Finding Credentials – CVE-2018-5560

Vulnerability

On 09/29/2018, during the 0DAYALLDAY Research Event, a vulnerability (CVE-2018-5560) was discovered in the Guardzilla Security Video System, Model #: GZ521W. The vulnerability lies in the design and implementation of the Amazon Simple Storage Service (S3) credentials embedded in the Guardzilla Security Camera firmware: the camera ships with an S3 access key and secret baked into its binaries.

In this post, I plan to quickly go over the part of the finding that I worked on, to show just how easy these vulnerabilities are to find with a little knowledge and the right tools. If you’d like to read more, you can find the full report here.

After working with Nick McClendon and Andrew Mirghassemi, who provided me with the firmware dump for the Guardzilla as well as the binaries running on it, I opened the binaries in IDA Pro to see what they were doing and started looking for vulnerabilities. While looking through the strings of the main.exe binary, I noticed some curious strings located near an s3.amazonaws.com string.

Thinking this might be important, I looked at the references to the string within the main.exe binary and saw that they are exports labeled accessKey, secretAccessKey, hostname, and bucket, which lines up exactly with the set of values a client needs to authenticate to AWS and talk to an S3 bucket.

Chris then verified that these keys had unlimited access to all S3 buckets provisioned for that account.
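The string hunt above was done by hand in IDA Pro. The script below is an added example (not Guardzilla's code and not the original post's) that automates the same two steps over a raw firmware dump: walk the printable strings for anything shaped like an AWS access key ID or secret access key sitting near an s3.amazonaws.com endpoint, pair each key ID with the closest secret, and then, optionally, confirm what the pair can actually do. The SAMPLE_FIRMWARE blob, the bucket name in it and the label strings are constructed for this example; the key pair is the placeholder pair from AWS's own documentation, not a real credential. The verification step assumes boto3 is installed and should only be run against an account you are authorised to test.

```python
"""Scan a firmware image / binary for embedded AWS credentials and S3 endpoints.

Added example, not the original post's or Guardzilla's code. SAMPLE_FIRMWARE is a
constructed blob; the key pair inside it is AWS's documented placeholder pair.
"""
import re
import sys
from dataclasses import dataclass, field

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA long-term, ASIA temporary)
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
HEX40_RE = re.compile(rb"[0-9a-fA-F]{40}")     # SHA-1 hex digests also match; drop them
S3_HOST_RE = re.compile(rb"[a-z0-9.-]*s3[a-z0-9.-]*\.amazonaws\.com")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")  # roughly what `strings` prints

# Constructed firmware fragment laid out like the labels seen in the post:
# a null-terminated label followed by its value.
SAMPLE_FIRMWARE = (
    b"\x7fELF" + b"\x00" * 60
    + b"hostname\x00s3.amazonaws.com\x00"
    + b"bucket\x00example-camera-uploads\x00"          # constructed bucket name
    + b"accessKey\x00AKIAIOSFODNN7EXAMPLE\x00"           # AWS docs placeholder key ID
    + b"secretAccessKey\x00wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"  # docs placeholder
    + b"\x00" * 32 + b"unrelated string that is long enough to be printed\x00"
)


@dataclass
class Finding:
    kind: str            # "access_key_id" | "secret_access_key" | "s3_host"
    offset: int          # byte offset of the token in the blob
    value: str
    context: list[str] = field(default_factory=list)  # other printable strings nearby


def printable_strings(blob: bytes):
    """Yield (offset, text) for every run of 4+ printable ASCII bytes."""
    for m in PRINTABLE_RE.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def find_aws_credentials(blob: bytes, window: int = 1024) -> list[Finding]:
    """Return every credential-looking token plus the printable strings around it.

    The context list is what lets an analyst see labels such as accessKey or
    bucket next to a match without opening the binary in a disassembler."""
    findings = []
    patterns = (("access_key_id", ACCESS_KEY_ID_RE),
                ("secret_access_key", SECRET_KEY_RE),
                ("s3_host", S3_HOST_RE))
    for kind, pat in patterns:
        for m in pat.finditer(blob):
            if kind == "secret_access_key" and HEX40_RE.fullmatch(m.group()):
                continue  # 40 hex chars is far more likely a hash than a secret
            lo, hi = max(0, m.start() - window), m.end() + window
            ctx = [s for off, s in printable_strings(blob[lo:hi]) if lo + off != m.start()]
            findings.append(Finding(kind, m.start(), m.group().decode("ascii"), ctx))
    return sorted(findings, key=lambda f: f.offset)


def credential_pairs(findings: list[Finding], window: int = 1024) -> list[tuple[str, str]]:
    """Pair each access key ID with the closest secret key within `window` bytes."""
    secrets = [f for f in findings if f.kind == "secret_access_key"]
    pairs = []
    for ak in (f for f in findings if f.kind == "access_key_id"):
        near = [s for s in secrets if abs(s.offset - ak.offset) <= window]
        if near:
            best = min(near, key=lambda s: abs(s.offset - ak.offset))
            pairs.append((ak.value, best.value))
    return pairs


def verify_with_aws(access_key_id: str, secret_access_key: str) -> dict:
    """Confirm what a recovered pair can do: who it is and which buckets it can list.

    Needs network access, boto3, and permission to test the account. boto3 is
    imported lazily so the offline scan above runs without it installed."""
    import boto3
    creds = dict(aws_access_key_id=access_key_id, aws_secret_access_key=secret_access_key,
                 region_name="us-east-1")
    identity = boto3.client("sts", **creds).get_caller_identity()["Arn"]
    buckets = [b["Name"] for b in boto3.client("s3", **creds).list_buckets()["Buckets"]]
    return {"identity": identity, "buckets": buckets}


if __name__ == "__main__":
    # Usage: python scan.py [firmware.bin]; with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIRMWARE
    found = find_aws_credentials(data)
    for f in found:
        print(f"{f.offset:#010x} {f.kind:18} {f.value}  near: {f.context[:4]}")
    print("candidate key pairs:", credential_pairs(found))
```

Run against a real dump, the context column is the giveaway: a 20-character AKIA token is interesting on its own, but one sitting between a string called accessKey and one called secretAccessKey, a few bytes from s3.amazonaws.com, is the finding described above. The final check, whether the pair is scoped to a single bucket or has run of the whole account, is what verify_with_aws answers, and it is the step that turns a suspicious string into a reportable vulnerability.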

Recommendations

  • Stop using this Guardzilla Camera until a patch has been released

Disclosure Timeline 

  • Sat, Sep 29, 2018: Issue discovered at 0DayAllDay Research Event
  • Wed, Oct 3, 2018: Issue disclosed to Rapid7 for coordinated disclosure
  • Wed, Oct 24, 2018: Issue disclosed to vendor
  • Thu, Nov 8, 2018: Issue disclosed to CERT/CC as VRF#18-11-NPPXC
  • Fri, Dec 14, 2018: CVE-2018-5560 reserved
  • Thu, Dec 27, 2018: Public disclosure

Researchers

  • Nick McClendon
  • Andrew Mirghassemi
  • INIT_6
  • Chris