{"id":6709,"date":"2017-02-21T14:19:15","date_gmt":"2017-02-21T22:19:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/21\/news-526\/"},"modified":"2017-02-21T15:03:18","modified_gmt":"2017-02-21T23:03:18","slug":"news-526","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/21\/news-526\/","title":{"rendered":"SSD Advisory \u2013 HiSilicon multiple vulnerabilities"},"content":{"rendered":"

Credit to Author: Maor Schwartz| Date: Tue, 21 Feb 2017 07:44:16 +0000<\/strong><\/p>\n

\n

Vulnerabilities Summary<\/strong>
The following advisory describes 2 vulnerabilities found in HiSilicon application-specific integrated circuit (ASIC) chip set firmware.<\/p>\n

HiSilicon provides ASICs and solutions for communication network and digital media. These ASICs are widely used in over 100 countries and regions around the world. In the digital media field, HiSilicon has already released the SoC and solution for network surveillance, videophone, DVB and IPTV.<\/p>\n

The vulnerabilities found in HiSilicon ASIC firmware are:<\/p>\n

    \n
  1. Buffer overflow in built-in webserver<\/li>\n
  2. Directory path traversal built-in webserver<\/li>\n<\/ol>\n

    The list of vendors working with HiSilicon is unknown. We manage to identify 55 different vendors, all of them are still vulnerable.<\/p>\n

    Here is example of 10 vendors using the HiSilicon application-specific integrated circuit (ASIC) chip set in their products (the full list can be found in the end of this report): <\/p>\n

      \n
    1. http:\/\/www.vacron.com\/products_CCTV_dvr.html<\/li>\n
    2. http:\/\/www.gess-inc.com\/gess\/dvrs\/<\/li>\n
    3. http:\/\/www.jufenginfo.com\/en\/product-list.php?cid=10&pid=166&parid=175<\/li>\n
    4. http:\/\/egpis.co.kr\/egpis\/product.php?category=AHD&category2=AHD_D<\/li>\n
    5. http:\/\/optimus-cctv.ru\/catalog\/ahd-videoregistratory<\/li>\n
    6. http:\/\/www.clearcftv.com.br\/linha.php?l=5&ln=ahd<\/li>\n
    7. http:\/\/click-cam.com\/html2\/products.php?t=2<\/li>\n
    8. http:\/\/www.ccd.dn.ua\/ahd-videoregistratory.html<\/li>\n
    9. http:\/\/www.dhssicurezza.com\/tvcc-ahd\/dvr-ahd-720p\/<\/li>\n
    10. http:\/\/www.gigasecurity.com.br\/subcategoria-gravadores-de-video-dvr<\/li>\n<\/ol>\n

      Credit<\/strong>
      An independent security researcher Istvan Toth has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program<\/p>\n

      Vendor response<\/strong>
      We tried to communicate with the vendor through emails and twitter, over the course of several months, we were unable to get any response.<\/p>\n

      <\/span><\/p>\n

      Vulnerabilities Details<\/strong><\/p>\n

      Buffer overflow in built-in web server<\/u><\/p>\n

      The built-in web server is provided by the binary file Sofia<\/em>, this binary is vulnerable to a buffer overflow and can be exploited to run shellcode (as root) on the device.<\/p>\n

      The web server does check the HTTP GET<\/em> request size. To exploit the vulnerability, all you need to do is craft an HTTP GET<\/em> request with an URL that contains “a”*299<\/em> + “xxxx<\/em>” in it.<\/p>\n

      Where “xxxx<\/em>” controls PC register (program flow). The hardware does not enable the NX bit<\/em>, which makes it possible to execute the shellcode found in the “a”*299<\/em> section. However, a stack address leak is needed in order to defeat ASLR.<\/p>\n

      Directory traversal built-in web server<\/u>
      The built-in web server suffers from a directory path traversal vulnerability which can be exploited to leak arbitrary files. <\/p>\n

      The vulnerability is also found in the web server binary Sofia<\/em><\/code> which is running with root privileges, therefore, exploiting this directory traversal can be used to read from device file system – which makes it easy to bypass the ASLR.<\/p>\n

      The web server do not filter HTTP GET<\/em> request. To exploit the vulnerability, all you need to do is to craft HTTP GET<\/em> request with “..\/..\/etc\/passwd HTTP<\/em>” to read file “\/etc\/passwd<\/em>“. Furthermore, dir listing is enabled as well.<\/p>\n

      Proof of Concept<\/u>
      By exploiting the directory traversal built-in web server we can bypass ASLR needed to exploit the buffer overflow. The file system located at \/proc<\/em> contains a lot of information about running processes, e.g. contains memory mappings. Therefore requesting “GET ..\/..\/proc\/[pid]\/maps HTTP” will read the memory mapping of process whose pid is [pid]. By observing the memory mapping patterns it is enough to defeat ASLR (offset from mem<\/em> map base is the same, even in different versions).<\/p>\n<\/p>\n

      \t\t<\/p>\n

      \n
      <\/span> \t\t\t<\/p>\n
      \n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n
      \n
      <\/div>\n<\/div>\n<\/div>\n<\/div>\n
      <\/div>\n