Often, an input field intended only to collect a server address or user name will also accept input of a different nature, which the system then interprets.
Low-cost IP cameras, but also more professional ones, have been exposed to XSS for many years, a good reminder that such network devices should not be directly exposed to the Internet!
Hopefully that vulnerability is now well known and many manufacturers eventually "patched" their devices or reduced the attack surface by removing telnet and ftp altogether.
If your IP camera has an HTTP-based user interface, here's a working example of command injection (for learning purposes). It works great on old-generation Veskys and Digoo BB-M2 cameras (the pictures below come from that model), and does not work on the Wanscam models I tested.
First check whether the admin interface of your camera has an FTP server settings page like this:
Then instead of FTP Server address, copy this command:
put $(killall telnetd)
That first command kills the running telnet daemon.
The second will now launch the Busybox shell without a user/pass prompt. In the username field, copy this:
$(telnetd -l /bin/sh)
Click the Set up button to save the entries, and click the "Test" button to send them.
After that, use any telnet client, like PuTTY, and connect to the camera on port 23.
As the owner of the camera, this trick allows you to gain full control of your camera.
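The two fields abused above are interpreted by a shell because the firmware splices their content into a command line. As an added example (not the vendor's firmware, nor code from the linked write-up), this is the allowlist validation such fields should get; the accepted string should then be handed to the FTP client as a separate execvp() argument rather than through a shell. The character policies below are assumptions for this example.

```c
/* Allowlist validation for the two web-UI fields the post abuses
 * (FTP server address and user name). Added example, not vendor code. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* RFC 1123 host name: labels of [A-Za-z0-9-], 1..63 chars, not starting
 * or ending with '-', joined by '.', at most 253 chars in total. Dotted
 * IPv4 addresses pass as well. Everything else, including every shell
 * metacharacter, is refused. */
bool is_valid_hostname(const char *s)
{
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return false;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label == 0)
                return false;
            if (++label > 63)
                return false;
        } else {
            return false;           /* ' ', '$', '(', '/', '`', ';' ... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* FTP user name: 1..32 chars of [A-Za-z0-9._-]. This set is a constructed
 * policy for the example; adjust it to what the FTP server accepts. */
bool is_valid_username(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 32)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;
    }
    return true;
}
```

Run against the two payloads from this post, both validators return false, while `ftp.example.com` or `192.168.1.20` pass as a host and `camera_01` passes as a user name.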
Source: https://nm-projects.de/2017/01/hacking-ip-camera-digoo-bb-m2-part-3-getting-root-access/
More reading:
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2010/february/busybox-command-injection/