Author Topic: TRENDNET ip-cams w serious SECURITY flaw  (Read 8478 times)

February 06, 2012, 06:57:50 am
Most of their products have a (now) well-documented backdoor.

http://console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html

February 13, 2012, 12:30:54 pm
Feel like copy / pasting? 

Blogspot doesn't work from China.

February 13, 2012, 01:44:44 pm
As we can see the file '3' was a compressed Minix file system. Let's mount it and take a look around.
#mkdir cameraFS
#sudo mount -o loop -t minix 3z cameraFS/
#cd cameraFS/
#ls
bin  dev  etc  lib  linuxrc  mnt  proc  sbin  server  tmp  usr  var
 There is all sorts of interesting stuff in the "/server" directory but we are going to zero in on a specific directory "/server/cgi-bin/anony/"
#cd server/cgi-bin/anony/
#ls
jpgview.htm  mjpeg.cgi  mjpg.cgi  view2.cgi
 The "cgi-bin" directory is mapped to the root directory of http server of the camera, knowing this we can make a request to http://192.168.1.17/anony/mjpg.cgi and surprisingly we get a live stream from the camera.
Now at first I am thinking, well the directory is named "anony" that means anonymous so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest)
Still after setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer. Let's see who is out there :)

 Because the web server requires authentication to access it (normally) we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches
Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch
If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'
Doing this manually is boring and tedious, wouldn't it be great if we could automagically walk through all 9,500 results and log the 'good' hosts.... http://consolecowboys.org/scripts/camscan.py

 This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.
     def search(self, query, page=1):
         """Search the SHODAN database.

         Arguments:
         query    -- search query; identical syntax to the website
         page     -- page number of results

         Returns:
         A dictionary with 3 main items: matches, countries and total.
         Visit the website for more detailed information.

         """
         return self._request('search', {'q': query, 'page': page})

 Last I ran this there was something like 350 vulnerable devices that were available via shodan. Enjoy.

It is starting to look like all trendnet cameras are vulnerable, they have updated their downloads page with critical updates that "improve security" for the following cameras:
TV-IP121W
TV-IP252P
TV-IP410WN
TV-IP410
TV-IP121WN
TV-IP110WN
TV-IP110W

That is 7/11 of the cameras they make.

I left out all the pictures and the part where the dissection of the fw is detailed.
If you can't access shodan, I'll pm you some ips tomorrow (e.g.: 80.65.184.188)
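
A defensive counterpart to the excerpt above, added here as an example and not part of the quoted blog post or any poster's code: it scans access-log lines for successful, credential-less requests under /anony/. It assumes a gateway or reverse proxy in front of the camera that writes Combined Log Format; the sample lines and the names LOG_RE, LOCAL_NETS and anonymous_stream_hits are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Combined Log Format prefix: src ident user [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# RFC 1918 and loopback ranges count as local (assumption; adjust to your LAN).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.168.1.50 - user [13/Feb/2012:13:40:01 +0000] "GET /index.htm HTTP/1.1" 200 5120
192.168.1.50 - - [13/Feb/2012:13:41:10 +0000] "GET /anony/mjpg.cgi HTTP/1.1" 200 884211
203.0.113.7 - - [13/Feb/2012:13:42:33 +0000] "GET /anony/mjpg.cgi HTTP/1.1" 200 1203344
203.0.113.7 - - [13/Feb/2012:13:42:40 +0000] "GET /%61nony/view2.cgi?x=1 HTTP/1.1" 200 412
198.51.100.9 - - [13/Feb/2012:13:43:02 +0000] "GET /index.htm HTTP/1.1" 401 0
198.51.100.9 - - [13/Feb/2012:13:43:05 +0000] "GET /anony/mjpeg.cgi HTTP/1.1" 404 0
"""


def anonymous_stream_hits(log_text):
    """Return (src, path, external) for each 2xx /anony/ request sent without credentials."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Drop the query string, decode %xx escapes and collapse ../ segments.
        raw = unquote(m["path"].split("?", 1)[0])
        path = "/" + posixpath.normpath(raw).lstrip("/")
        if not path.startswith("/anony/"):
            continue
        if m["user"] != "-" or not m["status"].startswith("2"):
            continue  # authenticated request, or the path was not served
        try:
            ip = ipaddress.ip_address(m["src"])
            external = not any(ip in net for net in LOCAL_NETS)
        except ValueError:
            external = True  # unparseable source: treat as untrusted
        hits.append((m["src"], path, external))
    return hits


if __name__ == "__main__":
    print(*anonymous_stream_hits(SAMPLE_LOG), sep="\n")
```

Any hit marked external means the stream was served to an address outside the local ranges with no user name logged, which is the condition to alert on until the firmware update is applied.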

February 14, 2012, 09:18:40 pm
I guess it is likely that the other brands using this Fitivision platform also have the problem.

e.g. Airlink, Zonet, Hawking models that look similar.