Researchers Exploitee.rs discovered a flaw in Samsung SmartCam IP cameras that could be exploited to execute commands and hijack vulnerable devices.
Samsung SmartCam IP cameras are affected by a serious vulnerability that could be exploitedÂ by remote attackers to execute commands and hijack vulnerable devices.
Samsung Electronics sold the Samsung Techwin security division to the Hanwha Group in 2014, but Hanwha SmartCam products are still distributed as Samsung.
In 2014 at DEFCON 22, security experts at Exploitee.rs revealedÂ a number of exploits that could have been used to execute arbitrary commands onÂ Samsung SmartCam. An attacker could use the exploits to changeÂ device settings, including theÂ administrator password.
A few months ago, the experts from Pen Test Partners also reported security issues in Samsung SmartCam products.
The researcher focused their analysis on the Samsung branded indoor IP camera SNH-6410BN, they noticed for example that the device still has SSH and a web server running on it, potentially open doors for hackers.
Samsung decided to solve the issue by disabling SSH and local access to the web interface. Actually, users can access the Samsung SmartCam via the SmartCloud online service.
Researchers Exploitee.rs conducted a new test session on the device and discovered a way to enable the Telnet service and the local web interface by exploiting a command injection flaw in a collection of scripts that were not removed by the vendor.
â€śToday weâ€™re re-visiting a device that weâ€™ve hacked in a previous session. At DEFCON 22, we released exploits for the Samsung Smartcam network camera in our â€śHack All The thingsâ€ť presentation. These exploits allowed for remote command execution and the ability to arbitrarily change the cameraâ€™s administrator password.â€ť states the analysis published Exploitee.rs.
These scripts exploited by the hackers are related to the iWatch webcam monitoring service and are used for firmware update functionality. The researchers discovered an iWatch Install.php root command execution issue.
â€śThe iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call,â€ť researchers explained. â€śBecause the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.â€ť
Researchers at Exploitee.rs have also released aÂ proof-of-concept (PoC) code for the vulnerability, and a fix.Â The exploit works with the SNH-1011 model, but researchers believe all Samsung SmartCam devices are affected.
â€śThe vulnerability can be patched by first logging in to the server after spawning a shell with the POC curl command above, then running the following command.â€ť