U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Dozens of Sony cameras affected by a secret backdoor

Many Sony cameras could be hijacked by hackers and infected with Mirai-like malware due to the presence of a sort of secret backdoor. Sony has closed a sort of debug backdoor that was spotted in 80 web-connected surveillance cameras. The hardcoded logins in the firmware of the Sony cameras can be exploited to hijack the […]

Dozens of Sony cameras affected by a secret backdoor

Many Sony cameras could be hijacked by hackers and infected with Mirai-like malware due to the presence of a sort of secret backdoor.

Sony has closed a sort of debug backdoor that was spotted in 80 web-connected surveillance cameras. The hardcoded logins in the firmware of the Sony cameras can be exploited to hijack the devices and open the doors to Mirai like malware.

The flawed devices are branded Sony Professional Ipela Engine IP surveillance cameras.

The backdoor was discovered by Stefan Viehböck from SEC Consult in October, the expert reported the issue to Sony and the company fixed it with firmware updates.

“SEC Consult has found a backdoor in Sony IPELA Engine IP Cameras, mainly used professionally by enterprises and authorities. This backdoor allows an attacker to run arbitrary code on the affected IP cameras.” reads a blog post published by SEC Consult.”An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you. This vulnerability affects 80 different Sony camera models. Sony was informed by SEC Consult about the vulnerability and has since released updated firmware for the affected models.”

sony-cameras-backdoor

Sony thanked the experts for the support they provided.

“We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras,” Sony said.

The expert spotted two hardcoded  permanently enabled application-level backdoor accounts in the web-based admin console:

  • User debug, Password: popeyeConnection
  • User primana, Password: primana

Both accounts are allowed to access specific, undocumented CGI functionality.

The expert explained that it is possible to remotely enable Telnet/SSH services and a backdoor allows an attacker to gain access to a Linux shell with root privileges.

“The vulnerabilities are exploitable in the default configuration over the network. Exploitation over the Internet is possible, if the web interface of the device is exposed.” continues the analysis.

The following URLs, once sent to a vulnerable web-facing device, will enable telnet access:

http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9
http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk

The requests trigger the prima-factory.cgi in Sony’s fifth-generation Ipela Engine cameras to open the backdoor by starting the inetd, which runs a telnet daemon on port 23. Devices belonging to Gen6 generation use the magic string “himitunokagi” (Japanese for “secret key”).

Once the telnet or SSH service is enabled, attacker can login as root and get command-line-level access to the OS. Below are the password hashes for the OS-level backdoor user:

$1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models)
iMaxAEXStYyd6 (gen-6 models)

Ill-intentioned could easily crack the above root passwords, the researchers avoided to do it in order to prevent their exploitation in the wild.

Experts suggest the application of the security updates for the following Sony cameras:

SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL, SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, and SNC-ER521C.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Sony Cameras, backdoors)