Nozomi Networks Labs has identified a critical RCE vulnerability in the web service of the Annke N48PBB NVR (network video recorder), a device used in the critical infrastructure sector. Triggering the vulnerability causes a stack-based buffer overflow that could allow an unauthenticated remote attacker to access sensitive information and execute arbitrary code.
Exploitation of the RCE (remote code execution) vulnerability might result in the loss of confidentiality, integrity, and availability of the device itself, as well as of the data stored on it, Nozomi Networks said in a blog post. Outcomes could include a loss of employee privacy, a loss of confidentiality regarding valuable assets, or a shutdown of the NVR at will. NVRs are critical network targets, since the compromise of a single device could directly impact the security of the entire IP camera system, it added.
Nozomi shared its discovery of the RCE vulnerability as part of a coordinated disclosure with ICS-CERT, which published an advisory, and Annke released new firmware that fixes the issue. Nozomi Networks disclosed the vulnerability to Annke on Jul. 11, and the company released the fixed firmware by Jul. 22. Andrea Palanca of Nozomi Networks reported the vulnerability to CISA.
Annke manufactures surveillance systems and solutions, producing a variety of IP cameras, NVRs, and accessories. NVRs are essential components of a company’s surveillance system, making them extremely attractive targets for criminals.
Nozomi’s analysis focuses on the Annke N48PBB NVR, which can display and record footage from up to eight Power over Ethernet (PoE) IP security cameras. Among its network services, the N48PBB exposes a web application for interacting with the device and the connected cameras; for instance, it allows watching camera live streams, searching recordings through the playback functionality, and managing users.
The Annke N48PBB NVR playback functionality allows all enabled users (by default, all users) to search the camera footage stored on the NVR. To do so, the client sends an HTTP request. While fuzzing every field of that HTTP request for security vulnerabilities, Nozomi noticed that sending a start time with trailing arbitrary characters, such as ‘AAAAAAAAAA…,’ immediately caused the device to close the connection (without even sending an HTTP response) and reboot. Later tests proved that the condition was systematically reproducible: a denial-of-service (DoS) vulnerability had been found.
“This behavior is a strong hint of an underlying memory corruption issue, which could lead to more severe impacts. We then proceeded to analyze the vulnerability from the device standpoint, to precisely isolate the vulnerable function and assess the feasibility of other attack scenarios,” Nozomi said.
The Annke web interface allows enabling an SSH service on the device, which provides access to a restricted set of commands, Nozomi said. Obtaining fully unrestricted SSH access, which was needed to properly debug the system, required intervening directly at the hardware level, in three steps: the firmware was extracted by physically attaching to the device’s onboard memory; the firmware was modified to disable all SSH restrictions and to add several debugging tools; and the modified firmware was written back to the device’s memory, it added.
This allowed fully unrestricted SSH access to the device and access to the onboard tools needed to locate the root cause of the issue, according to Nozomi.
After identifying the binary that handles the web interactions with the device, ‘gdbserver’ was attached to it on the NVR and program execution was debugged with IDA. This led to the discovery of the vulnerable function: a ‘sscanf’ call that writes the string of characters received from the input into a limited-size buffer on the stack, causing a stack-based buffer overflow.
Nozomi noticed that the function’s return address is located almost immediately after the buffer, and that no stack canaries (special random values used to detect memory corruption attacks on the stack) or any other checks are verified before the jump to that address. A quick look at the output of ‘ps’ confirmed that the binary runs with root privileges on the device, it added.
This means that the memory corruption bug, initially classified as a DoS, is actually an RCE vulnerability with root privileges. If exploited, this vulnerability could potentially lead to a full compromise of the device. As the search functionality is accessible by all users of the device by default, the vulnerability could be exploited (on unpatched NVRs) directly by malicious operators, or users, to elevate their privileges on the system.
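To make the defect concrete, the following is an added illustration written for this article, not Annke’s firmware code or anything Nozomi published: a hypothetical start-time parser with the unbounded ‘sscanf’ pattern described above, beside a hardened version that rejects over-long input, bounds the conversion, and validates the syntax. The compact 14-digit timestamp format and the 16-byte buffer are assumptions, since the article does not give the real request format.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: a compact "YYYYMMDDhhmmss" timestamp (14 chars) in a 16-byte
 * stack buffer. Neither value comes from the article; both are illustrative. */
#define TIME_LEN 14
#define TIME_BUF 16

/* Vulnerable pattern (illustrative, never use with untrusted input): a bare "%s"
 * has no width limit, so sscanf copies the whole token into the 16-byte stack
 * buffer. A start time with trailing characters such as "AAAAAAAAAA..." runs past
 * the buffer and, with no stack canary, over the saved return address. */
int parse_start_time_vulnerable(const char *field)
{
    char buf[TIME_BUF];
    return sscanf(field, "%s", buf) == 1;
}

/* Hardened version: reject over-long input before parsing, bound the conversion
 * with an explicit width, and validate the syntax. Returns 1 and fills 'out'
 * on success, 0 on any rejection. */
int parse_start_time_safe(const char *field, char *out, size_t outlen)
{
    char buf[TIME_BUF];
    if (field == NULL || out == NULL || outlen < TIME_BUF)
        return 0;
    /* No terminating NUL within the first 16 bytes means the field is too long. */
    if (memchr(field, '\0', TIME_BUF) == NULL)
        return 0;
    /* "%15s" caps the copy at 15 chars plus NUL even if the check above were lost. */
    if (sscanf(field, "%15s", buf) != 1)
        return 0;
    /* A well-formed timestamp is exactly 14 digits; anything else is malformed. */
    if (strlen(buf) != TIME_LEN)
        return 0;
    for (size_t i = 0; i < TIME_LEN; i++)
        if (buf[i] < '0' || buf[i] > '9')
            return 0;
    memcpy(out, buf, TIME_LEN + 1);
    return 1;
}
```

The same over-long start time that crashed the NVR is simply rejected by the hardened parser before it reaches the stack buffer.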
Furthermore, as no anti-CSRF (Cross-Site Request Forgery) mitigations were found in the functionality, the vulnerability could be exploited indirectly by external attackers in ‘drive-by download’ attacks, according to Nozomi. It is sufficient for an administrator, operator, or user to browse a specially crafted webpage while logged in to the web interface of the device to potentially cause the execution of external malicious code on the device itself, it added.
Annke recommends that users update to the latest firmware version. Nozomi Networks has released specific updates to its Threat Intelligence service to detect exploitation attempts against the vulnerability.