myhack58 Anonymous MYHACK58:62201788327
Aug 03, 2017 - 12:00 a.m.

Shenzhen, China smart camera manufacturer exposed to vulnerabilities: at least 17.5 million devices can be attacked remotely (vulnerability warning) - Black Bar Safety Net

Anonymous
www.myhack58.com

Security firms Bitdefender and Checkmarx have released reports in which their researchers found remotely exploitable vulnerabilities in several common smart cameras, including VStarcam, Loftek and Neo IP cameras. The Neo IP cameras are made by Shenzhen Neo Electronics, a manufacturer based in Shenzhen, China. The reports specifically name two Neo Electronics products, the iDoorbell and the Neo Coolcam NIP-22 camera; both contain buffer overflow flaws that let an attacker remotely break into the affected device, execute arbitrary code and take it over completely.
![](/Article/UploadPic/2017-8/201783172012255.png?www.myhack58.com)
Key findings
Shenzhen Neo Electronics is a Chinese company that supplies smart sensors, alarms and cameras. Its iDoorbell and NIP-22 camera currently contain several buffer overflow vulnerabilities, some of them in the authentication code. Because other cameras run the same software, the researchers believe that other Neo Electronics products, not only the iDoorbell and the Neo Coolcam NIP-22, may be affected as well. After scanning with Shodan, Bitdefender estimates that about 175,000 devices expose an open port through UPnP that an attacker could use.
![](/Article/UploadPic/2017-8/201783172012124.jpg?www.myhack58.com)
Checkmarx researchers also analysed several Loftek and VStarcam smart cameras and found further security vulnerabilities on top of previously disclosed issues. In the Loftek CXS 2200 camera they found a CSRF vulnerability that an attacker can use to add a new administrator account, an SSRF vulnerability that can lead to DoS, an XSS vulnerability that allows arbitrary code execution, and a file disclosure vulnerability; in the VStarcam C7837WIP camera the researchers found stored XSS, open redirection and a forced reset. These cameras also serve HTTP responses directly, which increases the likelihood of XSS attacks, page hijacking, modification of user information, cache poisoning and other problems.
Checkmarx pointed out that some of the vendors build relatively simple cameras from very basic hardware and software. Surveys indicate that more than 120 million devices may be vulnerable.
Once our initial scan results came out, we found that as long as your camera is capable of networking, you're at risk. A malicious user can use your device to track your daily life and know whether you are at home or out and about. They can steal your email information, gain access to your wireless connection and the permissions of your other devices, and monitor your conversations.
– Checkmarx wrote in its report
Technical analysis
The two Neo Electronics cameras are exposed to two kinds of attack: the first through the camera's web service, the second through its Real Time Streaming Protocol (RTSP) service.
Web service exploit
![](/Article/UploadPic/2017-8/201783172012545.png?www.myhack58.com)
The vulnerability in the HTTP service can be triggered through the login process by supplying a malformed user name and password. When a user authenticates, the credentials are passed in a GET request of the form “http:///?usr=&pwd=”. The web authentication module then tries to parse these values: “libs_parsedata” copies the contents of both parameters onto the stack without checking the actual capacity of the destination buffers, which produces an out-of-bounds write.
![](/Article/UploadPic/2017-8/201783172012565.png?www.myhack58.com)
Full ASLR is enabled, so the libraries the binary loads always land at random addresses. However, the binary itself is not compiled as a PIE (position independent executable, a protection that lets the binary and all its dependencies be loaded at random locations in virtual memory each time the application runs), so it is still loaded at the same address every time.
![](/Article/UploadPic/2017-8/201783172012510.png?www.myhack58.com)
In the simulated attack, the researchers used the two overflows to call the “system” function with a command of their choosing. For this they used a ROP gadget located at address 0x0007EDD8, which places a stack address in R0 and then calls system. After the jump to the gadget, the stack pointer points at the return address.
![](/Article/UploadPic/2017-8/201783172012406.png?www.myhack58.com)
To execute a command, the researchers first need to overwrite the return address with 0x0007EDD8 and place the command right after that address. The overflow through the username parameter overwrites everything on the stack, including the return address, and then leaves 204 bytes of space in which the command can be written. The overflow through the password parameter is then used to cover the 328 bytes up to the return address. Because the string must be null-terminated, the terminating byte is appended automatically and completes the gadget address left on the stack. The final payload looks as follows:
GET /?usr=<204 bytes>&pwd=<328 bytes><0xD8ED07> HTTP/1.1
The command must not contain null bytes, the '&' character or spaces, but the space restriction is easily worked around with the internal field separator ${IFS}. After the code runs the service crashes, but the watchdog process restarts the camera. Because the file system is mounted read-write, a binary can be downloaded over TFTP and the rcS file modified so that it runs at boot, which gives persistence.
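The unchecked copy in libs_parsedata described above, rewritten as a bounds-checked parser. This is an added example, not Neo Electronics' firmware or Bitdefender's code; the function names and the CRED_MAX buffer size are assumptions, since the page does not give the real buffer sizes.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Neo Electronics firmware: the usr=/pwd= parsing that
 * libs_parsedata does with no length check, rewritten so an over-long value is
 * rejected instead of being written past the buffer. CRED_MAX is assumed. */
#define CRED_MAX 32
enum { PARSE_OK = 0, PARSE_MISSING = -1, PARSE_TOO_LONG = -2 };

/* Copy the value of key ("usr=") from a '&'-separated query into out[cap]. */
static int get_param(const char *query, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *seg = query;
    for (;;) {
        size_t seglen = strcspn(seg, "&");
        if (seglen >= klen && memcmp(seg, key, klen) == 0) {
            size_t vlen = seglen - klen;
            if (vlen >= cap) return PARSE_TOO_LONG;  /* would overrun: refuse */
            memcpy(out, seg + klen, vlen);
            out[vlen] = '\0';
            return PARSE_OK;
        }
        if (seg[seglen] == '\0') return PARSE_MISSING;
        seg += seglen + 1;                           /* next segment */
    }
}

/* Parse into fixed stack buffers; never writes past CRED_MAX bytes of either. */
int check_login_query(const char *query)
{
    char usr[CRED_MAX], pwd[CRED_MAX];
    int r = get_param(query, "usr=", usr, sizeof usr);
    return r != PARSE_OK ? r : get_param(query, "pwd=", pwd, sizeof pwd);
}

/* Constructed input shaped like the payload above: usr_len 'A's, pwd_len 'B's. */
int verdict_for_lengths(size_t usr_len, size_t pwd_len)
{
    char query[1024];
    size_t n = 0;
    if (usr_len + pwd_len + 10 >= sizeof query) return PARSE_TOO_LONG;
    memcpy(query + n, "usr=", 4);    n += 4;
    memset(query + n, 'A', usr_len); n += usr_len;
    memcpy(query + n, "&pwd=", 5);   n += 5;
    memset(query + n, 'B', pwd_len); n += pwd_len;
    query[n] = '\0';
    return check_login_query(query);
}
```

With this check, the 204-byte and 328-byte values from the payload above are refused with PARSE_TOO_LONG before a single byte reaches the stack buffers.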
Camera RTSP service exploit
![](/Article/UploadPic/2017-8/201783172012929.png?www.myhack58.com)
