Cam Hack
Essay by cmccall • March 1, 2017
The most expensive camera on this list is the 3SVision N5072. The camera uses a custom web server that they for some reason titled "httpd", despite all the custom binaries. The most logical step from here is to see how the camera handles authentication by checking for references to base64 decoding. There is a binary that mentions it, and it makes two string comparisons, to "3sadmin" and "27988303". Based on my previous post, I hope you all understand this means that they have hard-coded credentials on the camera that cannot be changed.

The camera also happens to be filled with unsafe function calls, the best example being the records.cgi handler. Many of 3SVision's cameras support local storage, and they provide a way to do basic file management from the admin interface; this is done through records.cgi. Records.cgi isn't a file on the disk: when the web server sees that you requested records.cgi, it calls the do_records function handler. The do_records function handler checks which action you've provided, for example action=remove. If you want a file deleted, you also need to specify which file. The file name you specified is then put into an rm command that is passed to system, which all you Linux users out there should know is very stupid. This leaves the door wide open to command injection like so:

wget --user=3sadmin --password=27988303 'http://camera-ip-address/records.cgi?action=remove&storage=sd&filename='reboot'

Never let user input make calls to system, ever. This affects most of 3SVision's product lines, because they use their own web server and, like many other vendors, love reusing code.

-@hackersworldwide on instagram (not submitted by that account, pasted from it)
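How a delete handler can avoid the problem described above, as an added example that is not from the essay or from 3SVision's firmware: the file name is checked against an allowlist and removed with unlink(), so no shell ever sees it. The function names, the 64-character limit and the /tmp/sd path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pattern the essay describes (reconstructed for illustration, not vendor source):
 *     snprintf(cmd, sizeof cmd, "rm %s/%s", dir, filename);
 *     system(cmd);            // filename reaches /bin/sh unfiltered
 * The hardened handler below never builds a shell command. */

/* Accept only plain recording names: [A-Za-z0-9._-], not starting with '.'. */
int is_safe_record_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;   /* rejects '/', quotes, spaces and shell metacharacters */
    }
    return 1;
}

/* Delete one recording under storage_dir. Returns 0 on success, -1 otherwise. */
int remove_record(const char *storage_dir, const char *name)
{
    char path[256];
    if (!is_safe_record_name(name))
        return -1;
    int n = snprintf(path, sizeof path, "%s/%s", storage_dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;                         /* path would be truncated: refuse */
    return unlink(path) == 0 ? 0 : -1;     /* direct syscall, no shell involved */
}

int main(void)
{
    /* Constructed inputs; /tmp/sd is a hypothetical storage mount. */
    const char *samples[] = { "rec_20170301.avi", "'reboot'", "a.avi;id", "../etc/passwd" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               is_safe_record_name(samples[i]) ? "accepted" : "rejected");
    return remove_record("/tmp/sd", "'reboot'") == -1 ? 0 : 1;
}
```

Rejected requests are also worth logging on the device or at a proxy in front of it, since a records.cgi request whose filename fails this check is a strong signal of probing.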