CVE-2024-31798

Vulnerability

All GNCC GC2 Indoor Security Camera 1080P devices use a single, hardcoded root password that is identical across the entire product line. An attacker with physical access to the device can, after exploiting a bootloader bypass to enter a root shell, read /etc/shadow and discover the password hash. The vendor (GNCC) has not acknowledged the issue, and no firmware update has been released as of the advisory date. [1]

Exploitation

The attacker requires physical access to the device and a serial connection to its exposed UART port. By powering on the camera while repeatedly pressing the [RETURN] key, the attacker enters the bootloader settings. A specific command (setenv boot_normal ...) changes the boot arguments to launch an interactive shell directly as root. From this root shell, the attacker runs cat /etc/shadow to extract the password hash. [1]

Impact

Once the root password hash is obtained (and because it is the same on all devices), the attacker can remotely log in via SSH, telnet, or any other network-accessible service as root on any GC2 camera they can reach. This grants full control over the device, including the ability to read the camera feed, modify settings, intercept Wi-Fi credentials, and use the device as a pivot point inside the network. [1]

Mitigation

The vendor GNCC has not acknowledged the vulnerabilities and has not released a patch. No mitigation or workaround is provided in the available references. If continued use of the device is necessary, it should be isolated on a separate VLAN, network access strictly limited, and physical access controls enforced to prevent UART connection. [1]