Jooan A5 2.3.36 FTP vulnerability - Full Device Compromise
CERT Contact July 27, 2017
Vendor Contact(No response) July 31, 2017
CVE Requested November 3, 2017
Public Disclosure November 17, 2017
Jooan A5 IP Camera
Risk / Severity Rating
CVSS Vector String
Vulnerability Description and Impact
The Jooan IP Camera has port 21 open by default on which it exposes a FTP server. This server asks for credentials but is not configured to deny access if not supplied. The connected user is provided with root access. This level of privilege allows for exfiltration of the entire local file system including the /etc/passwd and /etc/shadow files as well as recorded video and audio files. Furthermore, an attacker is able to edit and push an altered version of the password file, which includes an injected user account, to the device allowing for root access via telnet. Successful exploitation will result in persistent root level remote access to the device.
Caveats / Prerequisites
This attack can be executed remotely and can be performed without any authentication.
Proof of Concept
We have demonstrated post-exploitation activities that consist of, but are not limited to:
- Unauthenticated access to the capabilities provided by Realtime streaming protocol (rstp)
- Recording/power status-lights can be easily toggled with custom scripts located on the device e.g.
- Modify system files to allow backdoors to persist through system-resets.
No response from the vendor at this time.
Rooting and disabling services to remove this vector may significantly affect the useablility of this product.
David Sigmundson & Nebojsa Bajagic are graduates of the Honours Bachelor of Applied Information Sciences (Information Systems Security) program at Sheridan College. This vulnerability was discovered as part of larger IoT Security Research activities undertaken for their Graduation Capstone Project.