CVE-2024-31799

Vulnerability

The GNCC GC2 Indoor Security Camera 1080P exposes a UART debugging port that transmits the Wi-Fi credentials in clear text during the boot process. No authentication is required to view this information. Additionally, the device allows an attacker to bypass the interactive shell login prompt by modifying bootloader settings, granting root shell access with the same root password across all devices [1].

Exploitation

An attacker with physical access to the camera must connect to the device's UART port while the camera is switched off. After powering on, the attacker continuously presses the [RETURN] key to enter the bootloader settings. From there, a specific command (setenv boot_normal ...) changes the boot arguments to boot directly into a root shell [1]. The attacker then runs run boot_normal to complete the boot process and gain root access.

Impact

Successful exploitation allows the attacker to read the Wi-Fi credentials (passphrase) transmitted in clear text from the UART port, and to obtain a root shell on the device. From the shell, the attacker can view the /etc/shadow file, revealing the root password hash, which is the same across all devices. This can lead to full compromise of the camera and potential lateral movement into the network (e.g., reusing Wi-Fi credentials) [1].

Mitigation

No official fix or advisory has been released by GNCC as of the publication date. The vendor was notified but did not acknowledge the vulnerabilities. The device is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Until a patch is available, physical access to the device must be restricted to prevent exploitation. Removing or disabling the UART port is a potential hardware workaround [1].