Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based)
From: Eric Urban <hydrogen18 () gmail com>
Date: Mon, 25 Mar 2013 11:12:35 -0400

Rose will just responds to me with engrish when I email them. I have no
point of contact for hi silicon. I would gladly assist the manufacturer in
addressing this hole if put into contact with the right people.
On Mar 25, 2013 8:56 AM, "Henri Salo" <henri () nerv fi> wrote:

On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote:
I have been hacking on a Rosewill RSVA11001 for a while now, something to
suck up my free time. I had pulled apart the firmware previously but did
not succeed in finding a way to get a shell on the device. The box is
Hi3515 based, I found an exploit for another similar box (Ray Sharp) but
it
did not work. The Rosewill firmware seems to use an executable that
listens
on two ports rather one when communicating with the Windows-based control
software. Port 8000 is now the command port rather 9000, 9000 is used for
video only. After playing with the included Windows application I
eventually did a strings on the 'hi_dvr' exectuable that is the user
space
program that controls the interface to thing. I found this gem:

/mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp

So I used the windows software to set the NTP host to

a;/usr/bin/nc -l -p 5555 -e /bin/sh&

Did you report this to the vendor?

--
Henri Salo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAlFQSZIACgkQXf6hBi6kbk/jpACePQuP3jtEBZe+YzVZ2y0zXSNW
YPcAoLQAmb9yBU14PRpI8RKCeE+XjRfG
=bybp
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]