Critical Vulnerabilities Reported on Samsung SmartCam
The SmartCam, originally developed by Samsung Techwin, is a security camera with cloud service support. It's a popular IoT device that can monitor your house or baby.
On 8/14/2016, a remote code execution vulnerability was discovered on the SmartCam by PentestPartners, allowing remote attackers to obtain a root shell. Several other vulnerabilities were also reported, such as resetting the admin password and insecure network communications.
Several months later, on 1/17/2017, another batch of vulnerabilities was reported by exploitee.rs, all of which are critical vulnerabilities that could lead to total compromise of the device, as well as of the users' privacy.
All 3 vulnerabilities are caused by insecure implementations in the firmware's PHP code, which provides the camera's web UI. An attacker can exploit them by sending crafted HTTP requests. exploitee.rs has provided the details:
The class_admin_privatekey.php Password Reset
The vulnerability allows the administrator password to be changed without knowing the original one. It is triggered in the file /work/www/htdocs/classes/class_admin_privatekey.php in firmware "1.17_140507", due to a logic error.
As shown above, the code only checks whether the POST parameter is "NEW" (creating a new password during setup), but does not check whether a password has already been set.
To exploit this vulnerability, send the following request to the camera:
The iWatch install.php Remote Root Command Execution
This vulnerability allows remote command execution as the root user. In /mnt/custom/iwatch/web/install.php:
As shown in the code above, $tmpdir contains the path for the temporary file upload and is passed to the system() function for execution. However, this variable is derived from the user-supplied filename and is not properly filtered. For example, the following filename could open a shell on port 9998:
Wireless Network WEP Key Command Injection
In the procedure for setting up a WEP Wi-Fi network, the "Password" field is passed to the command line for execution. This allows privilege escalation once an attacker has gained access to the web UI.
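The install.php and WEP key bugs share one root cause: a user-supplied string reaches system() unfiltered. The PHP below is an added example, not code from the firmware or from exploitee.rs, showing the hardened shape of both handlers; $uploadRoot, save_upload() and wep_key_argument() are illustrative names assumed here.

```php
<?php
// Added example (not the SmartCam firmware's code). Names such as
// $uploadRoot, save_upload() and wep_key_argument() are assumptions.

// Accept only a conservative allow-list of filename characters. Anything the
// shell could interpret (; | & $ ` quotes, newlines, path separators) is refused.
function validate_filename(string $name): ?string {
    $base = basename($name);                      // strip any directory part
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $base)) {
        return null;
    }
    return $base;
}

// The advisory describes a temp-dir path built from the raw filename being
// handed to system(). The fix is to keep user input away from any shell and
// do the filesystem work with PHP's own functions.
function save_upload(array $file, string $uploadRoot): bool {
    $safe = validate_filename($file['name']);
    if ($safe === null) {
        error_log('upload rejected: bad filename');
        return false;
    }
    $tmpdir = $uploadRoot . '/' . bin2hex(random_bytes(8));   // server-chosen name
    if (!mkdir($tmpdir, 0700, true)) {            // instead of system("mkdir ...")
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $tmpdir . '/' . $safe);
}

// When a shell command is unavoidable (e.g. a wireless tool that takes the WEP
// key as an argument), validate the value's format first and then pass it
// through escapeshellarg(). WEP keys are 5 or 13 ASCII chars, or 10 or 26 hex.
function wep_key_argument(string $key): ?string {
    $len   = strlen($key);
    $isHex = (bool) preg_match('/^[0-9A-Fa-f]+$/', $key);
    $okLen = ($isHex && ($len === 10 || $len === 26)) || $len === 5 || $len === 13;
    if (!$okLen || preg_match('/[^\x20-\x7E]/', $key)) {   // printable ASCII only
        return null;
    }
    return escapeshellarg($key);                  // single-quoted, safe for sh
}
```

Rejecting bad input before it is quoted, rather than relying on quoting alone, is what closes both the install.php and the WEP "Password" paths.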
The SonicWALL Threat Research Team has released the following signatures to protect customers:
- IPS 12581: Samsung SmartCam iWatch install.php Remote Root Command Execution
- IPS 12580: Samsung SmartCam Password Reset Vulnerability