Talos Vulnerability Report

TALOS-2018-0687

Anker Roav A1 Dashcam HTTP Path Overflow Code Execution Vulnerability

May 13, 2019
CVE Number

CVE-2018-4016

Summary

An exploitable code execution vulnerability exists in the URL-parsing functionality of the Roav A1 Dashcam running version “RoavA1_SW_V1.9.” A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.

Tested Versions

Anker Roav A1 Dashcam RoavA1_SW_V1.9

Product URLs

https://goroav.com/products/roav-dash-cam-a1

CVSSv3 Score

8.0 - CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-121: Stack-based Buffer Overflow

Details

The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that the users can toggle settings and download videos from the dashcam, along with a host of other features. In order to do this, users must first enable the “Wi-Fi AP” setting manually on the dashcam, and then connect to the “Roav_A1_” SSID, with the default password of “goroavcam.”

From here, the app interacts mainly with the dashcam via an eCOS webserver running on port 80 that requires no authentication. The standard HTTP POST, GET, and DELETE requests can be used to upload, download, or delete videos and pictures from the dashcam, but there’s also a separate interface used for configuration. When requesting any URL, a set of commands is accessed by providing the following HTTP query string: ?custom=1&cmd=<0000-9999>. It should be noted that only a subset of commands are implemented, the list of which can be found by accessing http://192.168.1.254/?custom=1&cmd=3012.

For the purposes of this writeup, we will not even be discussing any of the commands, but rather the file path of the HTTP request. When sending an HTTP GET request with a large file name (bigger than 0xA0), a function is called (most likely a derivative or earlier version of cyg_mtab_lookup()) which behaves like an unbounded strcpy. This function copies the path of the request into a size 0x80 buffer, stored on the top of the stack. The stack layout [1] is shown below:

ROM:800FA034 cyg_mtab_lookup?:      # CODE XREF: parse_url_1+44↑p
ROM:800FA034                        = # sub_800B9858+40↑p  ...
ROM:800FA034
ROM:800FA034 buff_0x80       = -0xA8    //[1]
ROM:800FA034 stores_a2       = -0x28
ROM:800FA034 var_20          = -0x20
ROM:800FA034 var_1C          = -0x1C
ROM:800FA034 var_18          = -0x18
ROM:800FA034 var_14          = -0x14
ROM:800FA034 var_10          = -0x10
ROM:800FA034 var_C           = -0xC
ROM:800FA034 var_8           = -8
ROM:800FA034 arg_4           = -4 

This will result in a stack-based buffer overflow if given a path that’s longer than 0x80 bytes.

For purposes of exploitation, there is another offset that is read and written to, besides the overwritten $ra, at ~buff+0x84.

Crash Output

*** CPU Exception!!! cause 0x05: Address error exception (store)
epc  - 0x800fa168
$ra  - 0x800b9768
$sp  - 0x80d424d0
$fp  - 0x80d425f0
general registers:
     $zero : 0x807d0000       $at : 0x00000000       $v0 : 0x0000002f       $v1 : 0x0000002f
       $a0 : 0x0000002f       $a1 : 0x0000002f       $a2 : 0x61616161       $a3 : 0x80d42447
       $t0 : 0x01010101       $t1 : 0x80808080       $t2 : 0xffffffe0       $t3 : 0x00000012
       $t4 : 0x00000008       $t5 : 0x807d2bb4       $t6 : 0x74706563       $t7 : 0x2f2a203a
       $s0 : 0x80d425a0       $s1 : 0x80d424e0       $s2 : 0x80d4259c       $s3 : 0x80000c20
       $s4 : 0x80000c20       $s5 : 0x80d5343c       $s6 : 0x80000b20       $s7 : 0x00000000
       $t8 : 0x05040018       $t9 : 0x05040019      null : 0x80d424c8      null : 0x800a1148
        gp : 0x8060f540        sp : 0x80d424d0        fp : 0x80d425f0        ra : 0x800b9768
co-processor registers:
   entrylo : 0x00000000    status : 0x00000014    vector : 0x0100c403       epc : 0x800fa168
     cause : 0x00000000  badvaddr : 0x00800014    hwrena : 0x61616161      prid : 0x00019655
   entrylo : 0x01645792
Thread(id) : 

