Executive Summary

This report details a critical command injection vulnerability discovered in the CheapCTRL software running on CheapCAM 3000 IP cameras. The vulnerability allows remote attackers to execute arbitrary commands on the device with root privileges, potentially leading to complete system compromise. This vulnerability has been actively exploited in the wild, resulting in the installation of a persistent backdoor that communicates with a remote command-and-control (C2) server.

Technical Details

Vulnerability Description

The command injection vulnerability exists in the CheapCTRL software's handling of HTTP requests on port 8080. When a specially crafted HTTP request is sent to the camera, the request's data is improperly parsed and executed as a shell command. This allows attackers to inject arbitrary commands into the command line, potentially leading to the execution of malicious code.

Exploitation

The vulnerability can be exploited by sending a carefully crafted HTTP request to the camera. The request must contain a specific payload that triggers the command injection. Once the payload is executed, the attacker can gain control of the camera and execute arbitrary commands.

Impact

Successful exploitation of this vulnerability can have severe consequences. An attacker could gain complete control of the camera, including the ability to:

- Access sensitive data stored on the camera
- Modify the camera's configuration
- Install malware
- Use the camera as a platform for launching attacks on other systems

Indicators of Compromise (IOCs)

The following indicators of compromise (IOCs) may be associated with this vulnerability and its exploitation:

Network Traffic:
- Outbound connections from the camera to the C2 server (ZZ.ZZ.ZZ.ZZ) on port 443 or other TCP ports
- Unusual network traffic patterns, such as excessive data transfer or suspicious connections

File System:
- The presence of the backdoor binary file (/tmp//camz)
- Modified crontab entries that schedule the execution of the backdoor

System Logs:
- Failed login attempts from unauthorized users
- Successful login attempts by the camuser account
- Error messages related to command injection or script execution

Mitigation

The following steps can be taken to mitigate the risk of exploitation:

- Update CheapCTRL Software: The vendor of the CheapCTRL software should release a patch to address the vulnerability. Ensure that all affected cameras are updated with the latest version of the software.
- Restrict Network Access: Limit network access to the camera to trusted devices and users. Implement network segmentation to isolate the camera from other systems.
- Monitor Network Traffic: Use network monitoring tools to detect any suspicious activity on the camera's network interface.
- Review System Logs: Regularly review system logs for any signs of unauthorized access or malicious activity.
- Implement Security Best Practices: Follow general security best practices, such as using strong passwords, disabling unnecessary services, and keeping software up to date.

Additional Considerations

This vulnerability highlights the importance of security in IoT devices. Many IoT devices are shipped with default or weak credentials, making them vulnerable to attack. It is essential to regularly update the software on IoT devices to address security vulnerabilities. Consider using intrusion detection systems (IDS) or intrusion prevention systems (IPS) to detect and prevent attacks on IoT devices.

Key advice for incident responders:

To better understand the severity of the vulnerability, refer to the following explanation: This vulnerability allows an attacker to execute arbitrary commands on the camera and thereby take complete control of the device. This may lead to the leakage of sensitive data, the installation of malware, and other serious consequences. To reduce the risk, it is recommended to update the CheapCTRL software promptly, restrict network access, monitor network traffic, and follow security best practices.
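The Vulnerability Description above names the root cause (request data that reaches a shell command line) without showing the code pattern. The following added example, which is not CheapCTRL code and is not taken from the advisory, shows a hypothetical "set device name" HTTP handler in the vulnerable form beside its hardened form: the hardened version validates the parameter against a strict allowlist and passes an argv list with shell=False, so no shell ever interprets the request data. The request path, the parameter name and the hostname command are assumptions chosen for illustration.

```python
import re
import subprocess
from typing import Callable, List
from urllib.parse import parse_qs, urlsplit

# Added example, not CheapCTRL code. A hypothetical "set device name" handler
# modelled on the pattern the advisory describes: a value taken from the HTTP
# request ends up on a shell command line. The /api/set path, the 'name'
# parameter and the use of 'hostname' are assumptions for illustration.

# Allowlist for a device name: letters, digits and hyphens, 1 to 63 characters.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")


def _name_param(request_target: str) -> str:
    """Extract the single 'name' query parameter from a request target such as
    '/api/set?name=cam-07'. parse_qs decodes percent-encoding for us."""
    params = parse_qs(urlsplit(request_target).query)
    values = params.get("name", [])
    if len(values) != 1:
        raise ValueError("exactly one 'name' parameter is required")
    return values[0]


def insecure_command(request_target: str) -> str:
    """The vulnerable pattern: the parameter is spliced verbatim into a string
    destined for 'sh -c'. It is only built and returned here, never executed,
    so the reader can see how request data becomes part of the command line."""
    return "hostname " + _name_param(request_target)


def secure_argv(request_target: str) -> List[str]:
    """Hardened form: reject anything outside the allowlist, then build an argv
    list. With shell=False there is no shell to interpret metacharacters."""
    name = _name_param(request_target)
    if not HOSTNAME_RE.fullmatch(name):
        raise ValueError("invalid device name")
    return ["hostname", name]


def is_rejected(request_target: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        secure_argv(request_target)
    except ValueError:
        return True
    return False


def dry_run(argv, **kwargs) -> subprocess.CompletedProcess:
    """Stand-in runner that reports the argv instead of renaming the host."""
    print("would execute:", argv)
    return subprocess.CompletedProcess(argv, 0)


def run_secure(request_target: str,
               runner: Callable[..., subprocess.CompletedProcess] = subprocess.run) -> int:
    """Execute the validated argv without a shell. 'runner' is injectable so the
    example can be exercised with dry_run rather than the real command."""
    argv = secure_argv(request_target)
    return runner(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    print(insecure_command("/api/set?name=cam-07"))
    print(run_secure("/api/set?name=cam-07", runner=dry_run))
    print(is_rejected("/api/set?name=cam1%3Bid"))
```

The design point is that validation and argv construction are separate defences: the allowlist rejects unexpected input early and gives a clear error, while shell=False guarantees that even an allowlisted value is passed as a single argument rather than re-parsed by a shell.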
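The IOC section lists the indicators but leaves the matching to the responder. The following added example, not part of the advisory, is a triage routine that checks artefacts collected from a camera (a connection table, a file listing, a crontab and authentication log lines) against those indicators. The C2 address is kept as the advisory's ZZ.ZZ.ZZ.ZZ placeholder and must be replaced with the real indicator; the log and connection-table line formats, and the sample evidence, are constructed for the example. Paths are normalised before comparison so that the listed /tmp//camz also matches /tmp/camz.

```python
import os
import re
from typing import Dict, List

# Added example, not from the advisory. Indicators as the advisory gives them;
# the C2 address is the advisory's placeholder and must be replaced by the operator.
C2_ADDRESS = "ZZ.ZZ.ZZ.ZZ"
BACKDOOR_PATH = "/tmp//camz"      # listed with a double slash; normalised before matching
SUSPECT_ACCOUNT = "camuser"

# Constructed connection-table line shape: 'tcp <src>:<sport> -> <dst>:<dport> <state>'
CONN_RE = re.compile(r"tcp \S+:\d+ -> (\S+):(\d+) (\w+)")


def check_connections(conn_lines: List[str]) -> List[str]:
    """Flag outbound TCP connections to the C2 address on any port; the advisory
    names 443 but says other TCP ports are used as well."""
    findings = []
    for line in conn_lines:
        m = CONN_RE.match(line.strip())
        if m and m.group(1) == C2_ADDRESS:
            findings.append(f"outbound connection to C2 {m.group(1)}:{m.group(2)} ({m.group(3)})")
    return findings


def check_files(paths: List[str]) -> List[str]:
    """Flag the backdoor binary, comparing normalised paths."""
    target = os.path.normpath(BACKDOOR_PATH)
    return [f"backdoor binary present: {p}" for p in paths if os.path.normpath(p) == target]


def check_crontab(crontab_text: str) -> List[str]:
    """Flag crontab entries whose command references the backdoor path.
    Handles both five-field schedules and @reboot-style shortcuts."""
    target = os.path.normpath(BACKDOOR_PATH)
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            fields = line.split(None, 1)          # '@reboot <command>'
        else:
            fields = line.split(None, 5)          # 'm h dom mon dow <command>'
        command = fields[-1] if len(fields) in (2, 6) else ""
        if any(os.path.normpath(tok) == target for tok in command.split()):
            findings.append(f"crontab schedules backdoor: {line}")
    return findings


def check_auth_log(log_lines: List[str]) -> List[str]:
    """Flag successful logins by the camuser account and failed login attempts."""
    findings = []
    for line in log_lines:
        if "Accepted" in line and SUSPECT_ACCOUNT in line:
            findings.append(f"successful login by {SUSPECT_ACCOUNT}: {line.strip()}")
        elif "Failed password" in line:
            findings.append(f"failed login attempt: {line.strip()}")
    return findings


def triage(evidence: Dict[str, object]) -> List[str]:
    """Run every check over a dict of collected artefacts and return all findings."""
    return (check_connections(evidence.get("connections", []))
            + check_files(evidence.get("files", []))
            + check_crontab(evidence.get("crontab", ""))
            + check_auth_log(evidence.get("auth_log", [])))


# Constructed sample evidence for a single camera (not real captures).
SAMPLE_EVIDENCE = {
    "connections": [
        "tcp 192.0.2.10:51234 -> ZZ.ZZ.ZZ.ZZ:443 ESTABLISHED",
        "tcp 192.0.2.10:51240 -> 192.0.2.1:80 TIME_WAIT",
        "tcp 192.0.2.10:51250 -> ZZ.ZZ.ZZ.ZZ:8443 SYN_SENT",
    ],
    "files": ["/bin/busybox", "/tmp/camz", "/etc/passwd"],
    "crontab": "# m h dom mon dow command\n*/5 * * * * /tmp//camz >/dev/null 2>&1\n@reboot /tmp//camz\n",
    "auth_log": [
        "Jan 1 00:00:01 cam sshd[101]: Failed password for invalid user admin from 192.0.2.55 port 4000 ssh2",
        "Jan 1 00:00:05 cam login[120]: Accepted password for camuser from 192.0.2.55",
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVIDENCE):
        print(finding)
```

Two caveats the code encodes: the C2 check deliberately ignores the destination port, because the advisory says ports other than 443 are used, and the crontab check tokenises the command field rather than searching the raw line, so a redirect or an argument after the binary does not hide the match.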