Exploiting network surveillance cameras like a Hollywood hacker 3: Accessing the admin area on IQinVision

Having discovered vulnerabilities for D-Link and Cisco, which aren’t camera-focused companies, Craig Heffner looks into how IQinVision is doing security-wise.

Another sample to investigate

So I said, okay, clearly, D-Link and Cisco are doing it wrong in their defense, though, you know, they’re not really camera companies; they don’t do cameras; cameras aren’t really their focus. So let’s look at someone who is a camera company, it’s their bread & butter, hopefully they know how to do it right. So I picked on IQinVision, partially because they make some really expensive high-definition cameras; the IQ832N, for example (see right-hand image), will run you over $1000 apiece, so it’s certainly not cheap. The main reason, though, is that these are the guys who make the cameras that are used in the business complex where I work, so it’s a little more personal.

Open to the world

What you get for $1000 per camera is an unauthenticated high-definition video feed (see right-hand image), open to the world by default. Now, admittedly, this is a configurable option; you can require authentication. This is the default setting, but you can go in as an admin and change that. Now, guess how many admins connect to their cameras through the Internet without changing that default setting? Almost all of them. So this is really interesting, but it’s not really that interesting from a security standpoint. It’s like, okay, they don’t know how to secure their stuff, big deal… But I wanted some actual vulnerabilities.

Authentication for admin area

So I said, well, let’s look at getting into the admin area, which is password protected (see right-hand image) and which, thankfully, most admins have the presence of mind to change the default settings for. To do this I started looking at what else I can get to without authentication. And one of the few pages you can get to without authentication is oidtable.cgi (see leftmost image below). The output from the oidtable, really, isn’t that interesting; it’s a bunch of technical camera settings like focus and all the other stuff. There’s nothing really sensitive in here like usernames and passwords.

Value size check

The code behind oidtable

Nothing interesting at first sight

What’s more interesting is the code behind oidtable (see middle image above), because if you disassemble this CGI binary you’ll see that it looks to see if you specified a ‘grep’ parameter in your QUERY_STRING when you sent your GET request to it. If you have, it checks to make sure the value you provided is less than 32 bytes long (see rightmost image above), and as long as you meet that requirement it will take that string, shove it into a ‘grep’ command (see leftmost image below) and pass it to ‘popen’ (see middle image below), at which point I facepalmed, did my best Kim Jong-il impression (rightmost image below), and did some command injection.
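As an added illustration (not code from the talk or from IQinVision’s firmware), the C below sketches the pattern just described: a length-only check in front of a shell command string, next to a hardened form that allow-lists the ‘grep’ parameter and runs grep with no shell at all. The table path and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical path of the table the CGI greps; an assumption, not the real firmware path. */
#define OID_TABLE "/tmp/oidtable.txt"
#define MAX_GREP_LEN 32

/* Vulnerable pattern as described in the talk: only the length is checked, then the
 * user-supplied value is interpolated into a command line that popen() would hand to
 * the shell. Returns 0 and fills cmd when the check passes, -1 when the value is too long.
 * Note that "focus;ps" is 8 bytes and passes the check untouched. */
int vulnerable_build_cmd(const char *grep_param, char *cmd, size_t cmdlen)
{
    if (strlen(grep_param) >= MAX_GREP_LEN)
        return -1;                        /* the only check the original performs */
    snprintf(cmd, cmdlen, "grep %s " OID_TABLE, grep_param);
    return 0;                             /* the caller would now do popen(cmd, "r") */
}

/* Hardened check: accept only characters an OID name can contain, so anything a
 * shell could interpret (; | & ` $ ( ) quotes, whitespace) is refused outright. */
int grep_param_ok(const char *grep_param)
{
    size_t n = strlen(grep_param);
    if (n == 0 || n >= MAX_GREP_LEN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)grep_param[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened execution: fork + exec, no shell. grep receives the value as one argv
 * element (after "-e", so a leading '-' is not parsed as an option), which means a
 * metacharacter could only ever be a search pattern. Returns grep's exit status or -1. */
int run_grep_noshell(const char *grep_param)
{
    if (!grep_param_ok(grep_param))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("grep", "grep", "-e", grep_param, OID_TABLE, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```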

The reaction

Using 'popen'

String inside 'grep' command

Running the 'ps' command

Again, just like with the D-Link, you see I can run a ‘ps’ command and I get the output sent back to my browser (see right-hand image). So I have a built-in unauthenticated web root shell already on the device. It’s also worth noting that while process listings are interesting, these cameras already have Netcat installed on them, with the ‘-e’ option enabled, so I’m sure most people here can think of some more interesting commands to run than a process listing.

But my main goal in all this was, really, to get to the admin area, recall. So I said, well, how can I do that? We can also use this bug to retrieve the contents of arbitrary files (see leftmost image below). The etc/privpasswd file is what contains the actual admin credentials – it’s not etc/passwd, it’s etc/privpasswd.

Admin password retrieved

Contents of etc/privpasswd

Taking advantage of the bug

So we can pull back the contents of that file (see middle image above). As you can see here, it has the username ‘root’ and an encrypted password. This is where we have two options: you can try and decrypt the password, or if that doesn’t work – screw it, we’re root, we’ll just overwrite the file with whatever we want (see rightmost image above). In either case we get access to the admin area (see leftmost image below), and again, we’re both root and admin on these cameras.

Lots of these cameras out there

Vulnerable!

Benefits of being root and admin

These bugs affect most of IQinVision’s product line (see middle image above), including their 3 series cameras, the 7 series, the Sentinel series, the Alliance-pro, Alliance-mx, and Alliance-mini series. And there are plenty of these out online (see rightmost image above), which is a little distressing considering that they are known to be deployed by schools, police, banks, governments, prisons, casinos, utilities companies, financial consulting firms, to name a few. So have fun with that…

Read previous: Exploiting network surveillance cameras like a Hollywood hacker 2: Cisco’s weaknesses

Read next: Exploiting network surveillance cameras like a Hollywood hacker 4: Attack surface analysis of 3S Vision