Hacking Linksys IP Cameras (pt 2)

Mon, 20 Apr 2009 22:27:14 GMT

This article is a continuation of the following GNUCITIZEN article, which includes an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1).

Privilege escalation via arbitrary file retrieval

The second vulnerability I'll be releasing is an arbitrary(ish) file retrieval vulnerability. It's not fully arbitrary because you can only retrieve the contents of files located within the same directory where the vulnerable CGI program is located. However, this is enough to allow a neat privilege escalation vector where a restricted user that only has permissions to view the video stream, can gain access to the admin account password.

The problem lies within the next_file parameter which is submitted to the main.cgi program. Although main.cgi does filter characters typically used in directory traversal sequences such as dots (.) and forward slashes (/), it seems that the developer didn't consider that retrieving the contents of files within the current directory could create a security hole. By simply retrieving the contents of .htpasswd a restricted user which only has permissions to access the video stream can access the credentials of the admin account and also the credentials of other restricted users (if applicable).

The only restriction that needs to be bypassed, is dots (.) symbols being filtered. i.e.: the following will not work and will result in a forbidden error:


But replacing the dot (`.`) symbol with its hexadecimal equivalent:


Will result in the contents of `.htpasswd` being returned. i.e.:

admin:adminpassw0rd user1:pass1 user2:pass2

Like most IP cameras, the Linksys WVC54GCA allows administrators to grant access to the video stream to selected users only (rather than anonymous users who don't need to authenticate). In this case, the admin user can click on the Users menu and tick the Only users in database option (please see screenshot below). After this, all that is needed is to add a username/password pair for the account to grant video-viewing access to:

Video User Accounts

Well, the feature discussed above can be rendered useless by exploiting the vulnerability I have described, since it allows restricted users to retrieve the admin password.

Testing Info

Successfully tested on:

  • WVC54GCA
  • Firmware V1.00R22 and V1.00R24 (latest available as on 20th April 2009)

Please note that this vulnerability is different to BID 10476 which affected the /main.cgi program rather than /img/main.cgi.

If you can encode the dot using its hexadecimal representation, what prevents you from doing the same with slash, so you can achieve directory traversal?
It really works ... damn, I'm throwing my camera under a VPN. Don't want nobody catching me in an awkward situation :/
@A: that doesn't work. thttpd's default forbidden error page is returned when trying so.
That works indeed, as long as you're logged in. As long as you only allow one admin user and that's you, it is probably a non-issue.
Correct, that only works if you are logged in in another browser session. Try that by closing down all your browsers and then try again with a clean session, it will prompt for the Username and password, if you skip that it will error out.
@balt: indeed you need to be logged in. BUT, you DON'T need admin privileges. You can login as a RESTRICTED user (video-viewing permissions only), steal the admin password and finally login as admin. Thus, this vuln serves as a privilege escalation vector as explained in the post.
Indeed. If you have any user accounts enabled, and they have weak passwords, you might as well have given up your admin account. Seems it is better to run with no passwords than with them as your admin account password is now tied to the strength of N users accounts. Wow.
The more recent version of the firmware 1.100R2 resolves this important issue. Thanks for pointing it out - I'm sure that's how Linksys/Cisco fixed the problem. The software on this camera is still a joke- unsigned activeX control for a security camera. That's crazy.
Should have checked before posting - the latest 1.100R2 firmware includes a signed ActiveX control (finally!)