← Advisories

Selea Targa IP OCR-ANPR Camera Developer Backdoor Config Overwrite

Critical

Advisory ID

ZSL-2021-5615

Release Date

21 January 2021

Vendor

Selea s.r.l. - https://www.selea.com

Affected Version

Model: iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, Targa 704 ILB, Firmware: BLD201113005214, BLD201106163745, BLD200304170901, BLD200304170514, BLD200303143345, BLD191118145435, BLD191021180140, BLD191021180140, CPS: 4.013(201105), 3.100(200225), 3.005(191206), 3.005(191112)

CVE

N/A

Tested On

GNU/Linux 3.10.53 (armv7l), PHP/5.6.22, selea_httpd, HttpServer/0.1, SeleaCPSHttpServer/1.1

Summary

IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Description

There is a hard-coded password for a hidden and undocumented /dev.html page that enables the vendor to enable configuration upload / overwrite to the affected device using the checkManufacturer() function through an AJAX method.

Proof of Concept

selea_devbd.txtTXT

Disclosure Timeline

07.11.2020Vulnerability discovered.

09.11.2020Vendor contacted.

09.11.2020Vendor responds asking for explanation.

09.11.2020Asked vendor for security personnel and explained about security submissions and risk/impact.

10.11.2020Vendor responds asking for details.

11.11.2020Sent details to the vendor (high-level, asked for PGP).

14.11.2020Asked vendor for status update.

18.11.2020Vendor responds: We already reviewed and fixed most of the vulnerabilities you described in newer version of both camera firmware and the CarPlateServer software.

19.11.2020Replied to the vendor.

20.11.2020Vendor will get back to us.

06.12.2020Asked vendor for status update.

09.12.2020Vendor in final test phase for new releases. Estimated release date: End of year.

09.12.2020Replied to the vendor.

17.01.2021Asked vendor for status update.

20.01.2021No response from the vendor.

21.01.2021Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/49455

[2]https://packetstormsecurity.com/files/161055

[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/195500

[4]https://cxsecurity.com/issue/WLB-2021010164

Changelog

21.01.2021Initial release

26.01.2021Added reference [1], [2], [3] and [4]