Bishop Fox Security Advisory: Multiple Security Vulnerabilities Discovered in SV3C L-Series HD Camera

The following write-up describes several vulnerabilities found within the SV3C L-Series HD Camera, version 2.3.4.2103-S50-NTD-B20170823B and below. This includes version V2.3.4.2103-S50-NTD-B20170508B, which is the version shipped on the camera by default.

Product Description

SV3C is a Chinese reseller of home and small business security cameras. The company’s official website is www.sv3c.com. The latest version of the application is V2.3.4.2103-S50-NTD-B20170823B, released on August 23, 2017.

Vulnerabilities List

A total of 10 vulnerabilities were identified within the SV3C Camera:

  • Improper Session Management
  • Improper Authentication
  • Use of Hard-coded Passwords
  • Improper Authorization
  • OS Command Injection
  • Password Exposure
  • Stored Cross-site Scripting
  • Information Disclosure
  • Cleartext Transmission of Sensitive Information
  • Open Redirect

These vulnerabilities are described in the following sections.

Affected Versions

Version: V2.3.4.2103-S50-NTD-B20170508B

Version: V2.3.4.2103-S50-NTD-B20170823B

Solution

No fix has been released yet.

SV3C L-Series HD Camera — Vulnerabilities

Improper Session Management

The SV3C HD Camera is affected by an improper session management vulnerability that allows the camera login page to be bypassed. This vulnerability could be used to log in to the application without knowing the username and password set by the administrative user. The vulnerability affects version V2.3.4.2103-S50-NTD-B20170508B.

Vulnerability Details

CVE ID: CVE-2018-12666

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-228

CVSS Base Score: 9.8

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The SV3C Camera is vulnerable to improper session management due to a lack of proper session token generation. Users are identified only by the authentication level sent in the cookies. When the cookie was set with the name authLevel and the value 255 as shown below, the application allowed the user administrative access to the web application.

By setting the authLevel cookie, it is possible to bypass the login page and access all functionality within the application with the privilege level of 255, which is equivalent to an admin.

Improper Authentication

The SV3C HD Camera is affected by an improper authentication vulnerability that allows requests to be made to back-end CGI scripts without a valid session. This vulnerability could be used to read and modify the SV3C Camera configuration. The vulnerability affects all versions.

Vulnerability Details

CVE ID: CVE-2018-12667

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-287

CVSS Base Score: 9.8

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The SV3C Camera is vulnerable to improper authentication due to improper access checks. When expected requests were submitted to the application without any session cookies, no checks were performed and the application accepted the request as valid, as shown below:

The response to this request is shown below:

It is then possible to confirm within the application that the settings have been updated, as shown below:

This means that the camera does not do any kind of privilege checking and does not have any proper authentication or authorization checks in place.
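The two flaws above, a client-supplied authLevel cookie and back-end handlers that accept requests with no session, share one remedy: an opaque server-side session that every handler checks. The following is an added example, not code from the camera firmware or from the original advisory; the account table, the cookie name session, the timeout and all function names are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 900   # seconds; assumed session lifetime
ADMIN_LEVEL = 255   # the admin privilege level named in the advisory

# Server-side session table: opaque token -> (username, level, expiry).
_sessions = {}
# Hypothetical account store (username -> privilege level).
_accounts = {"admin": ADMIN_LEVEL, "viewer": 1}


def vulnerable_auth_level(cookies):
    """Flawed pattern: the privilege level is whatever the client sends."""
    return int(cookies.get("authLevel", 0))


def create_session(username, now=None):
    """Issue an unguessable token after a successful login."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _sessions[token] = (username, _accounts[username], now + SESSION_TTL)
    return token


def hardened_auth_level(cookies, now=None):
    """Resolve the level from server state; client claims are ignored."""
    now = time.time() if now is None else now
    token = cookies.get("session", "")
    record = _sessions.get(token)
    if record is None:
        return 0  # no cookie, or a token the server never issued
    _username, level, expiry = record
    if now > expiry:
        _sessions.pop(token, None)  # expired sessions are discarded
        return 0
    return level


def require_level(cookies, needed, now=None):
    """Check to run at the top of every back-end handler."""
    return hardened_auth_level(cookies, now) >= needed
```
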

Use of Hard-coded Passwords

The SV3C HD Camera is shipped with a root password that can be brute-forced. This password was also found to be documented online via external sources. The password could be used to log in to the exposed telnet service to gain root privileges on the affected devices.

This vulnerability exists on V2.3.4.2103-S50-NTD-B20170508B. The latest version of the software, V2.3.4.2103-S50-NTD-B20170823B, includes a root account with the same password, but the telnet port has been closed.

Vulnerability Details

CVE ID: CVE-2018-12668

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-259

CVSS Base Score: 9.8

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The password used as the root login account is easily brute-forced as its complexity is weak. Additionally, the password can be found in publicly disclosed password databases such as RockYou. A successful login is shown below:

The password used, cat1029, is shipped on all SV3C HD Cameras. The credentials root:cat1029 can be used to log in to the exposed telnet service.

Improper Authorization

The SV3C camera is vulnerable to improper authorization due to its lack of enforced vertical and horizontal access controls. An attacker with remote access to the SV3C HD Camera web interface can change passwords set within the camera by sending a change password request to the endpoint. This vulnerability affects all versions.

Vulnerability Details

CVE ID: CVE-2018-12669

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-285

CVSS Base Score: 8.8

CVSS Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

All accounts set within the SV3C HD Camera web interface can be reset by directly sending an updated password request to the web endpoint, as shown below:

The above proof of concept will update the username user0 to admin and the password to secretpass. The privilege level will then be set to 255, the highest privilege possible. This attack can be performed by any user.

OS Command Injection

The SV3C HD Camera does not perform validation checks on user inputs and is vulnerable through the ping function, within the web interface, to OS command injection. This vulnerability can be used to run arbitrary commands on the affected system. The vulnerability affects all versions.

Vulnerability Details

CVE ID: CVE-2018-12670

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-78

CVSS Base Score: 9.8

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An attacker could use a crafted URL to inject commands and run them on the system. A proof of concept of this vulnerability is shown below:

The above command performs the ping test against google.com, then runs the wget command against the IP 192.168.99.123. Other commands can be issued but are limited due to the use of BusyBox on the camera.
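The missing input validation described above can be closed by validating the ping target and passing it as a single argument with no shell involved. The following is an added example, not code from the camera firmware or from the original advisory; the function names and the ping options shown are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits, inner hyphens, 1 to 63 chars.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def vulnerable_ping_command(host):
    """Flawed pattern: user input concatenated into a shell command line."""
    return "ping -c 1 " + host  # the result is later handed to a shell


def validate_ping_target(host):
    """Return host if it is an IP literal or RFC 1123 hostname, else raise."""
    if not isinstance(host, str) or not 1 <= len(host) <= 253:
        raise ValueError("target has an invalid length")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal; fall through to the hostname check
    labels = host.rstrip(".").split(".")
    # fullmatch rejects spaces, newlines and every shell metacharacter,
    # and a label can never start with "-" (no option injection).
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("target is not a hostname or IP address")
    return host


def safe_ping_argv(host):
    """Build an argument vector for exec-style invocation (no shell)."""
    target = validate_ping_target(host)
    # "--" ends option parsing as defence in depth; the list is meant for
    # subprocess.run(argv) with the default shell=False.
    return ["ping", "-c", "1", "--", target]
```
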

Password Exposure

An attacker with remote access to the SV3C HD Camera web interface can disclose information about the camera, including all passwords set within the camera. This information can then be used to gain access to the web interface. This vulnerability affects all versions.

Vulnerability Details

CVE ID: CVE-2018-12671

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-200

CVSS Base Score: 7.5

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

An attacker with access to the camera could disclose information about the camera and its network by submitting requests to endpoints used within the web application.

The following request can be used to gain access to the set usernames and passwords:

The response to the above request is shown below:

This request discloses all usernames, passwords, and authentication levels that specify if an account is a user or admin.

Stored Cross-site Scripting

The SV3C HD Camera does not perform proper validation on user-supplied input and is vulnerable to cross-site scripting attacks. If proper authorization was implemented, this vulnerability could be leveraged to perform actions on behalf of another user or the administrator. The vulnerability affects version V2.3.4.2103-S50-NTD-B20170508B, which ships with the camera as default. It is unknown if the latest version is affected.

Vulnerability Details

CVE ID: CVE-2018-12672

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 7.1

CVSS Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

An attacker could use a crafted URL to insert a JavaScript payload that could be leveraged to execute scripts within another user’s browser. Below is a proof of concept:

This proof of concept will insert a script into the camera name. When the name is loaded within the web interface (i.e., on the page found at Media > OSD), then the script is executed and an alert box pops up within the user’s browser, as shown below:

A user who loads this page will load the script, which could perform malicious actions against the camera under the logged-in user’s account.

Information Disclosure

An attacker with remote access to the SV3C HD Camera web interface can disclose information about the camera including camera hardware, wireless network, and local area network information. This vulnerability affects all versions.

Vulnerability Details

CVE ID: CVE-2018-12673

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-200

CVSS Base Score: 7.5

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

An attacker with access to the camera could disclose information about the camera and the configuration of the network it is on by submitting requests to endpoints used within the web application.

The following request can be used to gain access to information about the camera:

The response to the above request is shown below:

The following request can be used to gain information about the wireless network if the camera is Wi-Fi enabled and in use:

The following response is returned:

The following request can be used to gain access to information about the local area network:

Below is the response to the above request:

These requests can be used to gain additional information about the camera and its environment.

Cleartext Transmission of Sensitive Information

The SV3C HD Camera stores the username and password within the cookies of a session. If an attacker gained access to these session cookies, it would be possible to gain access to the username and password of the logged-in account. This vulnerability affects all versions.

Vulnerability Details

CVE ID: CVE-2018-12674

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-319

CVSS Base Score: 5.7

CVSS Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

The SV3C HD Camera discloses the username and password via the cookies found in the session of the camera. By copying out and decoding the Base64 strings, it is possible to view the username and password of the account, as shown below:

The above strings, YWRtaW4%3D and d2FzZGFm, are Base64 encoded and can be decoded to the following:

Decoding the strings reveals the username and password of the session in use.

Open Redirect

The SV3C HD Camera does not perform origin checks on URLs that the camera’s web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint. This vulnerability affects all versions.

Vulnerability Details

CVE ID: CVE-2018-12675

Access Vector: Remote

Security Risk: Medium

Vulnerability: CWE-601

CVSS Base Score: 4.3

CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

A crafted link can be leveraged to send a user to an unexpected endpoint. The following proof of concept will redirect a user to the Bishop Fox website:

This vulnerability can be used along with phishing campaigns and other vulnerabilities to further exploit a user.
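The origin check that the web interface lacks can be implemented as an allow-list applied to the redirect target before it is placed in a Location header. The following is an added example, not code from the camera firmware or from the original advisory; the allowed origin (a constructed LAN address), the fallback path and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions: the origin the web interface is served from, and the page
# to fall back to when a target is rejected.
ALLOWED_ORIGINS = {("http", "192.168.1.10")}
FALLBACK = "/"


def safe_redirect_target(target, allowed=ALLOWED_ORIGINS):
    """Return target if it stays on an allowed origin, otherwise FALLBACK."""
    if not isinstance(target, str) or not target:
        return FALLBACK
    # Browsers treat "\" like "/" and drop tabs and newlines while parsing,
    # so reject them instead of guessing how the client will read them.
    if "\\" in target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:  # for example a malformed bracketed IPv6 host
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a single-slash absolute path only.
        # Browsers resolve "//host" and "///host" to a different host.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    # Absolute URL: scheme and authority must match an allowed origin
    # exactly, so userinfo tricks ("allowed@other") and look-alike
    # suffixes ("allowed.other") both fail the comparison.
    if (parts.scheme.lower(), parts.netloc.lower()) in allowed:
        return target
    return FALLBACK
```
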

Disclosure Timeline:

  • Initial discovery: 4/16/2018
  • Vendor contacted: 6/18/2018
  • Response from vendor: 6/27/2018
  • Vulnerabilities report sent: 7/3/2018
  • Vulnerability status requested, no response: 7/22/2018
  • Vulnerability status requested, no response: 8/20/2018

Researcher:

Jefferino Siqueria, Security Analyst at Bishop Fox