Author: Knownsec 404 ZoomEye Team
Time: 2018/07/24
Chinese version: https://paper.seebug.org/655/
Background
Sony is a global leader in audiovisual, video games, communications products and information technology. It is the first pioneer in portable digital products and one of the largest electronics manufacturers in the world.
On July 20, 2018, the Sony IPELA E-series webcam was exposed to remote command execution vulnerabilities, and the details of the vulnerability were disclosed online. Because the series of cameras didn’t filter the user’s input and directly spliced into a command string and executes, the attacker could execute any command based on this and further completely take over the camera. The vulnerability is assigned the number CVE-2018-3937. The vulnerability is not difficult to exploit. According to the description in the original vulnerability details, Sony officially has released the patch for the vulnerability on September 19, 2018.
On September 24, 2018, the vulnerability was included in the Seebug vulnerability platform. The 404 Team followed up quickly and Vulnerability recurrened the vulnerability.
Vulnerability impact
We use the keyword, “app: SonyNetworkCamerahttpd”, to search on the ZoomEye’s Cyberspace Search Engine, and get 6468 IP history record. This vulnerability is not difficult to exploit.
转载请注明:IAMCOOL » ZoomEye Data Analysis Report – Sony IPELA E-Series Webcam RCE Vulnerability