Security researchers at Randorisec have uncovered numerous severe vulnerabilities in IP camera firmware from UDP Technology. UDP firmware is bundled in cameras from a variety of vendors including Geutebrück, VCA, Sprinx Technologies, and others. French security consultancy Randorisec said it had previously discovered several critical vulnerabilities in the firmware, ranging from authentication bypass to remote code execution (RCE).
Based on these earlier shortcomings, Randorisec took another pass at UDP technology, discovering a further 11 authenticated RCE and a complete authentication bypass vulnerabilities in the process. In a detailed technical blog post, Randorisec researchers offer a step-by-step explanation of how they discovered command injection and stack-based buffer overflow flaws. Further progress along the journey allowed them to uncover the authentication bypass vulnerabilities and develop proof-of-concept RCE exploits.
Randorisec disclosed the vulnerabilities in February and, following an extended disclosure engagement with Geutebrück, they were resolved with the release of a firmware update earlier this month.
This cleared the way for Randorisec to publish its blog post documenting the vulnerabilities.
These various flaws are tracked as CVE-2021-33543 through to CVE-2021-33554.
Got root? Davy Douhine, a security researcher at Randorisec, told The Daily Swig that exploiting any of the vulnerabilities opened up the door to all manner of mischief.
“Combining this authentication bypass [with] any of the RCE [vulnerabilities] gave us a root shell,” Douhine explained. “From there you can do whatever you want – the camera is ‘jailbroken’. [An attacker could] stop the video stream, change it, use it as a relay to the connected network.”
