The remote code-execution vulnerability has been confirmed in the Samsung SmartCam SNH-1011. The flaw allows attackers to inject commands into a Web interface built into the devices. The bug resides in PHP code responsible for updating a video monitoring system known as iWatch. It stems from the failure to properly filter malicious input included in the name of uploaded files. As a result, attackers who know the IP address of a vulnerable camera can exploit the vulnerability to inject commands that are executed with unfettered root privileges.
“The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call,” the researchers wrote in a blog post published to the Exploitee.rs website. “Because the webserver runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within the achieve root remote command execution.”
The researchers provided more technical details here and also included the following video demonstration:
Down this road before
It’s not the first time researchers have targeted the Web interface used to manage Samsung cameras to achieve root access. A few years ago, the same group of researchers showed how they could abuse the interface to change the administrator password. In response, the manufacturer took steps to remove access to the interface, a move that required owners to use a smartphone connecting to the Samsung SmartCloud website to manage their devices. Many users who found the Web-based management tool more convenient than the cloud tool took the removal as an affront.
It turns out that the PHP functions driving the iWatch monitoring system were left untouched, the researchers discovered. Their exploit first restores the interface and then exploits vulnerabilities in it to gain root access.
It’s only the latest critical vulnerability to hit an Internet-connected camera. Over the past 16 months, the Internet of things—the name given to everyday appliances that are given network-management capabilities—has emerged as one of the weakest parts of the Internet ecosystem. Among other things, the devices are becoming the engines that run next-generation botnets attacks that a few years ago were almost unimaginable. As the Samsung SmartCam exploit demonstrates, Internet-of-things insecurities also pose a major security and privacy threat to owners.
People who use a Samsung camera can download a DIY patch released by the researchers, but that remedy will understandably be unsuitable for those who don’t want to run untrusted code on their devices. It may also be possible to mitigate the vulnerability by keeping the devices behind a network firewall.