Talos Vulnerability Report

TALOS-2021-1421

Reolink RLC-410W cgiserver.cgi JSON command parser denial of service vulnerabilities

January 26, 2022

CVE Number

CVE-2021-44354,CVE-2021-44355, CVE-2021-44356, CVE-2021-44357, CVE-2021-44358, CVE-2021-44359, CVE-2021-44360, CVE-2021-44361, CVE-2021-44362, CVE-2021-44363, CVE-2021-44364, CVE-2021-44365, CVE-2021-44366, CVE-2021-44367, CVE-2021-44368, CVE-2021-44369, CVE-2021-44370, CVE-2021-44371, CVE-2021-44372, CVE-2021-44373, CVE-2021-44374, CVE-2021-44375, CVE-2021-44376, CVE-2021-44377, CVE-2021-44378, CVE-2021-44379, CVE-2021-44380, CVE-2021-44381, CVE-2021-44382, CVE-2021-44383, CVE-2021-44384, CVE-2021-44385, CVE-2021-44386, CVE-2021-44387, CVE-2021-44388, CVE-2021-44389, CVE-2021-44390, CVE-2021-44391, CVE-2021-44392, CVE-2021-44393, CVE-2021-44394, CVE-2021-44395, CVE-2021-44396, CVE-2021-44397, CVE-2021-44398, CVE-2021-44399, CVE-2021-44400,CVE-2021-44401, CVE-2021-44402,CVE-2021-44403,CVE-2021-44404,CVE-2021-44405, CVE-2021-44406, CVE-2021-44407, CVE-2021-44408, CVE-2021-44409, CVE-2021-44410, CVE-2021-44411, CVE-2021-44412, CVE-2021-44413, CVE-2021-44414, CVE-2021-44415, CVE-2021-44416, CVE-2021-44417, CVE-2021-44418, CVE-2021-44419

Summary

Multiple denial of service vulnerabilities exist in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

reolink RLC-410W v3.0.0.136_20121102

Product URLs

RLC-410W - https://reolink.com/us/product/rlc-410w/

CVSSv3 Score

8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Details

The reolink RLC-410W is a WiFi security camera. The camera includes motion detection functionalities and various methods to save the recordings.

The RLC-410W offers different APIs for different levels of authentication. One of these APIs has the purpose of rebooting the device; this API should be executed by administrator users only.

A specially-crafted HTTP request can lead to kill the cgiserver.cgi process and a consequentially to the reboot of the device, without the required permission.

The cgiserver.cgi manages the API requests, parsing the commands and parameters provided. One way to issue commands and parameters is by providing those in a JSON array in the body. A body with commands looks like the following:

[
    {
        "cmd":    <COMMAND NAME 1>,
        "action": <ACTION NUMBER 1>,
        "param":{
                  <COMMAND PARAMETERS 1>
        }
    },
    ...
    {
        "cmd":    <COMMAND NAME n>,
        "action": <ACTION NUMBER n>,
        "param":{
                  <COMMAND PARAMETERS n>
        }
    },
]

All the JSON elements inside a JSON object are going to be accessed using the subscription operator:

int __thiscall Json::Value::operator[](Value *this,char *key)

{
  [...]

  puVar4 = &_mips_gp0_value;
  if (this->type == null) {
    Value(aVStack64,7);
    operator=(this,aVStack64);
    ~Value(aVStack64);
  }
  else {
    if (this->type != object) {
                    /* WARNING: Subroutine does not return */
      __assert(s_type__==_nullValue_||_type__==_o_004e3084,
               "/home/mdq/new_svn/test/ipc/trunk/opensource/libjson/src/json_value.cpp",0x401);         [1]
    }
  }
 [...]
}

If the JSON element is neither of the type null or object, the program will assert. If this happens, the cgiserver.cgi process will not able to send its heartbeat. Eventually the entire device will be rebooted.

