[CVE-2022-38399 / CVE-2017-12576] SmaCam CS-QR10 and SmaCam Night Vision CS-QR20 vulnerability report.

Product Description:

The Planex CS-QR10 smart camera (aka Sumakame) and the Planex CS-QR20 (aka Sumakame Night Vision) are network camera that allows to easily view camera images from a smartphone using a dedicated app.

device-image

Affected Products:

  • All Planex CS-QR10 devices from version 1.36 and under
  • All Planex CS-QR20 devices from version 1.34 and under.

CS-QR20 HOME-PAGE-VERSION

Vulnerability Summary:

[CVE-2022-38399] - Missing Protection Mechanism for Alternate Hardware Interface (CWE-1299).
Both Planex CS-QR10 and CS-QR20 smart camera devices were discovered to contain insecure protections for its UART console. This vulnerability allows a local attacker to connect to the UART port via a serial connection which allows command execution as the root user without authentication.

[CVE-2017-12576] - OS Command Injection via Hidden Functionality (CWE-912).
After reverse engineering the device's firmware, it was discovered that a hidden functionality exists using /goform/SystemCommand which is located in the binary file /bin/boa. This allows an attacker the ability to execute Linux commands on the device with root privileges. This allows an attacker to have access to all the system files. It is also possible to change the root password which gives another way for an attacker to gain full access on the device. This issue affects all Planex CS-QR10 smart camera devices from version 1.36 and under as well as Planex CS-QR20 smart camera devices from version 1.34 and under.

Reproduction Steps:

1.Missing Protection Mechanism for Alternate Hardware Interface (CWE-1299).
After opening the case of the camera, we found the UART port on the motherboard. As pins to connect to it were already soldered, we simply plugged in a serial cable to the UART port to connect to the device.
IMG_20220808_221803
After a few seconds upon turning on the camera, we see that we have access to the U-Boot boot loader interface.

UART-UBOOT
After waiting approximately one minute, we then have access to the shell with admin rights.

UART-SHELL

2.OS Command Injection via Hidden Functionality (CWE-912).
Once logged in to the web administration interface using the default credentials admin:password, it is possible to execute a POST request to a hidden endpoint /goform/SystemCommand, witch allows an attacker the ability to execute any Linux commands as the root user. For example, in the following screenshot below we were able to open the telnet port.
hidden-cmd-injection-step1
After completing this step, we could then login to the system as the admin user (root privileges).
hidden-cmd-injection-step2

Recommendation Fixes / Remediation:

  • Vulnerability 1: Disable/Remove the UART port entirely for production devices or use a hard soldering bulb to completely disable the UART port. If you want to keep the UART port open, require entering a password to login to the U-boot interface and avoid grouping the UART pins together.
  • Vulnerability 2: Remove/disable completely SystemCommand from the formDefineManagement() function. After doing this, it will not be possible to call the function from the web application.

    fixsytemcommand

Reference:

Security researchers:

Thanks for reading this article! I hope you could learn something through my research! If you liked what you read, please share and follow my twitter at @0xSamy_