SSD Advisory – HiSilicon multiple vulnerabilities

Credit to Author: Maor Schwartz | Date: Tue, 21 Feb 2017 07:44:16 +0000

Vulnerabilities Summary
The following advisory describes 2 vulnerabilities found in HiSilicon application-specific integrated circuit (ASIC) chip set firmware.

HiSilicon provides ASICs and solutions for communication network and digital media. These ASICs are widely used in over 100 countries and regions around the world. In the digital media field, HiSilicon has already released the SoC and solution for network surveillance, videophone, DVB and IPTV.

The vulnerabilities found in HiSilicon ASIC firmware are:

  1. Buffer overflow in the built-in web server
  2. Directory path traversal in the built-in web server

The full list of vendors working with HiSilicon is unknown. We managed to identify 55 different vendors, all of which are still vulnerable.

Here are 10 examples of vendors using the HiSilicon application-specific integrated circuit (ASIC) chip set in their products (the full list can be found at the end of this report):

  1. http://www.vacron.com/products_CCTV_dvr.html
  2. http://www.gess-inc.com/gess/dvrs/
  3. http://www.jufenginfo.com/en/product-list.php?cid=10&pid=166&parid=175
  4. http://egpis.co.kr/egpis/product.php?category=AHD&category2=AHD_D
  5. http://optimus-cctv.ru/catalog/ahd-videoregistratory
  6. http://www.clearcftv.com.br/linha.php?l=5&ln=ahd
  7. http://click-cam.com/html2/products.php?t=2
  8. http://www.ccd.dn.ua/ahd-videoregistratory.html
  9. http://www.dhssicurezza.com/tvcc-ahd/dvr-ahd-720p/
  10. http://www.gigasecurity.com.br/subcategoria-gravadores-de-video-dvr

Credit
An independent security researcher, Istvan Toth, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We tried to communicate with the vendor through emails and Twitter over the course of several months, but we were unable to get any response.

Vulnerabilities Details

Buffer overflow in built-in web server

The built-in web server is provided by the binary file Sofia. This binary is vulnerable to a buffer overflow that can be exploited to run shellcode (as root) on the device.

The web server does not check the HTTP GET request size. To exploit the vulnerability, all that is needed is an HTTP GET request whose URL contains “a”*299 + “xxxx”.

Here “xxxx” overwrites the PC register and so controls program flow. The hardware does not enable the NX bit, which makes it possible to execute shellcode placed in the “a”*299 section. However, a stack address leak is needed in order to defeat ASLR.

Directory traversal in the built-in web server
The built-in web server suffers from a directory path traversal vulnerability which can be exploited to leak arbitrary files.

The vulnerability is also in the web server binary Sofia, which runs with root privileges. Exploiting this directory traversal therefore allows reading arbitrary files from the device file system, which makes it easy to bypass ASLR.

The web server does not filter the HTTP GET request path. To exploit the vulnerability, all that is needed is an HTTP GET request containing “../../etc/passwd HTTP”, which reads the file “/etc/passwd”. Furthermore, directory listing is enabled as well.

Proof of Concept
By exploiting the directory traversal in the built-in web server we can obtain the information needed to bypass ASLR and exploit the buffer overflow. The file system mounted at /proc contains a lot of information about running processes, including their memory mappings. Requesting “GET ../../proc/[pid]/maps HTTP” therefore reads the memory mapping of the process whose pid is [pid]. Observing the memory mapping patterns is enough to defeat ASLR, because the offset from the memory map base is the same, even across different firmware versions.
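As an added example (not part of the advisory or the vendor's code), the following Python checks HTTP request lines from a web server log for the request patterns described above: URLs long enough to carry the “a”*299 overflow, traversal sequences (including percent-encoded ones), and reads of /proc/[pid]/maps or /etc/passwd. The log line format, client addresses and the 299-byte threshold are constructed for this example.

```python
import re
from urllib.parse import unquote

# Length of the "a"*299 filler from the advisory; URLs at or above this length
# are flagged as candidate overflow attempts (threshold chosen for this example).
OVERFLOW_URL_LEN = 299
# ".." as a whole path component, e.g. "../../etc/passwd" or "/../x"
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Memory-map reads used in the advisory's ASLR bypass
PROC_MAPS_RE = re.compile(r"/proc/\d+/maps")
# Constructed log format for this example: <client> "<request line>" <status>
LOG_LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3})$')

def classify_request(request_line):
    """Return the findings for one request line of the form 'GET <url> HTTP/1.x'."""
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed-request"]
    url = parts[1]
    decoded = unquote(unquote(url))  # twice, so %252e (double-encoded '.') is caught
    findings = []
    if len(url) >= OVERFLOW_URL_LEN:
        findings.append("overlong-url")
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if PROC_MAPS_RE.search(decoded):
        findings.append("proc-maps-read")
    if "/etc/passwd" in decoded:
        findings.append("etc-passwd-read")
    return findings

def scan_log(lines):
    """Return (client, request_line, findings) for every log line that is flagged."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if m:
            findings = classify_request(m.group(2))
            if findings:
                hits.append((m.group(1), m.group(2), findings))
    return hits

# Constructed sample log: one benign request followed by the advisory's request patterns.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 "GET ../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 "GET ../../proc/1234/maps HTTP/1.1" 200',
    '10.0.0.9 "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200',
    '10.0.0.9 "GET /' + "a" * 299 + 'xxxx HTTP/1.1" 500',
]
```

Running `scan_log(SAMPLE_LOG)` flags the four requests from 10.0.0.9 and leaves the benign one alone; the length check complements the traversal check because the overflow request carries no dot sequences.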

List of vulnerable vendors and products
The following is a long list of vulnerable vendors and devices; it is by no means exhaustive or complete.

  1. http://www.luxvision.com.br/category/dvr-ahd/
  2. http://www.yesccd.com/?products/DigitalVideoRecorder.html
  3. http://www.tvzsecurity.com.br/produtos/31/Stand-Alone
  4. http://showtec.com.br/dv-stand-alone/
  5. http://www.ecotroniccftv.com.br/index.php
  6. http://starligh.com/cctv/grabadoras.html
  7. http://www.activepixel.us/ap-0404-ahd.html
  8. http://j2000.ru/cat/DVR/
  9. http://partizan.global/product/ahd-video-surveillance/ahd-dvrs.html
  10. http://kenik.pl/index.php/tag/rejestrator/
  11. http://www.redebsd.com.br/categoria-25-gravacao-digital
  12. http://www.idvr.com.br/produtos-index/categorias/2374896/dvr___ahd_lancamento.html
  13. http://www.visagems.com.br/prd.asp?idP=1119575
  14. http://www.braskell.com.br/dvr.html
  15. http://www.segvideo.com/segvideo/nvr-hvr.html
  16. http://www.neocam.com.br/cameras-cftv/stand-alone
  17. http://www.venetian.com.br/categoria/dvr-hvr-04-canais/
  18. http://www.cctvkits.co.uk/oyn-x-orpheus-hdtvi-4-channel-dvr-1080p.html
  19. http://ecopower-brasil.com/produto/DVR-HSBS-HSBS%252d3604.html
  20. http://www.vixline.com.br/vitrine-de-produtos/dvrs/
  21. http://aliveelectronics.com.br/category/gravadores-de-video/
  22. http://www.issl.com.hk/CCTV_DVRCYVIEW1.htm
  23. http://idview.com/IDVIEW/Products/DVR/dvr-Analog.html
  24. http://www.vonnic.ca/products376e.html?cat=13
  25. http://polyvision.ru/polyvision/catalog_gibridnye.html
  26. http://altcam.ru/video/hd-videonabludenie/
  27. http://cyfron.ru/catalog/dvr/
  28. http://www.jassun.ru/home/products/f_FormFactor[like]=%D0%92%D0%B8%D0%B4%D0%B5%D0%BE%D1%80%D0%B5%D0%B3%D0%B8%D1%81%D1%82%D1%80%D0%B0%D1%82%D0%BE%D1%80&f_price[from]=2450&f_price[to]=49000&page=1&limit=0
  29. http://www.t54.ru/catalog/videoregistratory/ahd_analogovye_registratory/
  30. http://www.hiview.co.th/index.php?mo=3&art=42195125
  31. http://www.kkmoon.com/usb-fan-271/p-s413-uk.html
  32. http://qvisglobal.com/ahd-tvi-960h-hybrid
  33. https://www.beylerbeyiguvenlik.com.tr/kayitcihazlari-beylerbeyi.html
  34. http://www.novicam.ru/index.php?route=product/product&product_id=429
  35. http://www.espuk.com/uploads/catalogue/HDview%20catalogue%202015.pdf
  36. http://www.ebay.com/itm/SNOWDON-8-CHANNEL-PROFESSIONAL-CCTV-NETWORK-DVR-MACHINE-SYSTEM-H-264-1TB-500GB-/172250300884
  37. http://giraffe.by/catalog/tsifrovye-videoregistratory
  38. http://www.winpossee.com/en/list/?17_1.html
  39. http://tesamed.com.pl/rejestrator-cyfrowy-vtv-n-1016-vtvision-dvr-16-kanalowy-p-532.html
  40. http://hiq-electronics.ru/videoregistratory
  41. http://www.eltrox.pl/catalogsearch/result/?q=easycam+rejestrator&order=v_117002&dir=desc
  42. http://www.x5tech.com.tr/?cmd=UrunListe&GrupNo=265&t=0
  43. http://bigit.ro/dvr-16-canale-hybrid-full-d1-asrock-as-616tel.html
  44. http://secur.ua/videonablyudenie/ustroystva-zapisi/dvr/?brand_vreg=1557
  45. http://www.divitec.ru/videoregistratoryi-divitec-idvr/
