CVE-2015-2279
Published 2017-07-25
Priority: P2 (score 75) · Critical 9.8 (CVSS 3.0)
Exploit: public exploit available
EPSS: 17.62% (96.8th percentile)
cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac, write_pid, write_msn, write_tan, or write_hdv parameter.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| airlive | bu-2015_firmware | — | — |
| airlive | bu-3026_firmware | — | — |
| airlive | md-3025_firmware | — | — |
Detection & IOCs (extracted from sources)
URL: http://<host>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials
- Monitor HTTP requests to cgi_test.cgi containing shell metacharacters (semicolons, pipes, etc.) after an ampersand in the write_mac, write_pid, write_msn, write_tan, or write_hdv parameters; these indicate exploitation attempts of CVE-2015-2279.
- The CGI endpoint cgi_test.cgi requires no authentication by default (it is only blocked if HTTPS-only mode is explicitly configured), making it directly accessible to unauthenticated remote attackers.
- Detect exploitation of wireless_mft.cgi by monitoring for requests using the hard-coded credentials (manufacture/erutcafunam) combined with shell metacharacters in the 'ap' parameter.
- Alert on HTTP requests to /credentials on AirLive camera web servers, which may indicate an attacker has already exfiltrated the Base64-encoded credential file via the wireless_mft.cgi injection.
- The injection payload uses a semicolon after the ampersand symbol to chain OS commands; pattern-match on URL query strings containing '&;' targeting these CGI endpoints.
- The vulnerable device typically exposes the CGI on port 8080; monitor for exploitation attempts on that port targeting cgi_test.cgi.
- Injection via cgi_test.cgi parameters is length-constrained per parameter; for example, write_pid checks that the value length equals 9 characters, limiting but not preventing exploitation.
- The cgi_test.cgi vulnerability is only blocked if the camera is explicitly configured to require HTTPS for all communications, which is NOT the default setting.
- Other AirLive devices beyond the tested models (BU-2015, BU-3026, MD-3025, WL-2000CAM, POE-200CAM v2) may also be affected but were not verified.
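As an added detection example (not code from this page or from any of its sources), the following Python scans constructed access-log lines for the patterns the bullets above describe: metacharacters in the named cgi_test.cgi parameters or chained after an '&', metacharacters in the wireless_mft 'ap' parameter, and follow-up requests for /credentials. The /cgi-bin/mft/cgi_test.cgi path and the log lines are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, unquote

# Parameters the advisory names as injectable in cgi_test.cgi.
CGI_TEST_PARAMS = {"write_mac", "write_pid", "write_msn", "write_tan", "write_hdv"}
# Characters a POSIX shell treats specially; MAC/PID/serial values never need them.
SHELL_META = re.compile(r"[;|`$(){}<>\\\n]")
# Minimal CLF-style access log line: client address, then the quoted request line.
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target: str) -> Optional[str]:
    """Return an alert label for a request target, or None when it looks benign."""
    parts = urlsplit(target)
    path, query = parts.path, unquote(parts.query)  # decode %20 etc. before inspecting
    if path.endswith("/credentials"):
        return "fetch of /credentials (possible exfiltrated credential file)"
    if path.endswith("cgi_test.cgi"):
        for segment in query.split("&"):
            name, _, value = segment.partition("=")
            if name in CGI_TEST_PARAMS and SHELL_META.search(value):
                return f"shell metacharacters in {name}"
            if SHELL_META.search(name):  # a command chained after '&', e.g. '&;...'
                return "shell metacharacters after '&' in cgi_test.cgi query"
    if path.endswith(("wireless_mft", "wireless_mft.cgi")):
        for segment in query.split("&"):
            name, _, value = segment.partition("=")
            if name == "ap" and SHELL_META.search(value):
                return "shell metacharacters in wireless_mft 'ap' parameter"
    return None

def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, target, label) for every log line matching an IOC pattern."""
    alerts = []
    for m in filter(None, map(LOG_RE.match, lines)):
        label = classify_request(m.group("target"))
        if label:
            alerts.append((m.group("client"), m.group("target"), label))
    return alerts

# Constructed sample log; the /cgi-bin/mft/cgi_test.cgi path is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2017:10:00:01 +0000] "GET /cgi-bin/mft/cgi_test.cgi?write_mac=001122334455 HTTP/1.1" 200 512
203.0.113.7 - - [25/Jul/2017:10:02:11 +0000] "GET /cgi-bin/mft/cgi_test.cgi?write_pid=123456789&;id HTTP/1.1" 200 70
203.0.113.7 - - [25/Jul/2017:10:02:40 +0000] "GET /cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials HTTP/1.1" 200 0
203.0.113.7 - - [25/Jul/2017:10:03:05 +0000] "GET /credentials HTTP/1.1" 200 96
10.0.0.9 - - [25/Jul/2017:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048
""".splitlines()

ALERTS = scan_access_log(SAMPLE_LOG)  # three hits, all from 203.0.113.7
```

The benign write_mac request and the static page produce no alert; the three requests from the same client are flagged in order as chained command, 'ap' injection, and credential fetch.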
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/132585/AirLive-Remote-Command-Injection.html
- http://seclists.org/fulldisclosure/2015/Jul/29
- http://www.securityfocus.com/archive/1/535938/100/0/threaded
- http://www.securityfocus.com/bid/75559
- https://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection
- https://www.exploit-db.com/exploits/37532/