Vendor: N100 H.264 VGA IP Camera
By: Gjoko 'LiquidWorm' Krstic
CVSS: 8.8 HIGH
Command Injection
CWE: 78, 77
Product Name: N100 H.264 VGA IP Camera
Affected Version From: M2.1.6.04C014
Affected Version To: M2.1.6.04C014
Patch Exists: NO
Related CWE: N/A
CPE: h:beward:n100_h.264_vga_ip_camera
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Boa/0.94.14rc21, Farady ARM Linux 2.6
2019

BEWARD N100 H.264 VGA IP Camera M2.1.6 Root Remote Code Execution

The camera suffers from two authenticated command injection vulnerabilities. The issues can be triggered through the ServerName or TimeZone GET parameters of the servertest page. This can be exploited to inject arbitrary system commands and gain root remote code execution.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in system commands.
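
The following is an added example, not the vendor's firmware code and not part of the original advisory: one way a C CGI handler could apply this mitigation to the ServerName and TimeZone parameters by allowlisting their syntax and passing them as separate argv entries instead of building a shell string. The TimeZone format (a whole-hour UTC offset) and the helper program path are assumptions, since the page does not show how the firmware uses these values.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Allow only an RFC 1123 host name or dotted IPv4 address. */
int valid_server_name(const char *s)
{
    size_t len = strlen(s), label = 0, i;
    if (len == 0 || len > 253) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {                       /* label separator */
            if (label == 0 || s[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label == 0) return 0;
            if (++label > 63) return 0;
        } else {
            return 0;                         /* spaces, quotes, ; | & $ ` ... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* ASSUMPTION: TimeZone is a whole-hour UTC offset, -12..14. */
int valid_time_zone(const char *s)
{
    size_t len = strlen(s);
    char *end;
    long v;
    if (len == 0 || len > 3) return 0;
    if (!isdigit((unsigned char)s[0]) && !((s[0] == '-' || s[0] == '+') && len > 1))
        return 0;
    v = strtol(s, &end, 10);
    return *end == '\0' && v >= -12 && v <= 14;
}

/* Fill argv for execv() in a forked child; never build a string for
 * system()/popen(). Returns 0 on success, -1 if a parameter is rejected. */
int build_test_argv(const char *server, const char *tz, const char *argv[5])
{
    if (!valid_server_name(server) || !valid_time_zone(tz)) return -1;
    argv[0] = "/usr/sbin/servertest-helper";  /* hypothetical program path */
    argv[1] = "--";                           /* "-5" must not parse as an option */
    argv[2] = server;
    argv[3] = tz;
    argv[4] = NULL;
    return 0;
}
```

Rejecting by allowlist rather than stripping "bad" characters means any value the handler did not anticipate fails closed, and the `--` separator keeps a negative offset from being read as a command-line option by the called program.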

Exploit-DB raw data: