Multiple Vulnerabilities In NEO Coolcam's Webcam

A login bypass and multiple remote code execution vulnerabilities based on stack buffer overflows in NEO Coolcam's webcam, with an analysis of the affected device population.

1. Update Status

Version | Time       | Description
V1.0    | 2018/07/16 | Multiple Vulnerabilities In NEO Coolcam's Webcam


2. Event Summary



Shenzhen NEO Coolcam Electronics Co., Ltd. is a high-tech company that integrates the R&D, production and marketing of network digital products and is a pioneer of the webcam field in China. The company set up a domestic camera R&D center in 2004 and holds many national patents. Its products are certified by the national quality supervision department and carry international certifications such as CE and FCC.


As early as August 2, 2017, security researchers at Bitdefender pointed out multiple buffer overflow vulnerabilities in devices such as the NIP-22 and the Wi-Fi iDoorbell, leaving thousands of devices exposed on the public network at risk, and published a report on them. Around September 2017, we noticed that the latest firmware released on NEO Coolcam's official English website fixed the overflow vulnerabilities.


On July 10, 2018, we used the ZoomEye cyberspace search engine to locate related devices and, in our later risk assessment of IoT devices susceptible to this vulnerability, found about 650,000 historical IP records. China has the largest number of affected devices, about 167,000. In addition, we have the following findings:


  • During the year between Coolcam's release of the updated firmware and the publication of this article, most devices still had not installed the update, for the following reasons:
    1. The target device has no automatic upgrade mechanism.
    2. Ordinary users are not aware that the vulnerabilities exist and therefore do not update the firmware manually.
    3. The updated firmware was published only on the official English website.
    4. Devices produced by other OEM manufacturers have the same vulnerabilities.


  • During the firmware audit of the target device we also found a login bypass vulnerability, which is presented in the following sections.


This means that a large number of target devices are at risk. The 404 Security Team studied the series of buffer overflow vulnerabilities in NEO Coolcam's NIP-22FX camera in depth and achieved remote code execution from the buffer overflow, confirming that the vulnerability is at real risk of being exploited by criminal actors. A login bypass vulnerability was found during the same audit, which is also a serious threat to user privacy.


3. Vulnerability analysis


3.1 Target equipment information


Device version: Neo Coolcam IPCam NIP-22FX

Vulnerability binary file: MD5 (ipc_server) = 312d924344364620d85099ed279a5f03

Firmware version: V7.7.4.1.1-20160701


The main program for the web service and the RTSP service is the ipc_server binary, and the target system is a 32-bit little-endian ARM platform.

All buffer-overflow mitigations are disabled in this binary.

 

3.2 Bypass login vulnerability


The webcam's web service uses HTTP Basic authentication. There are three sets of default credentials, corresponding to different permission levels. The companion app reminds the user to change the default password only for the admin account, and only during installation. The three sets of default credentials and their corresponding permission levels are as follows:

1. admin:admin

2. user:user

3. guest:guest

It is worth noting that the user and guest accounts can also view the video stream, and most users never change the default passwords of these accounts, which leads to privacy leaks.


3.3 Remote code execution vulnerability based on buffer overflow in the web service (no authentication required)

3.3.1 Vulnerability detail analysis


The overflow point is located near address 0x0007DE80. The function calls libs_parsedata to parse the usr and pwd values from the URL and stores them in two buffers in its own stack frame.


The prototype of the libs_parsedata function is:

int libs_parsedata(int a1, int a2, char *needle, int a4, int a5, int a6);


It takes six parameters, from left to right:

a1: The original string.

a2: Length of the original string.

needle: The string that marks the beginning of the substring to be extracted.

a4: The delimiter that ends the extracted substring.

a6: The target buffer that receives the extracted substring.


The function locates the needle string in the original string a1 and extracts everything up to the delimiter a4. It then writes the extracted substring into the buffer a6 with strncpy(), using the length of the extracted substring as the copy length, and finally appends a '\x00' byte. Because the length of the GET parameter is attacker-controlled, a buffer overflow occurs whenever a usr or pwd value longer than the destination buffer is supplied.


3.3.2 Exploit analysis


All buffer-overflow mitigations of the ipc_server binary are disabled, so this vulnerability is easy to exploit. During exploitation one has to avoid bad characters such as whitespace, &, \x00 and so on; whitespace can be replaced by ${IFS}.

The following code is located at address 0x0004E4D8 in ipc_server:

An attacker only needs to point the return address at 0x0004E4D8, together with the command to be executed, to obtain remote code execution from the buffer overflow. Because libs_parsedata writes a \x00 at the end of the string, two overflows are combined: one writes the return address and the other writes the command to be executed.


The target system does not contain commands such as curl, nc or wget, so the output of an executed command can be redirected into the web directory and retrieved through the HTTP interface. If the attacker and the camera are on the same network, the attacker can also start the telnetd service on the target system to gain complete control of the vulnerable device. Because the file system of the target device is mounted read-write, it is also at risk of malicious tampering.


The results on the NIP-22FX are as follows:


3.3.3 Patch analysis


In the latest firmware version (V7.7.4.1.1-20170828), a seventh parameter is added to libs_parsedata to limit the writable length of the target buffer.
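As an added illustration (constructed here, not the firmware's own code, which the report describes only in prose), the model below contrasts the unbounded copy described in 3.3.1 with the bounded form that the 3.3.3 patch introduces through its extra length parameter. The function names, the query-string sample and the 32-byte buffer size are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Model of the vulnerable libs_parsedata() described in 3.3.1 (constructed
 * for illustration, not the firmware's code): copy the text following
 * `needle` up to `delim`, or to the end of the input, into `out` with
 * strncpy() and append a NUL. Nothing relates the copy length to the size
 * of `out`. `src` is assumed NUL-terminated, as a GET query string is. */
size_t parsedata_unbounded(const char *src, size_t srclen, const char *needle,
                           char delim, char *out)
{
    const char *hit = strstr(src, needle);
    if (hit == NULL) { out[0] = '\0'; return 0; }
    const char *start = hit + strlen(needle);
    size_t avail = srclen - (size_t)(start - src);
    const char *end = memchr(start, delim, avail);
    size_t n = end ? (size_t)(end - start) : avail;
    strncpy(out, start, n);  /* n is attacker-controlled: overflows `out` when n >= its size */
    out[n] = '\0';
    return n;
}

/* Shape of the patched function (3.3.3): a seventh parameter carries the
 * writable size of `out`, and the copy is clamped so the NUL still fits. */
size_t parsedata_bounded(const char *src, size_t srclen, const char *needle,
                         char delim, char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    const char *hit = strstr(src, needle);
    if (hit == NULL) { out[0] = '\0'; return 0; }
    const char *start = hit + strlen(needle);
    size_t avail = srclen - (size_t)(start - src);
    const char *end = memchr(start, delim, avail);
    size_t n = end ? (size_t)(end - start) : avail;
    if (n > outsz - 1) n = outsz - 1;  /* truncate instead of overflowing */
    memcpy(out, start, n);
    out[n] = '\0';
    return n;
}

/* Constructed query string whose pwd value is 400 bytes, far larger than the
 * 32-byte destination. Returns the bytes the bounded parser stored: 31. */
size_t demo_oversized_pwd(void)
{
    char query[512] = "usr=admin&pwd=";
    size_t prefix = strlen(query);
    char pwd[32];
    memset(query + prefix, 'A', 400);
    query[prefix + 400] = '\0';
    return parsedata_bounded(query, strlen(query), "pwd=", '&', pwd, sizeof pwd);
}
```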

3.4 Remote code execution vulnerability based on buffer overflow in the RTSP service (no authentication required)

3.4.1 Vulnerability detail analysis


The overflow point is located at address 0x006C6D4. The function uses sscanf to match the key and value of the Authorization: Digest key="value" RTSP header and saves them on its own stack; because neither length is checked, the stack overflows.


3.4.2 Vulnerability exploitation analysis


This vulnerability is exploited in the same way as in Section 3.3.2: the attacker uses two overflows to write the instruction to be executed and the return address, which easily leads to remote code execution from the buffer overflow. The results on the NIP-22FX are as follows: the telnetd service of the target system was successfully started through the buffer overflow in the RTSP service.


3.4.3 Patch analysis


In the latest firmware version (V7.7.4.1.1-20170828), a field-width limit is added to the sscanf format string, capping each match at 255 bytes. The return address can no longer be overwritten, since 296 bytes remain between the buffer and the stack bottom.
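The weak and patched sscanf patterns from 3.4.1 and 3.4.3 side by side, as an added example that is not the firmware's code: the format strings, the 256-byte buffer size and the pre-check function are assumptions; only the 255-byte width comes from the report.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_SZ 256   /* assumed stack buffer size; the report gives 255 as the patched cap */

/* Vulnerable pattern described in 3.4.1 (constructed model, not the firmware's
 * code): %[ ] conversions with no field width store as many bytes as the RTSP
 * header supplies, so an over-long key or value runs past the stack buffers. */
int parse_digest_pair_unsafe(const char *hdr, char key[FIELD_SZ], char value[FIELD_SZ])
{
    return sscanf(hdr, " %[^=]=\"%[^\"]\"", key, value);
}

/* Patched pattern (3.4.3): the width 255 caps each conversion at 255 bytes,
 * which together with the terminating NUL fits FIELD_SZ exactly. */
int parse_digest_pair_safe(const char *hdr, char key[FIELD_SZ], char value[FIELD_SZ])
{
    return sscanf(hdr, " %255[^=]=\"%255[^\"]\"", key, value);
}

/* Check a defender can apply before parsing: 1 if any quoted value in the
 * header is longer than maxlen bytes or is left unterminated, else 0. */
int digest_has_overlong_value(const char *hdr, size_t maxlen)
{
    const char *p = hdr;
    while ((p = strchr(p, '"')) != NULL) {
        const char *q = strchr(p + 1, '"');
        if (q == NULL) return 1;
        if ((size_t)(q - p - 1) > maxlen) return 1;
        p = q + 1;
    }
    return 0;
}

/* Constructed header with a 400-byte value; returns the value length the
 * patched parser actually stored (255), or -1 if the pre-check missed it. */
int demo_overlong_value(void)
{
    char hdr[512] = "username=\"";
    size_t prefix = strlen(hdr);
    char key[FIELD_SZ], value[FIELD_SZ];
    memset(hdr + prefix, 'A', 400);
    strcpy(hdr + prefix + 400, "\"");
    if (!digest_has_overlong_value(hdr, 255)) return -1;
    parse_digest_pair_safe(hdr, key, value);
    return (int)strlen(value);
}
```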


4. Scope of the vulnerability impact


We found 651,780 historical IP records on the ZoomEye cyberspace search engine by searching with a keyword associated with the CRT NIP-22 HD camera device.

Searching ZoomEye for the keyword “Error: username or password error, please input again.” returns 651,780 historical IP records. After verification, 58,413 devices were still alive.


The country distribution of the surviving devices is as follows. The vulnerable devices are mainly located in Korea, the United States, China and other countries. Because IP addresses in China's network change rapidly, the number of surviving devices in China is more than 5,878.

Further statistical analysis of the surviving devices shows that most of them have at least one default credential, which indicates that NEO Coolcam's HD camera devices generally ship with default credentials. Attackers can use these credentials to access the camera's video stream. Notably, many of the surviving devices still have the admin:admin default credential, so an attacker can obtain administrator rights and probably take over the device completely by uploading crafted firmware.


During the data analysis of devices affected by these vulnerabilities, we found that a large number of devices were sold by OEMs. The device firmware is highly homologous, and some devices from two different vendors differ only in the logo.

Using the MD5 value of the device page web/mainpage.html to distinguish OEMs, the statistics are as follows:


MD5(Content(URL/web/mainpage.html)) | LOGO | OEM manufacturer
dbbc680a6b5403bf30077438fb4b91e6 | IP CAMERA | none
c69b8e84d46b78c85907e4622562997f | CloudLive | https://www.camcloud.com/
f4dc74d63125c9146f6f05b2e4e54fb8 | Wanscam | http://www.wanscam.com/
97335b2578edc45f70e0326d5eb4105c | EasyN | http://www.easyn.com/
4485518e9995bf1fc92f5f65d4d6f5b0 | Petzview | http://www.petstory.co/support/spt_main
2520381a9eb73097ad77a0e2439c86d5 | TENVIS | https://www.tenvis.com/
23d1ce3422ef59fff1482d9ab6cc2854 | CATCH VIEW | none
9236f9718fe81fa74bc027237d5fe076 | QcamV | none
84a8000873d288fd7f6bd3824251ec99 | Sineoji | http://sineoji.com/
8858353d658482304fa01aeb5fc3a689 | Aztech | https://www.aztech.com/categories/aztech-datacom/ip-camera
dcc4a2bafe9850d0c07b4529b0fb10bd | Toc View | none
bcf1fb85eb7bb9a4dffd75a11d600fcc | FALCON EYE | http://www.falconeyecnv.com/
529ff91b3d55a903af3451c562fa48b3 | bitron video | http://www.bitronvideo.eu/
4385c3e35bddf7ad1af65b8af9f0e6e4 | NETCURY | https://www.netcury.com/main/index/
829ce8eb0a133fe51444da7182db7631 | Intelkam | none
26746ac39c4257d8f436f7a1847d4d65 | ZKTeco | https://www.zkteco.eu/index.php
f2a6e9e9f1aef461fc7c13ee74f48bb0 | HOSAFE.COM | https://www.hosafe.com/
c43fd489a1a659dae2947fa1e78cdf83 | bayit Home | http://www.bayithomeautomation.com/
f61401152a378a45ace64f0f38a19981 | IPCAM CENTRAL | https://www.ipcam-central.com/
0a6b3872e3fada7c36b48d8ccd28b11a | SV plus | none
17c38847e9d7598bf027dc38cc066ccb | manhattan | http://www.manhattan-products.com/homecam-hd
7c9328d1950bbc0c91092cb0f2bf3e7c | COVERT | https://www.covertscoutingcameras.com/
120ae591ca18744c168ba71517caf4fa | NEO Coolcam | http://www.szneo.com/
0eedb3e49b5962180caa8e7d193aab47 | RTX | none
d7998665ea8baaf6061e093491268c22 | Seguros Falabella | none
bfb0589554d4922bc81cf37b0fe94583 | HOMCA | http://homca.co.kr/
ec0ebcdeca5d561eb7c647577abcafb1 | upCam | https://www.upcam.de/en/
43d8a0138e063d51ccd3a93884df99a4 | TECH VIEW | none
bec41d3ac4c279e11ddab98b05c89919 | kaicong | http://www.kaicong.net/
d1a79e614cbf0ee7fef1ac8d34e8d418 | EMINENT | http://www.eminent-online.com/
6d18d6e3609d6ea678eded4afcd34121 | CCTVJAPAN | https://security.panasonic.com/products/
f32d128c819832d5d2f3ab1e997450d7 | NEXXT | https://www.nexxtsolutions.com/
5daba101ca98f4d3785cc9cdea15ecc6 | Dericam | http://www.dericam.com/
c7b359118ac572dc0c512e20f8db342c | JSST | http://www.jieshun.cn/
8e7c109fbb6de2656d44307eba91aa68 | Tenda | http://www.tenda.com.cn/product/category-197.html
1614158f65e4612b93818e33503e547e | Asgari | https://www.asgariofsweden.se/
722c3cb4321475e0b76aae96db3f34ef | IP202-2MP IPC | none
79da07aa50f5c0780f458e2d47b73dab | Jod-1 | none
8596b015e13f96d2f6e4c7be38a78752 | ZOELink | none


In addition to the default credential problem, NEO Coolcam's NIP-22 HD camera has buffer overflow vulnerabilities in its web service and RTSP service that require no authentication. They are not difficult to exploit, and an attacker can execute arbitrary commands remotely through them. The watchdog process restarts the whole system after an overflow occurs, which an attacker can also use to cause a denial of service. Because of the firmware homology, these two overflow vulnerabilities are likely to exist in devices produced by other OEM manufacturers as well.



5. Vulnerability Repair Recommendation


5.1 Users' repair recommendation


To avoid privacy leaks, users are advised to repair this series of vulnerabilities as soon as possible.


First, users can log in to the webcam's web management system and change the usernames and passwords of the three sets of default credentials on the following page.

Second, if the device is NEO Coolcam's, it is recommended to download the latest firmware from NEO Coolcam's official website and update manually to repair the two overflow vulnerabilities. If the device was produced by another OEM vendor, contact that vendor for a firmware update and isolate the device from the public network.

5.2 Manufacturer's repair recommendation


Because this series of vulnerabilities can affect dozens of OEM vendors at home and abroad, the vendors in the list above should re-check their products for these vulnerabilities, release patched firmware promptly and notify their users to update.


6. Summary



1. Most of the surviving devices have default credentials, which is a serious threat to users' privacy. Users should change the default passwords promptly.


2. This series of vulnerabilities may also affect dozens of OEM manufacturers at home and abroad. Embedded firmware development usually relies on third-party open source tools or general-purpose software, often developed by a single manufacturer, which makes much device firmware homogeneous. Devices of different brands may run the same or similar firmware and contain the same third-party libraries. After a vulnerability is disclosed, many manufacturers' products are affected, but not all vendors release patches, so a great number of devices are never repaired.


3. In recent years, security vulnerabilities in IoT devices such as routers, cameras, video recorders, NAS units and wearables have emerged endlessly. With more and more embedded devices connected to the network, users' personal privacy is seriously threatened. On the one hand, manufacturers and developers should continually improve the security of the devices they build; on the other hand, vulnerabilities are unavoidable, so users should raise their security awareness and avoid exposing such devices directly to the public network. For all IoT vendors, as more and more vulnerabilities are exposed, fixing them promptly and providing an automatic upgrade mechanism for their products is the only effective way forward.



7. References


[1] Bitdefender vulnerability announcement: https://www.bitdefender.com/box/blog/ip-cameras-vulnerabilities/neo-coolcams-not-cool-buffer-overflow/

[2] Download address of the official updated firmware: http://szneo.com/en/service/index.php

[3] Pocsuite: https://github.com/knownsec/Pocsuite


Thank you for reading our article; please leave valuable feedback. Your suggestions are welcome and will be helpful to us.

This article was written by the Knownsec 404 ZoomEye Team and first published on our own website. We are a team from China. If you want to publish or reprint it, please credit the source or our team's name and send us a link.

If you liked our vulnerability article and would like to see more, please follow us.

Thank you. We look forward to hearing from you.

Author: 404 Team