So I said, well, this looks really custom. I really need to start looking at how their web server handles authentication. I know that the cameras use HTTP Basic authentication, so I know that they’re going to be doing some base64 decoding; because if you’re not familiar with HTTP Basic auth, your username and password are basically concatenated and then base64 encoded. So I started looking through the code for cross-references to b64_decode (see right-hand image). So, what they do when they decode your password is they pass it to b64_decode – alright, that’s fine, they’re decoding your stuff. They then do two string comparisons against a hard-coded string “3sadmin” and another hard-coded string “27988303”. I saw this and I thought: “There is no way you were dumb enough to hard-code stuff into your HTTP server” (see leftmost image below). These can’t possibly be creds. But they were, and they worked great (see middle image above). So you can access any 3S Vision camera, become admin with these backdoor creds, and that gives you access to video feeds of cash machines, Taiwanese checkpoints (see rightmost image above), and Russian industrial basements, at least that’s what I assume that is (see right-hand image).

Now, again, looking at video feeds is really boring, so I wanted root. Luckily, once you’re logged in as admin your attack surface is wide open, and their code is just littered with unsafe function calls; it’s absolutely horrible. Probably the best example of this is their records.cgi handler (see right-hand image). Not all of their cameras, but many of their cameras support local storage, so you can plug in, say, an SD card to the camera and it will save files off to the SD card for you. They also provide a way to do some basic file management from the admin interface, and this is done through the records.cgi page. Now, records.cgi is not a physical CGI page sitting on disk.
What happens is, when the web server sees that you requested records.cgi, it invokes the do_records function handler. The do_records function handler checks to see what action you’ve provided. So for example, if you want it to delete a file, you can tell it “action=remove” (see right-hand image). Now, if you’re deleting a file, you also have to tell it which file you want deleted. So it checks to make sure that you’ve specified the filename as well. That filename is then shoved into an “rm” command that is passed to system (see leftmost image below). And I think everyone knows where this is going, yeah (see middle image below). Setting filename=’reboot’ makes it not respond to pings anymore (see rightmost image below).

This affects almost all of 3S Vision’s product line (see right-hand image), not only the cameras but also their video servers, because they use the same web server as well. And after a bit of research I found that another company named ALinking used the same code in their cameras as well. Now, ALinking went through and changed the hard-coded creds to something else, so all the ALinking cameras have the same hard-coded creds; they’re just different from 3S Vision’s hard-coded creds. They’re there and they’re easy to find. These cameras are particularly interesting due to their cost; there’s not a whole lot of them when compared to some of the other devices (see right-hand image). But considering that these cameras are known to be deployed in foreign military, energy and industrial facilities, they are particularly interesting. So all of you who are already looking these up on Shodan – be careful; don’t blame me when the Chinese military shows up and gets pissed at you. What this all boils down to is: I’m in your network, I can see you, and I’m root; which is not a bad position for any attacker to be in.
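The records.cgi pattern described above, reconstructed as an added example rather than the camera firmware's own code: a handler that pastes the filename parameter into an "rm" string destined for system(), placed beside a hardened version that validates the name and removes the file with unlink() so no shell is ever involved. The RECORDS_DIR path, the function names and the attacker string are assumptions made for this example; the talk only says the filename ends up in an rm command passed to system.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Storage mount point is an assumption for this example; the talk does
 * not give the real path used by the camera. */
#define RECORDS_DIR "/mnt/sdcard/records"

/* Vulnerable pattern from the talk: the user-supplied filename parameter
 * is pasted into an "rm" command string that the firmware hands to
 * system(). The shell parses the whole string, so a ';' (or backticks) in
 * the parameter starts a second command. This version returns the string
 * instead of executing it so the example is safe to run. */
const char *vuln_build_rm_command(const char *filename)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "rm %s/%s", RECORDS_DIR, filename);
    return cmd;   /* in the firmware this is where system(cmd) happens */
}

/* Hardened check: accept only a short name made of [A-Za-z0-9._-] that
 * does not start with '.', which rules out shell metacharacters,
 * whitespace, '/', ".", ".." and dotfiles. Returns 1 if acceptable. */
int filename_is_safe(const char *filename)
{
    size_t len = filename ? strlen(filename) : 0;
    if (len == 0 || len > 64 || filename[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened remove: validate, build the path with bounds checking, then
 * call unlink() directly. No shell is involved, so even a name that got
 * past validation could not inject a command.
 * Returns 0 on success, -1 if the name was rejected, -2 if unlink failed. */
int safe_remove(const char *dir, const char *filename)
{
    char path[512];
    if (!filename_is_safe(filename))
        return -1;
    int n = snprintf(path, sizeof path, "%s/%s", dir, filename);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return unlink(path) == 0 ? 0 : -2;
}

int main(void)
{
    /* Constructed attacker input, in the spirit of the talk's filename=reboot. */
    const char *attack = "x; reboot";
    printf("vulnerable handler would run: %s\n", vuln_build_rm_command(attack));
    printf("hardened check accepts \"%s\"? %d\n", attack, filename_is_safe(attack));
    printf("hardened check accepts rec_0001.avi? %d\n", filename_is_safe("rec_0001.avi"));
    printf("safe_remove(\"%s\") -> %d\n", attack, safe_remove(RECORDS_DIR, attack));
    return 0;
}
```

The allow-list is deliberately narrow: rejecting rather than escaping is the right call for an embedded web server, because the set of names a camera writes to its own SD card is small and predictable, while the set of things a shell will interpret is not. Replacing system() with a direct syscall removes the injection class entirely instead of relying on the filter being perfect.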
Most of these cameras, the way that they’re deployed, they’re actually connected to the internal network, so if you can remotely access them and break into them, get root on them – you now have a Linux-based ARM machine sitting inside their network that you can then use to go after anything else in that network.