Critical Vulnerabilities Reported on Samsung SmartCam (Jan 27, 2017)

The SmartCam, originally developed by Samsung Techwin, is a security camera with cloud service support. It’s a popular IoT device that can monitor your house or baby.

On 8/14/2016, a remote code execution vulnerability in the SmartCam was disclosed by Pen Test Partners, allowing remote attackers to obtain a root shell. Several other vulnerabilities were reported at the same time, including an admin password reset and insecure network communications.

Several months later, on 1/17/2017, another batch of vulnerabilities was reported by exploitee.rs, all of which are critical and could lead to total compromise of the device, as well as of the user’s privacy.

All three vulnerabilities are caused by insecure PHP code in the firmware that backs the camera’s web UI. An attacker can exploit them by sending specially crafted HTTP requests. exploitee.rs has provided the details:

The class_admin_privatekey.php Password Reset

This vulnerability allows the administrator password to be changed without knowing the original one. It is triggered in the file /work/www/htdocs/classes/class_admin_privatekey.php in firmware “1.17_140507” and is due to a logic error.

As shown above, the code only checks whether the POST parameter is “NEW” (the mode used to create a password during initial setup), but never checks whether a password has already been set.

To exploit this vulnerability, send the following request to the camera:

curl 'http:///classes/class_admin_privatekey.php' --data 'data=NEW%3B
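To make the logic error concrete, here is an added Python model of the password-reset handler (not the firmware’s PHP, and not code from exploitee.rs or SonicWall). The vulnerable version mirrors the check described above; the hardened version treats “NEW” as valid only during first-time setup and otherwise requires the current password. The body format `data=NEW;<new password>` after the `%3B` is an assumption, since the page only shows the body up to `data=NEW%3B`.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs
import hashlib
import hmac
import os

# Added example modelling the class_admin_privatekey.php logic error in Python.
# The "data=NEW;<new password>" body layout is an assumption.


class AdminCredentialStore:
    """Minimal stand-in for the camera's stored admin credential."""

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None

    def is_set(self) -> bool:
        return self._hash is not None

    def set_password(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, password: str) -> bool:
        if self._hash is None or self._salt is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(candidate, self._hash)


def parse_body(body: str) -> Tuple[str, str]:
    """Split a form body such as 'data=NEW%3Bsecret' into (mode, new_password)."""
    data = parse_qs(body).get("data", [""])[0]
    mode, _, new_password = data.partition(";")
    return mode, new_password


def vulnerable_reset(store: AdminCredentialStore, body: str) -> int:
    """Reproduces the flaw: only the 'NEW' marker is checked, never whether a
    password already exists, so any unauthenticated caller can overwrite it."""
    mode, new_password = parse_body(body)
    if mode != "NEW":
        return 403
    store.set_password(new_password)
    return 200


def hardened_reset(store: AdminCredentialStore, body: str,
                   current_password: Optional[str] = None) -> int:
    """'NEW' is honoured only while no password exists; afterwards the caller
    must prove knowledge of the current password before it can be replaced."""
    mode, new_password = parse_body(body)
    if mode != "NEW":
        return 403
    if store.is_set() and (current_password is None or not store.verify(current_password)):
        return 403
    if len(new_password) < 8:
        return 400
    store.set_password(new_password)
    return 200
```

The important line is the `store.is_set()` check: the request mode alone says nothing about device state, so the handler has to consult the credential store before treating a “NEW” request as first-time setup.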

The iWatch install.php Remote Root Command Execution

This vulnerability allows remote command execution as the root user. In /mnt/custom/iwatch/web/install.php:

As shown in the code above, $tmpdir holds the path of the temporary upload file and is passed to the system() function for execution. However, this variable is derived from the user-supplied filename, which is not properly filtered, so shell metacharacters in the filename are interpreted by the shell. For example, the following filename could open a shell on port 9998:

;{busybox,telnetd,{echo,-l${HOME}bin${HOME}sh},-p9998};#1.bin

Wireless Network WEP Key Command Injection

During setup of a WEP Wi-Fi network, the “Password” field is passed to a command line for execution. This allows privilege escalation once an attacker has gained access to the web UI.
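Both the install.php and the WEP-key issues are the same bug class: untrusted input concatenated into a string handed to the shell. The following added Python example (not the firmware’s PHP, and not code from exploitee.rs or SonicWall) shows the unsafe construction next to the defensive form for both sinks, plus a small triage helper that flags suspicious parameters when reviewing request logs from the device. The upload directory, the tar and iwconfig argv shapes, and the `filename` parameter name are assumptions; the page does not show the real commands.

```python
import posixpath
import re
import shlex
from typing import Dict, List

# Added example; UPLOAD_DIR, the tar/iwconfig commands and the "filename"
# parameter name are assumptions, not taken from the firmware.
UPLOAD_DIR = "/tmp/upload"
SAFE_UPLOAD_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
SHELL_META = re.compile(r"[;&|`$(){}<>\\\"'\s]")
# WEP keys are 5 or 13 ASCII characters (WEP-40 / WEP-104) or 10 or 26 hex digits.
WEP_HEX = re.compile(r"(?:[0-9A-Fa-f]{10}|[0-9A-Fa-f]{26})")


def vulnerable_command(filename: str) -> str:
    """Mirrors the install.php pattern: the filename is spliced into a shell
    string, so ';' and friends in the name become separate commands."""
    tmpdir = f"{UPLOAD_DIR}/{filename}"
    return f"tar -xzf {tmpdir} -C {UPLOAD_DIR}"


def has_shell_metachars(value: str) -> bool:
    return SHELL_META.search(value) is not None


def safe_upload_path(filename: str) -> str:
    """Allowlist the name, then confirm the joined path stays inside UPLOAD_DIR."""
    if not SAFE_UPLOAD_NAME.fullmatch(filename):
        raise ValueError("upload name rejected by allowlist")
    path = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    if posixpath.dirname(path) != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return path


def safe_install_argv(filename: str) -> List[str]:
    """An argv list runs without a shell, so metacharacters are inert even if
    the allowlist were later loosened."""
    return ["tar", "-xzf", safe_upload_path(filename), "-C", UPLOAD_DIR]


def validate_wep_key(key: str) -> bool:
    if WEP_HEX.fullmatch(key):
        return True
    return len(key) in (5, 13) and key.isascii() and key.isprintable()


def safe_wep_argv(interface: str, key: str) -> List[str]:
    if not re.fullmatch(r"[A-Za-z0-9]{1,15}", interface):
        raise ValueError("bad interface name")
    if not validate_wep_key(key):
        raise ValueError("WEP key rejected")
    # Hex keys are passed as-is; ASCII keys use iwconfig's "s:" prefix.
    arg = key if WEP_HEX.fullmatch(key) else "s:" + key
    return ["iwconfig", interface, "key", arg]


def quoted_for_shell(key: str) -> str:
    """If a shell string really is unavoidable, quote rather than concatenate."""
    return "iwconfig wlan0 key " + shlex.quote(key)


def triage_request(path: str, params: Dict[str, str]) -> List[str]:
    """Flag parameters carrying shell metacharacters toward the two known sinks."""
    findings: List[str] = []
    if path.endswith("/install.php") and has_shell_metachars(params.get("filename", "")):
        findings.append("install.php: shell metacharacters in upload filename")
    password = params.get("Password")
    if password is not None and has_shell_metachars(password) and not validate_wep_key(password):
        findings.append("wifi setup: shell metacharacters in WEP password")
    return findings
```

Validation and the argv form work together: the allowlist rejects anything that is not a plain file name, and passing an argument list means no shell ever parses the value. `shlex.quote` is the fallback for code that cannot avoid building a shell string; it is not a substitute for validating the value in the first place.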

The SonicWALL Threat Research Team has released the following signatures to protect its customers:

  • IPS 12581: Samsung SmartCam iWatch install.php Remote Root Command Execution
  • IPS 12580: Samsung SmartCam Password Reset Vulnerability

References:

[1] https://www.exploitee.rs/index.php/Samsung_SmartCam%E2%80%8B#iWatch_install.php_Remote_Root_Command_Execution

[2] http://www.freebuf.com/vuls/125448.html
