CVE-2014-8389
Published 2017-12-28
Priority: P275 · Severity: critical · CVSS 3.0 base score: 9.8
Flags: EXPLOIT
EPSS: 50.49% (98.8th percentile)
cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airlive | bu-2015_firmware | — | — |
| airlive | bu-3026_firmware | — | — |
| airlive | md-3025_firmware | — | — |
| airlive | poe-200cam_v2_firmware | — | — |
| airlive | wl-2000cam_firmware | — | — |
Detection & IOCs (extracted from sources)
Detections:
- Detect HTTP requests to /cgi-bin/mft/wireless_mft.cgi or /cgi-bin/mft/wireless_mft containing a semicolon (;) in the 'ap' parameter, indicating OS command injection attempts.
- Monitor for HTTP Basic Auth attempts using the hard-coded credentials 'manufacture'/'erutcafunam' against AirLive camera web interfaces (Boa web server).
- Alert on HTTP requests to /cgi-bin/mft/wireless_mft* containing shell metacharacters (e.g., ';', '%3B') in query parameters, particularly the 'ap' parameter.
- Detect HTTP GET requests for /credentials on AirLive camera web roots, which may indicate an attacker retrieving exfiltrated Base64-encoded credential files after exploitation.
- Monitor for access to /var/www/secret.passwd on AirLive devices, as this file contains web server user credentials targeted by the exploit.
- The CGI endpoint cgi_test.cgi (for MD-3025, BU-3026, BU-2015) is accessible without authentication by default; detect unauthenticated requests to this path with injection patterns in the write_mac, write_pid, write_msn, write_tan, or write_hdv parameters.
Caveats:
- The wireless_mft.cgi command injection (CVE-2014-8389) requires authentication using the hard-coded credentials ('manufacture'/'erutcafunam'); exploitation is only possible if the attacker knows or discovers these credentials.
- The cgi_test.cgi injection (CVE-2015-2279) is unauthenticated by default; HTTPS enforcement (non-default) is the only configuration that restricts access.
- Injection via cgi_test.cgi parameters is length-constrained due to strlen checks (e.g., write_pid checks for length 9), limiting but not preventing command injection.
- Exfiltrated credentials from /var/www/secret.passwd are Base64-encoded; decoding them grants complete access to the device.
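A detector that turns the indicators above into checks over a raw HTTP request, as an added example that is not part of this record or its sources. It assumes requests are available as captured text (from a proxy or IDS), only inspects query-string parameters, and treats '|' and '`' as shell metacharacters in addition to the ';' the sources cite; the sample request is constructed.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

HARDCODED_CREDS = b"manufacture:erutcafunam"  # from the advisory text
CGI_TEST_PARAMS = {"write_mac", "write_pid", "write_msn", "write_tan", "write_hdv"}
SHELL_META = set(";|`")  # ';' (%3B) is what the sources cite; '|' and '`' are an assumed extension

def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def injected(values) -> bool:
    """True if any parameter value contains a shell metacharacter."""
    return any(SHELL_META & set(v) for v in values)

def match_indicators(raw: str) -> list:
    """Return the names of the record's detections that a request matches (bodies are not parsed)."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    path = unquote(url.path)
    params = parse_qs(url.query, keep_blank_values=True)  # parse_qs decodes %3B to ';'
    hits = []
    if path.startswith("/cgi-bin/mft/wireless_mft") and injected(params.get("ap", [])):
        hits.append("wireless_mft_ap_injection")
    if path.endswith("/cgi_test.cgi") and injected(v for p in CGI_TEST_PARAMS for v in params.get(p, [])):
        hits.append("cgi_test_unauth_injection")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            if base64.b64decode(auth[6:].strip(), validate=True) == HARDCODED_CREDS:
                hits.append("hardcoded_basic_auth")
        except ValueError:  # malformed Base64 is simply not a match
            pass
    if method == "GET" and path == "/credentials":
        hits.append("credential_dump_fetch")
    return hits

# Constructed sample: one request carrying both a semicolon in 'ap' and the hard-coded credentials.
SAMPLE_REQUEST = (
    "GET /cgi-bin/mft/wireless_mft.cgi?ap=foo%3Bbar HTTP/1.1\r\n"
    "Authorization: Basic " + base64.b64encode(HARDCODED_CREDS).decode() + "\r\n\r\n"
)
```

Running `match_indicators(SAMPLE_REQUEST)` yields both the injection and the hard-coded-credential hits; a request for `/credentials` or a `cgi_test.cgi` call with a semicolon in a `write_*` parameter produces its own single hit.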
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/132585/AirLive-Remote-Command-Injection.html
- http://seclists.org/fulldisclosure/2015/Jul/29
- http://www.securityfocus.com/archive/1/535938/100/0/threaded
- http://www.securityfocus.com/bid/75559
- https://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection