Fi8sVrs

Backdoor in Sony IPELA Engine IP Cameras


SEC Consult has found a backdoor in Sony IPELA Engine IP Cameras, mainly used professionally by enterprises and authorities. This backdoor allows an attacker to run arbitrary code on the affected IP cameras. An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you. This vulnerability affects 80 different Sony camera models. Sony was informed by SEC Consult about the vulnerability and has since released updated firmware for the affected models.


Further information about the backdoor, disclosure timeline, affected devices and updated firmware can be found in our advisory. This blog post has some highlights from the vulnerability analysis.

This advisory is the result of research that started by uploading a recent firmware update file from a Sony camera into our cloud-based firmware analysis system IoT Inspector.

After a few minutes the analysis results were available. One result immediately caught our attention:

[Figure: Excerpt from IoT Inspector results]

So here we have two password hashes, one is for the user admin and was cracked immediately. The password is admin. This is no surprise as the default login credentials are admin:admin.


The second password hash is much more interesting: it's for the user root, and it was found in two different files: /etc/init.d/SXX_directory and /usr/local/lib/libg5_usermanage.so.0.0.0



We can use the file system browser of IoT Inspector to have a look at the SXX_directory.

[Figure: Excerpt from IoT Inspector filesystem browser]

It looks like this startup script (called by /sbin/init/rcS during boot) is responsible for creating and populating the file /tmp/etc/passwd (/etc/passwd is a symlink to this file). A line for the user, including a password hash, is added; the shell is /bin/sh. Not good!

So, what can we do if we can crack the hash? At this point we can assume that it's very likely we can login using UART pins on the PCB. This of course requires us to have physical access and to disassemble the device.


The other locations where we could possibly use the password are Telnet and SSH, but neither service is available on the device … or is it? A quick string search in the firmware's filesystem for “telnet” shows that a CGI binary called prima-factory.cgi contains this string a few times. IDA Pro to the rescue! It seems this CGI has the power to do something with Telnet:

[Figure: prima-factory.cgi strings in IDA Pro]

The code in g5::cgifactory::factorySetTelnet() (in decompiled form below) is pretty straightforward. Based on input, the inetd daemon is killed or started:

[Figure: decompiled g5::cgifactory::factorySetTelnet()]

The inetd daemon gets its configuration from /etc/inetd.conf, and inetd.conf is set up to launch Telnet:

[Figure: /etc/inetd.conf]

So how can we reach this CGI functionality? The answer lies in the lighttpd binary. Lighttpd is an open source web server that was modified by Sony. Some custom code for HTTP request handling and authentication was added. Below is an excerpt from a data structure that maps the URI /command/prima-factory.cgi to the CGI in the file system. The authentication function is HandleFactory.

[Figure: lighttpd HTTP handler table mapping /command/prima-factory.cgi]

HandleFactory decodes the HTTP Basic Authentication header and compares it to the username/password primana:primana.

[Figure: HandleFactory]

Now we have all ingredients to craft an attack that looks like this:

  1. Send HTTP requests to /command/prima-factory.cgi containing the “secret” request values cPoq2fi4cFk and zKw2hEr9, and use primana:primana for HTTP authentication. This starts the Telnet service on the device.
  2. Login using the cracked root credentials via Telnet. Note: We have not cracked the root password, but it's only a matter of time until someone will.


The user primana has access to other functionality intended for device testing or factory calibration(?). There is another user named debug with the password popeyeConnection that has access to other CGI functionality we didn't analyze further.

We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing) and not an "unauthorized third party" like in other cases (e.g. the Juniper ScreenOS Backdoor, CVE-2015-7755).

We have asked Sony some questions regarding the nature of the backdoor, intended purpose, when it was introduced and how it was fixed, but they did not answer.

For further information regarding affected devices and patched firmware, see our advisory. IoT Inspector now comes with a plugin that detects this vulnerability.

Source

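As an added illustration (not SEC Consult's or IoT Inspector's code), here is a small check a firmware reviewer could run over an extracted root filesystem to flag exactly the pattern the post describes: an init script that appends a hashed-password account with a login shell to a passwd file. The demo tree, the script name S99_demo_directory and the hash value are constructed placeholders.

```python
import os
import re
import tempfile

# crypt(3)-style modular hash: $1$ (md5crypt), $5$/$6$ (sha-crypt), $2*$ (bcrypt)
CRYPT_HASH = r"\$(?:1|2[aby]?|5|6)\$[^\s:$'\"]+\$[A-Za-z0-9./]+"
# A full passwd(5) entry carrying a hash in the password field.
PASSWD_ENTRY = re.compile(
    r"(?P<user>[a-z_][a-z0-9_-]*):(?P<hash>" + CRYPT_HASH + r"):"
    r"(?P<uid>\d+):(?P<gid>\d+):[^:]*:[^:]*:(?P<shell>/[^\s:'\"]*)")
# Shell redirection that appends to or overwrites a passwd/shadow file.
WRITES_PASSWD = re.compile(r">>?\s*\S*/(?:passwd|shadow)\b")

def scan_init_scripts(root):
    """Return init.d lines that write a hashed-password account into passwd/shadow."""
    findings = []
    initd = os.path.join(root, "etc", "init.d")
    if not os.path.isdir(initd):
        return findings
    for name in sorted(os.listdir(initd)):
        path = os.path.join(initd, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:          # latin-1 never fails on odd firmware bytes
            lines = f.read().decode("latin-1").splitlines()
        for lineno, line in enumerate(lines, 1):
            entry = PASSWD_ENTRY.search(line)
            if entry and WRITES_PASSWD.search(line):
                uid = int(entry.group("uid"))
                findings.append({
                    "script": name, "line": lineno, "user": entry.group("user"),
                    "uid": uid, "shell": entry.group("shell"),
                    "severity": "critical" if uid == 0 else "high",
                })
    return findings

def build_demo_root():
    """Constructed firmware tree: one benign and one suspicious init script."""
    root = tempfile.mkdtemp(prefix="fw_")
    initd = os.path.join(root, "etc", "init.d")
    os.makedirs(initd)
    with open(os.path.join(initd, "S10_network"), "w") as f:
        f.write("#!/bin/sh\nifconfig eth0 up\necho started >> /var/log/boot.log\n")
    with open(os.path.join(initd, "S99_demo_directory"), "w") as f:
        f.write("#!/bin/sh\ncp /etc/passwd.default /tmp/etc/passwd\n"
                "echo 'root:$1$CONSTRUCTED$0000000000000000000000:0:0:root:/:/bin/sh'"
                " >> /tmp/etc/passwd\n")  # hash value is a placeholder, not a real one
    return root
```

Running `scan_init_scripts(build_demo_root())` reports the single uid-0 entry with shell /bin/sh as critical and ignores the benign script; point it at an unpacked firmware root to scan real init scripts.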

"We believe that this backdoor was introduced by Sony developers on purpose (maybe as a way to debug the device during development or factory functional testing)"


"We have asked Sony some questions regarding the nature of the backdoor, intended purpose, when it was introduced and how it was fixed, but they did not answer."


How about mass-fucking-surveillance??

Let's not forget: https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-communications-nsa and  https://www.theguardian.com/uk/2013/jun/21/gchq-mastering-the-internet


----

"last year (2012) GCHQ was handling 600m "telephone events" each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time."


"Each of the cables carries data at a rate of 10 gigabits per second, so the tapped cables had the capacity, in theory, to deliver more than 21 petabytes a day"


"The GCHQ mass tapping operation has been built up over five years by attaching intercept probes to transatlantic fibre-optic cables where they land on British shores carrying data to western Europe from telephone exchanges and internet servers in north America."


"This was done under secret agreements with commercial companies, described in one document as "intercept partners"."

"The papers seen by the Guardian suggest some companies have been paid for the cost of their co-operation and GCHQ went to great lengths to keep their names secret."


"The source with knowledge of intelligence said on Friday the companies were obliged to co-operate in this operation. They are forbidden from revealing the existence of warrants compelling them to allow GCHQ access to the cables."

Edited by QuoVadis