Vulnerability Spotlight: Multiple vulnerabilities in the Roav A1 Dashcam

Lilith Wyatt of Cisco Talos discovered these vulnerabilities.

Executive Summary 

Cisco Talos is disclosing multiple vulnerabilities in the Anker Roav A1 Dashcam and the Novatek NT9665X chipset. The Roav A1 Dashcam by Anker is a dashboard camera that allows users to connect using the Roav app for Android and iOS so that the users can toggle settings and download videos from the dashcam, along with a host of other features. These vulnerabilities could be leveraged by an attacker to gain arbitrary code execution on affected devices.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Novatek to ensure that some of these issues are resolved and that an update is available for affected customers. However, we were unable to contact Anker, therefore, TALOS-2018-0685, TALOS-2018-0687 and TALOS-2018-0688 remain unpatched.

Vulnerability Details

Anker Roav A1 Dashcam WifiCmd Code 9999 execution vulnerability (TALOS-2018-0685/CVE-2018-4014)

An exploitable code execution vulnerability exists in a Wifi Command of the Roav A1 Dashcam. A specially crafted packet can cause a stack-based buffer overflow. An attacker can send a packet to trigger this vulnerability, resulting in code execution on an affected device. For additional information, please see the advisory here.

Anker Roav A1 Dashcam stack overflow code execution vulnerability (TALOS-2018-0687/CVE-2018-4016)

The URL-parsing functionality of the Roav A1 Dashcam is vulnerable to code execution. A specially crafted packet can cause a stack-based buffer overflow. An attacker can send a packet to trigger this vulnerability, resulting in code execution on an affected device. For additional information, please see the advisory here.

Anker Roav A1 Dashcam Wifi AP default credential vulnerability (TALOS-2018-0688/CVE-2018-4017)

The Roav A1 Dashcam contains a default credential that can be exploited. The device uses a default password and does not require the user to change it. For additional information, please see the advisory here.

Novatek NT9665X HTTP upload firmware update vulnerability (TALOS-2018-0689/CVE-2018-4018)

An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version "RoavA1_SW_V1.9". The HTTP server allows for arbitrary firmware binaries to be uploaded which will be flashed upon next reboot. An attacker can send an HTTP PUT request or upgrade firmware request to trigger this vulnerability. For additional information, please see the advisory here.

Novatek NT9665X XML_UploadFile path overflow code execution vulnerability
(TALOS-2018-0695/CVE-2018-4023)

An exploitable code execution vulnerability exists in the `XML_UploadFile` WiFi command of the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version "RoavA1_SW_V1.9". A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. For additional information, please see the advisory here.

Novatek NT9665X XML_GetThumbNail denial-of-service vulnerability (TALOS-2018-0696/CVE-2018-4024)

An exploitable denial-of-service vulnerability exists in the thumbnail display functionality of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version "RoavA1_SW_V1.9". A specially crafted packet can cause a null pointer to dereference, resulting in a device reboot. For additional information, please see the advisory here.

Novatek NT9665X XML_GetRawEncJpg denial-of-service vulnerability (TALOS-2018-0697/CVE-2018-4025)

An exploitable denial of service vulnerability exists in the `XML_GetRawEncJpg` WiFi command of the NT9665X Chipset firmware, running on Anker Roav A1 Dashcam version "RoavA1_SW_V1.9". A specially crafted packet can cause an invalid memory to dereference, resulting in a device reboot. An attacker can send a packet to trigger this vulnerability. For additional information, please see the advisory here.

Novatek NT9665X XML_GetScreen Strncmp denial-of-service vulnerability (TALOS-2018-0698/CVE-2018-4026)

An exploitable denial-of-service vulnerability exists in the `XML_GetScreen` Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version "RoavA1_SW_V1.9.” A specially crafted set of packets can cause an invalid memory to dereference, resulting in a device reboot. For additional information, please see the advisory here.

Novatek NT9665X XML_UploadFile WifiCmd denial-of-service vulnerability (TALOS-2018-0699/CVE-2018-4027)  

An exploitable denial-of-service vulnerability exists in the `XML_UploadFile` Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version "RoavA1_SW_V1.9.” A specially crafted packet can cause a semaphore deadlock, which prevents the device from receiving any physical or network inputs. An attacker can send a specially crafted packet to trigger this vulnerability. For additional information, please see the advisory here.

Novatek NT9665X HFS overwrite denial-of-service vulnerability (TALOS-2018-0700/CVE-2018-4028)
     
An exploitable firmware update vulnerability exists in the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version "RoavA1_SW_V1.9.” The HTTP server could allow an attacker to overwrite the root directory of the server, resulting in a denial of service. An attacker can send an HTTP POST request to trigger this vulnerability. When this denial-of-service vulnerability is paired up with TALOS-2018-0699, the Anker Dashcam is completely disabled until the battery runs out. For additional information, please see the advisory here.

Novatek NT9665X HFS Recv buffer overflow code execution vulnerability (TALOS-2018-0701/CVE-2018-4029)  

An exploitable code execution vulnerability exists in the HTTP request-parsing function of the NT9665X Chipset firmware running on the Anker Roav A1 Dashcam, version "RoavA1_SW_V1.9.” A specially crafted packet can cause an unlimited and arbitrary write to memory, resulting in code execution. For additional information, please see the advisory here.

Coverage

The following SNORTⓇ rules detect attempts to exploit TALOS-2018-0685, TALOS-2018-0699, TALOS-2018-0698, TALOS-2018-0697, TALOS-2018-0696, and TALOS-2018-0695. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 40866, 48250, 48251, 48253, 48254, 48255

Versions Tested

Talos has tested and confirmed that the following Roav A1 Dashcam versions are affected: Anker Roav A1 Dashcam version "RoavA1_SW_V1.9" and the Novatek NT9665X chipset firmware.