HiddenLayer, a Gartner recognized Cool Vendor for AI Security, is the leading provider of Security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprise’s AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft’s Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.
Jul 19, 2024
Crafted WiFI network name (SSID) leads to arbitrary command injection
CVE Number
CVE-2024-37066
Summary
The net_service_thread function in libwyzeUtilsPlatform.so spawns a shell command containing a user-specified WiFi network name (SSID) in an unsafe way, which can lead to arbitrary command injection as root during the camera setup process.
Products Impacted
This vulnerability is present in Wyze Cam V4 firmware versions up to and including 4.52.4.9887.
CVSS Score: 6.8
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE Categorization
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Details
This vulnerability is caused by the net_service_thread function in the /system/lib/libwyzeUtilsPlatform.so library.
00004604 snprintf(&str, 0x3fb, "iwlist wlan0 scan | grep \'ESSID:\"%s\"\'", 0x18054, var_938, var_934, var_930, err_21, var_928);
00004618 int32_t $v0_6 = exec_shell_sync(&str, &var_918);The net_service_thread function is used by the init_net_service function which is invoked by /system/bin/iCamera during the camera setup process. The purpose of this function is to initialize the camera’s wireless networking.
The user-specified WiFi network name (SSID) provided during the camera setup is passed to a shell command without sanitization. An attacker within Bluetooth range of the camera can exploit this by specifying a network name containing a command enclosed in single quotes followed by a semicolon.
To replicate this vulnerability, the Wyze app can send the camera a crafted WiFi network name containing the command to execute.
After hitting the Connect button, the command will be sent to the camera over Bluetooth and executed through the exec_shell_exec function. In the example pictured above, the command whoami is executed, and the output is piped to a file named pwned.txt on the root of the camera’s SD card.
The command injection is saved to the camera’s config and persists across reboots. During our testing, we found that it was possible to brick the camera by providing it with a WiFi network name containing the reboot command.
This resulted in the camera going into an endless reboot loop that we could not exit.
