Wednesday, January 24, 2018

IPC Camera Hacking

After my run-in with HikVision and HoSafe cameras (no provided firmwares that they would send to me), I decided to try another cheap camera.  What I settled on had someone claiming that the cameras wouldn't dial home to China.  They were Camius BoltV cameras.

When I checked, they were all based on the same chinese maker, and branded with their own firmwares.  For example, the first ones were HoSafe, and returned the model "JVS-HI3516CS" (see the More on Chinese Camera Hacking post).  The second, HikVision cameras returned something similar (but I do not have that as the camera was phased out quickly due to a hardware failure), and the latest Camius BoltV returns :
    root@kali:~# strings CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw |head -n5
    RSUp
    IPC3516D
    IPC3516D
    V170913
    V170911
    
Hm. Looks like a new company in the same old market, base model of HI3516, so let me ask you a quick question.  It doesn't "dial home" because someone on the Internet said it doesn't. Is that , right?  Let's see.  Let's boot one up inside of my no-access network and see what we get.
    Jan 24 17:59:12 hostname dhcpd: DHCPDISCOVER from 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:12 hostname dhcpd: DHCPOFFER on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:13 hostname dhcpd: DHCPREQUEST for 192.168.1.30 (192.168.1.1) from 58:e8:76:01:05:ff via eth0
    Jan 24 17:59:13 hostname dhcpd: DHCPACK on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
    
Looks good so far.  I wait for a few minutes, and no DNS lookups.  Looks great!  I load up the browser, and....
    09:26:39.253127 IP 192.168.1.30.46294 > router.example.com.domain: 11532+ A? p2p.anlian.co. (31)
    09:26:39.253347 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:39.255060 IP 192.168.1.30.35474 > router.example.com.domain: 11533+ A? p2p.anlian.co. (31)
    09:26:39.255171 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:39.256390 IP 192.168.1.30.38702 > router.example.com.domain: 11534+ A? p2p.anlian.co. (31)
    09:26:39.256489 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.272833 IP 192.168.1.30.37976 > router.example.com.domain: 11535+ A? p2p.anlian.co. (31)
    09:26:41.273096 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.273923 IP 192.168.1.30.50096 > router.example.com.domain: 11536+ A? p2p.anlian.co. (31)
    09:26:41.274022 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:41.274857 IP 192.168.1.30.36165 > router.example.com.domain: 11537+ A? p2p.anlian.co. (31)
    09:26:41.274956 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.292613 IP 192.168.1.30.58809 > router.example.com.domain: 11538+ A? p2p.anlian.co. (31)
    09:26:43.292800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.293694 IP 192.168.1.30.33953 > router.example.com.domain: 11539+ A? p2p.anlian.co. (31)
    09:26:43.293800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:43.294944 IP 192.168.1.30.37312 > router.example.com.domain: 11540+ A? p2p.anlian.co. (31)
    09:26:43.295039 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.312929 IP 192.168.1.30.34936 > router.example.com.domain: 11541+ A? p2p.anlian.co. (31)
    09:26:45.313133 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.315165 IP 192.168.1.30.32893 > router.example.com.domain: 11542+ A? p2p.anlian.co. (31)
    09:26:45.315265 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:45.316177 IP 192.168.1.30.60287 > router.example.com.domain: 11543+ A? p2p.anlian.co. (31)
    09:26:45.316273 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:46.287401 ARP, Request who-has 192.168.1.30 tell router.example.com, length 28
    09:26:46.288148 ARP, Reply 192.168.1.30 is-at 58:e8:76:01:05:fe (oui Unknown), length 46
    09:26:47.332854 IP 192.168.1.30.57413 > router.example.com.domain: 11544+ A? p2p.anlian.co. (31)
    09:26:47.333058 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:47.334285 IP 192.168.1.30.35320 > router.example.com.domain: 11545+ A? p2p.anlian.co. (31)
    09:26:47.334409 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
    09:26:47.335774 IP 192.168.1.30.51734 > router.example.com.domain: 11546+ A? p2p.anlian.co. (31)
After connecting with the browser, it appears to dial home to China, to a peer-to-peer network.   People seem to answer questions they know nothing about.

With that out of the way, let's see what we have.  I first ran NMAP against the camera :
    root@kali:~# map -sT -O 192.168.1.30
    Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-20 08:33 MST
    Nmap scan report for 192.168.128.31
    Host is up (0.0031s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    23/tcp   open  telnet
    80/tcp   open  http
    554/tcp  open  rtsp
    7000/tcp open  afs3-fileserver
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.60%E=4%D=1/20%OT=23%CT=1%CU=39315%PV=Y%DS=2%DC=I%G=Y%TM=5A63616
    OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=11%GCD=FA00%ISR=9C%TI=I%CI=I%TS=U)OPS(O1=
    OS:M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FFFF%W2=FFFF%W3=FFFF
    OS:%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=N%T=41%W=FFFF%O=M5B4%CC=N%Q=)T1(R=Y%
    OS:DF=N%T=41%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=100%W=0%S=Z%A=S%F=AR%O=%RD
    OS:=0%Q=)T3(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=100%W
    OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
    OS:)T6(R=Y%DF=N%T=100%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=100%W=0%S=Z%
    OS:A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=37%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
    OS:UCK=G%RUD=G)IE(R=N)
    
