CVE-2017-13719

Amcrest IPM-721S Credential Disclosure / Privilege Escalation

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 allows HTTP requests that permit enabling various functionalities of the camera by using HTTP APIs, instead of the web management interface that is provided by the application. This HTTP API receives the credentials as base64 encoded in the Authorization HTTP header. However, a missing length check in the code allows an attacker to send a string of 1024 characters in the password field, and allows an attacker to exploit a memory corruption issue. This can allow an attacker to circumvent the account protection mechanism and brute force the credentials. If the firmware version Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 is dissected using the binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device that has many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that performs the credential check in the binary for the HTTP API specification. If we open this binary in IDA Pro we will notice that this follows an ARM little-endian format. The function at address 00415364 in IDA Pro starts the HTTP authentication process. This function calls another function at sub_ 0042CCA0 at address 0041549C. This function performs a strchr operation after base64 decoding the credentials, and stores the result on the stack, which results in a stack-based buffer overflow.

El Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 permite solicitudes HTTP que permiten habilitar varias funcionalidades de la cámara mediante API HTTP, en lugar de la interfaz de administración web que proporciona la aplicación. Esta API HTTP recibe las credenciales como base64 codificada en el encabezado HTTP de Autorización. Sin embargo, una verificación de longitud faltante en el código le permite a un atacante enviar una cadena de 1024 caracteres en el campo de contraseña, y le permite a un atacante aprovechar un problema de corrupción de memoria. Esto puede permitir a un atacante eludir el mecanismo de protección de la cuenta y forzar las credenciales. Si la versión del firmware Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 se diseca con la herramienta binwalk, se obtiene un archivo _user-x.squashfs.img.extracted que contiene el sistema de archivos configurado en el dispositivo que tiene muchos de Los binarios en la carpeta / usr. El "sonia" binario es el que tiene la función vulnerable que realiza la comprobación de credenciales en el binario para la especificación de la API HTTP. Si abrimos este binario en IDA Pro, notaremos que esto sigue un formato ARM little-endian. La función en la dirección 00415364 en IDA Pro inicia el proceso de autorización HTTP. Esta función llama a otra función en sub_ 0042CCA0 en la dirección 0041549C. Esta función realiza una operación strchr después de que la base64 decodifique las credenciales, y almacena el resultado en la pila, lo que resulta en un desbordamiento de búfer stack-based.

Amcrest IPM-721S suffers from credential disclosure, privilege escalation, and a long list of other vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-08-28 CVE Reserved
2019-06-07 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (3)

URL	Tag	Source
http://packetstormsecurity.com/files/153224/Amcrest-IPM-721S-Credential-Disclosure-Privilege-Escalation.html	Third Party Advisory
https://seclists.org/bugtraq/2019/Jun/8	Mailing List

URL	Date	SRC
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Amcrest_sec_issues.pdf	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Amcrest Search vendor "Amcrest"	Ipm-721s Firmware Search vendor "Amcrest" for product "Ipm-721s Firmware"	amcrest_ipc-awxx_eng_n_v2.420.ac00.17.r.20170322 Search vendor "Amcrest" for product "Ipm-721s Firmware" and version "amcrest_ipc-awxx_eng_n_v2.420.ac00.17.r.20170322"	-	Affected	in	Amcrest Search vendor "Amcrest"	Ipm-721s Search vendor "Amcrest" for product "Ipm-721s"	-	-	Safe