Title: Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow
Advisory ID: ZSL-2020-5596
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 30.09.2020

Summary

IPELA is Sony's vision of the ultimate workplace, designed to revolutionize the way business communicates over global IP networks. IPELA products can improve the efficiency of your organization by connecting people and places with high-quality audio and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate.

Description

The vulnerability is caused due to a boundary error in the processing of received FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited to cause a stack-based buffer overflow when a user issues a POST request to connect to a malicious FTP server. Successful exploitation could allow execution of arbitrary code on the affected device or cause denial of service scenario.

Vendor

Sony Electronics Inc. - https://pro.sony

Affected Version

SNC-DH120T v1.82.01

Tested On

gen5th/1.x

Vendor Status

[17.09.2019] Vulnerability discovered.
[28.10.2019] Vendor contacted.
[08.05.2020] Working with the vendor.
[03.06.2020] Vendor already produced a patch for this issue long time ago.
[30.09.2020] Public security advisory released.

PoC

sony_ipela_bof.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/159444/
[2] https://www.exploit-db.com/exploits/48842
[3] https://cxsecurity.com/issue/WLB-2020100006
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/189208

Changelog

[30.09.2020] - Initial release
[06.10.2020] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk