PT-2019-8611 · Amcrest · Amcrest Ipm-721S
Mandar Satam · Published 2019-07-03 · Updated 2019-07-11 · CVE-2017-8229
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Amcrest IPM-721S version V2.420.AC00.16.R.20160909
Description
The issue allows an unauthenticated attacker to download administrative credentials from the device. Unpacking the firmware with the binwalk tool reveals a vulnerable binary named sonia, an ARM little-endian executable that sets up the default credentials on the device. In IDA Pro, the function sub_436D6 sets up the device configuration, and the code at address 0x000437C2 shows that /current_config is an alias for the /mnt/mtd/Config folder. This folder contains files such as Account1, Account2, and SHAACcount1, which can be accessed without authentication via the URL http://[IPofcamera]/current_config/Sha1Account1.
Recommendations
For Amcrest IPM-721S version V2.420.AC00.16.R.20160909, as a temporary workaround, consider restricting access to the /current_config alias and the /mnt/mtd/Config folder to minimize the risk of exploitation. Avoid using the URL http://[IPofcamera]/current_config/Sha1Account1 until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
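To find out whether the alias has already been requested, the following added example (not part of the original advisory or of any Amcrest tooling) scans web access logs for requests to it. It assumes a reverse proxy or gateway in front of the camera that writes Combined Log Format, and that the alias appears in request paths as `/current_config`; the function names and sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Alias named in the advisory (assumed spelling); the optional group captures the file name.
ALIAS_RE = re.compile(r'^/+current_config(?:/+(?P<file>[^/]*)|$)', re.IGNORECASE)


def normalize_path(target):
    """Drop the query, undo up to two layers of percent-encoding, resolve ./ and ../."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return posixpath.normpath(path)


def find_config_alias_hits(lines):
    """Yield one dict per logged request that addressed the /current_config alias."""
    for line in lines:
        m = LOG_RE.match(line)
        hit = m and ALIAS_RE.match(normalize_path(m["target"]))
        if not hit:
            continue
        status = int(m["status"])
        yield {
            "ip": m["ip"],
            "time": m["ts"],
            "file": hit["file"] or "",
            "status": status,
            # A 2xx response means the file content was returned to the client.
            "disclosed": 200 <= status < 300,
        }


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jul/2019:10:01:02 +0000] "GET /current_config/Sha1Account1 HTTP/1.1" 200 412 "-" "curl/7.64"',
    '198.51.100.7 - - [03/Jul/2019:10:01:05 +0000] "GET /%63urrent_config/Account1 HTTP/1.1" 404 0 "-" "curl/7.64"',
    '192.0.2.10 - - [03/Jul/2019:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in find_config_alias_hits(SAMPLE_LOG):
        print(h)
```

Any hit with `disclosed` set to true should be treated as a credential exposure for the accounts stored on that camera.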
Affected Products
Amcrest Ipm-721S