CVE-2018-3938
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability.
Tested Versions: Sony IPELA E series G5 firmware 1.87.00
CVSSv3 Score: 9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Sony IPELA Cameras are network-facing cameras used for monitoring and surveillance.
One of the endpoints available on the IPELA cameras is 802dot1xclientcert.cgi. This endpoint is designed to handle everything related to certificate management for 802.1x.
Before processing the incoming data, this endpoint trims the data based on the CONTENT_TYPE header, which it reads via getenv [0].
(fcn) sym.g5::clientcertcgi::trim_stuffed_data
0x00009770 push {r4, r5, r6, r7, r8, sl, lr}
0x00009774 sub sp, sp, 0x440
0x00009778 sub sp, sp, 4
0x0000977c mov sl, r0
0x00009780 ldr r0, [pc, 0x230] ; [0x99b8:4]=0xac1c str.CONTENT_TYPE LEA loc._d_19 ; loc._d_19
0x00009784 mov r7, r1
0x00009788 mov r8, r2
0x0000978c bl sym.imp.getenv [0]
When the CONTENT_TYPE header has been found, the string boundary= is searched for via strstr.
0x00009798 ldr r1, [pc, 0x21c] ; [0x99bc:4]=0xac2c str.boundary=
0x0000979c bl sym.imp.strstr
The length of the data following boundary= is then computed via strlen in preparation for copying the data into a local buffer.
0x000097a8 mov r0, r5 ; Points to the data after boundary=
0x000097ac bl sym.imp.strlen
This data is directly copied to a local buffer via memcpy.
0x000097b4 ldr r3, [pc, 0x204]
0x000097b8 rsb ip, r5, r4
0x000097bc mov r2, sp
0x000097c0 mov r1, r4
0x000097c4 strh r3, [r2], 2
0x000097c8 mov r6, sp
0x000097cc rsb r4, ip, r0
0x000097d0 mov r0, r2
0x000097d4 mov r2, r4
0x000097d8 bl sym.imp.memcpy
Because this strlen length is never checked against the size of the local stack buffer (0x440 bytes, reserved at the start of the function), the memcpy overflows the buffer, resulting in a stack-based buffer overflow. This overflow allows an attacker to remotely execute commands on the device.
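As an added illustration, not code from Sony or from the Talos advisory, the following C is a hypothetical hardened rewrite of the boundary extraction: it keeps the strstr/strlen/memcpy shape seen in the disassembly above but refuses any value that does not fit the 0x440-byte local buffer. The function and demo names, and the constructed headers, are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Size of the local buffer the original function reserves on the stack
   (sub sp, sp, 0x440); it then memcpy()s strlen() bytes into it unchecked. */
#define BOUNDARY_BUF_SIZE 0x440

/* Hypothetical hardened rewrite, not Sony's code: copy the multipart boundary
   from a Content-Type value into a caller-supplied buffer. Returns the
   boundary length, -1 if no boundary is present, or -2 if the value would not
   fit, which is the case the original function never checks. */
int extract_boundary(const char *content_type, char *out, size_t out_size)
{
    if (content_type == NULL || out == NULL || out_size == 0)
        return -1;
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL)
        return -1;
    p += strlen("boundary=");
    /* The boundary ends at ';' or at end of string (quoting not handled). */
    size_t len = strcspn(p, ";");
    /* The missing check: bound the copy by the destination, keep room for NUL. */
    if (len >= out_size)
        return -2;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed well-formed header: the 9-byte boundary "----talos" fits. */
int demo_valid(void)
{
    char buf[BOUNDARY_BUF_SIZE];
    return extract_boundary("multipart/form-data; boundary=----talos; charset=utf-8",
                            buf, sizeof buf);
}

/* Constructed oversized header (0x440 + 63 bytes of 'Z', longer than the
   buffer): rejected with -2 instead of overrunning the stack. */
int demo_oversized(void)
{
    static const char prefix[] = "multipart/form-data; boundary=";
    char buf[BOUNDARY_BUF_SIZE];
    char hdr[sizeof prefix + BOUNDARY_BUF_SIZE + 64];
    size_t plen = strlen(prefix);
    memcpy(hdr, prefix, plen);
    memset(hdr + plen, 'Z', BOUNDARY_BUF_SIZE + 63);
    hdr[plen + BOUNDARY_BUF_SIZE + 63] = '\0';
    return extract_boundary(hdr, buf, sizeof buf);
}
```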
Program received signal SIGSEGV, Segmentation fault.
0x5a5a5a58 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────
*R0 0x0
*R1 0xbe8b8450 ◂— 0x61356135 ('5a5a')
*R2 0xbe8b9453 ◂— 0x0
*R3 0x0
*R4 0x5a5a5a5a ('ZZZZ')
*R5 0x5a5a5a5a ('ZZZZ')
*R6 0x5a5a5a5a ('ZZZZ')
*R7 0x5a5a5a5a ('ZZZZ')
*R8 0x5a5a5a5a ('ZZZZ')
*R9 0x0
*R10 0x5a5a5a5a ('ZZZZ')
*R11 0x0
*R12 0x2d
*SP 0xbe8b88b0 ◂— 0x5a5a5a5a ('ZZZZ')
*PC 0x5a5a5a58 ('XZZZ')
─────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────
Invalid address 0x5a5a5a58
─────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────
00:0000│ sp 0xbe8b88b0 ◂— 0x5a5a5a5a ('ZZZZ')
... ↓
───────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────
► f 0 5a5a5a58
f 1 9800
Program received signal SIGSEGV (fault address 0x37a2)
+pwndbg> hexdump sp
+0000 0xbe8b88b0 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a │ZZZZ│ZZZZ│ZZZZ│ZZZZ│
..
+0040 0xbe8b88f0
2018-06-04 - Vendor disclosure
2018-07-19 - Vendor patched
2018-07-20 - Public Release
Discovered by Cory Duplantis of Cisco Talos.