Short description of CVE-2022-23382

Firmware developed by Shenzhen Hichip Vision Technology contains an intellectual property protection feature designed to deactivate cloned devices (IP cameras). Unfortunately, the same feature can be used to damage any device running this firmware. It is activated by a specially crafted multicast message; on receiving it, the firmware deletes three of its own files. After a successful attack the device loses features such as video streaming and the embedded configuration website, and there is no easy way to restore them. The vulnerability was tested on a device with firmware V11.4.8.1.1-20170926.

Statement of Shenzhen Hichip Vision Technology

A specially crafted multicast message can only deactivate a given copyrighted camera and its clones, but it can't deactivate other copyrighted cameras. We used this intellectual property protection feature only in some special kinds of cameras in 2017 for a very short time; it only affects several thousand 'clone' cameras. When we realized that it might hurt not only the illegal factory but also innocent end users, we removed it soon after.

Is my camera vulnerable?

Software created by Shenzhen Hichip Vision Technology is used in cameras rebranded by other companies. I have not found a straightforward, safe and reliable method of verifying a camera: if you trigger the vulnerability, you brick it. However, on the tested camera the vulnerable application also serves an additional service on UDP port 8002, which has another vulnerability, CVE-2020-9529. You can use the tool hisearcher.py to check whether your camera exposes this service. If you find a service on port 8002, you can assume that the hidden service on UDP port 12129 is present as well. As a workaround you can try to block traffic to UDP port 12129 in your network router; note that this only helps against senders on other network segments, since a host on the same LAN reaches the camera without passing through the router. If you are an advanced user you could try binary patching of ipc_server on your own.

Details

The vulnerability is in the application located at /mnt/mtd/ipc/ipc_server. This program serves two hidden services: the first on UDP port 8002 (affected by CVE-2020-9529), the second on UDP port 12129 (affected by CVE-2022-23382). The second service waits for multicast data sent to address 239.255.255.252. The full frame is constructed from 32 bytes of data:

If you send a frame with a modified first part of the Device-ID (remember to recalculate the checksum), ipc_server executes the following sequence:

unlink("/mnt/mtd/ipc/modules/hi3518ebase.ko");
unlink("/mnt/mtd/ipc/conf/configencode.ini");
unlink("/mnt/mtd/ipc/chksensor");

After a reboot the device is bricked. The only way to repair it is to restore these three files (if you have a copy of them), so take a backup of them from any camera you intend to test.
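As an added example (not part of the advisory, and not Hichip's or hisearcher.py's code), the following Python detector flags datagrams aimed at the hidden listener: anything sent to UDP port 12129, annotated with whether it went to the 239.255.255.252 group and whether its payload has the 32-byte size the frame is built from. The frame layout itself is not reproduced on this page, so the detector does not parse it; the sample packets are constructed with a dummy payload, and the 192.168.1.x addresses are assumed. It works on raw IPv4 packets, e.g. from a mirror port or a host that has joined the group.

```python
"""Detector for CVE-2022-23382 kill-switch trigger traffic (added example).

Keys on destination, port and payload length only; it does not decode the
Device-ID/checksum frame, whose layout is not reproduced here.
"""
import socket
import struct

# Facts from the advisory.
KILL_SWITCH_GROUP = "239.255.255.252"
KILL_SWITCH_PORT = 12129
KILL_SWITCH_FRAME_LEN = 32
IPPROTO_UDP = 17


def parse_ipv4_udp(packet):
    """Decode a raw IPv4 packet (no link-layer header) carrying UDP.

    Returns a dict with addressing and payload, or None for anything that is
    not a well-formed IPv4/UDP datagram. Checksums are not verified: a hostile
    sender controls them anyway.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != IPPROTO_UDP:
        return None
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if udp_len < 8 or len(packet) < ihl + udp_len:
        return None
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": packet[ihl + 8:ihl + udp_len],
    }


def inspect(packet):
    """Return an alert dict if the datagram targets the hidden port, else None.

    Every datagram to UDP/12129 is reported (the advisory recommends blocking
    the port); the flags say whether it also went to the multicast group and
    whether it has the 32-byte frame size.
    """
    pkt = parse_ipv4_udp(packet)
    if pkt is None or pkt["dport"] != KILL_SWITCH_PORT:
        return None
    return {
        "src": pkt["src"],
        "sport": pkt["sport"],
        "dst": pkt["dst"],
        "payload_len": len(pkt["payload"]),
        "multicast_group": pkt["dst"] == KILL_SWITCH_GROUP,
        "frame_len_match": len(pkt["payload"]) == KILL_SWITCH_FRAME_LEN,
        "payload_hex": pkt["payload"].hex(),
    }


def scan(packets):
    """Run inspect() over an iterable of raw IPv4 packets; return the alerts."""
    return [a for a in (inspect(p) for p in packets) if a is not None]


def build_ipv4_udp(src, dst, sport, dport, payload, proto=IPPROTO_UDP):
    """Construct a minimal IPv4 packet for testing (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def constructed_samples():
    """Constructed traffic (assumed addresses); the payload is a dummy, not a real frame."""
    dummy32 = bytes(range(32))
    return [
        build_ipv4_udp("192.168.1.50", KILL_SWITCH_GROUP, 40000, KILL_SWITCH_PORT, dummy32),
        build_ipv4_udp("192.168.1.50", KILL_SWITCH_GROUP, 40001, KILL_SWITCH_PORT, dummy32[:20]),
        build_ipv4_udp("192.168.1.50", KILL_SWITCH_GROUP, 40002, 8002, dummy32),
        build_ipv4_udp("192.168.1.50", "192.168.1.10", 40003, KILL_SWITCH_PORT, dummy32),
        build_ipv4_udp("192.168.1.50", "192.168.1.10", 40004, KILL_SWITCH_PORT, dummy32, proto=6),
    ]


def sniff_linux(handler=print):
    """Live variant (Linux, needs root): a cooked AF_PACKET socket delivers IPv4
    packets without the Ethernet header, so they feed straight into inspect()."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_DGRAM, socket.htons(0x0800))
    while True:
        alert = inspect(s.recv(65535))
        if alert:
            handler(alert)


if __name__ == "__main__":
    for alert in scan(constructed_samples()):
        print(alert)
```

Of the five constructed packets, three are reported: the 32-byte multicast frame, a 20-byte datagram to the group (reported, but with frame_len_match false), and a unicast datagram to port 12129 (reported, with multicast_group false). The datagram to port 8002 and the non-UDP packet are ignored.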

Proposed CVSS:

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H