CVE-2017-8229 in IPM-721S
Summary
by MITRE
Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenticated attacker to download the administrative credentials. If the firmware version V2.420.AC00.16.R 9/9/2016 is dissected using the binwalk tool, one obtains a _user-x.squashfs.img.extracted archive which contains the filesystem set up on the device, with many of the binaries in the /usr folder. The binary "sonia" is the one that has the vulnerable function that sets up the default credentials on the device. If one opens this binary in IDA Pro, one will notice that this follows an ARM little-endian format. The function sub_436D6 in IDA Pro is identified to be setting up the configuration for the device. If one scrolls to the address 0x000437C2, then one can see that /current_config is being set as an ALIAS for the /mnt/mtd/Config folder on the device. If one telnets into the device and navigates to the /mnt/mtd/Config folder, one can observe that it contains various files such as Account1, Account2, SHAACcount1, etc. This means that if one navigates to http://[IPofcamera]/current_config/Sha1Account1 then one should be able to view the content of the files. The security researchers assumed that this was only possible after authentication to the device. However, when unauthenticated access tests were performed for the same URL as provided above, it was observed that the device file could be downloaded without any authentication.
Analysis
by VulDB Data Team • 10/17/2023
CVE-2017-8229 is an authentication bypass in Amcrest IPM-721S cameras running firmware version V2.420.AC00.16.R.20160909. The root cause is an access-control defect in the device's web interface: the files that hold the administrative credentials sit under a web path that the server delivers without checking whether the client is authenticated. The researchers reached this conclusion by extracting the firmware's squashfs filesystem, which exposes the device's internal layout including the binaries under /usr. The relevant binary is "sonia"; its configuration-setup routine (sub_436D6 in IDA Pro) maps the web path /current_config onto the /mnt/mtd/Config directory, where the account files are stored. That mapping, whether realised as a filesystem symbolic link or a web-server alias, is what exposes the credential store to HTTP clients.
Exploitation is a single unauthenticated HTTP request: a GET for http://[IPofcamera]/current_config/Sha1Account1, sent without any credentials, returns the contents of the credential file, including hashed passwords and account information. The web server performs no authentication check before serving files under this path, so the flaw is an information disclosure that falls under CWE-284 Access Control Issues, and it plainly violates the principle of least privilege. Because the exposure is part of the device's default configuration, every installation of this firmware version is affected wherever the web interface is reachable, regardless of local network configuration or physical security measures.
The impact goes well beyond credential theft, since the recovered credentials are the administrative account for the camera. With them an attacker can modify device settings, disable security features, view live video feeds, and use the device as a pivot point for further attacks on the surrounding network. For physical-security deployments this undermines the very system meant to provide monitoring. Because the credential files can be pulled with no authentication, any reachable device on this firmware version is effectively compromised as soon as it is discovered. In ATT&CK terms the vulnerability maps to T1046 Network Service Scanning, because the exposed path can be found with automated scanning tools, and to T1078 Valid Accounts, because the recovered credentials give the attacker legitimate-looking, persistent access.
The primary mitigation is to apply the firmware update from Amcrest that removes the authentication bypass. Until that is done, and as defence in depth afterwards, organisations should segment camera networks away from critical systems, restrict reachability of the devices with network access control lists, disable network services the deployment does not need, and monitor for unauthorised requests to the configuration interface, in particular for unusual access patterns against the /current_config path. The case illustrates why embedded security devices need the same access-control discipline as any other web application: a single unchecked path mapping turned a configuration convenience into a complete compromise. Regular firmware updates and periodic security assessments remain necessary to catch similar weaknesses in IoT and security infrastructure devices, which frequently ship without adequate hardening and need attention to access control throughout their design and deployment lifecycle.
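Detection logic for the monitoring advice above, added here as an example and not code from VulDB, Amcrest or the original researchers: it scans web-access log lines recorded in front of the camera (a reverse proxy or IDS export in combined log format, which is an assumption since the page does not document the device's own logging) for requests against the /current_config alias named in the summary, and separates requests that were actually served, meaning a credential file left the device, from refused probes. The sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Combined-log-format style access line (client, request line, status, bytes). The
# camera's own log format is not on the page; this layout is an assumption, chosen
# because a reverse proxy or web server placed in front of such devices uses it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Web path the advisory identifies as aliased to /mnt/mtd/Config on the device.
SENSITIVE_PREFIX = "/current_config/"

def parse_line(line):
    """Return (client, raw_path, status, size), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["client"], m["path"], int(m["status"]), 0 if m["size"] == "-" else int(m["size"])

def scan_log(lines):
    """One (client, path, status, disclosed) tuple per request touching the config
    alias. disclosed=True means a 2xx with a body, i.e. the credential file was
    served; a 401/403 was refused but still shows someone probing for this weakness."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, raw_path, status, size = parsed
        # Strip the query string and decode %-escapes so encoded variants still match.
        path = unquote(raw_path.split("?", 1)[0])
        if path.lower().startswith(SENSITIVE_PREFIX):
            findings.append((client, path, status, 200 <= status < 300 and size > 0))
    return findings

def disclosing_clients(findings):
    """Clients that successfully pulled a file out of the config alias."""
    return {client for client, _path, _status, disclosed in findings if disclosed}

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Oct/2023:10:00:01 +0000] "GET /current_config/Sha1Account1 HTTP/1.1" 200 312',
    '192.0.2.10 - - [17/Oct/2023:10:00:02 +0000] "GET /current_config/Account1 HTTP/1.1" 200 128',
    '192.0.2.11 - - [17/Oct/2023:10:00:03 +0000] "GET /cgi-bin/snapshot.cgi HTTP/1.1" 401 0',
    '192.0.2.12 - - [17/Oct/2023:10:00:04 +0000] "GET /%43urrent_Config/Sha1Account1 HTTP/1.1" 401 0',
    'not a log line',
]
```

Any client in `disclosing_clients(scan_log(lines))` should be treated as holding the camera's administrative credentials, which means rotating them after the firmware update rather than just blocking the source.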