Executive Summary

This vulnerability exists in the firmware update mechanism of the Qianniao QN-L23PA0904 IP Security Camera, firmware version 20250721.1640. During the device's boot process, it automatically executes a shell script named iu.sh from an inserted SD card without verifying the script's integrity or authenticity.

An attacker with physical access to the SD card slot can place a malicious iu.sh script on the SD card. When the device boots, it copies this attacker-controlled script to the device and executes it with root privileges, allowing the attacker to run arbitrary commands as root.

This leads to a complete compromise of the device, enabling actions such as installing backdoors and exfiltrating data.

Useful 0 Not Useful 0

Impact Analysis

If you use the affected Qianniao QN-L23PA0904 IP Security Camera, this vulnerability allows an attacker with physical access to the device's SD card slot to gain full root access.

The attacker can install persistent backdoors, execute arbitrary commands, and exfiltrate sensitive data stored on the device.

This compromises the confidentiality, integrity, and availability of the device and any data it handles, potentially leading to unauthorized surveillance, data theft, or further network compromise.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the device's boot-time initialization script `/etc/init.d/S04app` is copying and executing an unverified `iu.sh` script from an SD card mounted at `/mnt/sd`.

Suggested commands to detect signs of exploitation or presence of the vulnerability include:

• Check if the SD card is mounted: `mount | grep /mnt/sd`
• Verify if the `/mnt/sd/upgrade` directory exists: `ls /mnt/sd/upgrade`
• Check if the malicious script `iu.sh` exists on the SD card: `ls -l /mnt/sd/iu.sh`
• Inspect the contents of the executed script copied to `/home/iu.sh`: `cat /home/iu.sh`
• Review the boot initialization script for the copy and execution commands: `cat /etc/init.d/S04app`

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include preventing unauthorized physical access to the SD card slot to stop attackers from inserting a malicious SD card.

Additional steps to reduce risk:

• Disable or restrict the automatic execution of scripts from the SD card during boot if possible.
• Remove or restrict write permissions to the `/usr/bin/iu.sh` and `/home/iu.sh` scripts to prevent overwriting.
• Monitor the device for unexpected files or scripts on the SD card mount point.
• Apply firmware updates or patches from the vendor once available that address this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with physical access to the device to gain root access, install backdoors, and exfiltrate data from the device. Such unauthorized access and data exfiltration can lead to breaches of sensitive personal or protected health information.

As a result, organizations using the affected Qianniao QN-L23PA0904 IP Security Camera may face challenges in maintaining compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and health data against unauthorized access and ensuring data integrity and confidentiality.

Failure to address this vulnerability could lead to violations of these standards due to potential data breaches and insufficient protection mechanisms.

Useful 0 Not Useful 0