Exploiting network surveillance cameras like a Hollywood hacker 4: Attack surface analysis of 3S Vision

Moving on to another vendor, Craig Heffner now analyzes the nuances of getting access to the video feed and, beyond that, becoming root on 3S Vision cameras.

One more object for analysis

By far, the most expensive camera I looked at, though, was the N5072 from 3S Vision (see right-hand image). This one has a list price of “Contact Us”, which is how I know I can afford it. And I ran into a bit of a problem with this particular camera, a little hiccup at first, because for all the other cameras I had been able to just go to the vendor’s website, pull down a firmware update, whatever the latest firmware update was, and start analyzing the code in the firmware for vulnerabilities. So I really didn’t have to buy the device in order to at least do initial testing and things like that.

Password request

When I went to download the firmware for this camera, it gave me a little JavaScript popup box on the vendor’s web page, saying: “Ah, we want your password” (see right-hand image). So I immediately tried all the most common passwords: LOVE, SEX, GOD – of course none of those worked (see leftmost image below). What ended up working, though, was TAB=4, because if you look at the JavaScript it sends your password back to the server, and as long as you get the password right it just redirects you to your current URL with &tab=4 appended onto the end of it (see middle image below).

Download page accessed

TAB=4 does the trick

Giving popular passwords a shot

Custom web server being used

And I said, well gee, since I’m literate and all, I bet I can do that myself, and sure enough I get the download page (see rightmost image above). So this does not bode well for the security of their systems, nor does the fact that they’re using a custom web server (see right-hand image). It’s rather innocuously named ‘httpd’, but if you just look at the strings in this binary, it’s very clear that this is very custom to their firmware. It’s either something that they wrote themselves from scratch or something that has been very heavily modified by them.

So I said, well, this looks really custom. I really need to start looking at how their web server handles authentication. I know that the cameras use HTTP Basic authentication, so I know that they’re going to be doing some base64 decoding; because if you’re not familiar with HTTP Basic auth, your username and password are basically concatenated and then base64 encoded.

Cross-references to b64_decode

So I started looking through the code for cross-references to b64_decode (see right-hand image). So, what they do when they decode your password is they pass it to b64_decode – alright, that’s fine, they’re decoding your stuff. They then do two string comparisons against a hard-coded string “3sadmin” and another hard-coded string “27988303”. I saw this and I thought: “There is no way you were dumb enough to hard-code stuff into your HTTP server” (see leftmost image below). These can’t possibly be creds.
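As an added illustration of the mechanics just described (this is not code from the talk or from 3S Vision’s httpd), the following C snippet decodes an HTTP Basic Authorization header value back into user and password, and then checks it against credentials that are passed in as runtime parameters rather than compiled into the binary as string literals, which is the fix for the hard-coded-comparison pattern found in this web server. All function names, the sample header value `Basic YWRtaW46c2VjcmV0` (base64 of `admin:secret`) and the stored credentials are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value; -1 if not in the alphabet. */
static int b64_value(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict base64 decoder: input length must be a multiple of 4 and only '=' may
 * follow the first '='. Writes a NUL-terminated result into out.
 * Returns the decoded length, or -1 on malformed input / too small a buffer. */
int b64_decode(const char *in, char *out, size_t outlen) {
    size_t n = strlen(in), i, o = 0;
    unsigned int acc = 0;
    int bits = 0;
    if (n == 0 || n % 4 != 0) return -1;
    for (i = 0; i < n && in[i] != '='; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)((acc >> bits) & 0xFF);
        }
    }
    for (; i < n; i++)
        if (in[i] != '=') return -1;       /* anything after padding is invalid */
    out[o] = '\0';
    return (int)o;
}

/* Split an "Authorization: Basic <b64>" header value into user and password
 * (RFC 7617: user-id ":" password). Returns 0 on success, -1 on malformed input. */
int parse_basic_auth(const char *value, char *user, size_t ulen, char *pass, size_t plen) {
    static const char prefix[] = "Basic ";
    char decoded[512];
    const char *colon;
    size_t ul, pl;
    int len;
    if (strncmp(value, prefix, sizeof prefix - 1) != 0) return -1;
    len = b64_decode(value + sizeof prefix - 1, decoded, sizeof decoded);
    if (len < 0 || strlen(decoded) != (size_t)len) return -1;  /* reject embedded NULs */
    colon = strchr(decoded, ':');
    if (colon == NULL) return -1;
    ul = (size_t)(colon - decoded);
    pl = strlen(colon + 1);
    if (ul >= ulen || pl >= plen) return -1;
    memcpy(user, decoded, ul);
    user[ul] = '\0';
    memcpy(pass, colon + 1, pl + 1);
    return 0;
}

/* Compare two strings without bailing out at the first mismatching byte
 * (length is still observable; acceptable for a credential check like this). */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb, i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Authenticate a request. stored_user / stored_pass are whatever the device was
 * configured with at runtime (assumed to come from the device's config store);
 * the contrast with the firmware in the talk is that they are parameters, not
 * literals compiled into httpd. Returns 1 on success, 0 on failure or bad header. */
int check_basic_auth(const char *value, const char *stored_user, const char *stored_pass) {
    char user[128], pass[128];
    int u_ok, p_ok;
    if (parse_basic_auth(value, user, sizeof user, pass, sizeof pass) != 0) return 0;
    u_ok = ct_equal(user, stored_user);   /* evaluate both so the result does not */
    p_ok = ct_equal(pass, stored_pass);   /* depend on which one failed */
    return u_ok & p_ok;
}

int main(void) {
    /* constructed sample header: "admin:secret" base64-encoded */
    const char *hdr = "Basic YWRtaW46c2VjcmV0";
    char u[128], p[128];
    if (parse_basic_auth(hdr, u, sizeof u, p, sizeof p) == 0)
        printf("user=%s pass=%s\n", u, p);
    printf("auth ok: %d\n", check_basic_auth(hdr, "admin", "secret"));
    return 0;
}
```

Running `strings` on a web server binary, as the talk does, is exactly the check that this structure passes and the original fails: with the credentials held outside the executable there is no literal username or password for the comparison to leak.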

Accessing some video feeds

Backdoor creds worked

A pretty dumb approach

More stuff to watch

But they were, and they worked great (see middle image above). So you can access any 3S Vision camera, become admin with these backdoor creds, and that gives you access to video feeds of cash machines, Taiwanese checkpoints (see rightmost image above), and Russian industrial basements, at least that’s what I assume that is (see right-hand image). Now, again, looking at video feeds is really boring, so I wanted root. Luckily, their code is littered – especially once you’re logged in as admin your attack surface is wide open – and their code is just littered with unsafe function calls, it’s absolutely horrible.

The records.cgi handler

Probably the best example of this is their records.cgi handler (see right-hand image). Not all of their cameras, but many of their cameras support local storage, so you can plug in, say, an SD card to the camera and it will save files off to the SD card for you. They also provide a way to do some basic file management from the admin interface, and this is done through the records.cgi page. Now, records.cgi is not a physical CGI page sitting on disk. What happens is when the web server sees that you requested records.cgi it invokes the do_records function handler.

Specifying an action

The do_records function handler checks to see what action you’ve provided. So for example if you want it to delete a file, you can tell it “action=remove” (see right-hand image). Now, if you’re deleting a file, you also have to tell it which file you want deleted. So it checks to make sure that you’ve specified the filename as well. That filename is then shoved into an “rm” command that is passed to system (see leftmost image below). And I think everyone knows where this is going, yeah (see middle image below). Setting filename=’reboot’ makes it not respond to pings anymore (see rightmost image below).
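Added example, not the vendor’s code: a C sketch of the records.cgi pattern described above, with the weak handler beside a hardened one. `build_rm_command_unsafe` reproduces the shape of the original (the request’s filename formatted straight into an `rm` command line; the firmware hands that string to `system()`, this version only builds it so the example stays inert), and `remove_record_safe` shows the fix: an allow-list on the filename plus `unlink()`, so no shell is ever involved. Function names, the `/tmp` stand-in for the storage mount and the sample filenames are all assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* Stand-in for the camera's local storage mount point (assumed name). */
#define RECORD_DIR "/tmp"

/* The pattern the talk describes: the filename parameter is formatted straight
 * into an rm command line. The original then passes the result to system();
 * this version only builds the string. Returns 0, or -1 if the buffer is too small. */
int build_rm_command_unsafe(const char *filename, char *cmd, size_t cmdlen) {
    int n = snprintf(cmd, cmdlen, "rm -f %s/%s", RECORD_DIR, filename);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Would the command line built above hand shell metacharacters from the
 * filename to a shell? 1 = yes, 0 = no, -1 = filename too long to build. */
int unsafe_command_has_metachar(const char *filename) {
    char cmd[256];
    if (build_rm_command_unsafe(filename, cmd, sizeof cmd) != 0) return -1;
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

/* Allow-list check for a record name: 1..64 characters from [A-Za-z0-9._-],
 * no leading dot (blocks ".", ".." and hidden files), no separators, no spaces. */
int record_name_is_safe(const char *filename) {
    size_t len = strlen(filename), i;
    if (len == 0 || len > 64 || filename[0] == '.') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened handler: validate, build the path under the storage directory, and
 * delete with unlink() so the filename never reaches a shell.
 * Returns 0 on success, -1 if the name is rejected, -2 if unlink() fails. */
int remove_record_safe(const char *dir, const char *filename) {
    char path[1024];
    if (!record_name_is_safe(filename)) return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, filename) >= (int)sizeof path) return -1;
    return unlink(path) == 0 ? 0 : -2;
}

/* Create a small file so main() can exercise the success path. */
int create_sample_record(const char *dir, const char *filename) {
    char path[1024];
    FILE *f;
    if (!record_name_is_safe(filename)) return -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, filename) >= (int)sizeof path) return -1;
    f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("sample\n", f);
    fclose(f);
    return 0;
}

int main(void) {
    char cmd[256];
    /* constructed inputs: a normal record name and one carrying a shell command */
    const char *good = "sample_clip001.avi";
    const char *bad = "clip001.avi; reboot";
    if (build_rm_command_unsafe(bad, cmd, sizeof cmd) == 0)
        printf("unsafe command line: %s\n", cmd);
    printf("metachar reaches shell: %d\n", unsafe_command_has_metachar(bad));
    printf("hardened handler rejects it: %d\n", remove_record_safe(RECORD_DIR, bad));
    if (create_sample_record(RECORD_DIR, good) == 0)
        printf("hardened delete of %s: %d\n", good, remove_record_safe(RECORD_DIR, good));
    return 0;
}
```

The allow-list is deliberately narrower than "reject the characters I know about": a record saved by the camera only ever needs letters, digits, dot, underscore and dash, so everything else is refused rather than escaped, and the path is assembled server-side under a fixed directory instead of trusting whatever the request supplied.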

Not responding to pings

'It's a call to system'

'rm' command passed to system

Devices affected

This affects almost all of 3S Vision’s product line (see right-hand image), not only the cameras but also their video servers, because they use the same web server as well. And after a bit of research I found that another company named ALinking used the same code in their cameras as well. Now, ALinking went through and changed the hard-coded creds to something else, so all the ALinking cameras have the same hard-coded creds, they’re just different from 3S Vision’s hard-coded creds. They’re there and they’re easy to find.

Shodan stats

These cameras are particularly interesting. Due to their cost, there’s not a whole lot of them when compared to some of the other devices (see right-hand image). But considering that these cameras are known to be deployed in foreign military, energy and industrial facilities, they are particularly interesting. So all of you who are already looking these up on Shodan – be careful; don’t blame me when the Chinese military shows up and gets pissed at you.

At the end of the day...

What this all boils down to is: I’m in your network, I can see you, and I’m root; which is not a bad position for any attacker to be in. Most of these cameras, the way that they’re deployed, they’re actually connected to the internal network, so if you can remotely access them and break into them, get root on them – you now have a Linux-based ARM machine sitting inside their network that you can then use to go after anything else in that network.

Read previous: Exploiting network surveillance cameras like a Hollywood hacker 3: Accessing the admin area on IQinVision

Read next: Exploiting network surveillance cameras like a Hollywood hacker 5: Messing around with admin’s video feed
