
iWatch Install.php Flaw in Samsung Smartcam Allows Root Access

Another day, another vulnerability! This time the culprit is the Samsung Smartcam. The flaw, dubbed the iWatch Install.php vulnerability, could allow attackers to gain root access to the device and control it remotely.

The iWatch Install.php Samsung Smartcam Vulnerability Explained

What is Samsung Smartcam? It’s an IP camera that lets the user connect to Samsung’s services and view live or recorded video from various locations. The cam also offers baby or pet monitoring, business and home security, and real-time notifications, and it is easy to configure and use.

However, a security problem has been discovered in the device. Vulnerabilities have been found in it several times in the past, and it appears that a new one should be added to the list.

According to exploitee.rs, the vulnerability allows attackers to gain root access through a web server that had previously been reported as vulnerable. Samsung attempted to fix the earlier flaws by removing the local web interface and making users go through the SmartCloud website, but the local server was left running. The researchers found that the flaw lets attackers reach the web interface as follows:

The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call. Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution.

Unfortunately, the vulnerability hasn’t been fixed yet.
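The pattern the researchers describe, a client-supplied filename concatenated into a `tar` command and handed to PHP's `system()` by a server running as root, is a textbook OS command injection. The following is an added illustration written for this article; it is not the SmartCam firmware's actual code, and the upload field name and the `/tmp/fwstage` path are made-up placeholders. It shows the vulnerable shape beside a hardened handler that never lets the client's filename reach a shell.

```php
<?php
// Added example (not the SmartCam's code): a firmware-upload handler in the
// vulnerable shape the article describes, and a hardened rewrite.
// All paths and field names are hypothetical placeholders.

declare(strict_types=1);

// --- Vulnerable pattern -----------------------------------------------------
// The client controls $_FILES['firmware']['name']. Splicing it into a shell
// string means any shell metacharacters in the name are interpreted by the
// shell, and because the web server runs as root, so do the resulting commands.
function extract_vulnerable(string $uploadedTmpPath, string $clientFilename): void
{
    $staging = '/tmp/fwstage';                                 // hypothetical
    copy($uploadedTmpPath, "$staging/$clientFilename");
    system("tar -xf $staging/$clientFilename -C $staging");    // unsanitized
}

// --- Hardened version -------------------------------------------------------
// 1. Do not trust the client's filename: validate it against an allow-list.
// 2. Choose the on-disk name on the server side anyway.
// 3. Extract with a library call (PharData) so no shell is involved.
// 4. If a shell call is truly unavoidable, escape every argument.
function safe_name(string $clientFilename): string
{
    $base = basename($clientFilename);                          // drop any path
    // Allow-list: short, plain characters only, must end in .tar
    if (!preg_match('/^[A-Za-z0-9._-]{1,60}\.tar$/', $base)) {
        throw new InvalidArgumentException('filename rejected: ' . $base);
    }
    return $base;
}

function extract_hardened(string $uploadedTmpPath, string $clientFilename): string
{
    $staging = '/tmp/fwstage';                                 // hypothetical
    safe_name($clientFilename);                                 // reject bad names early
    // Server-chosen name: the client's string is never used on disk.
    $dest = $staging . '/' . bin2hex(random_bytes(8)) . '.tar';
    if (!move_uploaded_file($uploadedTmpPath, $dest)) {
        throw new RuntimeException('upload rejected');
    }
    // No shell: PharData parses the tar archive directly.
    $archive = new PharData($dest);
    $archive->extractTo($staging, null, false);
    // If a shell were unavoidable, each argument would be quoted like this:
    // system('tar -xf ' . escapeshellarg($dest) . ' -C ' . escapeshellarg($staging));
    return $dest;
}

// Usage sketch inside the upload endpoint (hypothetical field name):
// extract_hardened($_FILES['firmware']['tmp_name'], $_FILES['firmware']['name']);
```

The allow-list in `safe_name()` is deliberately narrow: a deny-list of known metacharacters is the approach that tends to miss cases, whereas rejecting anything outside a small character set is easy to reason about. Logging the rejections also gives a cheap detection signal, since legitimate firmware uploads should never contain shell syntax in their names.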

Milena Dimitrova


An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
