Saturday, May 28, 2016

Hacking an IP camera (Grandstream GXV3611_HD)

Background:

I did this about a year ago. I was taking the Living Lab course at IUPUI, and the people at the lab let me borrow the IP camera. This particular camera was having an issue with Power-over-Ethernet, so I asked them to let me check it out. I am not great with electronics, but after watching videos by EEVblog (he has a bunch of repair and troubleshooting videos) I wanted to try a few things to see if I could find the issue. I didn't. I asked the people at the lab if I could keep the camera for a while and play around with it, and they agreed. I ended up finding an SQL injection vulnerability and an undocumented command that starts a telnet service, so you can log in as root.


0. Hardware:

At this point I had already taken the camera apart. Below you can see a 10x2 pin header. I assumed the pins were for debugging and were a serial port.

I connected my multimeter to all the pins to check whether any of them put out more than 5 volts, since my logic analyzer can only handle around 5 volts. (It was one of those cheap ones from eBay. If you can afford it, I recommend getting one from Saleae.) None of the pins supplied more than 5 volts, so I connected the logic analyzer to a few pins at random.


When the camera was turned on, I noticed data on one of the channels and assumed it was serial.



1. Communicating with the camera and getting a shell:

I connected an FTDI serial adapter to it and connected to the camera using PuTTY. The baud rate was determined by looking at the logic analyzer output: it was around 115200, which is one of the standard baud rates.


The pin I had connected to was TX, so I couldn't transmit anything to the camera, but I could receive output in the terminal.


I picked the pin above the TX pin to see if it would accept input, and it did. I still don't know how to determine which pin is RX without tracing lines on the circuit board. If anyone has any idea, let me know.




I restarted the camera and stopped autoboot. (I know my screen is dusty)


It was using U-Boot, a bootloader commonly used in embedded devices.


I had watched a DEF CON talk titled “Hacking 20 devices in 45 minutes” in which the speakers explained how they got a shell by changing the init option in U-Boot. I did the same thing.


The printenv command prints out all the current environment variables, including the boot options.

The setenv command updates them. I set init=/bin/sh to get a shell instead of the normal init process.


The bootm command boots a kernel image from memory. The address comes from the output of printenv.


The camera did indeed boot up and gave me a BusyBox shell.


2. Getting a shell again:


I started browsing the file system and noticed empty directories. This happened because I had bypassed the normal boot process, so whatever init normally sets up never ran.


I restarted the camera again and let it boot normally. After booting, it asked me for a username and a password.


I didn't know them, so I restarted the camera again, set init to /bin/sh, and dumped the password hashes.


The password was empty (blank).


I booted the camera normally and logged in. I could finally see the files that had been missing before.


3. Bug hunting


Now that I had a serial shell and access to the file system, I could start looking for remote vulnerabilities by reversing the programs running on the device.




In the screenshot above, you can see webs and cli running. Webs is the web server and cli is the telnet configuration server.


I copied both binaries to my computer so I could analyze them in IDA.


cli was smaller than webs, so I started analyzing it first.
Connecting to the telnet server prompts you for a username and a password, and then (once authenticated) for commands.


I loaded the binary in IDA and looked for the string “Username:”.




While going through the disassembly, I saw SQL statements. I looked at the strings window and the function list and found that the program was using SQLite.


When I was copying the cli and webs files to my computer, I also grabbed system.db, which was the SQLite database. It contained a table called user, which held usernames, passwords, privilege levels, and account status.


Here's the disassembly of the SQL query that interacts with the user table.


The authentication code suffers from an SQL injection vulnerability: the username is inserted directly into the query text.


Normally this is executed:
input = USERNAME
select * from users where name = 'USERNAME';


We can do this instead:
input = ';OUR OWN SQL STATEMENT;--
select * from users where name = '';OUR OWN SQL STATEMENT;--';


I opened the system.db database in SQLite Database Browser to try some statements out before running them on the camera.


My first thought was to just change the password for the admin account.


And it worked.


When I went back to the camera to try it, it failed.


The connection was killed if too much data was passed in the Username field.


I went back to SQLite Database Browser to try something else and came up with this:
'; update user set password='a';--




It executed the statement below:
select * from users where name = ''; update user set password='a';--';


This sets every account's password to a.


Now that I think about it, I could instead have set the privilege of every account to 0 (admin) and the disabled field to 0, which would have been less noticeable, and then logged in via the anonymous account.
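To make the bug concrete, here is an added example (it is not the post's code, nor the cli binary's logic) that models the user table in an in-memory SQLite database and runs the post's payload against both the concatenated query and a parameterised version of it. Column names, the sample rows, the privilege/disabled encoding and the use of an sqlite3_exec()-style statement runner are assumptions.

```python
import sqlite3

# Constructed stand-in for the camera's system.db: a "user" table with the fields the
# post describes (usernames, passwords, privilege, account status). Column names, the
# two sample rows and the privilege/disabled encoding are assumptions for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (name TEXT, password TEXT, privilege INTEGER, disabled INTEGER);
        INSERT INTO user VALUES ('admin', 'secret', 0, 0);
        INSERT INTO user VALUES ('anonymous', '', 2, 1);
    """)
    return conn

def run_stacked(conn, sql):
    """Run every ';'-separated statement in sql, as a C program calling sqlite3_exec()
    would (that cli does so is an assumption; the post only shows the stacked UPDATE ran).
    Python's execute() refuses stacked statements, so the text is cut into complete ones."""
    rows, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if buf.strip("; \n") == "":                # nothing but separators: skip it
            buf = ""
        elif sqlite3.complete_statement(buf):      # a trailing "--" comment never completes
            rows.extend(conn.execute(buf).fetchall())
            buf = ""
    conn.commit()
    return rows

def vulnerable_login(conn, username, password):
    # The pattern from the post: the username is pasted straight into the query text.
    sql = "select * from user where name = '" + username + "';"
    rows = run_stacked(conn, sql)
    return any(r[1] == password and r[3] == 0 for r in rows)   # password ok, not disabled

def safe_login(conn, username, password):
    # Hardened form: a bound parameter is data, never SQL, so the payload is merely looked
    # up as a (non-existent) user name and the UPDATE it carries is never executed.
    rows = conn.execute("select * from user where name = ?", (username,)).fetchall()
    return any(r[1] == password and r[3] == 0 for r in rows)

def user_table(conn):
    return conn.execute("select name, password, privilege, disabled from user "
                        "order by rowid").fetchall()

# The payload from the post, and the quieter variant the post mentions afterwards
# (make every account an enabled admin instead of rewriting every password).
PAYLOAD_PASSWORD = "'; update user set password='a';--"
PAYLOAD_PRIVILEGE = "'; update user set privilege=0, disabled=0;--"

if __name__ == "__main__":
    db = make_db()
    vulnerable_login(db, PAYLOAD_PASSWORD, "x")   # login fails, but the UPDATE has run
    print(user_table(db))                         # every password is now 'a'
```

The input-length limit the post ran into is not a defence on its own: the short payload still fit, and only binding the username as a parameter keeps the stacked UPDATE from running.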

4. Getting a remote root shell:


I examined the cli binary a bit more.


I noticed a command (!#/) that didn't appear when I typed 'help'.


Here's the place where it jumps to:




It executes telnetd on port 20000. After performing the SQL injection and logging in to the command line configuration menu, I can run the !#/ command to start telnetd, then telnet in remotely and log in as root with an empty password.




5. Links:

43 comments:

  1. Thank you so much for detailing your work. About serial: if there are around <20 pins or pads I typically just do what you did and brute-force search for the TX pin while hitting the "enter" key constantly. Many, most consoles will at least echo back the character you enter when you find TX. If you have too many pins or haven't found RX either, you could try connecting all the suspect pins to your own microcontroller and doing a scan for serial. This is some code for Arduino: https://github.com/cyphunk/RS232enum I usually run this on a Teensy++ Arduino-compatible board, which gives me around 40 pins to work with.

    1. Thanks!
      That's very clever. Never thought about using an Arduino to detect pins.
      I haven't been doing this for very long.

  2. SQL Injection in telnet-login: AWESOME;
