
An example Analysis of remote Code execution vulnerability of DLINK DCS-5020L Wireless Cloud camera

2025-04-04 Update From: SLTechnology News&Howtos (Network Security)

Shulou (Shulou.com) 05/31 Report

This article walks through a remote code execution vulnerability in the D-Link DCS-5020L wireless cloud camera with a worked example. Many newcomers are unclear about how such a bug is found, so the editor explains the process in detail below; readers who need it are welcome to follow along, and I hope you gain something from it.

Brief introduction

The main purpose is to show how vulnerabilities are found in Internet of Things (IoT) devices. Finding the command injection described below took three steps, much like a 100-point CTF challenge: download the firmware and pull out the binary, run strings on it, and trace the input from the system call back to its origin.

DLINK DCS-5020L

"The DCS-5020L Wireless N Day & Night Pan/Tilt Camera is a round-the-clock webcam that easily connects to your existing home network and supports remote viewing on a variety of mobile devices. It has pan, tilt and digital zoom functions, allowing you to view a wider area with a single camera; a built-in Wi-Fi extender makes it easy to expand wireless coverage; night vision reaches up to 5 meters; sound and motion detection give peace of mind; and H.264 video compression produces high-quality images."

Extract firmware

As with any Internet of Things device, the first thing we need to do (if we can obtain it) is extract the file system from the firmware image. For this device, the first binwalk scan does not show anything useful:

What we are looking for is some form of embedded file system, such as squashfs. If it cannot be found, the usual reason is nested compression: one compressed stream wrapped inside another. All we need to do is run binwalk recursively with the -M option. This way we finally find a cpio file system under two layers of compression.
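The nested-compression situation described above, reproduced as an added example (this is not the article's code or a D-Link tool). It models what a recursive binwalk scan does in miniature: scan a blob for known magic numbers, decompress from the first hit, and repeat until a file-system container turns up. The firmware image it analyses is constructed inline (a fake header, then xz wrapping gzip wrapping a minimal cpio "newc" archive); the header bytes, layer order and cpio contents are assumptions chosen to mirror the "cpio under two layers" result in the write-up, not the real DCS-5020L image layout.

```python
import bz2
import gzip
import lzma

# Magic numbers a binwalk-style scanner looks for. Only the wrappers the Python
# standard library can unpack get a decompressor; containers (cpio, squashfs)
# end the walk and are handed to cpio/unsquashfs instead.
MAGICS = {
    "gzip": b"\x1f\x8b",
    "xz": b"\xfd7zXZ\x00",
    "bzip2": b"BZh",
    "cpio-newc": b"070701",
    "squashfs": b"hsqs",
}
DECOMPRESSORS = {
    "gzip": gzip.decompress,
    "xz": lzma.decompress,
    "bzip2": bz2.decompress,
}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return every (offset, kind) at which a known magic appears, lowest offset first."""
    hits = []
    for kind, magic in MAGICS.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


def peel_layers(blob: bytes, max_depth: int = 8) -> list[str]:
    """Follow the first signature of each layer, decompressing until a container or
    something unknown is reached. Returns the chain, e.g. ['xz@10', 'gzip@0', 'cpio-newc@0']."""
    chain = []
    for _ in range(max_depth):
        hits = scan(blob)
        if not hits:
            chain.append("unknown")
            return chain
        offset, kind = hits[0]
        chain.append(f"{kind}@{offset}")
        if kind not in DECOMPRESSORS:
            return chain  # file-system container reached; extract it with the matching tool
        try:
            blob = DECOMPRESSORS[kind](blob[offset:])
        except (OSError, lzma.LZMAError, EOFError) as exc:
            # Truncated or corrupt layer: report it instead of silently stopping
            chain.append(f"decompress-failed:{type(exc).__name__}")
            return chain
    chain.append("max-depth")
    return chain


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware image (assumption, not the real image):
    a fake vendor header, then an xz stream wrapping a gzip stream wrapping a
    minimal cpio 'newc' archive."""
    cpio = b"070701" + b"0" * 104 + b"TRAILER!!!\x00"
    inner = gzip.compress(cpio, mtime=0)   # fixed mtime keeps the sample deterministic
    return b"DLINK-HDR\x00" + lzma.compress(inner)


if __name__ == "__main__":
    print(peel_layers(build_sample_image()))
```

The scan deliberately records every hit rather than only the first, because in a real image the interesting stream often starts at a non-zero offset behind a bootloader or vendor header; the peel step follows the lowest offset, which is also where binwalk -M would recurse first.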

Let's take a look at the httpd binaries responsible for the Web server.

File name: alphapd

md5sum: ea622a926c435e4637f4852536aafa8c

Vulnerability

As I said at the beginning of the article, let's first run strings on the binary and see what comes out:

These look like commands passed to system(). The 'sed' command is especially interesting, because part of it looks like it is filled in from somewhere else. The next step is to trace that input and see whether we can control it.

We can see that there are two functions that refer to the string we are interested in.

In turn, each function is referenced in setFormDefineManagement:

These are all POST forms that we can send requests to. For example, if we change the password in the following form, we send a POST request to setSystemAdmin:

Note that administrator credentials are needed to reach this page; this is discussed further below. Note also that the setSystemUserModify form always returns a 404, so we stick to analyzing setSystemAdmin.

So, starting from sub_42DCCC, the code reads values from non-volatile RAM (NVRAM) as well as from websGetVar.

The key point here is the call to CheckSystemVar, which calls websGetVarCheck to process a large number of input values, including AdminID.

Then websGetVarCheck calls checkVarString, as shown below:

This is obviously just a switch/case structure. The value we are interested in is AdminID, and we can see that it must be less than 13 bytes long.

So the only constraint on AdminID is that it must be less than 13 bytes. Once all the checks pass, DoSystem is called with the AdminID value we supplied, formatted into the command string.

Obviously, an attacker can break out of the 'sed' command with a simple payload such as `` `touch a` ``. Another example is AdminID=a' `telnetd`, which starts telnetd and lets us log in as "a", which the system treats as a new root account:

Notice that we log in with an empty password.
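To make the defect concrete from the defender's side, here is an added example (not the article's code and not D-Link's firmware) that places the length-only validation the write-up describes next to a hardened version. The reconstruction of checkVarString, the sed expression, the passwd path and the allow-list policy are all assumptions; the write-up only establishes that AdminID is bounded to fewer than 13 bytes and is then formatted into a command that reaches DoSystem. The point it demonstrates is that a length bound is not input validation: a payload of the page's shape fits comfortably inside 13 bytes, so the value has to be allow-listed and must never be handed to a shell as part of a command line.

```python
import re

ADMIN_ID_MAX_BYTES = 13                               # write-up: AdminID must be < 13 bytes
ADMIN_ID_ALLOWED = re.compile(r"[A-Za-z0-9_]{1,12}")  # assumed policy for a local account name
PASSWD_FILE = "/tmp/demo-passwd"                      # placeholder path, not the camera's file
SHELL_META = set("`$;|&<>(){}'\"\\\n")                # characters a POSIX shell treats specially


def length_only_check(admin_id: str) -> bool:
    """Hypothetical reconstruction of what checkVarString enforces per the write-up:
    a byte-length bound and nothing else."""
    return len(admin_id.encode()) < ADMIN_ID_MAX_BYTES


def allowlist_check(admin_id: str) -> bool:
    """Hardened check: same length bound plus an allow-list, so metacharacters never pass."""
    return ADMIN_ID_ALLOWED.fullmatch(admin_id) is not None


def metachars_in(value: str) -> str:
    """Shell metacharacters present in a value, sorted, for logging and for tests."""
    return "".join(sorted({c for c in value if c in SHELL_META}))


def vulnerable_command(admin_id: str) -> str:
    """The unsafe pattern: user input formatted into a command line that a shell will
    parse. The sed expression itself is an assumption; the write-up only shows that
    AdminID reaches a sed invocation via a format string."""
    return f"sed -i 's/^admin:/{admin_id}:/' {PASSWD_FILE}"


def hardened_argv(admin_id: str) -> list[str]:
    """The safe pattern: validate first, then pass the value as a single argv element
    (subprocess.run(argv) without shell=True, or execv in C), so no shell ever sees it."""
    if not allowlist_check(admin_id):
        raise ValueError(f"AdminID rejected by allow-list: {metachars_in(admin_id) or 'bad format'!r}")
    return ["sed", "-i", f"s/^admin:/{admin_id}:/", PASSWD_FILE]


if __name__ == "__main__":
    probe = "x`id`"   # constructed 5-byte value of the page's shape; benign command inside
    print("length-only accepts:", length_only_check(probe))
    print("allow-list accepts: ", allowlist_check(probe))
    print("command line built: ", vulnerable_command(probe))
    print("argv for valid name:", hardened_argv("operator"))
```

The argv form is the second line of defence, not a substitute for the allow-list: even with no shell involved, a value containing '/' would still corrupt the sed expression, which is exactly why the allow-list is applied before the command is assembled.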

Further explanation

We also found that sending a long password in most of the password fields makes the web server segfault. If we send 198 bytes, the service hits a segmentation fault and dies with a bus error.

Unfortunately, I couldn't find a way to get gdbserver onto the device, so I couldn't dump the core file and examine it.

The following is an example of a POST request to /setSystemNetwork with a DDNSPassword parameter of 210 'A' characters:

An attacker with credentials can exploit this to cause a denial of service against the camera's web interface. If a way to debug the binary on the device can be found, it may also be possible to turn this into RCE.
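Both issues in the write-up are visible in the HTTP request itself, which makes them straightforward to catch at a reverse proxy, IDS or web log review. The following is an added example (not from the article) of such a check run over constructed sample requests: it parses a raw POST, and flags AdminID values carrying shell metacharacters on the forms named above, plus any *Password field that is unusually long. The request samples, the hostname, the 128-byte alert threshold (chosen to sit below the 198-byte crash length reported) and the watched-form list are assumptions; the form names and the 13-byte AdminID bound come from the write-up.

```python
from urllib.parse import parse_qs

WATCHED_FORMS = {"/setSystemAdmin", "/setSystemUserModify", "/setSystemNetwork"}  # forms named in the write-up
SHELL_META = set("`$;|&<>(){}'\"\\\n")
ADMIN_ID_MAX_BYTES = 13      # write-up: AdminID must be < 13 bytes
PASSWORD_ALERT_BYTES = 128   # assumed alert threshold, below the 198-byte crash length reported


def parse_http_post(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, decoded form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _version = head.split("\r\n")[0].split(" ", 2)
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, fields


def inspect_request(raw: str) -> list[str]:
    """Return human-readable findings for one request; an empty list means nothing suspicious."""
    findings = []
    method, path, fields = parse_http_post(raw)
    if method != "POST" or path not in WATCHED_FORMS:
        return findings
    for name, value in fields.items():
        size = len(value.encode())
        if name == "AdminID":
            meta = "".join(sorted({c for c in value if c in SHELL_META}))
            if meta:
                findings.append(f"{path}: AdminID contains shell metacharacters {meta!r}")
            if size >= ADMIN_ID_MAX_BYTES:
                findings.append(f"{path}: AdminID is {size} bytes, over the firmware's bound")
        if name.lower().endswith("password") and size >= PASSWORD_ALERT_BYTES:
            findings.append(f"{path}: {name} is {size} bytes (crash reported at 198)")
    return findings


# Constructed sample traffic (not captured from a real device).
SAMPLE_REQUESTS = {
    "benign":     "POST /setSystemAdmin HTTP/1.1\r\nHost: camera.local\r\n\r\nAdminID=operator",
    "injection":  "POST /setSystemAdmin HTTP/1.1\r\nHost: camera.local\r\n\r\nAdminID=x%60id%60",
    "oversized":  "POST /setSystemNetwork HTTP/1.1\r\nHost: camera.local\r\n\r\nDDNSPassword=" + "A" * 210,
    "other_form": "POST /unrelatedForm HTTP/1.1\r\nHost: camera.local\r\n\r\nAdminID=x%60id%60",
}


def run_samples() -> dict[str, list[str]]:
    """Inspect every constructed sample and return the findings keyed by sample name."""
    return {name: inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:10s} -> {findings or 'clean'}")
```

Because the forms require administrator credentials, a hit from an authenticated session is still worth alerting on: it points either at a compromised credential or at an insider, and in both cases the camera's web server should be considered at risk of crash or command execution.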

Impact

Currently, nearly 7000 of these devices are connected to the Internet:


© 2024 shulou.com SLNews company. All rights reserved.
