[CVE-2022-38399 / CVE-2017-12576] SmaCam CS-QR10 and SmaCam Night Vision CS-QR20 vulnerability report.

Product Description: 产品描述：

The Planex CS-QR10 smart camera (aka Sumakame) and the Planex CS-QR20 (aka Sumakame Night Vision) are network camera that allows to easily view camera images from a smartphone using a dedicated app.
Planex CS-QR10 智能相机（又名 Sumakame）和 Planex CS-QR20（又名 Sumakame 夜视）是网络相机，允许使用专用应用程序轻松查看智能手机上的相机图像。

Affected Products: 受影响的产品：

• All Planex CS-QR10 devices from version 1.36 and under
  所有 Planex CS-QR10 及以下版本 1.36 的设备
• All Planex CS-QR20 devices from version 1.34 and under.
  所有 Planex CS-QR20 1.34 及以下版本的设备。

Vulnerability Summary: 漏洞摘要：

[CVE-2022-38399] – Missing Protection Mechanism for Alternate Hardware Interface (CWE-1299).
[CVE-2022-38399] – 缺少备用硬件接口的保护机制 （CWE-1299）。
Both Planex CS-QR10 and CS-QR20 smart camera devices were discovered to contain insecure protections for its UART console. This vulnerability allows a local attacker to connect to the UART port via a serial connection which allows command execution as the root user without authentication.
Planex CS-QR10 和 CS-QR20 智能相机设备都被发现包含对其 UART 控制台的不安全保护。此漏洞允许本地攻击者通过串行连接连接到 UART 端口，从而允许以 root 用户身份执行命令而无需身份验证。

[CVE-2017-12576] – OS Command Injection via Hidden Functionality (CWE-912).
[CVE-2017-12576] – 通过隐藏功能注入操作系统命令 （CWE-912）。
After reverse engineering the device’s firmware, it was discovered that a hidden functionality exists using /goform/SystemCommand which is located in the binary file /bin/boa. This allows an attacker the ability to execute Linux commands on the device with root privileges. This allows an attacker to have access to all the system files. It is also possible to change the root password which gives another way for an attacker to gain full access on the device. This issue affects all Planex CS-QR10 smart camera devices from version 1.36 and under as well as Planex CS-QR20 smart camera devices from version 1.34 and under.
对设备的固件进行逆向工程后，发现存在隐藏功能，该功能位于 /goform/SystemCommand 二进制文件中 /bin/boa 。这允许攻击者以 root 权限在设备上执行 Linux 命令。这允许攻击者访问所有系统文件。也可以更改 root 密码，这为攻击者提供了另一种获得设备完全访问权限的方法。此问题会影响所有 Planex CS-QR10 智能相机设备及以下版本 1.36 ，以及 Planex CS-QR20 智能相机设备 1.34 。

Reproduction Steps: 繁殖步骤：

1.Missing Protection Mechanism for Alternate Hardware Interface (CWE-1299).
1.缺少备用硬件接口保护机制（CWE-1299）。
After opening the case of the camera, we found the UART port on the motherboard. As pins to connect to it were already soldered, we simply plugged in a serial cable to the UART port to connect to the device.
打开相机外壳后，我们在主板上找到了UART端口。由于连接它的引脚已经焊接好，我们只需将串行电缆插入 UART 端口即可连接到设备。

After a few seconds upon turning on the camera, we see that we have access to the U-Boot boot loader interface.
打开相机几秒钟后，我们看到我们可以访问 U-Boot 引导加载程序界面。


After waiting approximately one minute, we then have access to the shell with admin rights.
等待大约一分钟后，我们就可以使用管理员权限访问 shell。

2.OS Command Injection via Hidden Functionality (CWE-912).
2.通过隐藏功能（CWE-912）注入操作系统命令。
Once logged in to the web administration interface using the default credentials admin:password, it is possible to execute a POST request to a hidden endpoint /goform/SystemCommand, witch allows an attacker the ability to execute any Linux commands as the root user. For example, in the following screenshot below we were able to open the telnet port.
一旦使用默认凭据 admin:password 登录到 Web 管理界面，就可以对隐藏的端点执行 POST 请求 /goform/SystemCommand ，女巫允许攻击者以 root 用户身份执行任何 Linux 命令。例如，在下面的屏幕截图中，我们能够打开 telnet 端口。

After completing this step, we could then login to the system as the admin user (root privileges).
完成此步骤后，我们可以以管理员用户（root 权限）身份登录系统。

Recommendation Fixes / Remediation:
建议修复/修正：

• Vulnerability 1: Disable/Remove the UART port entirely for production devices or use a hard soldering bulb to completely disable the UART port. If you want to keep the UART port open, require entering a password to login to the U-boot interface and avoid grouping the UART pins together.
  漏洞 1：完全禁用/移除生产设备的 UART 端口，或使用硬焊灯完全禁用 UART 端口。如果要保持UART端口打开，则需要输入密码才能登录U-boot接口，并避免将UART引脚组合在一起。
• Vulnerability 2: Remove/disable completely SystemCommand from the formDefineManagement() function. After doing this, it will not be possible to call the function from the web application.
  漏洞 2：从 formDefineManagement() 函数中完全 SystemCommand 删除/禁用。执行此操作后，将无法从 Web 应用程序调用该函数。
  
  

Reference: 参考：

• https://jvn.jp/en/vu/JVNVU90766406/index.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38399
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12576

Thanks for reading this article! I hope you could learn something through our research! If you liked what you read, please share and follow us on twitter at @NeroTeamLabs
感谢您阅读本文！我希望您能通过我们的研究学到一些东西！如果您喜欢您阅读的内容，请在 Twitter 上分享并关注我们 @NeroTeamLabs

Security researchers 安全研究人员

• Thomas Knudsen (@Knudsec)
  托马斯·克努森 （ @Knudsec）
• Samy Younsi (@0xSamy_)
  萨米·尤恩斯 （ @ 0xSamy _）

原文始发于NSLabs：[CVE-2022-38399 / CVE-2017-12576] SmaCam CS-QR10 and SmaCam Night Vision CS-QR20 vulnerability report.