IP CAMERA VULNERABILITY REPORT

(CVE-2019-12288, CVE-2019-12289)

 

F1 Security / Senior Researcher : Simhyeon, Choe (SIMS)

Report Date : 19.03.14

 

1. Outline of vulnerabilities

 

1.1 Discovered vulnerabilities

- Multiple vulnerabilities in VSTARCAM IPCAM

| No | CVE-ID | Discovered Date | F/W Type | F/W Version | Vulnerability summary | Potential Threats |
|---|---|---|---|---|---|---|
| 1 | CVE-2019-12289 | 19.01.30 | System F/W | 48.53.XX.119, 48.53.XX.120, 48.53.XX.123 | An exploitable remote command execution as root by updating system firmware | Remote control via stealing a credential file containing ID/PW values (unauthorized filming, video streaming, motion control); system firmware destruction; backdoor installation |
| 2 | CVE-2019-12288 | 19.02.15 | Web UI F/W | KRXX.XX.XX.20 | An exploitable firmware vulnerability by updating web UI firmware | |

 

1.2 Vulnerabilities Summary

- [CVE-2019-12289] An exploitable remote command execution as root by updating system firmware (Remote)

An attacker can execute arbitrary shell commands through a manipulated system firmware without any authentication. This is done by providing an empty loginuse and an empty loginpas parameter via upgrade_firmware.cgi, which is in a web application on the custom-built GoAhead web server used on Vstarcam.

- [CVE-2019-12288] An exploitable firmware vulnerability by updating web UI firmware (Remote)

An attacker can gain control through a forced firmware update without any authentication via upgrade_htmls.cgi in a web application on the custom-built GoAhead web server used on Vstarcam.

- File systems containing the vulnerabilities : JFFS2, SquashFS

- Binaries containing the vulnerabilities : system/system/bin/encoder, bin/sysdepack

- CGI profiles containing the vulnerabilities : upgrade_firmware.cgi, upgrade_htmls.cgi

 

1.3 Target device and Firmware version

Manufacturer / Brand : China (WithNall) / VSTARCAM

| MODEL | VSTARCAM-200V (C38S) | VSTARCAM-100T (C7824WIP) |
|---|---|---|
| System F/W version | CH-sys-48.53.203.119, CH-sys-48.53.203.120, CH-sys-48.53.203.123 | CH-sys-48.53.75.119, CH-sys-48.53.75.120, CH-sys-48.53.75.123 |
| Web UI F/W version | KR203.18.1.20 | KR75.8.53.20 |
| Linux Kernel version | 3.4.35 | - |
| GCC version | 4.8.3 | - |

 

 

 

2. Vulnerabilities Description

 

2.1 [CVE-2019-12289] An exploitable firmware vulnerability by updating system firmware

 

2.1.1 Bypassing authentication by providing an empty loginuse and an empty loginpas parameter via the upgrade_firmware.cgi profile

- The HTTP interface is provided by a custom-built HTTP server. For authentication, the server checks that the URI contains the combination of CGI profile and parameters, commonly in the following format.

URI Format:

/[PROFILE_NAME].CGI?PARAM1=VALUE1&PARAM2=VALUE2&...&loginuse=[ID]&loginpas=[PW]&

(loginuse carries the user name, loginpas the password.)

Normally, if the URI request provides the correct [ID] and [PW], the custom-built HTTP server responds with 'var result="ok";'. Otherwise, the response is 'var result="Auth Failed";'. For example, the following request with empty credentials is rejected:

http://TARGET_IP:PORT/get_params.cgi?loginuse&loginpas&

However, in the case of upgrade_firmware.cgi, this authentication can be bypassed by providing an empty loginuse and an empty loginpas:

http://TARGET_IP:PORT//upgrade_firmware.cgi?loginuse&loginpas&

=> This means that the device can be updated, without any authentication, with a manipulated system firmware payload sent to the target device by an attacker.
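The behaviour described in 2.1.1 gives a defender a simple detection signal: any request to upgrade_firmware.cgi or upgrade_htmls.cgi whose loginuse/loginpas values are missing or empty is a firmware update attempted without authentication. The following is an added example (not part of the report or the vendor's code) that scans combined-format access lines for exactly that condition. It assumes a web server or reverse proxy in front of the camera writes such logs; the log format, the sample lines and the IP addresses are constructed for the example, and the `//upgrade_firmware.cgi` form shown in the report is handled by splitting the path by hand rather than with `urlsplit`, which would treat the leading `//` as a host part.

```python
"""Spot unauthenticated requests to the firmware-update CGI profiles in HTTP access logs.

Added example; not the report's or the vendor's code. Adapt LOG_RE to your own log source.
"""
import re
from urllib.parse import parse_qs

# CGI profiles that the report shows accepting empty loginuse/loginpas values.
UPGRADE_PROFILES = {"upgrade_firmware.cgi", "upgrade_htmls.cgi"}

# client - - [timestamp] "METHOD URI HTTP/x" status   (combined-log style, constructed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one normal authenticated request, two bypass attempts
# (note the //upgrade_firmware.cgi form from the report) and one authenticated update.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2019:10:01:02 +0900] "GET /get_params.cgi?loginuse=admin&loginpas=secret& HTTP/1.1" 200',
    '203.0.113.5 - - [14/Mar/2019:10:01:09 +0900] "POST //upgrade_firmware.cgi?loginuse&loginpas& HTTP/1.1" 200',
    '203.0.113.7 - - [14/Mar/2019:10:02:31 +0900] "POST /upgrade_htmls.cgi?loginuse&loginpas& HTTP/1.1" 200',
    '198.51.100.9 - - [14/Mar/2019:10:03:00 +0900] "POST /upgrade_firmware.cgi?loginuse=admin&loginpas=secret& HTTP/1.1" 200',
]


def split_uri(uri):
    """Return (profile name, query string). The path is split by hand so that a
    leading '//' is not mistaken for a host part, as urllib.parse.urlsplit would do."""
    path, _, query = uri.partition("?")
    return path.rstrip("/").rsplit("/", 1)[-1].lower(), query


def credentials_empty(uri):
    """True when loginuse or loginpas is missing or carries an empty value
    (a bare 'loginuse&' is kept as an empty value by keep_blank_values=True)."""
    _, query = split_uri(uri)
    params = parse_qs(query, keep_blank_values=True)
    for name in ("loginuse", "loginpas"):
        values = params.get(name)
        if not values or all(v == "" for v in values):
            return True
    return False


def classify(line):
    """Describe a log line that targets an upgrade profile; None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    profile, _ = split_uri(m.group("uri"))
    if profile not in UPGRADE_PROFILES:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "method": m.group("method"),
        "profile": profile,
        "status": int(m.group("status")),
        "unauthenticated": credentials_empty(m.group("uri")),
    }


def find_bypass_attempts(lines):
    """Upgrade-profile requests that carry empty credentials: with the server
    behaviour described in 2.1.1 these are firmware updates without authentication."""
    return [c for c in map(classify, lines) if c is not None and c["unauthenticated"]]


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["method"]} {hit["profile"]} status={hit["status"]}')
```

Run over the constructed lines, only the two requests with empty credentials are reported; the authenticated update on the last line is left to the normal change-control process, since a genuine update also goes through the same profile.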

 

2.1.2 Proof of concepts

* Things to be considered during payload configuration

- The commands and parameters to be executed are placed after the pipe character (|)

- After filling in the directory path string with a size of 32 bytes, configure the path of the file name without empty spaces

- The commands are BusyBox shell commands

 

* Payload Format (This structure is the same as the System F/W)

| Field | Offset | Length | Remark |
|---|---|---|---|
| Head Signature | 0x00 | 32B | Entered with a specified pattern |
| Directory Path | 0x20 | 64B | A shell command to be executed remotely |
| File Name | 0x60 | 64B | |
| Version | 0xA4 | 4B | The value of the first byte is over 100, e.g. XX.XX.XX.[100] |
| End Signature | EOF-0x20 | 32B | Entered with a specified pattern |
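The layout above is what sysdepack reads before it builds a command string from the directory field and hands it to system(). An update routine that validates the fields instead of trusting them closes the injection. The following is an added example (not the vendor's routine and not code from the report): it parses an image by the offsets in the table, checks both signatures, rejects a directory or file name that contains anything a shell would interpret (the "special symbols or empty tokens" check from section 4), optionally compares the image against a digest delivered out of band, and returns an argv list for execve rather than a shell string. The 32-byte signature patterns, the version tuple and the sample names are constructed placeholders; the device's real patterns are not reproduced, and the four bytes between the file name field (ending at 0xA0) and the version field (0xA4) are not described in the report and are left alone.

```python
"""Parse and validate the system F/W image header layout given in the table above.

Added example; not the vendor's update routine. Signature patterns, the sample
directory/file names and the expected digest are constructed placeholders.
"""
import hashlib
import hmac
import re

# Field layout from the report: (offset, length). The four bytes between the end of
# the file name field (0xA0) and the version field (0xA4) are not described and are
# left untouched here.
HEAD_OFF, HEAD_LEN = 0x00, 32
DIR_OFF, DIR_LEN = 0x20, 64
NAME_OFF, NAME_LEN = 0x60, 64
VER_OFF, VER_LEN = 0xA4, 4
END_LEN = 32                       # end signature sits at EOF - 0x20
MIN_IMAGE_LEN = VER_OFF + VER_LEN + END_LEN

# Placeholder 32-byte patterns (constructed); the device's real patterns are not reproduced.
HEAD_SIG = b"EXAMPLE-HEAD-SIGNATURE".ljust(HEAD_LEN, b"-")
END_SIG = b"EXAMPLE-END-SIGNATURE".ljust(END_LEN, b"-")

# A directory or file name may contain only these characters. Everything a shell
# would interpret ('|', ';', '&', '$', '`', spaces, quotes) is rejected outright.
SAFE_PATH = re.compile(rb"\A[A-Za-z0-9_./-]+\Z")


def _cstring(raw):
    """Content of a NUL-padded fixed-width field up to the first NUL."""
    return raw.split(b"\0", 1)[0]


def validate_path_field(raw):
    """Return (ok, reason) for one 64-byte path field."""
    if b"\0" not in raw:
        return False, "field is not NUL-terminated"
    value = _cstring(raw)
    if not value:
        return False, "empty field"
    if not SAFE_PATH.match(value):
        return False, "disallowed character in %r" % value
    if b".." in value.split(b"/"):
        return False, "path traversal"
    return True, ""


def sha256_hex(image):
    return hashlib.sha256(image).hexdigest()


def parse_image(image, expected_sha256=None):
    """Return the header fields plus a list of problems; an empty list means the
    image passes every check. expected_sha256 models a digest delivered out of band."""
    if len(image) < MIN_IMAGE_LEN:
        return {"problems": ["image too short"]}
    problems = []
    if image[HEAD_OFF:HEAD_OFF + HEAD_LEN] != HEAD_SIG:
        problems.append("head signature mismatch")
    if image[-END_LEN:] != END_SIG:
        problems.append("end signature mismatch")
    dir_raw = image[DIR_OFF:DIR_OFF + DIR_LEN]
    name_raw = image[NAME_OFF:NAME_OFF + NAME_LEN]
    for label, raw in (("directory path", dir_raw), ("file name", name_raw)):
        ok, why = validate_path_field(raw)
        if not ok:
            problems.append(f"{label}: {why}")
    if expected_sha256 is not None and not hmac.compare_digest(sha256_hex(image), expected_sha256):
        problems.append("sha256 mismatch")
    return {
        "directory": _cstring(dir_raw),
        "file_name": _cstring(name_raw),
        "version": tuple(image[VER_OFF:VER_OFF + VER_LEN]),
        "problems": problems,
    }


def safe_mkdir_argv(parsed):
    """argv a hardened updater would hand to execve (no shell, no string building);
    None when the image failed validation."""
    if parsed["problems"]:
        return None
    return ["mkdir", "-p", parsed["directory"].decode("ascii")]


def build_image(directory, file_name, version=(48, 53, 0, 123), body=b"",
                head=HEAD_SIG, end=END_SIG):
    """Assemble a test image in the layout above (constructed input for the example)."""
    header = bytearray(VER_OFF + VER_LEN)
    header[HEAD_OFF:HEAD_OFF + HEAD_LEN] = head
    header[DIR_OFF:DIR_OFF + DIR_LEN] = directory[:DIR_LEN].ljust(DIR_LEN, b"\0")
    header[NAME_OFF:NAME_OFF + NAME_LEN] = file_name[:NAME_LEN].ljust(NAME_LEN, b"\0")
    header[VER_OFF:VER_OFF + VER_LEN] = bytes(version)
    return bytes(header) + body + end


if __name__ == "__main__":
    for directory in (b"/mnt/update/fw", b"/mnt/update/fw|some-command"):
        result = parse_image(build_image(directory, b"system.bin"))
        print(directory, "->", result["problems"] or "ok", safe_mkdir_argv(result))
```

The design point is that the directory field never reaches a shell: it is checked against a strict character set, a 64-byte field without a terminating NUL is refused rather than read past, and the only thing the updater ever executes is a fixed argv built from the validated value.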

 

* Actual attack payload configuration

[Figure 1] The payload for remote command execution in system firmware

1) Enter the host, the FTP server, and the IP address and port number of the target device (main)

[Figure 38] Entering the host, FTP server, and target device IP address/port

 * Note that you must enter the account information of your own FTP server in the attached PoC code.

2) Request the URI containing upgrade_firmware.cgi with an HTTP POST method, providing an empty loginuse and an empty loginpas (RemoteCommandExecution)

[Figure 39] Requesting upgrade_firmware.cgi on the target device

3) Send the attack payload of the system firmware and exploit the vulnerability on the target device (RemoteCommandExecution)

- An ftpput command embedded in the attack payload is executed by the firmware update routine on the target device after reboot.
- system.ini is uploaded as temp.ini to the attacker's FTP server by executing the ftpput command.
- The exploitable remote command execution is at the red box marked below (the sprintf function in sysdepack).

[Figure 2] Firmware update routine in sysdepack

As seen in [Figure 2], the buffer s holds the directory string (offset 0x20), and an arbitrary command is executed through system() via buffer s. As a result, an additional command can be executed by using the pipe character.

4) Connect to the FTP server and download system.ini (DownloadAuthFile)

- After requesting a download in PASSIVE mode from the FTP server, create an additional socket, receive the packets, and save them to a file on the host.
- Access the account file and read the ID/PW at the specified offset.

5) After waiting for the reboot, acquire the ID/PW from system.ini (WaitForBootSequence)

2.1.3 Vulnerability verification

- Vulnerability verification using the UART execution log
- Checkable by using the RemoteCommandExecution function

[Figure 3] Successful execution of a remote command through the System F/W update

temp.ini (system.ini) obtained (uploaded to the specified FTP server)

[Figure 4] temp.ini uploaded to the FTP server

[Figure 5] Accessing the ID/PW of the administrator account with the temp.ini file

 

 

2.2 [CVE-2019-12288] An exploitable firmware vulnerability by updating web UI firmware

2.2.1 Bypassing authentication by providing an empty loginuse and an empty loginpas parameter via the upgrade_htmls.cgi profile

As with upgrade_firmware.cgi above, the authentication can be bypassed by providing an empty loginuse and an empty loginpas:

/upgrade_htmls.cgi?loginuse&loginpas&

Then, send the web UI firmware payload manipulated by the attacker.

1) Enter the host and the IP address and port number of the target device.

2) Request the URI containing upgrade_htmls.cgi with an HTTP POST method, providing an empty loginuse and an empty loginpas. Send the attack payload of the web UI firmware and exploit the vulnerability on the target device.

- The payload contains the system.ini manipulated by the attacker. (UpdateForceUIFW)

3) After waiting for the reboot, the device is accessible with the manipulated ID/PW.

 

 

2.2.2 Proof of concepts

(1) Manipulate the ID/PW inside the system.ini file of the web service in the dumped F/W image to a specific value

- Assume that the ID/PW in system.ini have been manipulated to a specific value by an attacker

(2) Compress the www directory containing the web UI files

(3) Assemble an image for the web UI firmware

- Insert the head signature pattern

- Write the total size of the compressed file at offset 0x20 as a DWORD

- Insert the compressed /www image for the web UI firmware

- Insert the end signature pattern

=> This finishes assembling the manipulated web UI firmware (hack_app.bin)

   * Without the manufacturer's permission, we do not provide the web UI firmware with the manipulated ID/PW in this report.

(4) Attack a target device by updating the web UI firmware

[Figure 6] List of image files of the Web UI F/W

 

a. Payload Format (This format is the same as the Web UI F/W)

| Field | Offset | Length |
|---|---|---|
| Head Signature | 0x00 | 32B |
| File Size | 0x20 | 4B |
| Zip File List | 0x24 | File Size |
| End Signature | EOF-0x20 | 32B |

b. Actual payload format configuration (for attack)

[Figure 7] The payload for the Web UI firmware (hack_app.bin)

 

 

2.2.3 Vulnerability Verification

- Vulnerability verification using the UART execution log

[Figure 8] Successful manipulation of ID/PW using the Web UI F/W (hack_app.bin)

- CGI profile request processing with the manipulated ADMIN account ID/PW

[Figure 9] Request/response of a CGI profile with the manipulated ID/PW

[Figure 10] Web UI F/W image manipulation & attack

 

2.3 Vulnerabilities exposed during the CGI Profile Processing Routine

upgrade_firmware.cgi and upgrade_htmls.cgi operate as independent routines. The two vulnerabilities can be exploited in the following flow of operation, as shown in [Figure 11].

[Figure 11] upgrade_firmware.cgi / upgrade_htmls.cgi Execution Process

 

 

2.4 Major Vulnerable Text Section Areas

- System F/W version : 48.53.XX.123

| No | Related CGI File | System | Path | Binary | Text Address | Type | Symbol | Cause of Vulnerability |
|---|---|---|---|---|---|---|---|---|
| 1 | upgrade_firmware.cgi | JFFS2 | /system/system/bin | encoder | 0x27CE4 | Function | - | No ADMIN certification |
| 2 | upgrade_firmware.cgi | SquashFS | /bin | sysdepack | 0x9050 | String | www.object-camera.com.by.hongzx. | Plain text pattern check |
| 3 | upgrade_firmware.cgi | SquashFS | /bin | sysdepack | 0x91A4 | String | .xzgnoh.yb.moc.aremac-tcejbo.www | Plain text pattern check |
| 4 | upgrade_firmware.cgi | SquashFS | /bin | sysdepack | 0x8E64 | Function | system(&command); | Execution of command |
| 5 | upgrade_htmls.cgi | JFFS2 | /system/system/bin | encoder | 0x2684C | Function | wifi-camera-app-qazwsxedcrfvtgba | Plain text pattern check |
| 6 | upgrade_htmls.cgi | JFFS2 | /system/system/bin | encoder | 0x26880 | Function | wifi-camera-end-yhnujmzaqxswcdef | Plain text pattern check |
| 7 | upgrade_htmls.cgi | JFFS2 | /system/system/bin | encoder | 0x76074 | Function | - | Deleting web service files |

 

1) [JFFS2] [system/system/bin/encoder]

 [Figure 12] upgrade_firmware.cgi routine without account certification

2) [SquashFS] [bin/sysdepack]

 [Figure 13] System F/W head signature check

3) [SquashFS] [bin/sysdepack] (cont.)

 [Figure 14] System F/W end signature check

4) [SquashFS] [bin/sysdepack] (cont.)

 [Figure 15] Creating a directory for the System F/W

5) [JFFS2] [system/system/bin/encoder]

 [Figure 16] Web UI F/W head signature check

6) [JFFS2] [system/system/bin/encoder]

 [Figure 17] Web UI F/W end signature check

7) [JFFS2] [system/system/bin/encoder]

 [Figure 18] Web UI F/W update major operating codes

 

3. Vulnerability Exploitation Scenario

 

3.1 Exploitation scenario of the 'update vulnerability'

[Figure 19] Attack scenario of remote vulnerability

 

3.2 Range of Threat

- Illegal acquisition of an ADMIN account : Unauthorized filming, video streaming, motion control

- F/W Update : Manipulation and destruction of IP camera F/W

- Execution of a remote command : DDoS attack, backdoor installation

 

3.3 Vulnerability Impact Range

| No | Model | Type | Execution of remote command through System F/W update | Web UI F/W update | Remarks |
|---|---|---|---|---|---|
| 1 | VSTARCAM-200V | Same manufacturer | O | O | Same F/W binary format |
| 2 | VSTARCAM-100T | Same manufacturer | O | O | Same CGI I/F and processing routine |

 

4. How to solve issues

| Security Element | Level | How to solve issues |
|---|---|---|
| Confidentiality | Web | Verify the certification token and ID/PW at upgrade_firmware.cgi and upgrade_htmls.cgi, just like the other CGI interfaces. |
| Confidentiality | F/W | Set a password to prevent the automatic acquisition of an ADMIN account when connecting over UART. |
| Confidentiality | F/W | Fix the vulnerability that allows logging in with the ADMIN account even after the intruder has failed to authenticate 3 times. |
| Integrity | F/W | Obfuscation / anti-reversing. |
| Integrity | F/W | Require hash values to be checked on firmware updates. |
| Integrity | Shell | Do not allow execution when special symbols or empty tokens that do not fit the directory and file format are included in the argument passed to system(). |
| Integrity | Shell | Limit the execution of internal FTP commands. |
| Integrity | Web | Encrypt the param/login.cgi, w/system.ini and www/network.ini files, which are stored as plain text. |
| Integrity | TCP/UDP | Packet monitoring; control packet identification (IP/MAC address). |
| Integrity | TCP/UDP | Encryption of control packets (symmetric key / asymmetric key). |
| Availability | TCP/UDP | Check timestamps for large traffic transmissions (DDoS) from the target device. |