Samsung SmartCam IP cameras are affected by a serious vulnerability that could be exploited by remote attackers to execute commands and hijack vulnerable devices.

Samsung Electronics sold the Samsung Techwin security division to the Hanwha Group in 2014, but Hanwha SmartCam products are still distributed as Samsung.

In 2014 at DEFCON 22, security experts at Exploitee.rs revealed a number of exploits that could have been used to execute arbitrary commands on Samsung SmartCam. An attacker could use the exploits to change device settings, including the administrator password.

A few months ago, the experts from Pen Test Partners also reported security issues in Samsung SmartCam products.

The researcher focused their analysis on the Samsung branded indoor IP camera SNH-6410BN, they noticed for example that the device still has SSH and a web server running on it, potentially open doors for hackers.

Samsung decided to solve the issue by disabling SSH and local access to the web interface. Actually, users can access the Samsung SmartCam via the SmartCloud online service.

Researchers Exploitee.rs conducted a new test session on the device and discovered a way to enable the Telnet service and the local web interface by exploiting a command injection flaw in a collection of scripts that were not removed by the vendor.

“Today we’re re-visiting a device that we’ve hacked in a previous session. At DEFCON 22, we released exploits for the Samsung Smartcam network camera in our “Hack All The things” presentation. These exploits allowed for remote command execution and the ability to arbitrarily change the camera’s administrator password.” states the analysis published Exploitee.rs.

These scripts exploited by the hackers are related to the iWatch webcam monitoring service and are used for firmware update functionality. The researchers discovered an iWatch Install.php root command execution issue.

“The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call,” researchers explained. “Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.”

Researchers at Exploitee.rs have also released a proof-of-concept (PoC) code for the vulnerability, and a fix. The exploit works with the SNH-1011 model, but researchers believe all Samsung SmartCam devices are affected.

“The vulnerability can be patched by first logging in to the server after spawning a shell with the POC curl command above, then running the following command.”

sed -i -e 's/" . $file . "/" . escapeshellarg($file) . "/' /mnt/custom/iwatch/web/install.php

Researchers have warned that enabling the web interface reintroduces some of the older vulnerabilities previously discovered.

Pierluigi Paganini

(Security Affairs – Samsung SmartCam, hacking)