Friday, October 13, 2017

More on Chinese Camera Hacking

So, as I keep phasing out my Hosafe Chinese cameras, I also keep going back to them.  They were cheap, but they have security issues that drive me crazy.  They also had a great picture.  So, I am really getting to the point I want to use them, without having them dial-home to mamma.

I decided to through a little more at these things, just to get a little more information.  I tossed Nikto to the camera, and it identified that you can hit the /cgi-bin/ URI and it will list the scripts.  They appear to be minimal, and two of them stood out.  One was called "snapshot.sh" - and I immediately threw some shell escape characters trying to inject commands.  Unfortunately, they actually did some sanity checking, and your maximum length to play with is a command about 4 characters long.  Scratch that one off of the list.

The other script (ignoring the "proccgi" and "wagent" scripts) was called "jvsweb.cgi".  A quick google, and someone said you can list video streams using this CGI in the form of :
    http://192.168.1.20/cgi-bin/jvsweb.cgi?username=admin&password=&cmd=yst&action=get_video
    
Hrm.  I wonder what else it can do?  I tried some additional shell escapes on this, and it smartly refused to do anything else and just gave me a "param error".  I dunno, maybe it tried to run it, but I couldn't get anything out of it (like a "%24%28cp+/etc/passwd+/mnt/web/cgi-bin/%29" [$(cp /etc/passwd /mnt/web/cgi-bin/)], though I didn't use a pipe on it). Another google with the cmd and yst added to the jvsweb.cgi, and I see a page referencing a "webhelp".  That gives a list of options for the cmd parameter, and a very-high-level rundown of what they are for.  It includes everything from modifying your white balance to configuring motion detection.

There was also one called "webdevinfo".  My curiosity was definitely piqued now.  I tossed it in, and got a param error.  A Russian page (https://habrahabr.ru/post/318572/) gave a bit more information that I could change the action to "list" (and better information on each of the commands in the webhelp, too) for most of those cmd's, and sure enough, I got a response for http://192.168.1.20/cgi-bin/jvsweb.cgi?username=admin&password=&cmd=webdevinfo&action=list :
    {
        "type":    "ipc",
        "hardware":    "JVS-HI3516CS",
        "firmware":    "V2.2.2904",
        "manufacture":    "JVS-HI3516CS",
        "sn":    "S509233745",
        "model":    "ipc-module",
        "channelCnt":    1,
        "streamCnt":    3,
        "ystChannelNo":    [1, 2, 3, 0, 8, 0, 8, 0, 8, 0, 8, 0, 8, 0, 49316, 19032, 35896, 54, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 49048, 19032, 48912, 19032, 38256, 386, 45380, 16436, 2848, 16437, 200, 0, 2848, 16437, 0, 0, 0, 0, 16487, 50277, 16487, 50277, 45380, 16436, 49088, 19032, 1216, 19033, 2384, 19033, 63192, 16398, 49088, 19032, 16487, 50277, 45380, 16436, 60304, 375, 46392, 16436, 338, 0, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436, 49144, 19032, 1216, 19033, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436, 49168, 19032, 1216, 19033, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436],
        "name":    "Camera",
        "date":    "2000-01-01 09:11:37",
        "bSntp":    1,
        "sntpInterval":    24,
        "ntpServer":    "192.168.1.1",
        "tz":    8,
        "bDST":    0
    }
    
The product for these cameras is "JVS-HI3516CS".  That matches the "dial-home-to-mamma" URL of it hitting "jovetech.com", as these are "Jovision" cameras.  The HI3516CS seems to match a cheap, rebadge-friendly hardware producer named "Hisilicon".  And, they sell an SDK.  I might have to delve into the SDK to see if I can create a firmware that will override something, or give me another shell, but it is definitely a start.  The ipc-module is interesting, to - it is an "IP Camera", modular manufacture system where you build the software you want around it, slap a pretty sticker on it, and ship it out.

It is amazing to me that such a cheap, "anonymous" camera has such a good picture, and yet such a lack of controls in that "dial home" tendency.

No comments:

Post a Comment