  Hfs Session(260)
stack      : 
    range(0x80d3cef4 - 0x80d42ef4)
call stack :
  0 frame(0x80d424d0 - 0x80d42588) ............................ $pc : 0x800fa168
     + 0x80d424d0 : 0x00000002 0x807d2bac 0x807d2bac 0x807d2fbc 
     + 0x80d424e0 : 0x6364732f 0x2f647261 0x61616161 0x61616161 
     + 0x80d424f0 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42500 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42510 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42520 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42530 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42540 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42550 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42560 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42570 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42580 : 0x00000000 0x800b9768 
  1 frame(0x80d42588 - 0x80d425b8) ............................ $pc : 0x800b9760
     + 0x80d42580 :                       0x00000008 0x80d430c6 
     + 0x80d42590 : 0x00000048 0x80d3cdc0 0x80000b20 0x00000000 
     + 0x80d425a0 : 0x80d5343c 0x00000048 0x80d3cdc0 0x80d43028 
     + 0x80d425b0 : 0x00000008 0x803ce1f4 
  2 frame(0x80d425b8 - 0x80d42e58) ............................ $pc : 0x803ce1ec
     + 0x80d425b0 :                       0xdeadbeef 0x80d43028 
     + 0x80d425c0 : 0x80afe8d4 0x80afe8b8 0x00000000 0x80d429c8 
     + 0x80d425d0 : 0x00000003 0xdeadbeef 0x0000c800 0xdeadbeef 
     + 0x80d425e0 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d425f0 : 0x00000001 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42600 : 0x31363935 0xdead0039 0xdeadbeef 0x00000000 
     + 0x80d42610 : 0x00000000 0x00000000 0x00000000 0x00000000 
     + 0x80d42620 : 0x00000000 0x746e6f43 0x2d746e65 0x65707954 
     + 0x80d42630 : 0x2000203a 0xdeadbe00 0xdeadbeef 0xdeadbeef 
     + 0x80d42640 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42650 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42660 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42670 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42680 : 0xdeadbeef 0xdeadbeef 0x302e3232 0x3733322e 
     + 0x80d42690 : 0x3733322e 0xdeadbe00 0xdeadbeef 0xdeadbeef 
	[…]
     + 0x80d42950 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42960 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42970 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42980 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42990 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d429a0 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d429b0 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d429c0 : 0xdeadbeef 0xdeadbeef 0x6364732f 0x2f647261 
     + 0x80d429d0 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d429e0 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d429f0 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42a00 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42a10 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42a20 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42a30 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42a40 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42a50 : 0x61616161 0x61616161 0x61616161 0x61616161 
     + 0x80d42a60 : 0x61616161 0x61616161 0xdeadbe00 0xdeadbeef 
     + 0x80d42a70 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
     + 0x80d42a80 : 0xdeadbeef 0xdeadbeef 0xdeadbeef 0xdeadbeef 
	[…]
  end
*** CPU Exception in Task[]! cause=0x00000005, addr=0x800fa168

Timeline

2018-10-29 - Vendor Disclosure
2018-11-02 - 2nd vendor contact
2018-11-05 - Vendor acknowledged & created ticket reference
2019-01-03 - 60 day follow up; Vendor closed ticket and advised issue under review with Engineering team; Talos requested point of contact for Engineering team
2019-03-06 - 90 + day follow up
2019-03-27 - Final notice of public disclosure
2019-04-18 - Suggested public disclosure date (171 days after initial disclosure) 2019-05-13 - Public Release

Credit

Discovered by Lilith ¯\_(ツ)_/¯ of Cisco Talos.