Each one of the provided commands is parsed by the body_request_to_command:

  undefined body_request_to_command(cgi_request *req,cgi_cmd *cgi_cmd,Value *json_element)

  {
    [...]
    pVVar3 = (Value *)Json::Value::operator[](json_element,"cmd");                                      [2]
    [...]
  }

In [2] the json_element represents one of the elements of the array that contains the commands.

Instead, each param object is parsed individually for each API. But the code that passes the param JSON object, as argument for the function, is the same for all the APIs. The API-specific param parser is called in the cgi_param_parse function:

int cgi_param_parse(cgi_cmd *cgi_cmd,cgi_session *session)

      {
        [...]

        Json::Reader::Reader(json_reader);
        Json::Value::Value(&body_as_json,0);
        pcVar1 = cgi_cmd->associated_request;
        if (pcVar1->is_commands_in_body == 0) {
          API_command = cgi_cmd->command_ID;
      CHECK_PERMISSIONS:
          iVar3 = check_channel_if_command_require_it(API_command,cgi_cmd->query_string[channel]);
          if (iVar3 == 0) {
            AVar4 = cgi_check_ability(cgi_cmd->command_ID,session,cgi_cmd->query_string[channel]);      [3]
            dVar5 = 0;
            if (AVar4 == ~not exist) goto LAB_0043ca18;
          }
          else {
            AVar4 = check err;
          }
        }
        else {
          if (pcVar1->CONTENT_LENGTH == 0) {
            API_command = cgi_cmd->command_ID;
            goto CHECK_PERMISSIONS;
          }
          std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string
                    ((char *)body_data_as_string,(allocator *)pcVar1->body_data);
          is_valid_json = Json::Reader::parse(json_reader,body_data_as_string,&body_as_json,true);
          std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string
                    ((basic_string<char,std::char_traits<char>,std::allocator<char>> *)body_data_as_string
                    );
          if (is_valid_json != 0) {
            command_struct = (command_struct *)get_command_struct_by_id(cgi_cmd->command_ID);
            j2s_function = command_struct->j2s;
            pVVar2 = (Value *)Json::Value::operator[](&body_as_json,cgi_cmd->idx_in_array_command);
            pVVar2 = (Value *)Json::Value::operator[](pVVar2,"param");                                  [4]
            dVar5 = (*j2s_function)(pVVar2,cgi_cmd);                                                    [5]
            if (dVar5 != 0) goto LAB_0043ca18;
            API_command = cgi_cmd->command_ID;
            goto CHECK_PERMISSIONS;
          }
        [...]
      }

At [4] the param element is taken and passed at [5] to the API-specific JSON parser that will parse the parameters. After the parsing, at [3], it is checked that the user who requested the API has the correct permission for performing it.

Both the code at [2] and the code called to parse the param JSON element at [5] assume that the JSON passed are JSON objects, but this is not always the case. For example with:

curl --request POST \
     --data "[{\"cmd\": \"<CMD_NAME>\",\"action\": 0,\"param\":  \"\"}]" \
     http://<CAMERA_IP>/cgi-bin/api.cgi\?cmd\=<CMD_NAME>&token\=<SESSION_TOKEN>

Based on the CMD_NAME, this request could crash the device, because at [5] the param JSON element is taken and passed to the CMD_NAME API-specific parameters parser. In various APIs, that requires param. The parser code will assume, erroneously, that the JSON element of param is an object, accessing it with the subscription operator, leading to the assert at [1].

Note that, while most of this requires a logged-in user, it’s possible to use TALOS-2021-1420 to perform these API calls without authentication.

CVE-2021-44354 - JSON command is not object

The body_request_to_command function will expect JSON objects as elements of the JSON array. If the following request’s body is provided:

[
   ""
]

The cgiserver.cgi will reach the assert at [1] and consequently the reboot of the camera. Note that, this issue does not require a logged-in user.

CVE-2021-44355 - SetMdAlarm param is not object

The SetMdAlarm’s JSON param parser will assume that the param JSON element is an object, accessing it using subscription operator. If the following request’s body is provided:

[
    {
        "cmd": "SetMdAlarm",
        "action": 0,
        "param":  ""
    }
]