When I checked, they were all based on the same Chinese maker, and branded with their own firmware. For example, the first ones were HoSafe, and returned the model "JVS-HI3516CS" (see the More on Chinese Camera Hacking post). The second, HikVision cameras returned something similar (but I do not have that output, as the camera was phased out quickly due to a hardware failure), and the latest Camius BoltV returns:
root@kali:~# strings CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw |head -n5
RSUp
IPC3516D
IPC3516D
V170913
V170911
Hm. Looks like a new company in the same old market, base model of HI3516, so let me ask you a quick question. It doesn't "dial home" because someone on the Internet said it doesn't. Is that right? Let's see. Let's boot one up inside of my no-access network and see what we get.
Jan 24 17:59:12 hostname dhcpd: DHCPDISCOVER from 58:e8:76:01:05:ff via eth0
Jan 24 17:59:12 hostname dhcpd: DHCPOFFER on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
Jan 24 17:59:13 hostname dhcpd: DHCPREQUEST for 192.168.1.30 (192.168.1.1) from 58:e8:76:01:05:ff via eth0
Jan 24 17:59:13 hostname dhcpd: DHCPACK on 192.168.1.30 to 58:e8:76:01:05:ff via eth0
Looks good so far. I wait for a few minutes, and see no DNS lookups. Looks great! I load up the browser, and...
09:26:39.253127 IP 192.168.1.30.46294 > router.example.com.domain: 11532+ A? p2p.anlian.co. (31)
09:26:39.253347 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:39.255060 IP 192.168.1.30.35474 > router.example.com.domain: 11533+ A? p2p.anlian.co. (31)
09:26:39.255171 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:39.256390 IP 192.168.1.30.38702 > router.example.com.domain: 11534+ A? p2p.anlian.co. (31)
09:26:39.256489 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:41.272833 IP 192.168.1.30.37976 > router.example.com.domain: 11535+ A? p2p.anlian.co. (31)
09:26:41.273096 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:41.273923 IP 192.168.1.30.50096 > router.example.com.domain: 11536+ A? p2p.anlian.co. (31)
09:26:41.274022 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:41.274857 IP 192.168.1.30.36165 > router.example.com.domain: 11537+ A? p2p.anlian.co. (31)
09:26:41.274956 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:43.292613 IP 192.168.1.30.58809 > router.example.com.domain: 11538+ A? p2p.anlian.co. (31)
09:26:43.292800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:43.293694 IP 192.168.1.30.33953 > router.example.com.domain: 11539+ A? p2p.anlian.co. (31)
09:26:43.293800 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:43.294944 IP 192.168.1.30.37312 > router.example.com.domain: 11540+ A? p2p.anlian.co. (31)
09:26:43.295039 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:45.312929 IP 192.168.1.30.34936 > router.example.com.domain: 11541+ A? p2p.anlian.co. (31)
09:26:45.313133 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:45.315165 IP 192.168.1.30.32893 > router.example.com.domain: 11542+ A? p2p.anlian.co. (31)
09:26:45.315265 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:45.316177 IP 192.168.1.30.60287 > router.example.com.domain: 11543+ A? p2p.anlian.co. (31)
09:26:45.316273 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:46.287401 ARP, Request who-has 192.168.1.30 tell router.example.com, length 28
09:26:46.288148 ARP, Reply 192.168.1.30 is-at 58:e8:76:01:05:fe (oui Unknown), length 46
09:26:47.332854 IP 192.168.1.30.57413 > router.example.com.domain: 11544+ A? p2p.anlian.co. (31)
09:26:47.333058 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:47.334285 IP 192.168.1.30.35320 > router.example.com.domain: 11545+ A? p2p.anlian.co. (31)
09:26:47.334409 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:47.335774 IP 192.168.1.30.51734 > router.example.com.domain: 11546+ A? p2p.anlian.co. (31)
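The capture above shows a pattern worth catching automatically: the same A? query from the camera repeated every couple of seconds. As an added example (not part of the original post), this script parses tcpdump's text output, keeps only the DNS queries sent by the device under test, and reports names not on an allow list; the allow-list suffix and the extra NTP line in the sample are assumptions.

```python
# Added example, not from the post: flag DNS lookups a lab device sends
# that are not on an allow list. Parses tcpdump's text output in the same
# line format as the capture above. The allow list is an assumption.
import re
from collections import Counter

# "<time> IP <src>.<port> > <resolver>.domain: <id>+ A? <name>. (<len>)"
DNS_QUERY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.domain: "
    r"\d+\+ (?P<qtype>A|AAAA)\? (?P<qname>[^ ]+)\. \(\d+\)"
)

def dns_queries(lines, device_ip):
    """Yield (timestamp, qtype, qname) for DNS queries sent by device_ip."""
    for line in lines:
        m = DNS_QUERY.match(line.strip())
        if m and m.group("src") == device_ip:
            yield m.group("ts"), m.group("qtype"), m.group("qname").lower()

def beacon_report(lines, device_ip, allowed_suffixes=()):
    """Count queried names not covered by allowed_suffixes.

    Returns {qname: count}; a name re-queried every two seconds (a
    phone-home / P2P rendezvous lookup) stands out by its count.
    """
    counts = Counter()
    for _ts, _qtype, qname in dns_queries(lines, device_ip):
        if not any(qname == s or qname.endswith("." + s) for s in allowed_suffixes):
            counts[qname] += 1
    return dict(counts)

# Constructed sample mirroring the capture above, plus one benign lookup
SAMPLE = """\
09:26:39.253127 IP 192.168.1.30.46294 > router.example.com.domain: 11532+ A? p2p.anlian.co. (31)
09:26:39.253347 IP router.example.com > 192.168.1.30: ICMP host router.example.com unreachable - admin prohibited, length 67
09:26:41.272833 IP 192.168.1.30.37976 > router.example.com.domain: 11535+ A? p2p.anlian.co. (31)
09:26:46.287401 ARP, Request who-has 192.168.1.30 tell router.example.com, length 28
09:26:47.332854 IP 192.168.1.30.57413 > router.example.com.domain: 11544+ A? p2p.anlian.co. (31)
09:26:48.101010 IP 192.168.1.30.40001 > router.example.com.domain: 11545+ A? pool.ntp.org. (30)
""".splitlines()

if __name__ == "__main__":
    for name, n in beacon_report(SAMPLE, "192.168.1.30", ("ntp.org",)).items():
        print(f"{name}: {n} lookups not on the allow list")
```

On a live lab network the same functions can be fed `tcpdump -n -l` output line by line; a name that keeps accumulating while the device is supposedly idle is the "dial home" the post is looking for.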
After connecting with the browser, it appears to dial home to China, to a peer-to-peer network. People seem to answer questions they know nothing about.
With that out of the way, let's see what we have. I first ran nmap against the camera:
root@kali:~# nmap -sT -O 192.168.1.30
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-20 08:33 MST
Nmap scan report for 192.168.128.31
Host is up (0.0031s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
7000/tcp open afs3-fileserver
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=1/20%OT=23%CT=1%CU=39315%PV=Y%DS=2%DC=I%G=Y%TM=5A63616
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=11%GCD=FA00%ISR=9C%TI=I%CI=I%TS=U)OPS(O1=
OS:M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)WIN(W1=FFFF%W2=FFFF%W3=FFFF
OS:%W4=FFFF%W5=FFFF%W6=FFFF)ECN(R=Y%DF=N%T=41%W=FFFF%O=M5B4%CC=N%Q=)T1(R=Y%
OS:DF=N%T=41%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=N%T=100%W=0%S=Z%A=S%F=AR%O=%RD
OS:=0%Q=)T3(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T4(R=Y%DF=N%T=100%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=100%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=N%T=100%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=100%W=0%S=Z%
OS:A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=37%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=N)
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds
root@kali:~#
That looks like the last one, except the ports are different. Aside from that, pretty near perfect. This one seems to be better on security, though, as every request from Hydra gave us false positives (a basic redirection to another location).
workstation:~ username$ curl http://192.168.1.30/cgi-bin/something.pl
<root>
<port>9988</port>
<devtype>5932089570895921152</devtype>
<langstrs>ENU FRA DEU ITA PTG RUS ESN</langstrs>
<curlang>ENU</curlang>
<custom>CAMIUS</custom>
<logo>CAMIUS</logo>
<uiversion>0</uiversion>
<sdcardpageshow>0</sdcardpageshow>
<title></title>
<firstloginflag>0</firstloginflag>
<pluginfile>0</pluginfile>
<devicetime>2015-01-14_12-39-53</devicetime>
</root>
workstation:~ username$
So, I can't explore this one like I did the HikVision or HoSafe. The next try is to see if I could find the firmware. Lo and behold! A company that allows the firmware to be downloaded! Here's why this is beneficial: we can dismantle the firmware to see what we have in there. I'd never done this before, so it was an exercise in learning. Maybe this will help.
Everything I read online explained to use binwalk, then firmware-mod-kit. I ran binwalk (like I was supposed to), and then firmware-mod-kit to explode what binwalk found:
root@kali:~# binwalk CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
179268 0x2BC44 CRC32 polynomial table, little endian
180292 0x2C044 CRC32 polynomial table, little endian
245840 0x3C050 uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
263908 0x406E4 gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2997312 0x2DBC40 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
5733440 0x577C40 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
10749816 0xA40778 CRC32 polynomial table, little endian
10750840 0xA40B78 CRC32 polynomial table, little endian
10756235 0xA4208B LZO compressed data
10818104 0xA51238 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
root@kali:~# /opt/firmware-mod-kit/trunk/extract-firmware.sh CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
[... a whole lot of compilation errors ...]
root@kali:~#
Apparently, the Kali distribution doesn't compile firmware-mod-kit. Then I found a nifty little flag in binwalk that gave me what I needed: the -e option, which extracts what was found:
root@kali:~# binwalk -e CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
179268 0x2BC44 CRC32 polynomial table, little endian
180292 0x2C044 CRC32 polynomial table, little endian
245840 0x3C050 uImage header, header size: 64 bytes, header CRC: 0x747FC94F, created: 2017-09-11 01:41:14, image size: 2751376 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x242F03BD, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
263908 0x406E4 gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2997312 0x2DBC40 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2736056 bytes, 595 inodes, blocksize: 65536 bytes, created: 2017-09-20 00:46:43
5733440 0x577C40 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4828778 bytes, 121 inodes, blocksize: 131072 bytes, created: 2017-10-09 05:06:26
10749816 0xA40778 CRC32 polynomial table, little endian
10750840 0xA40B78 CRC32 polynomial table, little endian
10756235 0xA4208B LZO compressed data
10818104 0xA51238 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3894082 bytes, 435 inodes, blocksize: 131072 bytes, created: 2017-10-09 03:39:10
root@kali:~# ls -ltr
total 86448
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Videos
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Templates
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Public
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Pictures
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Music
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Downloads
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Documents
drwxr-xr-x 2 root root 4096 Jan 18 21:09 Desktop
Sweet! I started exploring immediately, with every file now available to me:
root@kali:~# ls -ltr
total 86448
[... snip ...]
drwxr-xr-x 5 root root 4096 Jan 21 08:00 _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted
root@kali:~#
root@kali:~# cd _CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls
2DBC40.squashfs 577C40.squashfs squashfs-root squashfs-root-1
406E4 A51238.squashfs squashfs-root-0
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# ls squashfs-root
bin etc lib mkimg.rootfs moudle plugs root sys var
boot home linuxrc mknod_console nfsroot ppp sbin tmp
dev init lost+found mnt opt proc share usr
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted#
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted# cd squashfs-root
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root# cd etc/
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# ls
boa fs-version group inittab mtab passwd- profile resolv.conf udev
fstab goahead init.d mime.types passwd ppp protocols services
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc# cp passwd ~/
root@kali:~/_CH29XH3_F16M_SF_ENU_CAMIUS_V2.1.3.6-171009_W.sw.extracted/squashfs-root/etc#
And now I only needed to run John the Ripper on the password file and locate the proper RTSP stream for motion detection. However, after a few days of running John, I still didn't have a matching password. So, I started looking for other ways to gain that access. But let's keep digging, just because I am curious. In the exploded web squashfs, we see just a bit more information.
Hm. A lot of binary files, but some configs. So, what service is running HTTP? I believe it is Boa, and in the root filesystem's /etc/boa/boa.conf there is this interesting little setting for the user the server runs as:
User 0
Group 0
Huh? Wow. If you can run anything on the service, you have ROOT ACCESS! So, let's see what else is in there:
DocumentRoot /plugs
[... snip ...]
CGIPath /plugs/cgi-bin:/bin:/usr/bin:/usr/local/bin
[SARCASM] Beautifully secure [/SARCASM]! It looks like if you can get any of the jobs in the cgi-bin directory of the second squashfs, you have a successful breach, because it will run any command as root that is in the /bin, /usr/bin or /usr/local/bin directories. Unfortunately, there is only one thing in /cgi-bin, and that is mediaport.cgi, which is an ELF binary:
root@kali:~# file mediaport.cgi
mediaport.cgi: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped
root@kali:~#
This might not be as easy as I was hoping.
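To turn the two findings above (the server running as uid/gid 0 and a CGIPath that reaches into /bin, /usr/bin and /usr/local/bin) into a repeatable check on any extracted rootfs, here is an added example that is not code from the post or from Boa: it parses boa.conf directives and flags those settings, shown against a constructed copy of the quoted directives and against a hardened variant (the www-data account name is an assumption).

```python
# Added example, not code from the post or from Boa: audit boa.conf
# directives ("Keyword value" lines) pulled from an extracted rootfs.
# The account names in the hardened variant are assumed.
def parse_boa_conf(text):
    """Return {directive: [values...]}, ignoring comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf

def audit_boa_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_boa_conf(text)
    findings = []
    for directive in ("User", "Group"):
        for v in conf.get(directive, []):
            if v in ("0", "root"):
                findings.append(f"{directive} {v}: server runs with root privileges")
    docroot = conf.get("DocumentRoot", [""])[0].rstrip("/")
    for entry in conf.get("CGIPath", []):
        for d in entry.split(":"):
            d = d.rstrip("/")
            # CGIPath is the PATH given to CGI programs; anything outside
            # the document root exposes system binaries to them
            if not docroot or not d.startswith(docroot + "/"):
                findings.append(f"CGIPath {d}: reaches outside DocumentRoot")
    return findings

# Constructed from the directives quoted above
WEAK_CONF = """\
User 0
Group 0
DocumentRoot /plugs
CGIPath /plugs/cgi-bin:/bin:/usr/bin:/usr/local/bin
"""

# Hardened variant: unprivileged account (assumed names), CGI PATH confined
HARDENED_CONF = """\
User www-data
Group www-data
DocumentRoot /plugs
CGIPath /plugs/cgi-bin
"""
if __name__ == "__main__":
    print("\n".join(audit_boa_conf(WEAK_CONF)) or "no findings")
```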