I decided to throw a little more at these things, just to get a little more information. I tossed Nikto at the camera, and it identified that you can hit the /cgi-bin/ URI and it will list the scripts. They appear to be minimal, and two of them stood out. One was called "snapshot.sh" - and I immediately threw some shell escape characters at it, trying to inject commands. Unfortunately, they actually did some sanity checking, and the maximum length you have to play with is a command about 4 characters long. Scratch that one off of the list.
The other script (ignoring the "proccgi" and "wagent" scripts) was called "jvsweb.cgi". A quick google, and someone said you can list video streams using this CGI in the form of:
http://192.168.1.20/cgi-bin/jvsweb.cgi?username=admin&password=&cmd=yst&action=get_video
Hrm. I wonder what else it can do? I tried some additional shell escapes on this, and it smartly refused to do anything else and just gave me a "param error". I dunno, maybe it tried to run it, but I couldn't get anything out of it (like a "%24%28cp+/etc/passwd+/mnt/web/cgi-bin/%29" [$(cp /etc/passwd /mnt/web/cgi-bin/)], though I didn't use a pipe on it). Another google with the cmd and yst added to the jvsweb.cgi, and I see a page referencing a "webhelp". That gives a list of options for the cmd parameter, and a very-high-level rundown of what they are for. It includes everything from modifying your white balance to configuring motion detection. There was also one called "webdevinfo". My curiosity was definitely piqued now. I tossed it in, and got a param error. A Russian page (https://habrahabr.ru/post/318572/) gave a bit more information: I could change the action to "list" for most of those cmds (and it had better information on each of the commands in the webhelp, too), and sure enough, I got a response for http://192.168.1.20/cgi-bin/jvsweb.cgi?username=admin&password=&cmd=webdevinfo&action=list :
{
"type": "ipc",
"hardware": "JVS-HI3516CS",
"firmware": "V2.2.2904",
"manufacture": "JVS-HI3516CS",
"sn": "S509233745",
"model": "ipc-module",
"channelCnt": 1,
"streamCnt": 3,
"ystChannelNo": [1, 2, 3, 0, 8, 0, 8, 0, 8, 0, 8, 0, 8, 0, 49316, 19032, 35896, 54, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 49048, 19032, 48912, 19032, 38256, 386, 45380, 16436, 2848, 16437, 200, 0, 2848, 16437, 0, 0, 0, 0, 16487, 50277, 16487, 50277, 45380, 16436, 49088, 19032, 1216, 19033, 2384, 19033, 63192, 16398, 49088, 19032, 16487, 50277, 45380, 16436, 60304, 375, 46392, 16436, 338, 0, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436, 49144, 19032, 1216, 19033, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436, 49168, 19032, 1216, 19033, 46392, 16436, 16487, 50277, 16487, 50277, 45380, 16436],
"name": "Camera",
"date": "2000-01-01 09:11:37",
"bSntp": 1,
"sntpInterval": 24,
"ntpServer": "192.168.1.1",
"tz": 8,
"bDST": 0
}
The product for these cameras is "JVS-HI3516CS". That matches the "dial-home-to-mamma" URL of it hitting "jovetech.com", as these are "Jovision" cameras. The HI3516CS seems to match a cheap, rebadge-friendly hardware producer named "Hisilicon". And, they sell an SDK. I might have to delve into the SDK to see if I can create a firmware that will override something, or give me another shell, but it is definitely a start. The ipc-module is interesting, too - it is an "IP Camera", modular manufacture system where you build the software you want around it, slap a pretty sticker on it, and ship it out. It is amazing to me that such a cheap, "anonymous" camera has such a good picture, and yet such a lack of controls in that "dial home" tendency.
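From the defender's side, the interesting part of all this is how visible the probing is in a web server log: requests to /cgi-bin/ that list the scripts, jvsweb.cgi calls carrying URL-encoded shell metacharacters like "%24%28", and device-info queries that succeed with an empty password. The script below is an added example (mine, not from the post or from Jovision) that parses constructed combined-format access-log lines modelled on the requests above and flags those three patterns. The log lines, the client IP and the response sizes are made up for the example; the paths and query strings are the ones the post shows.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format) modelled on the requests
# described in the post. These are not real captures from the camera.
SAMPLE_LOG = """\
192.168.1.50 - - [01/Jan/2000:09:11:37 +0000] "GET /cgi-bin/jvsweb.cgi?username=admin&password=&cmd=yst&action=get_video HTTP/1.1" 200 512
192.168.1.50 - - [01/Jan/2000:09:12:02 +0000] "GET /cgi-bin/jvsweb.cgi?username=admin&password=&cmd=%24%28cp+/etc/passwd+/mnt/web/cgi-bin/%29 HTTP/1.1" 200 38
192.168.1.50 - - [01/Jan/2000:09:12:40 +0000] "GET /cgi-bin/jvsweb.cgi?username=admin&password=&cmd=webdevinfo&action=list HTTP/1.1" 200 1420
192.168.1.50 - - [01/Jan/2000:09:13:05 +0000] "GET /cgi-bin/ HTTP/1.1" 200 880
192.168.1.50 - - [01/Jan/2000:09:13:30 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# One combined-format line: client, two ident/user fields, timestamp,
# request line (method, target, protocol), status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that have no business in a camera CGI parameter value. Checked
# on the decoded value, so "%24%28" is caught as "$(".
SHELL_META = re.compile(r'[;|&`$(){}<>\n]')


def parse_line(line):
    """Split a log line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # keep_blank_values=True keeps "password=" as an empty value rather
    # than dropping the key, which is exactly the case we want to see.
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def check_record(rec):
    """Return (kind, client_ip, detail) tuples for suspicious CGI requests."""
    findings = []
    if not rec["path"].startswith("/cgi-bin/"):
        return findings

    # The script directory itself answered 200: directory listing is on.
    if rec["path"] == "/cgi-bin/" and rec["status"] == "200":
        findings.append(("cgi-listing", rec["ip"], "script directory listing returned 200"))

    # Any decoded parameter value containing shell metacharacters.
    for name, values in rec["params"].items():
        for v in values:
            if SHELL_META.search(v):
                findings.append(("shell-metachar", rec["ip"], f"{name}={v!r}"))

    # jvsweb.cgi accepted a request with an empty password and returned 200.
    if (rec["path"].endswith("jvsweb.cgi")
            and rec["params"].get("password") == [""]
            and rec["status"] == "200"):
        cmd = ",".join(rec["params"].get("cmd", ["?"]))
        findings.append(("empty-password", rec["ip"], "cmd=" + cmd))
    return findings


def analyze(log_text):
    """Run the checks over every parseable line and collect the findings."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out.extend(check_record(rec))
    return out


if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:15} {ip:15} {detail}")
```

Run against the constructed lines it reports one shell-metacharacter hit (the "$(cp /etc/passwd ...)" value), the directory listing, and three device requests that succeeded with an empty password. On a real deployment the empty-password rule is the one worth wiring into an alert, since it is the camera accepting the request, not the client sending it, that is the problem.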