CVE-2020-24219
published 2020-10-06

Priority: P1 (80, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit status: ITW exploit, VulnCheck KEV (exploited in the wild)
EPSS: 22.97% (97.5th percentile)
An issue was discovered on URayTech IPTV/H.264/H.265 video encoders through 1.97. Attackers can send crafted unauthenticated HTTP requests to exploit path traversal and pattern-matching programming flaws, and retrieve any file from the device's file system, including the configuration file with the cleartext administrative password.

Affected

2 ranges

Vendor   Product                             Version range   Fixed in
szuray   iptv_h.264_video_encoder_firmware   <= 1.97         (none listed)
szuray   iptv_h.265_video_encoder_firmware   <= 1.97         (none listed)

Detection & IOCs (extracted from sources)

URL:  http://<host>/../../sys/devices/media/13070000.jpgd/../../../..<path>
Path: /../../sys/devices/media/13070000.jpgd/../../../..
Path: /box/box.ini
  • Detect unauthenticated HTTP GET requests containing path traversal sequences targeting the specific intermediate path segment '13070000.jpgd' combined with '../' sequences, which is the fixed traversal gadget used in this exploit.
  • Alert on HTTP requests to URayTech/HiSilicon encoder devices that include '/sys/devices/media/13070000.jpgd' in the URI path, as this is the traversal anchor string unique to this exploit.
  • Monitor for unauthenticated HTTP requests retrieving '/box/box.ini', which contains the cleartext administrative password on affected devices.
  • The exploit requires curl's --path-as-is flag to prevent the HTTP client from normalizing the traversal sequences before sending; detect raw un-normalized '../' sequences in HTTP request URIs to these devices.
  • Affected firmware versions are up to and including 1.97; devices running version 1.97 or below should be treated as vulnerable.
  • The vulnerability is exploitable without any authentication; no credentials are required to retrieve arbitrary files including the admin password config file.
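The detection points above can be checked against web-server access logs with a few lines of code. The block below is an added example written for this page, not code from the page, the vendor or any published PoC. It parses constructed common-log-format lines (the addresses, timestamps and sizes are made up), flags the two IOC strings listed above and any un-normalized '..' segment that reached the server, and additionally canonicalizes the decoded request path so that a request is caught whenever it still resolves to /box/box.ini, even if the attacker drops the 13070000.jpgd gadget or percent-encodes the slashes. The log format and the assumption that the encoder logs in Apache/nginx common log format are the example's own.

```python
"""Access-log detector for CVE-2020-24219-style traversal requests.

Added example, not code from the advisory page, the vendor or a PoC.
The log lines below are constructed; the IOC strings come from the page.
"""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# IOC strings listed on the advisory page.
TRAVERSAL_ANCHOR = "/sys/devices/media/13070000.jpgd"
SENSITIVE_FILES = {"/box/box.ini"}

# Apache/nginx common log format (assumed); request line is quoted:
# 203.0.113.7 - - [06/Oct/2020:12:00:01 +0000] "GET /path HTTP/1.1" 200 1432
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decoded_path(target: str) -> str:
    """Drop the query string and percent-decode twice, so %2F and %252F
    variants are compared in the same form as a literal '/'."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def canonicalise(target: str) -> str:
    """Collapse '.' and '..' the way a filesystem open() rooted at '/' would.
    Leading '..' segments that climb above the root are discarded, which is
    what makes '/../../sys/.../../../../box/box.ini' resolve to /box/box.ini
    once a server concatenates it onto its document root."""
    path = decoded_path(target)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return its fields plus a list of detection reasons
    (empty for benign traffic), or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = decoded_path(m.group("target"))
    canon = canonicalise(m.group("target"))
    reasons: List[str] = []
    # 1. The fixed gadget used by the public exploit.
    if TRAVERSAL_ANCHOR in raw and "/../" in raw:
        reasons.append("13070000.jpgd traversal gadget")
    # 2. Any '..' segment that reached the server: browsers and curl without
    #    --path-as-is normalise these away, so a hand-built client sent it.
    if raw.startswith("/..") or "/../" in raw:
        reasons.append("un-normalised '..' segments in request path")
    # 3. Whatever the gadget, the resolved target is the credentials file.
    if canon in SENSITIVE_FILES:
        reasons.append("resolves to " + canon)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "target": m.group("target"),
        "canonical": canon,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the entries that triggered at least one reason."""
    hits = []
    for line in lines:
        entry = classify(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits


# Constructed sample log: the public PoC shape, a percent-encoded variant,
# a different gadget aimed at the same file, a harmless '..', and normal traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2020:12:00:01 +0000] "GET /../../sys/devices/media/13070000.jpgd/../../../../box/box.ini HTTP/1.1" 200 1432',
    '203.0.113.7 - - [06/Oct/2020:12:00:02 +0000] "GET /..%2F..%2Fsys/devices/media/13070000.jpgd/..%2F..%2F..%2F..%2Fbox/box.ini HTTP/1.1" 200 1432',
    '198.51.100.9 - - [06/Oct/2020:12:00:03 +0000] "GET /../../../box/box.ini HTTP/1.1" 200 1432',
    '192.0.2.4 - - [06/Oct/2020:12:00:04 +0000] "GET /images/../index.html HTTP/1.1" 200 512',
    '192.0.2.4 - - [06/Oct/2020:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["canonical"], "; ".join(hit["reasons"]))
```

Run as-is it reports four of the five sample lines: the first two with all three reasons, the third (no gadget, same file) with two, and the harmless '/images/../index.html' with one, which is the low-severity signal that a non-normalizing client is talking to the device. Matching on the canonicalized path rather than only on the anchor string is what keeps the rule useful once the public PoC is rewritten.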

CVSS provenance

Source      Version    Score   Severity   Vector
NVD         CVSS 3.1   7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD         CVSS 2.0   7.8     HIGH       AV:N/AC:L/Au:N/C:C/I:N/A:N
VulnCheck              7.5     HIGH