So here I am poking at ILDVR INC-MH40D06 only to discover more and more security issues.
Security issue #1
WebUI hardcoded username and password (HANKVISION/HANKVISION).
Security issue #2
Apparently, beyond the “standard” webs binary running as the web server, there is a separate instance of httpd running on the camera.
It listens on port 10081 and uses /mnt/flash/data as its home directory.
The /mnt/flash/data directory contains a lot of config files (or status files, to be exact):
/mnt/flash/data # ls -la
total 49
drwxrwxrwx 2 root root 0 Aug 5 2013 .
drwxrwxrwx 8 root root 0 Feb 8 16:13 ..
-rwx------ 1 root root 596 Dec 30 14:21 AlarmInfo
-rwx------ 1 root root 26 Dec 30 14:19 AudioConfig.txt
-rwx------ 1 root root 204 Dec 29 17:15 Auth8021xInfo
-rwx------ 1 root root 72 Dec 30 14:17 CameraInfo
-rwx------ 1 root root 64 Dec 29 17:15 ConfigScopeData
-rwx------ 1 root root 204 Dec 29 17:15 DDnsInfo
-rwx------ 1 root root 50 Aug 5 2013 DhcpFile.txt
-rwx------ 1 root root 50 Dec 29 17:15 DhcpSFile.txt
-rw-r--r-- 1 root root 64 Aug 5 2013 FilterInfo
-rwx------ 1 root root 632 Dec 29 17:15 FtpInfo
-rwx------ 1 root root 48 Dec 29 17:15 IgmpInfo
-rwx------ 1 root root 608 Dec 30 14:19 IvpathInfo
-rw-r--r-- 1 root root 80 Dec 30 14:19 MDScopeInfo
-rw------- 1 root root 2384 Dec 30 14:05 MOTO_PresetPoint
-rw-r--r-- 1 root root 8 Aug 5 2013 MobileInfo
-rwx------ 1 root root 356 Dec 29 17:15 MotionInfo
-rwx------ 1 root root 64 Feb 8 15:47 NetInfo
-rwx------ 1 root root 64 Dec 29 17:15 NetInfo_BSD
-rwx------ 1 root root 64 Dec 29 17:15 NetInfo_HK
-rwx------ 1 root root 148 Dec 30 14:07 NtpInfo
-rwx------ 1 root root 328 Dec 30 14:19 OsdInfo
-rw-r--r-- 1 root root 18 Aug 5 2013 OwnUserInfo.txt
-rwx------ 1 root root 68 Dec 29 17:15 PppoeInfo
-rwx------ 1 root root 356 Dec 30 14:19 PrivacyInfo
-rwx------ 1 root root 480 Dec 29 17:15 ProfileData
-rwx------ 1 root root 17132 Dec 30 14:20 PtzConfigInfo
-rwx------ 1 root root 11 Dec 30 14:21 SDInfo
-rw------- 1 root root 26 Dec 29 17:15 ShaInfo
-rwx------ 1 root root 492 Dec 29 17:26 SipInfo
-rw-r--r-- 1 root root 28 Aug 5 2013 SjkdInfo
-rwx------ 1 root root 800 Feb 8 14:14 SmtpInfo
-rw-r--r-- 1 root root 280 Aug 5 2013 SnmpInfo
-rwx------ 1 root root 320 Aug 5 2013 SysInfo
-rw-r--r-- 1 root root 36 Aug 5 2013 TutkInfo
-rwx------ 1 root root 4328 Feb 8 14:13 UserInfo
-rwx------ 1 root root 46 Dec 29 17:15 UuidData
-rwx------ 1 root root 15 Dec 29 17:15 Version.txt
-rwx------ 1 root root 36 Dec 30 14:20 VideoInfo
-rw-r--r-- 1 root root 12 Aug 5 2013 WifiBitrateInfo
-rw-r--r-- 1 root root 112 Aug 5 2013 WifiInfo
-rwx------ 1 root root 312 Dec 30 14:17 cameramode
-rwx------ 1 root root 312 Dec 29 17:15 cameramode_default
-rw------- 1 root root 10 Dec 29 17:15 device_model.txt
-rw------- 1 root root 2 Dec 29 17:15 hik.txt
-rw-r--r-- 1 root root 0 Jan 1 1970 hisi_ipc
-rwx------ 1 root root 18 Dec 29 17:15 ppcnCfg.txt
---------x 1 root root 320 Dec 30 14:20 profiledata
-rwx------ 1 root root 14 Dec 30 14:14 sensor.cfg
-rwx------ 1 root root 13 Dec 29 17:19 uluCfg.cfg
These contain plaintext FTP settings and SMTP settings, among other things, and this second httpd serves them with no hint of authentication.
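An added defender-side check, not part of the original post, that an operator can run against a camera on their own network to confirm whether the port-10081 httpd answers requests for the sensitive status files without credentials (it only looks at status codes and never reads file contents). The file list and the host address are assumptions taken from the post; the fetch function is injectable so the logic can be exercised offline.

```python
import socket
import urllib.error
import urllib.request

# Status files the post says hold plaintext settings (assumed list, from the listing above).
SENSITIVE_FILES = ("FtpInfo", "SmtpInfo", "UserInfo", "OwnUserInfo.txt", "DDnsInfo", "PppoeInfo")


def http_status(url, timeout=5):
    """Return the HTTP status code for a GET of url, or None if unreachable.
    The response body is deliberately not read: we only want to know whether
    the file is served, not what it contains."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:  # 401/403/404/5xx arrive here
        return e.code
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def classify(status):
    """Turn a raw status code into an audit verdict."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "auth-required"
    if status == 404:
        return "not-served"
    return f"other-{status}"


def audit_status_httpd(host, port=10081, files=SENSITIVE_FILES, fetch=http_status):
    """Map each status file name to how the second httpd answers for it.
    `fetch` is injectable so the logic can be tested without a camera."""
    return {name: classify(fetch(f"http://{host}:{port}/{name}")) for name in files}


def worst_finding(results):
    """Reduce an audit result map to a single severity line for a report."""
    verdicts = set(results.values())
    if "exposed" in verdicts:
        return "CRITICAL: status files served without authentication on port 10081; block the port"
    if "auth-required" in verdicts:
        return "WARN: status files present but gated by authentication"
    if verdicts == {"unreachable"}:
        return "OK: port 10081 not reachable"
    return "INFO: no sensitive status files served"


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder camera IP.
    print(worst_finding(audit_status_httpd("192.0.2.10")))
```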
Hi Sergei,
Really interesting stuff!
Did you find anything about the /form/ directory tree?
Hi,
The /form/ tree does not exist on the file system; instead it is hard-coded into the webs binary.
I am still trying to find a shell injection exploit to be able to change the root password without RS232.
One candidate is changing the gateway via the web UI: it calls the ip route command, passing the route as an argument, but I was unable to form a correct string to do so.
This is the call used to change the gateway:
I tried inserting a semicolon, pipe, null, &&, etc. with no success (e.g. outGateway=192.168.1.1;touch /tmp/test). In fact the injection worked somewhat (it changed the gateway to 255.255.255.255).
I managed to repack jffs2 for root (after bricking the camera ;)) with a new password (I also replaced the password in etc/passwd inside Server.tar.xz).
Sergei.