The Planex CS-QR10 smart camera (aka Sumakame) and the Planex CS-QR20 (aka Sumakame Night Vision) are network cameras that let users easily view camera images from a smartphone using a dedicated app.
[CVE-2022-38399] - Missing Protection Mechanism for Alternate Hardware Interface (CWE-1299).
Both Planex CS-QR10 and CS-QR20 smart camera devices were discovered to contain insecure protections for their UART console. This vulnerability allows a local attacker to connect to the UART port via a serial connection, which allows command execution as the root user without authentication.
[CVE-2017-12576] - OS Command Injection via Hidden Functionality (CWE-912).
After reverse engineering the device's firmware, it was discovered that a hidden functionality exists using /goform/SystemCommand, which is located in the binary file /bin/boa. This allows an attacker to execute Linux commands on the device with root privileges and so to access all the system files. It is also possible to change the root password, which gives an attacker another way to gain full access to the device. This issue affects all Planex CS-QR10 smart camera devices from version 1.36 and under as well as Planex CS-QR20 smart camera devices from version 1.34 and under.
1. Missing Protection Mechanism for Alternate Hardware Interface (CWE-1299).
After opening the case of the camera, we found the UART port on the motherboard. As pins to connect to it were already soldered, we simply plugged in a serial cable to the UART port to connect to the device.
A few seconds after turning on the camera, we have access to the U-Boot boot loader interface.
After waiting approximately one minute, we then have access to the shell with admin rights.
2. OS Command Injection via Hidden Functionality (CWE-912).
Once logged in to the web administration interface using the default credentials admin:password, it is possible to execute a POST request to a hidden endpoint /goform/SystemCommand, which allows an attacker to execute any Linux commands as the root user. For example, in the following screenshot we were able to open the telnet port.
After completing this step, we could then log in to the system as the admin user (root privileges).
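For defenders who cannot patch immediately, the following added example (not part of the original research) scans HTTP access logs for requests that reach the hidden /goform/SystemCommand endpoint. It assumes Combined Log Format records from a proxy or network sensor placed in front of the camera; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

HIDDEN_ENDPOINT = "/goform/SystemCommand"  # path named in the advisory

# Assumption: Combined Log Format with origin-form request targets.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode %XX escapes, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/").lower()

def find_hidden_endpoint_hits(lines):
    """Return one record per request whose normalized path is the hidden endpoint."""
    wanted = HIDDEN_ENDPOINT.lower()
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line we understand
        if normalize_path(m["target"]) == wanted:
            hits.append({
                "src": m["src"],
                "time": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
            })
    return hits

# Constructed sample log lines (documentation address range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/Sep/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.50 - admin [12/Sep/2022:10:05:40 +0000] "POST /goform/SystemCommand HTTP/1.1" 200 312',
    '192.0.2.50 - admin [12/Sep/2022:10:06:11 +0000] "POST /goform//System%43ommand?x=1 HTTP/1.1" 200 312',
    # Constructed lookalike path that must not be flagged.
    '192.0.2.10 - admin [12/Sep/2022:10:07:00 +0000] "POST /goform/SystemCommandHelp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_hidden_endpoint_hits(SAMPLE_LOG):
        print(hit)
```

Any hit is worth investigating, since the endpoint is not used by the normal web interface flow described here.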
SystemCommand from the formDefineManagement() function. After doing this, it will not be possible to call the function from the web application.

Thanks for reading this article! I hope you could learn something through our research! If you liked what you read, please share and follow us on Twitter at @NeroTeamLabs