Advisory: Multiple Vulnerabilities in the GNCC GC2 Indoor Security Camera

The product is affected by multiple vulnerabilities that allow an attacker with
physical access to the device to extract Wi-Fi credentials and access an
administrative shell.


Details
=======

Affected Product: GNCC GC2 Indoor Security Camera
Affected Versions: no version specified by the vendor
Vulnerability Types: Exposed UART Port Transmits Wi-Fi Credentials, Interactive Shell Login Prompt Bypass, Same Root Password on All Devices
Security Risk: MEDIUM
Vendor Status: NOT ACKNOWLEDGED
Fixed Version: none
Advisory Status: PUBLISHED
Advisory URL: https://www.nsideattacklogic.de/advisories/NSIDE-SA-2024-001
Advisory URL (text only): https://www.nsideattacklogic.de/advisories/NSIDE-SA-2024-001.txt
CVE IDs: CVE-2024-31798, CVE-2024-31799, and CVE-2024-31800


Introduction
============

During security research NSIDE discovered multiple vulnerabilities in the GC2
Indoor Security Camera sold by GNCC. These vulnerabilities are of medium
severity and are only exploitable by an attacker with physical access to the
camera. NSIDE notified the vendor but did not receive any acknowledgement of the
vulnerabilities and is therefore publishing this advisory.


Description
===========

Exposed UART Port Transmits Wi-Fi Credentials:

The device exposes a UART port that transmits the clear text Wi-Fi credentials
during the boot process of the device. No authentication is required to view
this information.


Interactive Shell Login Prompt Bypass:

The UART port drops into an interactive shell after entering a username and
password. This password prompt can be bypassed by changing the device's
bootloader settings. To exploit this vulnerability the following steps are
required:

1. Connect to the device's UART port while the device is switched off.
2. Switch on the device and continuously press the [RETURN] key until the device drops into its bootloader settings.
3. Enter the following command to change the boot settings:

------------------------------------------------------------------------
setenv boot_normal env set bootargs console=ttySAK0,115200n8 root=/dev/mtdblock5 rootfstype=squashfs init=/bin/sh ${mtdparts} ${mem} ${memsize}\; run read_kernel\; bootm ${loadaddr} - ${fdtcontroladdr}
------------------------------------------------------------------------

4. Continue the boot process by running the `run boot_normal` command, booting
the device directly into a root shell.


Same Root Password on All Devices:

The administrative command line gained from the previous vulnerability enables
an attacker to view the `/etc/shadow` file. This revealed the same hash for the
root user account on two separate devices. This leads to the conclusion that all
devices are set up with the same root password.
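As an added fleet check, not tooling from NSIDE or GNCC: the script below compares the root password field of `/etc/shadow` across several devices and reports fields that recur verbatim, which is the observation behind the conclusion above. Device names and hashes are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample input: /etc/shadow contents captured from three
# hypothetical cameras. The hashes are made up; the advisory publishes none.
SAMPLE_SHADOW = {
    "camera-A": "root:$1$abcdefgh$3Qfz0t9zP7yF1xkH5lQkJ/:19000:0:99999:7:::\n"
                "nobody:*:19000:0:99999:7:::\n",
    "camera-B": "root:$1$abcdefgh$3Qfz0t9zP7yF1xkH5lQkJ/:19000:0:99999:7:::\n",
    "camera-C": "root:$6$zyxwvutsrqponmlk$Xk2n7jPq9Lm4Rt8Vw1Ys6./:19000:0:99999:7:::\n",
}

# crypt(3) scheme identifiers (the token between the first two '$').
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
CRYPT_RE = re.compile(r"^\$([^$]+)\$")

def parse_shadow(text):
    """Map account name -> password field for one device's /etc/shadow."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = fields[1]
    return entries

def crypt_scheme(password_field):
    """Name the hashing scheme of a crypt(3) string, or 'unknown'."""
    m = CRYPT_RE.match(password_field)
    return SCHEMES.get(m.group(1), "unknown") if m else "unknown"

def find_shared_hashes(devices, account="root"):
    """Return [(password_field, [device names])] for fields seen on >1 device.

    crypt(3) draws a fresh random salt whenever a password is set, so an
    identical full string (scheme, salt and digest) on several devices means
    one password was baked into the firmware image, not set per device.
    Locked ('!', '*') and empty fields carry no hash and are skipped.
    """
    groups = defaultdict(list)
    for name, text in devices.items():
        field = parse_shadow(text).get(account)
        if field and not field.startswith(("!", "*")):
            groups[field].append(name)
    return sorted((f, sorted(n)) for f, n in groups.items() if len(n) > 1)

if __name__ == "__main__":
    for field, names in find_shared_hashes(SAMPLE_SHADOW):
        print(f"{crypt_scheme(field)} hash shared by {', '.join(names)}: {field}")
```

A weak scheme such as md5crypt on a shared hash is the case the Risk section describes: one offline crack opens every device.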


NSIDE decided to publish the vulnerabilities, since the vendor did not implement
any remediation several months after being notified.


Risk
====

Exposed UART Port Transmits Wi-Fi Credentials:

If these cameras are used by small businesses or in private homes, an attacker
with physical access to the camera can obtain the credentials to the wireless
network the camera is connected to. This could allow them to attack other
devices in the network.

The Common Vulnerability Scoring System (CVSS) v3.1 rates this as a medium
criticality vulnerability (5.1/10).


Interactive Shell Login Prompt Bypass:

This vulnerability allows an attacker with physical access to gain full control
over the camera and to potentially backdoor it to interfere with its operations.
Furthermore, this allows attackers to efficiently analyze the device to identify
further vulnerabilities.

The Common Vulnerability Scoring System (CVSS) v3.1 rates this as a medium
criticality vulnerability (6.0/10).


Same Root Password on All Devices:

Although NSIDE was unable to recover the plain text password from this hash, it
is in theory crackable. If an attacker cracks the password, they can gain root
access over the UART connection to any camera they have physical access to,
without disrupting its power supply.

The Common Vulnerability Scoring System (CVSS) v3.1 rates this as a medium
criticality vulnerability (6.0/10).

Solution/Mitigation
===================

Since the vendor did not acknowledge these vulnerabilities, no official patch is
available.

NSIDE recommends the following measures:

- Restrict physical access to these cameras as much as possible.
- Only connect these cameras to an isolated Wi-Fi network.

Disclosure timeline
===================

22.03.2024: Contacted vendor to ask for an encrypted channel to report the vulnerabilities, with a deadline of two weeks.
03.04.2024: Shared report via unencrypted email, because vendor did not meet the deadline. Start of 60-day deadline to respond.
04.06.2024: Reported vulnerabilities to CERT/CC.
04.06.2024: Asked vendor to acknowledge the finding.
06.06.2024: CERT/CC informed us that they won't take action.
11.06.2024: Reported vulnerabilities to the BSI (German Federal Office for Information Security).
24.06.2024: Received generic support ticket response by GNCC.
25.06.2024: GNCC closed the support ticket and asked for participation in customer satisfaction survey.
28.06.2024: Shared full report with the BSI.
26.07.2024: BSI acknowledged that they tried to contact GNCC multiple times, but did not get any response.
06.08.2024: Publication of the advisory.



Contact/Credits
===============

The vulnerabilities were discovered during security research by Martin Steil and
Paul Zenker of NSIDE ATTACK LOGIC GmbH.


Disclaimer
==========

The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated in order
to provide as accurate information as possible. The most recent version of this
security advisory can be found at NSIDE ATTACK LOGIC GmbH's website
(https://www.nsideattacklogic.de/).