application on the device can execute commands without authentication by sending a single UDP packet with custom base64 encoding. **Recommendations** For D-Link DCS-1100 and D-Link DCS-1130 devices, consider disabling the `dldps2121` daemon on UDP port 5978 as a temporary workaround until a patch is available. Restrict access to the custom D-Link UDP-based protocol to minimize the risk of exploitation. Avoid using the custom protocol to send UDP packets with base64 encoded command strings until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blipcare device (affected versions not specified) **Description** The Blipcare device, a Wireless Blood pressure monitor, allows connection to its web management interface using a non-SSL connection and the plain text HTTP protocol. Users provide their Wi-Fi credentials through this interface, enabling the device to connect to the internet. An attacker connected to the device's wireless network can easily intercept these credentials and other sensitive information using a Man-In-The-Middle (MITM) attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1130 devices (affected versions not specified) **Description** An issue was discovered on D-Link DCS-1130 devices, where the device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. The POST parameters passed in this request result in being passed as commands to a "system" API in the function, thus resulting in command injection on the device. The library "libmailutils.so" has the vulnerable function "sub 1FC4" that receives the values sent by the POST request. The value set in POST parameter `receiver1` is extracted in function "sub 15AC" which is then passed to the vulnerable system API call. The vulnerable library function is accessed in "cgibox" binary at address 0x0008F598 which calls the "mailLoginTest" function in "libmailutils.so" binary, resulting in the vulnerable POST parameter being passed to the library and causing the command injection issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1130 (affected versions not specified) D-Link DCS-1100 (affected versions not specified) **Description** An issue was discovered in D-Link devices where the binary rtspd handles all rtsp connections. A flag called `Authenticate` indicates whether a user should be authenticated before allowing access to the video feed. By default, this flag is set to zero, allowing any attacker with the external IP address of the camera to view the live video feed without authentication. The device requires a valid username and password for the HTTP management interface but does not enforce the same restriction on RTSP URLs by default. There are over 100,000 D-Link devices potentially affected. **Recommendations** For D-Link DCS-1130, consider enabling the `Authenticate` flag to require authentication for RTSP connections. For D-Link DCS-1100, consider enabling the `Authenticate` flag to require authentication for RTSP connections. As a temporary workaround, consider restricting access to the RTSP URL to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1130 devices (affected versions not specified) **Description** An issue was discovered where the device does not implement any cross-site request forgery protection mechanism. This allows an attacker to trick a user who is logged in to the web management interface to change the user's password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1130 devices (affected versions not specified) **Description** An issue was discovered on D-Link DCS-1130 devices, where the device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. The GET parameters passed in this request result in being passed as commands to a "system" API in the function, thus resulting in command injection on the device. The binary "cgibox" contains the vulnerable function "sub 7EAFC" that receives the values sent by the GET request. The value set in GET parameter `user` is extracted in function `sub 7E49C` which is then passed to the vulnerable system API call. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1130 devices (affected versions not specified) **Description** An issue was discovered where the device does not enforce username and password restrictions on a specific URL, allowing attackers to view the live video feed. There are more than 100,000 D-Link devices potentially affected by this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1100 (affected versions not specified) D-Link DCS-1130 (affected versions not specified) **Description** An issue was discovered in the binary rtspd in the /sbin folder of the devices, which handles all rtsp connections. The binary performs a memcpy operation at address 0x00011E34 with the value sent in the "Authorization: Basic" RTSP header and stores it on the stack. The number of bytes to be copied is calculated based on the length of the string sent in the RTSP header by the client. As a result, memcpy copies more data than it can hold on the stack, corrupting the registers for the caller function sub F6CC, resulting in memory corruption. This allows for a buffer overflow, enabling control of the PC register and resulting in arbitrary code execution on the device. **Recommendations** For D-Link DCS-1100, consider disabling the `rtspd` binary in the /sbin folder as a temporary workaround until a patch is available. For D-Link DCS-1130, consider disabling the `rtspd` binary in the /sbin folder as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1130 devices (affected versions not specified) **Description** An issue was discovered on D-Link DCS-1130 devices, where the device provides a user with the capability of setting a SMB folder for the video clippings recorded by the device. The POST parameters passed in this request result in being passed as commands to a "system" API in the function, thus resulting in command injection on the device. The library "libmailutils.so" has the vulnerable function "sub 1FC4" that receives the values sent by the POST request. The value set in POST parameter `receiver1` is extracted in function "sub 15AC" which is then passed to the vulnerable system API call. The vulnerable library function is accessed in "cgibox" binary at address 0x00023BCC which calls the "Send mail" function in "libmailutils.so" binary, resulting in the vulnerable POST parameter being passed to the library and causing the command injection issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1100 (affected versions not specified) D-Link DCS-1130 (affected versions not specified) **Description** An issue was discovered on D-Link devices, where a custom binary called mp4ts under the /var/www/video folder dumps the HTTP VERB in the system logs. The binary uses a vulnerable sprintf function in the function sub C210 to copy the HTTP VERB value into a string and then into a log file. Since there is no bounds check being performed on the environment variable, this results in a stack overflow and overwrites the PC register, allowing an attacker to execute buffer overflow or even a command injection attack. **Recommendations** For D-Link DCS-1100, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For D-Link DCS-1130, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DCS-1100 (affected versions not specified) D-Link DCS-1130 (affected versions not specified) **Description** An issue was discovered in D-Link devices, where a custom daemon runs on UDP port 5978, handling a custom D-Link UDP-based protocol. This protocol allows D-Link mobile and desktop applications to discover devices on the local network. The daemon processes received UDP packets, and if a packet is received with a specific type, the string passed in the `C` parameter is base64 decoded and executed by passing into a System API. This allows a third-party application on the device to execute commands without authentication by sending a single UDP packet with custom base64 encoding. **Recommendations** For D-Link DCS-1100, restrict access to the custom daemon on UDP port 5978 to minimize the risk of exploitation. For D-Link DCS-1130, consider disabling the `dldps2121` daemon until a patch is available. Avoid using the `C` parameter in the custom protocol to prevent command execution. As a temporary workaround, consider blocking UDP packets sent to port 5978 from untrusted sources.