Talos Vulnerability Report

TALOS-2018-0605

Sony IPELA E Series Camera 802dot1xclientcert remote code execution vulnerability

July 20, 2018
CVE Number

CVE-2018-3938

Summary

An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability.

Tested Versions

Sony IPELA E series G5 firmware 1.87.00

Product URLs

Firmware

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Details

Sony IPELA Cameras are network-facing cameras used for monitoring and surveillance.

One of the endpoints available on the IPELA cameras is 802dot1xclientcert.cgi. This endpoint is designed to handle everything related to certificate management for 802.1x.

Before processing the incoming data, this endpoint trims data via the CONTENT_TYPE header [0].

(fcn) sym.g5::clientcertcgi::trim_stuffed_data
0x00009770      push {r4, r5, r6, r7, r8, sl, lr}
0x00009774      sub sp, sp, 0x440
0x00009778      sub sp, sp, 4
0x0000977c      mov sl, r0
0x00009780      ldr r0, [pc, 0x230]         ; [0x99b8:4]=0xac1c str.CONTENT_TYPE LEA loc._d_19 ; loc._d_19
0x00009784      mov r7, r1
0x00009788      mov r8, r2
0x0000978c      bl sym.imp.getenv [0]

When the CONTENT_TYPE header has been found, boundary= is searched for via strstr.

0x00009798      ldr r1, [pc, 0x21c]         ; [0x99bc:4]=0xac2c str.boundary=
0x0000979c      bl sym.imp.strstr

The length of the data is then checked via strlen in preparation for copying the data locally.

0x000097a8      mov r0, r5 ; Points to the data after boundary=
0x000097ac      bl sym.imp.strlen

This data is directly copied to a local buffer via memcpy.

0x000097b4      ldr r3, [pc, 0x204]
0x000097b8      rsb ip, r5, r4
0x000097bc      mov r2, sp
0x000097c0      mov r1, r4
0x000097c4      strh r3, [r2], 2
0x000097c8      mov r6, sp
0x000097cc      rsb r4, ip, r0
0x000097d0      mov r0, r2
0x000097d4      mov r2, r4
0x000097d8      bl sym.imp.memcpy

Because the length returned by strlen is never checked against the size of the local stack buffer, the memcpy overflows that buffer, resulting in a stack-based buffer overflow. This overflow allows an attacker to remotely execute commands on the device.
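As an added illustration of the fix this class of bug needs (this is example code written for this page, not the camera firmware's code and not Talos's), the following C function performs the same `boundary=` extraction the disassembly describes but compares the `strlen` result against the destination size before any copy. The `0x440` buffer size is taken from the `sub sp, sp, 0x440` in the listing; that the two bytes stored by `strh` ahead of the `memcpy` are the multipart `--` prefix is an assumption (the page does not say what `r3` holds), as is the RFC 2046 70-character cap on boundary tokens, which a hardened parser would enforce in addition to the buffer check. Inputs in `demo()` are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the handler's local buffer, from `sub sp, sp, 0x440` above. */
#define BOUNDARY_BUF_SIZE 0x440

/* Assumption: the 2-byte value stored by `strh r3, [r2], 2` is the "--"
 * multipart delimiter prefix. The page does not state this. */
#define DELIM_PREFIX "--"
#define DELIM_PREFIX_LEN 2

/* Maximum boundary length per RFC 2046 (assumed policy, not from the page). */
#define MAX_BOUNDARY_LEN 70

/* Copy the boundary token from a Content-Type value into out[], prefixed
 * with "--" and NUL-terminated. Returns the number of bytes written
 * (excluding the NUL), or -1 if the header is missing, has no boundary=,
 * or the token would not fit. The fit check happens before memcpy, which
 * is exactly what the vulnerable handler omits. */
int extract_boundary(const char *content_type, char *out, size_t out_size)
{
    if (content_type == NULL || out == NULL || out_size < DELIM_PREFIX_LEN + 1)
        return -1;

    const char *p = strstr(content_type, "boundary=");
    if (p == NULL)
        return -1;
    p += strlen("boundary=");

    /* The token ends at ';' or whitespace. */
    size_t len = strcspn(p, "; \t\r\n");
    if (len == 0 || len > MAX_BOUNDARY_LEN)
        return -1;
    if (len + DELIM_PREFIX_LEN + 1 > out_size)   /* +1 for the NUL */
        return -1;

    memcpy(out, DELIM_PREFIX, DELIM_PREFIX_LEN);
    memcpy(out + DELIM_PREFIX_LEN, p, len);
    out[DELIM_PREFIX_LEN + len] = '\0';
    return (int)(DELIM_PREFIX_LEN + len);
}

/* Run extract_boundary into a stack buffer of the handler's size, or into
 * a smaller logical size to exercise the fit check. */
int check_header(const char *content_type, size_t out_size)
{
    char buf[BOUNDARY_BUF_SIZE];
    if (out_size > sizeof buf)
        out_size = sizeof buf;
    return extract_boundary(content_type, buf, out_size);
}

/* Drive the parser with a constructed well-formed header and a constructed
 * oversized one. Returns 1 when the good header is accepted and the
 * oversized one is rejected before any copy takes place. */
int demo(void)
{
    char buf[BOUNDARY_BUF_SIZE];
    const char *good = "multipart/form-data; boundary=abc123";   /* constructed */
    int n = extract_boundary(good, buf, sizeof buf);
    printf("good: %d bytes -> %s\n", n, n >= 0 ? buf : "(rejected)");

    /* Constructed input: a boundary token far longer than the 0x440 buffer. */
    char big[0x500];
    memcpy(big, "multipart/form-data; boundary=", 30);
    memset(big + 30, 'Z', sizeof big - 31);
    big[sizeof big - 1] = '\0';
    int m = extract_boundary(big, buf, sizeof buf);
    printf("oversized: %s\n", m < 0 ? "rejected before copy" : "copied");

    return n >= 0 && m < 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The key difference from the listing is ordering: the length is computed, compared against the destination, and only then copied. A `strlen`-derived count passed straight to `memcpy` is the pattern to flag in review, regardless of how large the stack buffer is.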

Crash Information

Program received signal SIGSEGV, Segmentation fault.
0x5a5a5a58 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────[ REGISTERS         ]────────────────────────────────────────────────────
*R0   0x0
*R1   0xbe8b8450 ◂— 0x61356135 ('5a5a')
*R2   0xbe8b9453 ◂— 0x0
*R3   0x0
*R4   0x5a5a5a5a ('ZZZZ')
*R5   0x5a5a5a5a ('ZZZZ')
*R6   0x5a5a5a5a ('ZZZZ')
*R7   0x5a5a5a5a ('ZZZZ')
*R8   0x5a5a5a5a ('ZZZZ')
*R9   0x0
*R10  0x5a5a5a5a ('ZZZZ')
*R11  0x0
*R12  0x2d
*SP   0xbe8b88b0 ◂— 0x5a5a5a5a ('ZZZZ')
*PC   0x5a5a5a58 ('XZZZ')
─────────────────────────────────────────────────────[ DISASM     ]─────────────────────────────────────────────────────
Invalid address 0x5a5a5a58

─────────────────────────────────────────────────────[ STACK   ]──────────────────────────────────────────────────────
00:0000│ sp  0xbe8b88b0 ◂— 0x5a5a5a5a ('ZZZZ')
... ↓
───────────────────────────────────────────────────[ BACKTRACE     ]────────────────────────────────────────────────────
 ► f 0 5a5a5a58
f 1     9800
Program received signal SIGSEGV (fault address 0x37a2)
+pwndbg> hexdump sp
+0000 0xbe8b88b0  5a 5a 5a 5a  5a 5a 5a 5a  5a 5a 5a 5a  5a 5a 5a 5a  │ZZZZ│ZZZZ│ZZZZ│ZZZZ│
..
+0040 0xbe8b88f0  

Timeline

2018-06-04 - Vendor disclosure
2018-07-19 - Vendor patched
2018-07-20 - Public Release

Credit

Discovered by Cory Duplantis of Cisco Talos.