Saturday, May 28, 2016

Hacking an IP camera (Grandstream GXV3611_HD)


I did this about a year ago. I was taking a Living Lab course at IUPUI and the people at the lab allowed me to borrow the IP camera. This particular camera was having an issue with Power-over-Ethernet, so I told them to let me check it out. I am not great with electronics, but after watching videos by EEVblog (he has a bunch of repair and troubleshooting videos), I wanted to try a few things to see if I could find the issue. I didn't. I asked the people at the lab if I could keep the camera for a while and play around with it, and they allowed me to. I ended up finding an SQL injection vulnerability and an undocumented command that starts a telnet service, so you can log in as root.

0. Hardware:

At this point, I've already taken the camera apart. Below you can see a 10x2 pin header. I assumed the pins were for debugging and carried a serial console.

I connected my multimeter to all the pins to see if any of them put out more than 5 volts, since my logic analyzer can only handle around 5 volts. (It was one of those cheap ones from eBay. If you can afford it, I recommend getting one from Saleae.) None of the pins supplied more than 5 volts, so I decided to connect the logic analyzer to random pins.

When the camera was turned on, I noticed data on one of the channels and assumed it was serial.

1. Communicating with the camera and getting a shell:

I connected an FTDI serial adapter to it and connected to the camera using PuTTY. The baud rate was determined by looking at the logic analyzer output: the bit timing worked out to around 115200, which is one of the standard baud rates.
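Reading the baud rate off a logic-analyzer capture, as described above, comes down to measuring the shortest pulse on the line: nothing on a UART changes faster than once per bit, so the shortest gap between two edges is one bit period and its inverse is the baud rate, which you then snap to the nearest standard rate. The Python below is an added example of that reasoning (my code, not the post's or Grandstream's); instead of reading a real analyzer export it builds a constructed capture from the bytes "U-Boot" framed 8N1, estimates the rate, and then decodes the bytes back by sampling each bit at its mid-point.

```python
# Standard UART rates to snap an estimate onto.
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800)


def uart_bits(data):
    """8N1 framing: for each byte, a start bit (0), 8 data bits LSB first, a stop bit (1)."""
    bits = []
    for byte in data:
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]
    return bits


def edges_from_bits(bits, bit_time, idle=1):
    """Timestamps (seconds) at which the line level changes, the way a logic analyzer
    records a capture. Constructed input for the example; the line idles high."""
    edges, level, t = [], idle, 0.0
    for b in bits:
        if b != level:
            edges.append(t)
            level = b
        t += bit_time
    return edges


def estimate_baud(edges):
    """The shortest gap between consecutive edges is (about) one bit period, because a
    UART never changes level more than once per bit. Needs at least one isolated
    single-bit pulse in the capture; real captures have jitter, hence the snap."""
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    raw = 1.0 / min(gaps)
    return raw, min(STANDARD_BAUDS, key=lambda rate: abs(rate - raw))


def decode_uart(edges, baud, idle=1):
    """Recover bytes from the edge list: a falling edge outside a frame is a start bit;
    the eight data bits are sampled at their mid-points."""
    bit_time = 1.0 / baud

    def level_at(t):
        # every edge toggles the line, so the parity of the edges before t gives the level
        return idle ^ (sum(1 for e in edges if e <= t) & 1)

    out, frame_end = [], -1.0
    for t in edges:
        if t < frame_end or level_at(t + bit_time / 2) != 0:
            continue  # edge inside the current frame, or a rising edge
        bits = [level_at(t + (1.5 + i) * bit_time) for i in range(8)]
        out.append(sum(b << i for i, b in enumerate(bits)))
        frame_end = t + 9.5 * bit_time  # skip edges up to the middle of the stop bit
    return bytes(out)


if __name__ == "__main__":
    capture = edges_from_bits(uart_bits(b"U-Boot"), 1 / 115200)  # constructed capture
    raw, rate = estimate_baud(capture)
    print(f"raw estimate {raw:.0f} baud -> nearest standard rate {rate}")
    print(decode_uart(capture, rate))
```

With a real capture you would feed `estimate_baud` the edge timestamps exported from the analyzer; a Saleae-style async-serial decoder does the same measurement for you, but doing it by hand shows why a short capture with a single-bit pulse (any 0x55 byte, for instance) is enough.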

The pin I had connected to was TX, so I couldn't transmit anything to the camera, but I could receive its output in the terminal.

I picked the pin above the TX pin to see if it would accept input, and it did. I still don't know how to determine which pin is RX without tracing lines on the circuit board. If anyone has any idea, let me know.

I restarted the camera and interrupted autoboot. (I know my screen is dusty.)

It was using U-Boot, a bootloader that is typically used in embedded devices.

I had watched a video from DEF CON titled “Hacking 20 devices in 45 minutes” in which the speakers talked about how they got a shell by changing the init option in U-Boot. I did the same thing.

The printenv command prints out all the current boot options (the U-Boot environment variables).

The setenv command lets us change them. I set init=/bin/sh to get a shell instead of the normal init process.

The bootm command boots a kernel image from memory. The address comes from the output of printenv.

The camera did indeed boot up and gave me a BusyBox shell.

2. Getting shell again:

I started browsing the file system and noticed empty folders. This happened because I had changed the boot process: with init replaced by /bin/sh, the normal startup scripts never ran, so those directories were never mounted or populated.

I restarted the camera and let it boot normally. After booting, it asked me for a username and a password.

I didn't know them, so I restarted the camera again, set init to /bin/sh and dumped the password hashes.

The password field was empty (blank).
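The check that turned up the blank password is worth automating whenever you pull a root file system off a device. The Python below is an added example (my code, not the post's) that walks /etc/passwd and /etc/shadow style lines and reports which accounts have an empty password field and still have a real login shell. The sample lines are constructed in the format BusyBox systems use, and the hash value is made up; many small firmware images keep the hash directly in /etc/passwd, which the parser also handles.

```python
# Constructed sample lines (BusyBox-style /etc/passwd and /etc/shadow); hash is made up.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""
SAMPLE_SHADOW = """\
root::17000:0:99999:7:::
admin:$1$c0nstr$MadeUpHashForTheExampleOnly:17000:0:99999:7:::
nobody:*:17000:0:99999:7:::
"""


def classify(field):
    """State of a password field as login(1) and crypt(3) treat it."""
    if field == "":
        return "empty"      # no password is needed to log in
    if field.startswith(("*", "!")):
        return "locked"     # can never match a crypt() result
    return "hashed"


def audit_accounts(passwd_text, shadow_text=""):
    """Return {user: (password state, login shell)}, resolving an 'x' field through shadow.
    A user with 'x' but no shadow entry is treated as locked (simplification)."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line:
            name, field = line.split(":")[:2]
            shadow[name] = field
    report = {}
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        name, field, shell = fields[0], fields[1], fields[6]
        if field == "x":                   # hash lives in /etc/shadow
            field = shadow.get(name, "!")
        report[name] = (classify(field), shell)
    return report


def empty_password_logins(passwd_text, shadow_text=""):
    """Accounts that get an interactive shell without any password at all."""
    report = audit_accounts(passwd_text, shadow_text)
    return sorted(user for user, (state, shell) in report.items()
                  if state == "empty" and not shell.endswith(("/false", "/nologin")))


if __name__ == "__main__":
    for user, (state, shell) in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user:10} {state:7} {shell}")
    print("passwordless logins:", empty_password_logins(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

Run it against the real files copied from the device (pass the /etc/shadow text only if the image has one) and an empty root entry shows up immediately, which is exactly what makes the telnetd command in section 4 a remote root login rather than just an open port.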

I booted the camera normally and logged in. I could finally see the files that I hadn't seen before.

3. Bug hunting

Now that I have a serial shell and access to the file system, I can start looking for remote vulnerabilities by reverse engineering the services running on the device.

In the screenshot above, you can see webs and cli running. webs is the web server and cli is the telnet configuration server.

I copied both binaries to my computer so I could analyze them in IDA.

cli was smaller than webs, so I started analyzing it first.
Connecting to the telnet server prompts you for a username, a password, and then commands (once you are authenticated).

I loaded the binary in IDA and looked for the string “Username:”

While going through the disassembly, I saw SQL statements. I looked at the strings window and the function names and found out that the program was using SQLite.

When I was copying the cli and webs files to my computer, I also grabbed the system.db file, which turned out to be the SQLite database. It contained a table called user, with columns for usernames, passwords, privilege, and account status.

Here's the disassembly of the SQL query that interacts with the user table.

The authentication code suffers from an SQL injection vulnerability: the username is concatenated straight into the query text.

Normally this is executed:
input = USERNAME
select * from users where name = 'USERNAME';

We can do this instead:
select * from users where name = '';OUR OWN SQL STATEMENT;--';

I opened the system.db database in SQLite Database Browser to try some statements out before executing them on the camera.

My first thought was just to change the password for the admin account.

And it worked.

When I went back to the camera to try it, it failed.

The connection was killed if too much data was passed in the Username field, so the longer statement never got through.

I went back to SQLite Database Browser to try something else and came up with this:
'; update user set password='a';--

It executed the statement below:
select * from users where name = ''; update user set password='a';--';

This sets every user's password to a.

Now that I think about it, I could instead have changed the privilege of all the accounts to 0 (admin) and set the disabled field to 0, which would have been less noticeable, and then logged in via the anonymous account.
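To make the injection concrete, here is an added Python example (my code, not the camera's) that rebuilds the user table described above in an in-memory SQLite database and runs the login lookup two ways: the way cli does it, pasting the username into the query and executing everything in the buffer the way sqlite3_exec() does, and the fixed way with a bound parameter. The column names for privilege and account status, the plaintext passwords, and the row values are assumptions for the example; the real table may differ.

```python
import sqlite3

# Payload from the post: closes the string, runs our own statement, comments out the rest.
PAYLOAD = "'; update user set password='a';--"


def make_db():
    """In-memory copy of the user table the post describes. Column names other than
    name/password, and the constructed rows, are assumptions for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (name text, password text, privilege integer, disabled integer)")
    db.executemany("insert into user values (?, ?, ?, ?)", [
        ("admin", "constructed-admin-pw", 0, 0),
        ("anonymous", "", 2, 1),
    ])
    return db


def exec_all(db, sql):
    """Emulate sqlite3_exec(): run every complete statement in the buffer, not just the
    first. Python's execute() refuses multi-statement strings, which would hide the bug."""
    rows, pending = [], ""
    for piece in sql.split(";"):
        pending += piece + ";"
        if sqlite3.complete_statement(pending):
            if pending.strip("; \n"):          # skip empty trailing statements
                rows.extend(db.execute(pending).fetchall())
            pending = ""
    return rows                                # anything left over is a trailing comment


def login_vulnerable(db, username, password):
    """What the disassembly shows: the username becomes part of the SQL text."""
    sql = "select name, password from user where name = '" + username + "';"
    rows = exec_all(db, sql)
    return any(pw == password for _, pw in rows)


def login_fixed(db, username, password):
    """Same lookup with a bound parameter: the username is data and can never be SQL."""
    row = db.execute("select password from user where name = ?", (username,)).fetchone()
    return row is not None and row[0] == password


def passwords(db):
    return dict(db.execute("select name, password from user"))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "a"))
    print("passwords afterwards:", passwords(db))        # every account is now 'a'
    print("admin with password 'a':", login_vulnerable(db, "admin", "a"))
    db = make_db()
    print("fixed login with payload:", login_fixed(db, PAYLOAD, "a"))
    print("passwords afterwards:", passwords(db))        # unchanged
```

The payload login itself fails in both versions (no user is named ''), which is why the damage is easy to miss in a log: the side effect is the UPDATE that ran before the comment marker, and only the concatenating version lets it run at all. Note that the payload is short enough to survive the length limit the post ran into, whereas a statement that also named the account did not.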

4. Getting remote root shell:

I examined the cli file a bit more.

I noticed that there was a command (!#/) that didn't appear when I typed 'help'.

Here's the place where it jumps to:

It executes telnetd on port 20000. After doing the SQL injection and logging in to the command-line configuration menu, I can run the !#/ command to start telnetd, then telnet in and log in as root with the empty password remotely.

5. Links:


  1. Thank you so much for detailing your work. About serial: if there are around <20 pins or pads I typically just do what you did and brute-force search for the TX pin while hitting the "enter" key constantly. Many, if not most, consoles will at least echo back the character you enter when you find TX. If you have too many pins or haven't found RX either, you could try connecting all the suspect pins to your own microcontroller and doing a scan for serial. This is some code for Arduino: I usually run this on a Teensy++ Arduino-compatible board which gives me around 40 pins to work with.

    1. Thanks!
      That's very clever. Never thought about using an Arduino to detect pins.
      I haven't been doing this for very long.

  2. SQL Injection in telnet-login: AWESOME;
