lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d61cc815-7a9a-193b-ef51-4a9558708aa8@sec-consult.com>
Date: Tue, 6 Dec 2016 10:52:58 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Subject: [FD] SEC Consult SA-20161206-0 :: Backdoor vulnerability in Sony
 IPELA ENGINE IP Cameras

We have published an accompanying blog post to this technical advisory with
further information:
http://blog.sec-consult.com/2016/12/backdoor-in-sony-ipela-engine-ip-cameras.html


SEC Consult Vulnerability Lab Security Advisory < 20161206-0 >
=======================================================================
              title: Backdoor vulnerability
            product: Sony IPELA ENGINE IP Cameras
                     (multiple products, see Vulnerable / tested versions below)
 vulnerable version: see Vulnerable / tested versions below
      fixed version: see Vulnerable / tested versions below
         CVE number: -
             impact: Critical
           homepage: https://pro.sony.com/bbsc/ssr/mkt-security/
              found: 2016-10-08
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Sony Professional Solutions (SPS) is a subsidiary of Japanese multinational
technology and media conglomerate Sony with main focus on professional
products. These range from broadcast software and video cameras to providing
Outside Broadcast Units and professional displays."

Source: https://en.wikipedia.org/wiki/Sony_Professional_Solutions


Business recommendation:
------------------------
Attackers are able to completely takeover the Sony IPELA ENGINE IP Camera
products over the network.

Sony has provided updated firmware which should be installed immediately.

SEC Consult recommends Sony and Sony customers to conduct a thorough
security review of the affected products.

It is essential to restrict access to IP cameras using VLANs, firewalls
etc. Otherwise the risk of being a botnet victim (e.g. Mirai) is high.


Vulnerability overview/description:
-----------------------------------
Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other
functionality, allow an attacker to enable the Telnet/SSH service for
remote administration over the network.

Other available functionality may have undesired effects to the camera
image quality or other camera functionality.

After enabling Telnet/SSH, another backdoor allows an attacker to gain
access to a Linux shell with root privileges!

The vulnerabilities are exploitable in the default configuration over the
network. Exploitation over the Internet is possible, if the web interface
of the device is exposed.


Proof of concept:
-----------------
The following application-level backdoor accounts exist:
- User debug, Passwort: popeyeConnection
- User primana, Passwort: primana

These accounts are allowed to access specific, undocumented CGI functionality!

Enabling Telnet:
Execute the following HTTP requests. Afterwards the Telnet service is running
(TCP port 23). The following command is for Gen5 products, verified on SNC-DH160:

   http://primana:primana@...T/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
   http://primana:primana@...T/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

Note: This request may look a bit different for Gen6 cameras, the string
"himitunokagi" (Japanese, translated: "secret key") is involved in the HTTP
request processing. On Gen6 cameras, a SSH daemon exists and can be enabled as
well.

Furthermore an OS-level backdoor exists. This backdoor allows an attacker to
login via Telnet/SSH and access the Linux shell with root privileges!

Below are the password hashes for the OS-level backdoor user:

   root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
   root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Note: The backdoor accounts likely allow an attacker with physical access to
the hardware to login via the serial port as well.


Vulnerable / tested versions:
-----------------------------
This vulnerability was verified on a SNC-DH160 camera with firmware
version V1.82.01 (snc-ch-dh-e-series-eb-em-zb-zm-1-82-01.zip).

The same vulnerabilities were found in firmware for Gen6 cameras
V2.7.0 (snc-g6-series-v2-7-0.zip) during automated firmware analysis with
SEC Technologies IoT Inspector.

According to Sony, at least the following products are affected:

SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120,
SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520,
SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551

SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585,
SNC-ER585H, SNC-ZP550, SNC-ZR550

SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C

SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630,
SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC,
SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B,
SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635,
SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R,
SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600,
SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631,
SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L,
SNC-WR602CL


Vendor contact timeline:
------------------------
2016-10-11: Contacting vendor through Sony Prime Support,
            asking for product security contact.
2016-10-11: Response from Product Manager - Video Security.
2016-10-14: Vendor sets up secure document exchange.
2016-10-14: Uploading security advisory.
2016-10-14: Vendor confirms receipt of security advisory.
2016-10-24: Asking for update.
2016-11-08: Asking for update again.
2016-11-08: Vendor: advisory information has been sent to HQ Japan,
            they are already working on it.
2016-11-28: Sony releases updated firmware and informs SEC Consult.
2016-11-30: Asking Sony additional questions regarding the vulnerability
            (no answer).
2016-11-30: Informing CERT-Bund and CERT.at.
2016-12-01: CERT-Bund informs FIRST (Forum of Incident Response and
            Security Teams).
2016-12-06: Public release of security advisory.


Solution:
---------
The vendor provided the following URL to download firmware updates for the
affected devices. Updates should be installed immediately:

https://www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras

The Sony "SNC Tool Box" can be used to confirm the current firmware version and
update the device:
https://pro.sony.com/bbsc/ssr/mkt-security/resource.downloads.bbsccms-assets-cat-camsec-downloads-SecurityDownloadsIPCameraTools.shtml


Workaround:
-----------
None available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2016


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3993 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