The product is affected by multiple vulnerabilities that allow an attacker with physical access to the device to extract Wi-Fi credentials and access an administrative shell.

Introduction

During security research, NSIDE discovered multiple vulnerabilities in the GC2 Indoor Security Camera sold by GNCC. These vulnerabilities are of medium severity and are only exploitable by an attacker with physical access to the camera. NSIDE notified the vendor but did not receive any acknowledgement of the vulnerabilities and is therefore publishing this advisory.

Description

Exposed UART Port Transmits Wi-Fi Credentials:

The device exposes a UART port that transmits the clear text Wi-Fi credentials during the boot process of the device. No authentication is required to view this information.

Interactive Shell Login Prompt Bypass:

The UART port drops into an interactive shell after entering a username and password. This password prompt can be bypassed by changing the device's bootloader settings. To exploit this vulnerability the following steps are required:

1. Connect to the device's UART port while the device is switched off.
2. Switch on the device and continuously press the [RETURN] key until landing in the bootloader settings.
3. Enter the following command to change the boot settings:

------------------------------------------------------------------------
setenv boot_normal env set bootargs console=ttySAK0,115200n8 root=/dev/mtdblock5 rootfstype=squashfs init=/bin/sh $ $ $\; run read_kernel\; bootm $ - $
------------------------------------------------------------------------

4. Continue the boot process by running the `run boot_normal` command, booting the device directly into a root shell.
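As an added, defender-side example that is not part of NSIDE's advisory: a hypothetical Python audit of a U-Boot `printenv` dump that flags the two settings the chain above relies on, an autoboot that can be interrupted from the UART prompt and boot variables that hand the kernel `init=/bin/sh`. The sample environment is constructed for illustration, and the function names are assumptions, not anything from the GC2 firmware.

```python
import re

# Constructed sample in `printenv` layout, not a dump from the GC2. The
# boot_normal value mirrors the shape of the override in the advisory.
SAMPLE_ENV = """\
bootdelay=3
bootcmd=run boot_normal
boot_normal=env set bootargs console=ttySAK0,115200n8 root=/dev/mtdblock5 rootfstype=squashfs init=/bin/sh; run read_kernel; bootm
read_kernel=sf read 0x40000000 0x100000 0x300000
"""

SHELL_INIT = re.compile(r"\binit=(/bin/(?:a?sh|bash))\b")
SERIAL_CONSOLE = re.compile(r"\bconsole=(ttyS\w*)")


def parse_env(dump: str) -> dict:
    """Turn `key=value` lines into a dict; U-Boot values may themselves contain '='."""
    env = {}
    for line in dump.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env


def audit_uboot_env(dump: str) -> list:
    """Return one human-readable finding per risky setting (empty list = nothing flagged)."""
    env = parse_env(dump)
    findings = []
    delay = env.get("bootdelay")
    # In U-Boot only bootdelay=-2 boots without checking for an abort key;
    # -1 always stops at the prompt, 0 and above still honour a key press.
    if delay != "-2":
        findings.append(f"bootdelay={delay}: autoboot can be interrupted from the UART prompt")
    for key, value in env.items():
        m = SHELL_INIT.search(value)
        if m:
            findings.append(f"{key}: bootargs hand the kernel a shell as init ({m.group(1)})")
        m = SERIAL_CONSOLE.search(value)
        if m:
            findings.append(f"{key}: kernel console on {m.group(1)}, boot output is readable on the UART")
    return findings


if __name__ == "__main__":
    for finding in audit_uboot_env(SAMPLE_ENV):
        print("[!]", finding)
```

Run it against the output of `printenv` (or `fw_printenv` from a running system) to see which of the three conditions a device exposes; a clean result only means these particular variables are safe, not that the bootloader is locked down.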

Same Root Password on all Devices:

The administrative command line gained from the previous vulnerability enables an attacker to view the `/etc/shadow` file. This revealed the same hash for the root user account on two separate devices. This leads to the conclusion that all devices are set up with the same root password.

NSIDE decided to publish the vulnerabilities, since the vendor did not implement any remediation several months after being notified.

Risk

Exposed UART Port Transmits Wi-Fi Credentials:

If these cameras are used by small businesses or in private homes, an attacker with physical access to the camera can obtain the credentials to the wireless network the camera is connected to. This could allow them to attack other devices in the network.

The Common Vulnerability Scoring System (CVSS) v3.1 rates this as a medium criticality vulnerability (5.1/10).

Interactive Shell Login Prompt Bypass:

This vulnerability allows an attacker with physical access to gain full control over the camera and to potentially backdoor it to interfere with its operations. Furthermore, this allows attackers to efficiently analyze the device to identify further vulnerabilities.

The Common Vulnerability Scoring System (CVSS) v3.1 rates this as a medium criticality vulnerability (6.0/10).

Same Root Password on All Devices:

Although NSIDE was unable to recover the plain text password from this hash, it is in theory crackable, and if an attacker cracks the password, they can gain root access to any camera they have physical access to, without disrupting its power supply. This can be achieved using the UART connection.

The Common Vulnerability Scoring System (CVSS) v3.1 rates this as a medium criticality vulnerability (6.0/10).

Solution/Mitigation

Since the vendor did not acknowledge these vulnerabilities, no official patch is available.

NSIDE recommends the following measures:

  • Restrict physical access to these cameras as much as possible.
  • Only connect these cameras to an isolated Wi-Fi network.

Disclosure Timeline

22.03.2024: Contacted vendor to ask for an encrypted channel to report the vulnerabilities, with a deadline of two weeks.
03.04.2024: Shared report via unencrypted email, because the vendor did not meet the deadline. Start of 60-day deadline to respond.
04.06.2024: Reported vulnerabilities to CERT/CC.
04.06.2024: Asked vendor to acknowledge the finding.
06.06.2024: CERT/CC informed us that they won't take action.
11.06.2024: Reported vulnerabilities to the BSI (German Federal Office for Information Security).
24.06.2024: Received generic support ticket response by GNCC.
25.06.2024: GNCC closed the support ticket and asked for participation in customer satisfaction survey.
28.06.2024: Shared full report with the BSI.
26.07.2024: BSI acknowledged that they tried to contact GNCC multiple times, but did not get any response.
06.08.2024: Publication of the advisory.

Contact/Credits

The vulnerabilities were discovered during security research by Martin Steil and Paul Zenker of NSIDE ATTACK LOGIC GmbH.

Disclaimer

The information in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at NSIDE ATTACK LOGIC GmbH's website (https://www.nsideattacklogic.de/).