A publicly exposed webshell on a web server of Shenzhen Sanjitongchuang Electronic Co. LTD allowed an attacker to execute arbitrary operating system commands (RCE) and access internal files
Smart Watches
NTCF: NTCF-2024-79124
Product: SeTracker
Vendor: Shenzhen Sanjitongchuang Electronic Co. LTD
Criticality: high
Status: fixed
Discovered: 2024-04-19
Detail: Public
Description
A backdoor, more precisely a webshell, was discovered on a web server belonging to Shenzhen Sanjitongchuang Electronic Co. LTD, the manufacturer of the SeTracker Mobile App and API, which is used by children's smartwatches and other tracking devices from various manufacturers. The discovered backdoor provided the ability to execute arbitrary commands (remote code execution, RCE) and access internal files. Since the vendor has not responded, it remains unclear whether other vulnerabilities were exploited by an attacker to install the backdoor, who installed it, and whether customer data was exfiltrated.
In the past, other severe vulnerabilities affecting this manufacturer have been reported, for example by the Norwegian Consumer Council:
https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children/
In accordance with the NTC Vulnerability Disclosure Policy, no technical details about this vulnerability will be publicly disclosed. Further details may be provided on a case-by-case basis.
Please use the contact form and provide an explanation for your request.
Timeline
2024-04-19: initial discovery
2024-04-23: first contact with vendor
2024-06-03: private disclosure to vendor
2024-06-03: no feedback from vendor; private disclosure to vendor by email
2024-08-28: webshell is removed from the web server, still with no answer from the vendor (silent fix); it is unclear whether all security vulnerabilities have been fully addressed
2024-09-18: public disclosure