Researchers have identified vulnerabilities affecting several IP camera models from AirLive, a Taiwan-based company that provides IP-enabled surveillance and networking solutions.
According to an advisory published by Core Security on Monday, AirLive’s MD-3025, BU-3026, BU-2015, WL-2000CAM and POE-200CAM cameras are plagued by flaws that can be exploited remotely for arbitrary command execution.
AirLive MD-3025, BU-3026 and BU-2015 cameras are affected by an operating system (OS) command injection bug (CVE-2015-2279) related to the cgi_test.cgi binary file. By sending a specially crafted request to this file, an unauthenticated attacker can inject arbitrary commands.
Researchers have pointed out that the attack is somewhat limited due to some checks put in place by the manufacturer. However, there are some commands that can be executed. For example, an attacker can leverage the vulnerability to obtain a device’s MAC address, model name, hardware and firmware versions, and other information.
The second vulnerability (CVE-2014-8389) is related to the wireless_mft.cgi binary file and it affects AirLive WL-2000CAM and POE-200CAM cameras. The flaw can be exploited by using hardcoded credentials found in the configuration file of the embedded Boa web server. A proof-of-concept published by researchers shows how an attacker can exploit the bug to obtain user credentials and gain complete access to the device.
Core Security has verified its findings on AirLive BU-2015 running firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware version 1.43 21.08.2014, AirLive MD-3025 with firmware version 1.81 21.08.2014, AirLive WL-2000CAM with firmware version LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01. Experts believe other camera models running other firmware versions may be affected as well.
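For defenders, the two CGI file names above are enough to look for probing in web access logs. The following is an added example, not code from Core Security's advisory or from AirLive; it assumes Common Log Format logs from a proxy or gateway in front of the cameras, and the sample lines, addresses, user name and directory name are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# CGI binaries named in the article, mapped to the CVE each one relates to.
WATCHED = {"cgi_test.cgi": "CVE-2015-2279", "wireless_mft.cgi": "CVE-2014-8389"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

def find_hits(lines):
    """Return one dict per request whose path ends in a watched CGI name."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess at its fields
        parts = urlsplit(m["target"])
        path = unquote(parts.path)  # decode %xx so encoded names still match
        name = path.rsplit("/", 1)[-1].lower()
        if name in WATCHED:
            hits.append({
                "src": m["src"], "time": m["ts"], "cve": WATCHED[name],
                "path": path, "status": int(m["status"]),
                "authenticated": m["user"] != "-",  # "-" = no auth user logged
                "has_query": bool(parts.query),
            })
    return hits

def summarize(hits):
    """Group hits by source address -> sorted list of CVEs touched."""
    by_src = defaultdict(set)
    for h in hits:
        by_src[h["src"]].add(h["cve"])
    return {src: sorted(cves) for src, cves in by_src.items()}

# Constructed sample lines (documentation IP ranges, placeholder directory).
SAMPLE = [
    '198.51.100.7 - - [06/Jul/2015:10:01:02 +0000] "GET /PLACEHOLDER-DIR/cgi_test.cgi?PLACEHOLDER HTTP/1.1" 200 312',
    '203.0.113.9 - operator [06/Jul/2015:10:02:40 +0000] "GET /PLACEHOLDER-DIR/wireless%5Fmft.cgi HTTP/1.1" 200 128',
    '192.0.2.44 - - [06/Jul/2015:10:03:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
    print(summarize(find_hits(SAMPLE)))
```

Any hit on either file name from outside the production network is worth reviewing, since AirLive describes these commands as used only in the production process.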
Core Security has attempted to report its findings to the vendor on multiple occasions via several channels over the past two months. Since it didn’t get a response from AirLive, the security firm decided to publicly disclose the details of the vulnerabilities.
AirLive representatives told SecurityWeek that the company’s research and development team has determined that the information exposed by CVE-2015-2279 is for “production purposes” and it cannot be used to change settings on the device or view videos.
“The issues found by Core Security were commands used in the production process. The write commands do not work unless the hardware is put into debug mode on the PCB, which is only possible during the production process. Therefore, attackers cannot change settings or view video. We believe this does not constitute a threat to the security of the cameras,” AirLive said.
“Nevertheless, we have released patch firmwares on our website already to close those commands. We have also written to Core Security requesting them to revise their articles,” the company added.
*Updated with information from AirLive.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
