CVE-2013-2568
Published 2020-01-29
Priority: P2 · 79 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 48.54% (98.7th percentile)
A Command Injection vulnerability exists in Zavio IP Cameras through 1.6.3 via the ap parameter to /cgi-bin/mft/wireless_mft.cgi, which could let a remote malicious user execute arbitrary code.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zavio | f3105_firmware | <= 1.6.03 | — |
| zavio | f312a_firmware | <= 1.6.03 | — |
Detection & IOCs (extracted from sources)
URL: http://192.168.1.100/cgi-bin/mft/wireless_mft?ap=travesti;cp%20/var/www/secret.passwd%20/web/html/credenciales
Snort/Suricata rule:
```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Zavio IP Camera OS Command Injection Attempt Inbound (CVE-2013-2568)"; flow:established,to_server; http.uri; content:"/cgi-bin/mft/"; startswith; fast_pattern; content:"ap="; distance:0; content:"|3b|"; distance:0; pcre:"/[?&]ap=/U"; reference:cve,2013-2568; classtype:attempted-admin; sid:2038502; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_08_12, cve CVE_2013_2568, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2022_08_12, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
```
- Exploit requests target a URI path starting with '/cgi-bin/mft/' with an 'ap=' parameter containing a semicolon (0x3b) as a command separator — the Snort/Suricata rule keys on all three: URI prefix, 'ap=' parameter, and the semicolon byte.
- Exploitation of CVE-2013-2568 requires HTTP Basic Auth with the hard-coded manufacture account. Detect or alert on HTTP requests to '/cgi-bin/mft/' authenticated with credentials 'manufacture:erutcafunam'.
- Monitor HTTP requests to '/opt/cgi/view/param' for the 'General.Time.NTP.Server' parameter containing semicolons, which indicates exploitation of the related post-auth command injection (CVE-2013-2570) on the same device class.
- The hard-coded credentials ('manufacture'/'erutcafunam') are embedded in 'boa.conf' and are not visible or removable via the user web interface, meaning patching the application layer is the only remediation path.
- The vulnerability affects firmware v1.6.03 and below; the vendor did not provide a fixed version at time of disclosure.
- CVE-2013-2568 can be exploited without prior authentication by leveraging the hard-coded manufacture credentials from CVE-2013-2567, making it effectively a pre-auth RCE chain.
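The three conditions the ET rule keys on can also be applied retrospectively to web-server access logs. The script below is an added example, not code from this page or from the Emerging Threats ruleset; it assumes CLF-style access log lines, and the sample lines are constructed. It decodes percent-encoding first because Suricata's `http.uri` buffer is the normalized URI, so a `%3B` in the raw request still satisfies the rule's `|3b|` match.

```python
import re
from urllib.parse import unquote

# Conditions restated from the ET rule (sid 2038502): URI begins with
# /cgi-bin/mft/, an "ap=" query parameter is present, and a ';' (0x3b)
# follows it. Suricata's http.uri buffer is the normalized URI, so the rule
# sees percent-encoded bytes decoded; the same decoding is applied here.
URI_PREFIX = "/cgi-bin/mft/"
AP_PARAM_RE = re.compile(r"[?&]ap=")
# Assumption: logs are CLF-style, so the request line is quoted as
# "METHOD URI HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')


def matches_cve_2013_2568(raw_uri: str) -> bool:
    """True when the decoded URI satisfies all three rule conditions."""
    uri = unquote(raw_uri)
    if not uri.startswith(URI_PREFIX):
        return False
    m = AP_PARAM_RE.search(uri)
    # The semicolon must come after the ap= parameter (the rule's distance:0).
    return m is not None and ";" in uri[m.end():]


def scan_access_log(lines):
    """Return (client_ip, raw_uri) for every log line whose request matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and matches_cve_2013_2568(m.group("uri")):
            hits.append((line.split(" ", 1)[0], m.group("uri")))
    return hits


# Constructed sample lines (not real traffic; documentation address ranges):
# a legitimate wireless_mft call, a percent-encoded injection attempt with a
# placeholder command, and the same pattern against a CGI outside /cgi-bin/mft/.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2022:10:00:01 +0000] "GET /cgi-bin/mft/wireless_mft.cgi?ap=HomeNet HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Aug/2022:10:00:02 +0000] "GET /cgi-bin/mft/wireless_mft.cgi?ap=x%3Bcmd HTTP/1.1" 200 88',
    '198.51.100.7 - - [12/Aug/2022:10:00:03 +0000] "GET /cgi-bin/other.cgi?ap=x;cmd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, uri in scan_access_log(SAMPLE_LOG):
        print(f"CVE-2013-2568 pattern from {client}: {uri}")
```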
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata
ET EXPLOIT Possible Zavio IP Camera OS Command Injection Attempt Inbound (CVE-2013-2568)
suricata · 2022-08-12 · CVSS 9.8 · [CRITICAL]
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/60190
- https://exchange.xforce.ibmcloud.com/vulnerabilities/84569
- https://packetstormsecurity.com/files/cve/CVE-2013-2568/page1/
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2013-2568
- https://www.coresecurity.com/advisories/zavio-ip-cameras-multiple-vulnerabilities