Source: Lilith (<_<) of Cisco Talos. http://talosintelligence.com/vulnerability-reports/TALOS-2018-0689
History: May 13, 2019 - 12:00 a.m.

Novatek NT9665X HTTP Upload Firmware Update Vulnerability

2019-05-13 00:00:00
Lilith (<_<) of Cisco Talos. http://talosintelligence.com/vulnerability-reports/
www.talosintelligence.com

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.007 Low (Percentile 79.7%)

Summary

An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam version “RoavA1_SW_V1.9”. The HTTP server allows arbitrary firmware binaries to be uploaded, which are then flashed on the next reboot. An attacker can send an HTTP PUT request or a firmware upgrade request to trigger this vulnerability.

Tested Versions

Anker Roav A1 Dashcam RoavA1_SW_V1.9

Product URLs

<https://goroav.com/products/roav-dash-cam-a1>

CVSSv3 Score

10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-73: External Control of File Name or Path

Details

The Novatek NT96650 system on a chip (SoC) is a chipset used in a very large number of consumer camera devices, particularly dashcams. The chip ships with default firmware that is a fork of the Embedded Configurable Operating System (eCos) project; this firmware is found in the Roav A1 Dashcam, which is the device discussed in this advisory.

The Roav A1 Dashcam by Anker lets users connect with the Roav app for Android and iOS, so that they can toggle settings and download videos from the dashcam, along with a host of other features. To do this, users must first manually enable the “Wi-Fi AP” setting on the dashcam and then connect to the “Roav_A1_” SSID with the default password “goroavcam”.

From here, the app interacts with the dashcam mainly via an eCos webserver running on port 80 that requires no authentication. Standard HTTP POST, GET, and DELETE requests can be used to upload, download, or delete videos and pictures on the dashcam, but there is also a separate interface used for configuration. When requesting any URL, a set of commands is accessed by supplying the HTTP query string ?custom=1&cmd=<0000-9999>. Only a subset of commands is implemented; the list can be retrieved by accessing http://192.168.1.254/?custom=1&cmd=3012.

Through heuristic testing and reverse engineering of several different NT96650 chipsets, all of the above functionality was found to be implemented on a per-device basis. For example, the Wi-Fi AP might be strictly disabled on one dashcam, while requiring user interaction on another. Most commands numbered <= 5001 seem to implement similar or identical functionality across models, which is why this bug is listed for the NT96650 chipset rather than just for the Roav A1 Dashcam.

To restate: HTTP GET, PUT, POST, and DELETE requests are all handled as a normal HTTP server would handle them, allowing users to upload, download, and delete files independently of the “custom=1&cmd=XXXX” API used by the app. If a user sends an HTTP PUT request that uploads a firmware file named “FW96658A.bin”, the file is written to the root directory of the SD card inserted into the device.

On any boot of the Roav Dashcam (and, it is surmised, any NT96650 device), it looks for the “A:\FW96658A.bin” file and attempts to flash itself with that file. There is no signature checking or any other validation, aside from a checksum check on both the packed and unpacked versions of the firmware.

Prior work exists for the checksum: the ntkcalk tool written by “Tobi@s”, found at <http://dc.p-mc.eu/tools/novatek/cmd>, and for packing and unpacking the firmware (also written by “Tobi@s”), found at <http://git.p-mc.eu/ntk/bfc4ntk>.

Please note that it is the author’s opinion that the vulnerability lies in the fact that the HTTP webserver is mounted at the root of the SD card, and not in the fact that a file on the SD card can trigger a firmware update.
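As an added example (not code from the Talos advisory, Novatek, or Anker), the following Python sketches the mitigation the author's opinion points at: a write policy that keeps HTTP uploads out of the SD-card root and away from the boot-time firmware filename, plus a check that flags such writes in HTTP access logs captured on the Wi-Fi segment. The /DCIM upload directory, the log format and the sample log lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed for this example: firmware name and SD-card root come from the advisory; upload directory and log shape are assumed.
FIRMWARE_NAME_RE = re.compile(r"^FW\d{5}[A-Z]?\.bin$", re.IGNORECASE)
UPLOAD_ROOT = "/DCIM"  # assumed: the only tree the companion app needs to write to
WRITE_METHODS = {"PUT", "POST", "DELETE"}

def canonical(path):
    """Strip the query string, decode %xx escapes and collapse '.', '..' and '//'."""
    path = unquote(path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def write_allowed(method, path):
    """Policy a hardened server could apply: writes only under UPLOAD_ROOT,
    and never to a firmware image name, wherever it is placed."""
    if method.upper() not in WRITE_METHODS:
        return True  # reads are outside this check
    p = canonical(path)
    if p != UPLOAD_ROOT and not p.startswith(UPLOAD_ROOT + "/"):
        return False  # e.g. the SD root, where A:\FW96658A.bin is picked up at boot
    if FIRMWARE_NAME_RE.match(posixpath.basename(p)):
        return False  # never stage a firmware image, even inside the upload tree
    return True

# Assumed access-log shape: <client> "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$')

def flag_disallowed_writes(lines):
    """Return (client, method, canonical path) for each write the policy above would refuse."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and not write_allowed(m["method"], m["path"]):
            hits.append((m["src"], m["method"], canonical(m["path"])))
    return hits

# Constructed sample traffic: a firmware image staged at the SD root, a command-API read, a media upload, and an encoded traversal.
SAMPLE_LOG = [
    '192.168.1.10 "PUT /FW96658A.bin HTTP/1.1" 200',
    '192.168.1.10 "GET /?custom=1&cmd=3012 HTTP/1.1" 200',
    '192.168.1.10 "POST /DCIM/100MEDIA/clip.mp4 HTTP/1.1" 200',
    '192.168.1.11 "PUT /DCIM/%2e%2e/FW96658A.bin HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in flag_disallowed_writes(SAMPLE_LOG):
        print("disallowed write:", hit)
```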

Credit

Discovered by Lilith (<_<) of Cisco Talos. http://talosintelligence.com/vulnerability-reports/

Timeline

2018-10-29 - Talos contacts vendor
2018-11-02 - Report disclosed to vendor
2018-12-04 - 30 day follow up
2019-01-18 - 60 day follow up - Talos reaches out to TWNCERT for assistance reaching vendor (Novatek)
2019-01-22 - TWNCERT contacted Novatek and advised Novatek will check emails for reports
2019-03-06 - 90+ day follow up - Talos asks TWNCERT for direct point of contact for Novatek
2019-03-27 - Talos sends follow up to TWNCERT
2019-04-02 - Talos sends copies of email correspondence and reports to TWNCERT
2019-04-18 - Suggested public disclosure date of 2019-05-13 (171 days after initial disclosure)
2019-04-19 - Vendor fixed issue and provided patch to their IDH
2019-05-13 - Public disclosure