    Network Distance: 2 hops
    
    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds
    
    root@kali:~# 
    
That looks like the last one, except the ports are different.  Aside from that, pretty near perfect.  This seems to be better in security, though, as every request from Hydra gave us false positives (a basic redirection to another location).
    workstation:~ username$ curl http://192.168.1.30/cgi-bin/something.pl
    <root>
    <port>9988</port>
    <devtype>5932089570895921152</devtype>
    <langstrs>ENU FRA DEU ITA PTG RUS ESN</langstrs>
    <curlang>ENU</curlang>
    <custom>CAMIUS</custom>
    <logo>CAMIUS</logo>
    <uiversion>0</uiversion>
    <sdcardpageshow>0</sdcardpageshow>
    <title></title>
    <firstloginflag>0</firstloginflag>
    <pluginfile>0</pluginfile>
    <devicetime>2015-01-14_12-39-53</devicetime>
    </root>
    workstation:~ username$
    
So, I can't explore this one like I did HikVision or Hosafe.  Next try is to see if I could find the firmware.  Lo and behold!  A company that allowed the firmware to be downloaded!  Here's why this is beneficial.  We can dismantle the firmware to see what we have in there.  I'd never done this before, so it was an exercise in learning.  Maybe this will help.

Everything I read online explained to use binwalk, then firmware-mod-tools.  I ran binwalk (like I was supposed to), and then firmware-mod-tools to explode what binwalk found :
    root@kali:~# binwalk CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    179268        0x2BC44         CRC32 polynomial table, little endian
    180292        0x2C044         CRC32 polynomial table, little endian
    245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
    263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
    2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
    5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
    10749816      0xA40778        CRC32 polynomial table, little endian
    10750840      0xA40B78        CRC32 polynomial table, little endian
    10756235      0xA4208B        LZO compressed data
    10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
    
    root@kali:~# /opt/firmware-mod-kit/trunk/extract-firmware.sh CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    [... a whole lot of compilation errors ...]
    @kali:~#
    
Apparently, the distribution for Kali doesn't compile the firmware-mod-tools.  Then I found a nifty little flag in binwalk that gave me what I needed, which was a nifty little -e option to explode what was found :
    root@kali:~# binwalk -e CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
    
    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    179268        0x2BC44         CRC32 polynomial table, little endian
    180292        0x2C044         CRC32 polynomial table, little endian
    245840        0x3C050         uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
    263908        0x406E4         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
    2997312       0x2DBC40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
    5733440       0x577C40        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
    10749816      0xA40778        CRC32 polynomial table, little endian
    10750840      0xA40B78        CRC32 polynomial table, little endian
    10756235      0xA4208B        LZO compressed data
    10818104      0xA51238        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
    
    root@kali:~# ls -ltr
    total 86448
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Videos
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Templates
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Public
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Pictures
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Music
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Downloads
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Documents
    drwxr-xr-x 2 root root     4096 Jan 18 21:09 Desktop
Sweet!  I started immediately exploring the system after finding every file now available to me :
    root@kali:~# ls -ltr
    total 86448
    [... snip ...]
    drwxr-xr-x 5 root root     4096 Jan 21 08:00 _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted
    root@kali:~#
    root@kali:~# cd _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls
    2DBC40.squashfs  577C40.squashfs  squashfs-root    squashfs-root-1
    406E4            A51238.squashfs  squashfs-root-0
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls squashfs-root
    bin   etc   lib         mkimg.rootfs   moudle   plugs  root   sys  var
    boot  home  linuxrc     mknod_console  nfsroot  ppp    sbin   tmp
    dev   init  lost+found  mnt            opt      proc   share  usr
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# cd squashfs-root
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root# cd etc/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# ls
    boa    fs-version  group   inittab     mtab    passwd-  profile    resolv.conf  udev
    fstab  goahead     init.d  mime.types  passwd  ppp      protocols  services
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# cp passwd ~/
    root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc#
    
And now I only needed to run john-the-ripper on the password file and locate the proper RTSP stream for motion detection.  However, after a few days of running John, I still didn't have a matching password.  So, I started looking for other ways to gain that access.  But, let's keep digging, just because I am curious.  In the exploded web squashfs, we see just a bit more information :

Hm. A lot of binary files, but some configs.  So, what service is running HTTP?  I believe it is BOA, and in the root FS filesystem's /etc/boa/boa.conf, there is this interesting little setting for the server to run as :
    User 0
    Group 0
    
Huh?  Wow.  If you can run anything on the service, you have ROOT ACCESS! So, let's see what else is in there :
    DocumentRoot /plugs
    [... snip ...]
    CGIPath /plugs/cgi-bin:/bin:/usr/bin:/usr/local/bin
    
[SARCASM] Beautifully secure [/SARCASM]! It looks like if you can get any of the jobs in the cgi-bin directory of the second squashfs, you have a successful breach, because it will run any command as root that is in the /bin or /usr/bin or /usr/local/bin directories.  Unfortunately, there is only one thing in /cgi-bin, and that is media port.cgi, which is an ELF tool :
    root@kali:~# file mediaport.cgi
    mediaport.cgi: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
    root@kali:~#
    
This might not be as easy as I was hoping.

No comments:

Post a Comment