Key Information Vulnerability Title: BEWARD N100 H.264 VGA IP Camera M2.1.6 Root Remote Code Execution Advisory ID: ZSL-2019-5512 Type: Remote / Local Impact: System Access, DoS Risk: (+B) Release Date: April 2, 2019 Summary The N100 compact color IP camera supports more efficient compression formats, suitable for low-bandwidth networks, enabling real-time image transmission with minimal latency. The camera supports switching to broadcast mode and can continue recording to a microSDHC memory card if communication with remote file storage is interrupted. The N100 is easy to install and configure, featuring all necessary tools for setting up a low-cost professional video surveillance system. Description The camera is affected by two authenticated command injection vulnerabilities. These issues can be triggered when calling the ServerName and TimeZone GET parameters. This can be exploited to inject arbitrary system commands and achieve root-level remote code execution. Vendor BEWARD R&D Co., Ltd - https://www.beward.net Affected Version M2.1.6.04C014 Test Environment Boa0.94.14rc21 Faraday ARM Linux 2.6 Vendor Status January 26, 2019: Vulnerability discovered. November 28, 世2018: Vendor contacted. March 3, 2019: No response from vendor. April 2, 2019: Public security advisory released. PoC beward_root.txt Acknowledgments Vulnerability discovered by Gjoko Krstic - References 1. https://www.exploit-db.com/exploits/46319 2. https://packetstormsecurity.com/files/151531 3. https://exchange.xforce.ibmcloud.com/vulnerabilities/156599 4. https://cxsecurity.com/issue/WLB-2019020042 Change Log April 2, 2019: Initial release October 2, 2019: Added references [1], [2], [3], and [4] Contact Zero Science Lab Website: http://www.zeroscience.mk Email: lab@zeroscience.mk