Rose will just responds to me with engrish when I email them. I have no point of contact for hi silicon. I would gladly assist the manufacturer in addressing this hole if put into contact with the right people. On Mar 25, 2013 8:56 AM, "Henri Salo" <[email protected]> wrote:
> On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote: > > I have been hacking on a Rosewill RSVA11001 for a while now, something to > > suck up my free time. I had pulled apart the firmware previously but did > > not succeed in finding a way to get a shell on the device. The box is > > Hi3515 based, I found an exploit for another similar box (Ray Sharp) but > it > > did not work. The Rosewill firmware seems to use an executable that > listens > > on two ports rather one when communicating with the Windows-based control > > software. Port 8000 is now the command port rather 9000, 9000 is used for > > video only. After playing with the included Windows application I > > eventually did a strings on the 'hi_dvr' exectuable that is the user > space > > program that controls the interface to thing. I found this gem: > > > > /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp > > > > So I used the windows software to set the NTP host to > > > > a;/usr/bin/nc -l -p 5555 -e /bin/sh& > > Did you report this to the vendor? > > -- > Henri Salo > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iEYEARECAAYFAlFQSZIACgkQXf6hBi6kbk/jpACePQuP3jtEBZe+YzVZ2y0zXSNW > YPcAoLQAmb9yBU14PRpI8RKCeE+XjRfG > =bybp > -----END PGP SIGNATURE----- > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
