← Advisories

Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution

Critical
Advisory ID
ZSL-2021-5620
Release Date
21 January 2021
Vendor
Selea s.r.l. - https://www.selea.com
Affected Version
Model: iZero, Targa 512, Targa 504, Targa Semplice, Targa 704 TKM, Targa 805, Targa 710 INOX, Targa 750, Targa 704 ILB, Firmware: BLD201113005214, BLD201106163745, BLD200304170901, BLD200304170514, BLD200303143345, BLD191118145435, BLD191021180140, BLD191021180140, CPS: 4.013(201105), 3.100(200225), 3.005(191206), 3.005(191112)
CVE
N/A
Tested On
GNU/Linux 3.10.53 (armv7l), PHP/5.6.22, selea_httpd, HttpServer/0.1, SeleaCPSHttpServer/1.1
Summary

IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Description

Selea suffers from an authenticated command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the www-data user through the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated LFI issue an attacker can grab credentials, authenticate and execute system commands.

/mnt/app/scripts/address_check.sh: ---------------------------------- 01: #!/bin/sh 02: . /mnt/app/scripts/env.sh 03: . /mnt/app/scripts/log.sh 04: 05: CMD="$1" 06: ADDR="$2" 07: PORT="$3" 08: 09: if [ "$CMD" == "ping" ]; then 10: RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 ) 11: elif [ "$CMD" == "port" ]; then 12: log "/usr/bin/nc -w 1 -v -z $ADDR $PORT" 13: RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 ) 14: fi 15: 16: echo -e "$RESULT"
Proof of Concept
selea_rce.shTXT
Disclosure Timeline
07.11.2020Vulnerability discovered.
09.11.2020Vendor contacted.
09.11.2020Vendor responds asking for explanation.
09.11.2020Asked vendor for security personnel and explained about security submissions and risk/impact.
10.11.2020Vendor responds asking for details.
11.11.2020Sent details to the vendor (high-level, asked for PGP).
14.11.2020Asked vendor for status update.
18.11.2020Vendor responds: We already reviewed and fixed most of the vulnerabilities you described in newer version of both camera firmware and the CarPlateServer software.
19.11.2020Replied to the vendor.
20.11.2020Vendor will get back to us.
06.12.2020Asked vendor for status update.
09.12.2020Vendor in final test phase for new releases. Estimated release date: End of year.
09.12.2020Replied to the vendor.
17.01.2021Asked vendor for status update.
20.01.2021No response from the vendor.
21.01.2021Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2021-5616
[2]https://www.exploit-db.com/exploits/49460
[3]https://packetstormsecurity.com/files/161064
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/195505
Changelog
21.01.2021Initial release
26.01.2021Added reference [2], [3] and [4]