GET pwned: Web CCTV cams can be hijacked by single HTTP request

Solarquest

Server buffer overflow equals remote control

An insecure web server embedded in more than 35 models of internet-connected CCTV cameras leaves countless devices wide open to hijacking, it is claimed.

The gadgets can be commandeered from the other side of the world with a single HTTP GET request before any password authentication checks take place, we're told. If your camera is one of the at-risk devices, and it can be reached on the web, then it can be attacked, infected with malware and spied on. Network cameras typically use UPnP to drill through to the public internet automatically via your home router.

Proof-of-concept code to exploit the vulnerable web server in the cameras can be found right here on GitHub. It was published a few hours ago by a security pro going by the name of Slipstream, who reverse-engineered the cams' firmware and discovered the hole. Slip has previously appeared in these pages for exposing security shortcomings in UK school software, Dell computers and Microsoft's Secure Boot. The web server is present to allow owners to configure their cameras from their browsers.

It appears the exploited bug is thus: if the URL query string contains a parameter called "basic", its value is copied byte by byte from the URL into a fixed 256-byte buffer on the stack. If you send a query longer than 256 bytes, you overflow the buffer and start overwriting the stack. An attacker can do this to prime the stack with memory addresses to control the flow of execution.

Instead of doing what its programmers told it to do, the server starts dancing to the hacker's tune – such as opening a remote-control backdoor. It's a textbook stack buffer overflow with return-oriented programming to hijack the server.

It gets better: the overflow happens before the server has time to authenticate the user, so even if someone has changed the default passwords, their gadget is still vulnerable. This is the vulnerable code:

// ptr = start of the query's parameter value string
// queryval_cpy is a 256-byte char array on the stack; i starts at 0
while ((*ptr != '\0') && (*ptr != '&'))
{
    queryval_cpy[i] = *ptr; // no check that i stays below 256: this is the overflow
    ptr++;
    i++;
}


Hang on, we're not done yet: whoever crafted the firmware shared by all these devices modified the GoAhead embedded web server and seemingly introduced the bug. According to Slip, more than seven internet-of-things CCTV camera vendors use the dodgy firmware.

More in the link above.
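For contrast with the unchecked loop quoted above, here is an added example (not GoAhead's code, not the camera firmware, and not from the article) of how the same "basic" parameter can be copied into a 256-byte stack buffer with a length check, so an oversize value is rejected instead of overwriting the stack; the function names and the 1024-byte scratch buffer in check_long_basic are assumptions made for the example.

```c
#include <string.h>

#define QUERYVAL_MAX 256   /* same size as the camera's on-stack buffer */

/* Hypothetical hardened replacement for the copy loop quoted in the post.
 * Walks the query string parameter by parameter and copies the value of
 * "basic" into a caller-supplied buffer, stopping at '&' or end of string.
 * Returns bytes copied, -1 if the value would not fit, or -2 if absent. */
int copy_basic_param(const char *query, char *out, size_t outsz)
{
    const char *p = (*query == '?') ? query + 1 : query;
    size_t i = 0;
    if (outsz == 0) return -1;
    while (*p != '\0') {
        if (strncmp(p, "basic=", 6) == 0) {
            for (p += 6; *p != '\0' && *p != '&'; p++) {
                if (i + 1 >= outsz)   /* keep room for the terminating NUL */
                    return -1;        /* reject instead of smashing the stack */
                out[i++] = *p;
            }
            out[i] = '\0';
            return (int)i;
        }
        while (*p != '\0' && *p != '&')   /* skip an unrelated parameter */
            p++;
        if (*p == '&')
            p++;
    }
    return -2;
}

/* Runs the copy against a QUERYVAL_MAX-byte stack buffer, as the server does. */
int check_query(const char *query)
{
    char queryval_cpy[QUERYVAL_MAX];
    return copy_basic_param(query, queryval_cpy, sizeof queryval_cpy);
}

/* Constructs a request whose "basic" value is value_len bytes of 'A' (the
 * shape of an oversize query) and reports how the hardened copy handles it. */
int check_long_basic(size_t value_len)
{
    static char query[1024];
    if (value_len + 7 > sizeof query) return -1;
    memcpy(query, "basic=", 6);
    memset(query + 6, 'A', value_len);
    query[6 + value_len] = '\0';
    return check_query(query);
}
```

A value of up to 255 bytes is accepted; 256 bytes or more, which would have run past the original array, returns -1 and nothing is written beyond the buffer.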
 