ILDVR INC-MH40D06 security nightmare

So here I am poking at ILDVR INC-MH40D06 only to discover more and more security issues.

Security issue #1

WebUI hardcoded username and password (HANKVISION/HANKVISION).

Security issue #2

Apparently beyond “standard” webs binary running as webserver there is a separate instance of httpd running on the camera.
It runs on port 10081 and uses /mnt/flash/data as homedir.
The /mnt/flash/data contains a lot of config files (or status files to be exact):

/mnt/flash/data # ls -la

total 49
drwxrwxrwx    2 root     root             0 Aug  5  2013 .
drwxrwxrwx    8 root     root             0 Feb  8 16:13 ..
-rwx------    1 root     root           596 Dec 30 14:21 AlarmInfo
-rwx------    1 root     root            26 Dec 30 14:19 AudioConfig.txt
-rwx------    1 root     root           204 Dec 29 17:15 Auth8021xInfo
-rwx------    1 root     root            72 Dec 30 14:17 CameraInfo
-rwx------    1 root     root            64 Dec 29 17:15 ConfigScopeData
-rwx------    1 root     root           204 Dec 29 17:15 DDnsInfo
-rwx------    1 root     root            50 Aug  5  2013 DhcpFile.txt
-rwx------    1 root     root            50 Dec 29 17:15 DhcpSFile.txt
-rw-r--r--    1 root     root            64 Aug  5  2013 FilterInfo
-rwx------    1 root     root           632 Dec 29 17:15 FtpInfo
-rwx------    1 root     root            48 Dec 29 17:15 IgmpInfo
-rwx------    1 root     root           608 Dec 30 14:19 IvpathInfo
-rw-r--r--    1 root     root            80 Dec 30 14:19 MDScopeInfo
-rw-------    1 root     root          2384 Dec 30 14:05 MOTO_PresetPoint
-rw-r--r--    1 root     root             8 Aug  5  2013 MobileInfo
-rwx------    1 root     root           356 Dec 29 17:15 MotionInfo
-rwx------    1 root     root            64 Feb  8 15:47 NetInfo
-rwx------    1 root     root            64 Dec 29 17:15 NetInfo_BSD
-rwx------    1 root     root            64 Dec 29 17:15 NetInfo_HK
-rwx------    1 root     root           148 Dec 30 14:07 NtpInfo
-rwx------    1 root     root           328 Dec 30 14:19 OsdInfo
-rw-r--r--    1 root     root            18 Aug  5  2013 OwnUserInfo.txt
-rwx------    1 root     root            68 Dec 29 17:15 PppoeInfo
-rwx------    1 root     root           356 Dec 30 14:19 PrivacyInfo
-rwx------    1 root     root           480 Dec 29 17:15 ProfileData
-rwx------    1 root     root         17132 Dec 30 14:20 PtzConfigInfo
-rwx------    1 root     root            11 Dec 30 14:21 SDInfo
-rw-------    1 root     root            26 Dec 29 17:15 ShaInfo
-rwx------    1 root     root           492 Dec 29 17:26 SipInfo
-rw-r--r--    1 root     root            28 Aug  5  2013 SjkdInfo
-rwx------    1 root     root           800 Feb  8 14:14 SmtpInfo
-rw-r--r--    1 root     root           280 Aug  5  2013 SnmpInfo
-rwx------    1 root     root           320 Aug  5  2013 SysInfo
-rw-r--r--    1 root     root            36 Aug  5  2013 TutkInfo
-rwx------    1 root     root          4328 Feb  8 14:13 UserInfo
-rwx------    1 root     root            46 Dec 29 17:15 UuidData
-rwx------    1 root     root            15 Dec 29 17:15 Version.txt
-rwx------    1 root     root            36 Dec 30 14:20 VideoInfo
-rw-r--r--    1 root     root            12 Aug  5  2013 WifiBitrateInfo
-rw-r--r--    1 root     root           112 Aug  5  2013 WifiInfo
-rwx------    1 root     root           312 Dec 30 14:17 cameramode
-rwx------    1 root     root           312 Dec 29 17:15 cameramode_default
-rw-------    1 root     root            10 Dec 29 17:15 device_model.txt
-rw-------    1 root     root             2 Dec 29 17:15 hik.txt
-rw-r--r--    1 root     root             0 Jan  1  1970 hisi_ipc
-rwx------    1 root     root            18 Dec 29 17:15 ppcnCfg.txt
---------x    1 root     root           320 Dec 30 14:20 profiledata
-rwx------    1 root     root            14 Dec 30 14:14 sensor.cfg
-rwx------    1 root     root            13 Dec 29 17:19 uluCfg.cfg

These will contain plain text ftp settings and smtp settings among other this. There is no hint of auth.

2 thoughts on “ILDVR INC-MH40D06 security nightmare”

  1. Hi Sergei,
    Really interesting stuff!
    Did you found anything about the /form/ directory tree?

    1. Hi,

      The /form/ does not exist on the file system, instead it is hard coded into webs binary.
      I am still trying to find a shell injection exploit to be able to change the root password without RS232.
      One candidate is changing gateway via webui, it calls ip route command passing the the route as argument, but I was unable to form a correct string to do so.

      This is the call used to change the gateway:

      curl --data "flag=1&language=cn&DHCPenable=0&outIPAddr=192.168.1.200&outMaskAddr=255.255.255.0&outGateway=192.168.1.1&outDNSFirstServer=192.168.1.1&outDNSSecondServer=192.168.1.3" http://admin:admin@192.168.1.200:/form/netparaCfg

      I tried inserting a semicolon, pipe, null, && etc with no success (eg: outGateway=192.168.1.1;touch /tmp/test). In fact the injection worked somewhat (it changed the gateway to 255.255.255.255).

      I managed to repack jffs2 for root (after bricking the camera ;)) with new password (also replaced the password in etc/passwd in Server.tar.xz).

      Sergei.

Leave a Reply

Your email address will not be published. Required fields are marked *