SADProtocol goes to Hollywood

Faraday’s researchers Javier Aguinaga and Octavio Gianatiempo have investigated IP cameras and found two high-severity vulnerabilities.

This research project began when Aguinaga’s wife, a former Research leader at Faraday Security, informed him that their IP camera had stopped working. Although Javier was initially asked to fix it, being a security researcher, he opted for a more unconventional approach to tackle the problem. He brought the camera to their office and discussed the issue with Gianatiempo, another security researcher at Faraday. The situation quickly escalated from some light reverse engineering to a full-fledged vulnerability research project, which ended with two high-severity bugs and an exploitation strategy worthy of the big screen.

They uncovered two LAN remote code execution vulnerabilities in EZVIZ’s implementation of Hikvision’s Search Active Devices Protocol (SADP) and SDK server:

CVE-2023-34551: EZVIZ’s implementation of Hikvision’s SDK server post-auth stack buffer overflows (CVSS3 8.0 – HIGH)

CVE-2023-34552: EZVIZ’s implementation of Hikvision’s SADP packet parser pre-auth stack buffer overflows (CVSS3 8.8 – HIGH)

The affected code is present in several EZVIZ products, which include but are not limited to:

| Product Model | Affected Versions |
|---|---|
| CS-C6N-B0-1G2WF | Versions below V5.3.0 build 230215 |
| CS-C6N-R101-1G2WF | Versions below V5.3.0 build 230215 |
| CS-CV310-A0-1B2WFR | Versions below V5.3.0 build 230221 |
| CS-CV310-A0-1C2WFR-C | Versions below V5.3.2 build 230221 |
| CS-C6N-A0-1C2WFR-MUL | Versions below V5.3.2 build 230218 |
| CS-CV310-A0-3C2WFRL-1080p | Versions below V5.2.7 build 230302 |
| CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p | Versions below V5.3.2 build 230214 |
| CS-CV248-A0-32WMFR | Versions below V5.2.3 build 230217 |
| EZVIZ LC1C | Versions below V5.3.4 build 230214 |

Because these vulnerabilities affect IP cameras and allow remote code execution, the researchers drew inspiration from the movies and decided to recreate an attack often seen in heist films, where the hacker in the group is responsible for hijacking the cameras and modifying the feed to avoid detection. Take, for example, the famous scene from Ocean’s Eleven.

By exploiting either of these vulnerabilities, Javier and Octavio served the victim an arbitrary video stream, tunneling the victim’s connection with the camera through an attacker-controlled server while leaving all other camera features operational.

A detailed dive into the whole research process can be found in the accompanying slides and code. It covers firmware analysis, vulnerability discovery, building a toolchain to compile a debugger for the target, and developing an exploit capable of bypassing ASLR, plus all the details of the Hollywood-style post-exploitation, including tracing, in-memory code patching, and manipulating the execution of the binary that implements most of the camera’s features.

This research shows that memory corruption vulnerabilities still abound in embedded and IoT devices, even in products marketed for security applications like IP cameras. Memory corruption vulnerabilities can be detected by static analysis, and implementing secure development practices can reduce their occurrence. These approaches are standard in other industries, which indicates that security is not a priority for embedded and IoT device manufacturers, even when they develop security-related products. By filling the gap between IoT hacking and the big screen, this research questions the integrity of video surveillance systems and hopes to raise awareness about the security risks posed by these kinds of devices.
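To make the bug class and the secure-development point concrete, here is an added illustration in C that is not code from Faraday, EZVIZ or Hikvision and does not reflect the real SADP packet format. It assumes a hypothetical discovery packet made of a one-byte length followed by a device name, and shows the parser pattern that produces a stack buffer overflow (a packet-supplied length copied into a fixed stack buffer with no check) beside the hardened form that validates the length against both the bytes received and the destination capacity. The unsafe function is the kind of code static analyzers flag; the safe one returns an error instead of overflowing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet layout (constructed for this example, not SADP):
 *   byte 0      : name length n
 *   bytes 1..n  : device name (no terminator on the wire)            */
#define NAME_BUF 32

/* Vulnerable pattern: the copy length comes straight from the packet
 * and the destination is a fixed-size stack buffer. A length byte larger
 * than NAME_BUF - 1 writes past the buffer into the saved frame, which is
 * the shape of bug behind a "stack buffer overflow in a packet parser". */
int parse_name_unsafe(const uint8_t *pkt, size_t pkt_len, char *out)
{
    char name[NAME_BUF];
    if (pkt_len < 1)
        return -1;
    size_t n = pkt[0];
    memcpy(name, pkt + 1, n);     /* no check of n against NAME_BUF or pkt_len */
    name[n] = '\0';
    strcpy(out, name);
    return (int)n;
}

/* Hardened pattern: every length taken from untrusted input is checked
 * against what was actually received and against the destination size
 * before a single byte is copied. Returns the name length, or -1 on a
 * malformed packet. */
int parse_name_safe(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || out_cap == 0 || pkt_len < 1)
        return -1;
    size_t n = pkt[0];
    if (n + 1 > pkt_len)          /* claimed length exceeds the packet */
        return -1;
    if (n >= out_cap)             /* name plus terminator would not fit */
        return -1;
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample packets: one well-formed, one with an
     * oversized length byte that a naive parser would trust. */
    const uint8_t good[] = { 5, 'c', 'a', 'm', '0', '1' };
    const uint8_t bad[]  = { 200, 'x' };
    char out[NAME_BUF];

    int r = parse_name_safe(good, sizeof good, out, sizeof out);
    printf("good packet -> %d (%s)\n", r, r >= 0 ? out : "rejected");

    r = parse_name_safe(bad, sizeof bad, out, sizeof out);
    printf("bad packet  -> %d (%s)\n", r, r >= 0 ? out : "rejected");
    return 0;
}
```

The safe variant is only half of the picture the page argues for: the same code should also be built with the compiler's stack protector (`-fstack-protector-strong`) and fortified libc calls (`-D_FORTIFY_SOURCE=2`), so that a check a developer forgets still turns a silent overflow into a crash rather than code execution.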