Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow

Title: Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow
Advisory ID: ZSL-2020-5596
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 30.09.2020
Summary
IPELA is Sony's vision of the ultimate workplace, designed to revolutionize the way business communicates over global IP networks. IPELA products can improve the efficiency of your organization by connecting people and places with high-quality audio and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate.
Description
The vulnerability is caused due to a boundary error in the processing of received FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited to cause a stack-based buffer overflow when a user issues a POST request to connect to a malicious FTP server. Successful exploitation could allow execution of arbitrary code on the affected device or cause denial of service scenario.
Vendor
Sony Electronics Inc. - https://pro.sony
Affected Version
SNC-DH120T v1.82.01
Tested On
gen5th/1.x
Vendor Status
[17.09.2019] Vulnerability discovered.
[28.10.2019] Vendor contacted.
[08.05.2020] Working with the vendor.
[03.06.2020] Vendor already produced a patch for this issue long time ago.
[30.09.2020] Public security advisory released.
PoC
sony_ipela_bof.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/159444/
[2] https://www.exploit-db.com/exploits/48842
[3] https://cxsecurity.com/issue/WLB-2020100006
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/189208
Changelog
[30.09.2020] - Initial release
[06.10.2020] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk