Samsung SmartCam IP cameras are affected by a severe remote command execution flaw that can be exploited to hijack vulnerable devices, researchers have warned.
Samsung Electronics sold its security division, Samsung Techwin, to South Korean conglomerate Hanwha Group in 2014. However, Hanwha’s SmartCam products are still branded as “Samsung.”
Back in 2014, researchers at Exploitee.rs disclosed some SmartCam exploits that could have been used to execute arbitrary commands and change a device’s administrator password. A few months ago, Pen Test Partners also reported discovering nearly a dozen security issues in these products.
The vendor addressed most of the flaws by disabling SSH and local access to the web interface – users can now view and manage their videos via the SmartCloud online service. However, Exploitee.rs has once again analyzed the cameras and discovered a way to enable the telnet service and the local web interface.
This is possible due to a command injection vulnerability in a set of scripts that were not removed by the vendor. These scripts, associated with the iWatch webcam monitoring service, provide firmware update functionality.
“The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call,” researchers explained. “Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.”
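The pattern the researchers describe, a user-supplied filename concatenated into a tar command line that goes to system(), is shown below next to a hardened form. This is an added example, not the iWatch script and not Exploitee.rs code; the function names, directories and sample filenames are hypothetical and constructed for illustration, and the code only builds and prints command strings without running them.

```php
<?php
// Added illustration; NOT the vendor's install.php. All names are hypothetical.

const UNPACK_DIR = '/tmp/fw_unpack';   // assumed extraction directory

// Vulnerable pattern: the filename goes into the command line verbatim, so any
// shell metacharacter in it is interpreted by the shell that system() starts.
function build_tar_command_unsafe(string $uploadDir, string $filename): string
{
    return 'tar -xf ' . $uploadDir . '/' . $filename . ' -C ' . UNPACK_DIR;
}

// Hardened pattern: allowlist the name first, then quote every argument.
// Returns null when the name is rejected.
function build_tar_command_safe(string $uploadDir, string $filename): ?string
{
    // Plain basename only: must start with an alphanumeric (no leading "-" or
    // "."), no slashes, conservative character set, and a .tar suffix.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.tar\z/', $filename)) {
        return null;
    }
    $path = $uploadDir . '/' . $filename;
    // escapeshellarg() wraps the value in single quotes so the shell treats it
    // as one literal argument even if validation were ever loosened.
    return 'tar -xf ' . escapeshellarg($path) . ' -C ' . escapeshellarg(UNPACK_DIR);
}

// Constructed sample inputs: one legitimate name and four that must be refused.
$samples = [
    'firmware_1.2.tar',   // accepted
    'fw.tar; id',         // command separator
    'fw$(id).tar',        // command substitution
    '../etc/x.tar',       // path traversal
    '-x.tar',             // would be parsed by tar as an option
];

foreach ($samples as $name) {
    $safe = build_tar_command_safe('/tmp/uploads', $name);
    printf("%-18s unsafe: %s\n", $name, build_tar_command_unsafe('/tmp/uploads', $name));
    printf("%-18s safe:   %s\n", '', $safe ?? 'REJECTED');
}
```

Input validation limits what reaches the shell, but it does not change the other condition named in the quote: a web server running as root turns any remaining injection into full device compromise, so running the service under an unprivileged account is a separate, complementary control.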
Exploitee.rs has published proof-of-concept (PoC) code for the vulnerability and has shared a workaround that involves executing a command after exploiting the flaw itself. An official fix does not appear to be available, and researchers have warned that enabling the web interface reintroduces some of the older weaknesses.
The exploit has been confirmed to work on the SNH-1011 model, but experts believe all Samsung SmartCam devices are affected.
Vulnerable IP cameras are a tempting target for Internet of Things (IoT) botnets. Critical flaws that are easy to exploit have been found in many products and, in some cases, the devices don’t include any firmware update capabilities, which makes them impossible to patch.