Author: Ta-Lun Yen, TXOne Research
Recently, a botnet cheekily named “Hail Cock” has been spotted by Akamai SIRT, using one of two bugs I discovered a while ago. I am publishing this blog post as this bug has since been exploited in the wild, despite it having been found and reported back in July 2023.
Executive Summary
Two post-authentication bugs, a command injection leading to remote code execution and an arbitrary file read, were found across unknown versions of DigiEver DVRs. At the time of this writing, the vendor has released neither a fix nor an advisory. According to Akamai, one of the bugs is currently being actively exploited in the wild by a Mirai-type botnet.
The bugs likely affect most DigiEver devices; I cannot determine the exact affected models or firmware versions.
The bugs were assigned the following CVEs:
- CVE-2023-52163, time_tzsetup.cgi Command Injection
- CVE-2023-52164, access_device.cgi Arbitrary File Read
To exploit either vulnerability, the attacker must be logged into the device and send a crafted request. The vendor has released neither a patch nor mitigation guidance at the time of writing, but since the bugs are only exploitable after authentication, the following measures reduce exposure:
- Avoid exposing the device to the Internet. Apply a firewall or gateway to proxy the device’s management interface.
- Change the device’s default username and password.
Exploitation of the bugs is detected by the following TXOne network security product rules:
- #1233322, WEB DigiEver DS-2105 Pro Command Injection
- #1236155, WEB Digiever DS-2105 Pro Authenticated Arbitrary File Read
Details
DigiEver DVRs use a shared code base across different devices. The bugs were found by dissecting the recovery image, which was available on the vendor's website.
On further examination, DigiEver implements a CGI gateway at /cgi-bin/cgi_main.cgi: every function is proxied through this single endpoint, and the request selects which CGI script is invoked (the cgiName parameter seen in the detection rules).
The bugs are readily identifiable as textbook command injection and arbitrary file read.
Mitigations
Since the vendor has not provided mitigation methods or an advisory, we provide the following Snort 3 rules to detect exploitation of both vulnerabilities.
For CVE-2023-52163 (Command Injection), use:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Digiever DS-2105 Pro Command Injection"; flow:to_server,established; http_uri; content:"/cgi-bin/cgi_main.cgi"; http_client_body; content:"cgiName=time_tzsetup.cgi"; pcre:"/ntp=[0-9a-zA-Z\.\s]*[|`\;]/"; reference:cve,2023-52163; classtype:web-application-attack; sid:1000001; rev:1;)
For CVE-2023-52164 (Arbitrary File Read), use:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Digiever DS-2105 Authenticated Arbitrary File Read"; flow:to_server,established; http_uri; content:"/cgi-bin/cgi_main.cgi"; http_client_body; content:"cgiName=access_device.cgi"; pcre:"/fileName=(\/|\w+\/\.\./)/"; reference:cve,2023-52164; classtype:web-application-attack; sid:1000002; rev:1;)
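To show what the two rules actually match on, here is an added Python example (not part of the original post and not TXOne or DigiEver code) that replays the same logic over a few constructed HTTP requests to the cgi_main.cgi gateway: it checks the URI, picks the cgiName in the POST body, and applies the same regular expressions as the pcre options above. The host name, cookie and the sample bodies are invented for the example. One point the example makes explicit is that the body is percent-decoded before matching; verify that your sensor's client-body normalization does the same for form-encoded requests, otherwise an encoded `;`, `|` or `/` would not be seen by the pattern.

```python
import re
from urllib.parse import unquote_plus

# Detection signatures mirroring the two Snort 3 rules above: the CGI script
# dispatched through cgi_main.cgi plus the pattern applied to the decoded body.
SIGNATURES = [
    {
        "cve": "CVE-2023-52163",
        "name": "WEB-CGI Digiever DS-2105 Pro Command Injection",
        "cgi": "cgiName=time_tzsetup.cgi",
        "pattern": re.compile(r"ntp=[0-9a-zA-Z\.\s]*[|`;]"),
    },
    {
        "cve": "CVE-2023-52164",
        "name": "WEB-CGI Digiever DS-2105 Authenticated Arbitrary File Read",
        "cgi": "cgiName=access_device.cgi",
        "pattern": re.compile(r"fileName=(/|\w+/\.\./)"),
    },
]

GATEWAY_URI = "/cgi-bin/cgi_main.cgi"


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, headers, body).

    Minimal parser sufficient for the constructed samples below; it handles
    neither chunked encoding nor header continuation lines.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, uri, headers, body


def match_signatures(raw: str):
    """Return the CVE ids of every signature that fires on this request.

    The body is percent-decoded before matching so that encoded payloads
    (%3B, %7C, %2F, ...) are evaluated in their decoded form.
    """
    _method, uri, _headers, body = parse_http_request(raw)
    if GATEWAY_URI not in uri:
        return []
    decoded = unquote_plus(body)
    return [
        sig["cve"]
        for sig in SIGNATURES
        if sig["cgi"] in decoded and sig["pattern"].search(decoded)
    ]


def build_request(body: str) -> str:
    """Build a constructed POST to the CGI gateway (sample data, not captured traffic)."""
    return (
        "POST /cgi-bin/cgi_main.cgi HTTP/1.1\r\n"
        "Host: dvr.example.invalid\r\n"          # hypothetical host
        "Cookie: session=REDACTED\r\n"           # placeholder: requests are post-auth
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


# Constructed samples: a benign request per endpoint, one matching each rule,
# and percent-encoded variants that a plain substring match would miss.
SAMPLES = {
    "benign_ntp": build_request("cgiName=time_tzsetup.cgi&ntp=pool.ntp.org&tz=UTC"),
    "cmdinj_plain": build_request("cgiName=time_tzsetup.cgi&ntp=10.0.0.1;&tz=UTC"),
    "cmdinj_encoded": build_request("cgiName=time_tzsetup.cgi&ntp=10.0.0.1%7C&tz=UTC"),
    "benign_file": build_request("cgiName=access_device.cgi&fileName=report.txt"),
    "fileread_abs": build_request("cgiName=access_device.cgi&fileName=/etc/hostname"),
    "fileread_traversal": build_request(
        "cgiName=access_device.cgi&fileName=logs%2F..%2F..%2Fetc%2Fhostname"
    ),
    "other_uri": "GET /index.html HTTP/1.1\r\nHost: dvr.example.invalid\r\n\r\n",
}


def scan_samples():
    """Run every sample through the signatures; returns {sample name: [CVE ids]}."""
    return {name: match_signatures(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:20s} -> {hits or 'no match'}")
```

Running the block prints one line per sample; only the four crafted requests report a CVE, and the encoded variants are caught solely because decoding happens before the pattern is applied.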
Disclosure Timeline
With no other options available, we proceeded with full public disclosure of these two bugs after receiving the following response from the vendor through TWCERT/CC:
This product has been off the shelf for five years.
| Date | Description |
| --- | --- |
| July 31st, 2023 | The bugs were disclosed to TWCERT/CC. |
| August 1st, 2023 | DigiEver closed the case, citing the device having been end-of-life for five years as their rationale. |
| Mid-December 2023 | The CVE identifiers were reserved for the bugs. |
| December 19th, 2024 | Public disclosure by Akamai. |