Consumer IP cameras are now the most widely adopted solution for remote monitoring in various contexts, such as private homes or small offices. While the security of these devices has been scrutinized, most approaches are limited to relatively shallow network-based analyses. In this paper, we discuss a methodology for the security analysis and identification of remotely exploitable vulnerabilities in IP cameras, which includes static and dynamic analyses of executables extracted from IP camera firmware. Compared to existing methodologies, our approach leverages the context of the target device to focus on the identification of malicious invocation sequences that could lead to exploitable vulnerabilities. We demonstrate the application of our methodology by using the Tenda CP3 IP camera as a case study. We identified five novel CVEs, with CVSS scores ranging from 7.5 to 9.8. To partially automate our analysis, we also developed a custom tool based on Ghidra and rhabdomancer.
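As an added illustration of the "invocation sequence" idea the abstract describes, the Python below runs a source-to-sink reachability triage over a call graph. It is example code written here, not the paper's Ghidra/rhabdomancer tool and not from the Tenda CP3 firmware: the call graph, the function names other than the libc ones, and the sink tiers are all constructed for the example. It models what a static pass would hand to the analyst before dynamic confirmation: every function that directly ingests network input, the risky library calls reachable from it, and the call path that connects them, ranked so that command execution is reviewed before bounded copies.

```python
"""Static triage of call sequences from input sources to risky sinks.

Constructed example (not the paper's tool): the call graph is a hand-made
stand-in for what a decompiler script would export from a firmware binary.
"""
from collections import deque

# Functions that read data an attacker on the network can influence.
SOURCES = {"recv", "recvfrom", "read", "fgets"}

# Sink tiers, rhabdomancer-style: 0 = review first (command execution,
# unbounded read), 1 = unbounded copy/format, 2 = bounded variant that still
# needs a manual length check. This mapping is an assumption for the example.
SINK_TIERS = {
    "system": 0, "popen": 0, "execve": 0, "gets": 0,
    "strcpy": 1, "strcat": 1, "sprintf": 1,
    "strncpy": 2, "snprintf": 2, "memcpy": 2,
}

# Constructed call graph (caller -> callees) loosely modelling a small
# embedded HTTP/RTSP daemon. All non-libc names are invented.
CALL_GRAPH = {
    "main": ["start_http_server", "start_rtsp_server"],
    "start_http_server": ["http_accept_loop"],
    "http_accept_loop": ["recv", "handle_http_request"],
    "handle_http_request": ["parse_query", "set_wifi_config", "get_status"],
    "parse_query": ["strcpy", "strtok"],
    "set_wifi_config": ["sprintf", "system"],
    "get_status": ["snprintf"],
    "start_rtsp_server": ["rtsp_loop"],
    "rtsp_loop": ["recvfrom", "handle_rtsp"],
    "handle_rtsp": ["strncpy", "memcmp"],
}


def find_paths(graph, start, targets, max_depth=8):
    """BFS from `start`; return one shortest call path to each reachable target."""
    paths = {}
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if len(path) > max_depth:
            continue
        for callee in graph.get(node, []):
            if callee in targets and callee not in paths:
                paths[callee] = path + [callee]
            # Only descend into functions we have a body (callee list) for.
            if callee not in seen and callee in graph:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return paths


def triage(graph, sources=SOURCES, tiers=SINK_TIERS):
    """Return findings sorted by tier (0 = most dangerous), then path length.

    A finding is an entry function that calls a source directly, a sink
    reachable from that entry, and the call path connecting the two.
    """
    findings = []
    for fn, callees in graph.items():
        used_sources = sorted(set(callees) & sources)
        if not used_sources:
            continue
        for sink, path in find_paths(graph, fn, set(tiers)).items():
            findings.append({
                "entry": fn,
                "sources": used_sources,
                "sink": sink,
                "tier": tiers[sink],
                "path": path,
            })
    findings.sort(key=lambda f: (f["tier"], len(f["path"]), f["sink"]))
    return findings


def main():
    for f in triage(CALL_GRAPH):
        print(f"tier {f['tier']}  {f['entry']} reads via {','.join(f['sources'])}"
              f"  ->  {' -> '.join(f['path'])}")


if __name__ == "__main__":
    main()
```

On the constructed graph the first finding is the `http_accept_loop -> handle_http_request -> set_wifi_config -> system` chain, which is exactly the kind of sequence that merits a dynamic-analysis follow-up to see whether the request data reaches the command string unfiltered; the `strncpy` and `snprintf` hits land at the bottom of the list because they are only dangerous if the length argument is derived from the input.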