VYPR
Unrated severity · NVD Advisory · Published Aug 29, 2019 · Updated Sep 17, 2024

Advan VD-1 allows users to download arbitrary files

CVE-2019-13408

Description

A relative path traversal vulnerability was found in Advan VD-1 firmware versions up to 230. It allows attackers to download arbitrary files via the URL cgibin/ExportSettings.cgi?Download=filepath, without any authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated relative path traversal in Advan VD-1 firmware up to v230 allows attackers to download arbitrary files via a crafted URL.

Vulnerability

A relative path traversal vulnerability exists in Advan VD-1 firmware versions up to v230. The issue resides in the cgibin/ExportSettings.cgi endpoint, where the Download parameter does not sanitize user input, allowing directory traversal sequences (e.g., ../) to access arbitrary files on the device. No authentication is required to trigger this vulnerability [1].

Exploitation

An attacker with network access to the device can send a crafted HTTP GET request to http://<device-ip>/cgibin/ExportSettings.cgi?Download=filepath, where filepath contains relative path traversal sequences to point to sensitive files (e.g., /../../etc/passwd). The vendor-provided proof-of-concept (PoC) uses the device IP 10.10.10.10 as the target [1]. No authentication, user interaction, or special privileges are needed.

Impact

Successful exploitation allows an unauthenticated attacker to download any file readable by the web server, including configuration files, credentials, or system files. The device is a security camera with face recognition and motion detection capabilities; attackers could exfiltrate sensitive data or gain insights to disable security monitoring [1].

Mitigation

The fixed version is not disclosed in the available references. As of the publication date (2019-08-29), users are advised to restrict network access to the device and apply any vendor-supplied firmware update when available. The affected firmware includes Advan VD-1 <= v230, Geovision GV-VR360 <= V1.10, and GeoVision GV-VD8700 <= V1.01 [1]. No known workaround is provided.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
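
One way to hunt for this request pattern in the access logs of a proxy or gateway in front of the camera, as an added example (not code from the advisory or the vendor). It assumes combined-format log lines; the sample lines, source addresses and the file name `settings.cfg` are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory.
ENDPOINT = "cgibin/exportsettings.cgi"
PARAM = "Download"
# Assumed log layout: source address first, quoted request line, then status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment."""
    return ".." in re.split(r"[\\/]+", fully_decode(value))

def find_traversal_requests(lines):
    """Return (source, status, decoded value) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(ENDPOINT):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_traversal(value):
                hits.append((m["src"], int(m["status"]), fully_decode(value)))
    return hits

# Constructed sample log lines (documentation address range).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Aug/2019:10:00:01 +0000] "GET /cgibin/ExportSettings.cgi?Download=settings.cfg HTTP/1.1" 200 512',
    '192.0.2.44 - - [29/Aug/2019:10:00:07 +0000] "GET /cgibin/ExportSettings.cgi?Download=/../../etc/passwd HTTP/1.1" 200 1324',
    '192.0.2.44 - - [29/Aug/2019:10:00:09 +0000] "GET /cgibin/ExportSettings.cgi?Download=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1324',
    '192.0.2.10 - - [29/Aug/2019:10:00:12 +0000] "GET /index.html?Download=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, status, value in find_traversal_requests(SAMPLE_LOG):
        print(f"{src} status={status} Download={value!r}")
```

A hit that was answered with status 200 means the device returned content for that request and should be treated as a likely file disclosure when triaging.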

Affected products

2
  • Advan/VD-1 · llm-create
    Range: <=230
  • AndroVideo/Advan VD-1 firmware · v5
    Range: up to 230

Patches

0

No patches discovered yet.

References

3