## Vulnerability Key Information

### Summary

KERUI K259 5MP Wi-Fi / Tuya Smart Security Camera firmware v33.53.87 contains a code execution vulnerability located in the boot/update logic. During startup, `/usr/sbin/anyka_service.sh` scans mounted TF/SD cards; if the file `/mnt/update.nor.sh` exists, it is copied to `/tmp/net.sh` and executed with root privileges, allowing an attacker with physical access to run arbitrary commands.

### Details

- **Vulnerable Endpoints**:
  - `/usr/sbin/anyka_service.sh`
  - `/usr/bin/update_entry`
- **Trigger File**:
  - `update.nor.sh` (placed in the root directory of a mounted TF/SD card)

### POC (Proof of Concept)

1. Create a file named `update.nor.sh` in the root directory of an SD/TF card with content: `/usr/sbin/telnetd -l /bin/sh &`
2. Insert the SD card and reboot the device.
3. Upon successful exploitation, the device copies `/mnt/update.nor.sh` to `/tmp/net.sh`, marks it as executable, and executes it, launching a telnet service (or any arbitrary command), granting root shell access.

### Impact

- **Remote Command Execution and Persistent Backdoor**: Attackers can gain root shell access and install persistent mechanisms (e.g., cron, init, boot modifications).
- **Network Pivot and Scanning**: Attackers can use the camera to scan and attack devices within the local network.
- **Credential and Media Exfiltration**: Stored credentials, tokens, and recorded video/audio can be read and exfiltrated.
- **Firmware/Boot Persistence and Tampering**: Attackers can modify firmware or boot components to bypass verification and survive reboots.
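
To audit an extracted firmware root filesystem for the pattern described in the Summary (a boot script that copies a file from the card mount and then runs it), the following is an added example, not code from the device or the vendor. The function names and the two sample scripts are constructed for illustration; only the `/mnt` mount point and the file names `update.nor.sh` and `net.sh` come from the advisory.

```shell
# Added example: flag firmware scripts that execute files taken from
# removable media. Assumption: the card is mounted under /mnt.

# audit_script FILE: print "FILE:LINE: executes PATH" for every command that
# runs a path under /mnt/ or a copy made from one (simple taint tracking).
audit_script() {
    awk -v f="$1" -v media='^/mnt/' '
    /^[ \t]*#/ { next }                        # skip comment lines
    {
        gsub(/"/, "")                          # ignore double quotes
        nc = split($0, cmd, /[;&|]+/)          # one entry per simple command
        for (c = 1; c <= nc; c++) {
            n = split(cmd[c], w, /[ \t]+/)
            s = 1                              # skip blanks and then/do/else
            while (s <= n && (w[s] == "" || w[s] ~ /^(then|do|else)$/)) s++
            if (s > n) continue
            if (w[s] == "cp" || w[s] == "mv") {
                src = ""; dst = ""             # last two non-option words
                for (i = s + 1; i <= n; i++)
                    if (w[i] != "" && w[i] !~ /^-/) { src = dst; dst = w[i] }
                if (src ~ media || (src in taint)) taint[dst] = 1
                continue
            }
            run = w[s]
            if (run ~ /^(sh|\.|source|exec)$/) run = w[s + 1]
            if (run ~ media || (run in taint))
                printf "%s:%d: executes %s\n", f, NR, run
        }
    }' "$1"
}

# audit_rootfs DIR: run audit_script over every *.sh file below DIR.
audit_rootfs() {
    find "$1" -type f -name '*.sh' | sort | while IFS= read -r file; do
        audit_script "$file"
    done
}

# make_sample_rootfs DIR: constructed stand-ins, not the vendor's scripts.
make_sample_rootfs() {
    mkdir -p "$1/usr/sbin"
    cat > "$1/usr/sbin/sample_boot.sh" <<'EOF'
#!/bin/sh
if [ -f /mnt/update.nor.sh ]; then
    cp /mnt/update.nor.sh /tmp/net.sh
    chmod +x /tmp/net.sh
    /tmp/net.sh &
fi
EOF
    printf '#!/bin/sh\ncp /etc/a.conf /tmp/a.conf\n/tmp/app &\n' > "$1/usr/sbin/sample_ok.sh"
}
```

Point `audit_rootfs` at the directory produced by unpacking a firmware image; the check is a line-based heuristic, so each finding is a line to review by hand rather than a confirmed defect.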