The EFM ipTIME C200 IP Camera is affected by a command injection vulnerability in the /login.cgi?logout=1 script. An attacker can exploit it by sending a GET request whose cookie value carries arbitrary OS commands.

shodan:

html:LS_CAMINFO_MODEL

Affected firmware version

v1.0.12

Firmware image

c200_1_012.bin

Vulnerability analysis

From the vulnerability description we know the flaw is in login.cgi. Open login.cgi in IDA, search for the string "logout" and follow its cross-references: only the main function references the string "logout". Focus on the location shown in the figure below.

sub_404770 splits the request parameters on "&" and extracts the value of the logout parameter. If the request contains a logout parameter whose value is 1, execution enters sub_4062AC.
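As an added defensive example (not code from the original write-up or from the device firmware), the following log scanner flags requests that reach the affected handler with a Cookie header containing shell metacharacters. It assumes a hypothetical access-log layout in which the Cookie header is appended as a final quoted field; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed access-log layout (not the camera's real format): combined log
# format followed by the request's Cookie header as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

# Shell metacharacters that have no business in a session cookie.
SHELL_META = re.compile(r'[;|`\n]|\$\(|&&')


def is_logout_request(target: str) -> bool:
    """True when the request hits /login.cgi with logout=1, the affected handler."""
    parts = urlsplit(target)
    if parts.path != "/login.cgi":
        return False
    return parse_qs(parts.query).get("logout") == ["1"]


def scan_log(text: str) -> list[dict]:
    """One finding per request to the affected handler whose Cookie header
    carries a shell metacharacter (checked after percent-decoding)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment should count these
        if not is_logout_request(m["target"]):
            continue
        if SHELL_META.search(unquote(m["cookie"])):
            findings.append({"src": m["src"], "ts": m["ts"], "cookie": m["cookie"]})
    return findings


# Constructed sample lines for this example, not captured from a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login.cgi?logout=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0" "sessionid=abc123"
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login.cgi?logout=1 HTTP/1.1" 200 12 "-" "curl/8.0" "sessionid=abc;echo hit"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.cgi?logout=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "sessionid=abc`echo hit`"
10.0.0.11 - - [01/Jan/2024:10:00:03 +0000] "GET /login.cgi?logout=1&x=y HTTP/1.1" 200 12 "-" "curl/8.0" "sessionid=abc%3Becho%20hit"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT {f['ts']} {f['src']} cookie={f['cookie']!r}")
```

Only the two requests that both reach /login.cgi with logout=1 and carry a metacharacter are reported; the third line is ignored because it targets a different script.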