C7824WIP Security Review


1. Camera specifications

Brand : Vstarcam
Product name : C7824WIP HD indoor IP Camera
Model : C7824WIP
OS : Embedded Linux OS
CPU :

2. Security vulnerabilities

Achievements :
– Remotely take control of the camera (telnet)
– Find the web UI password

Methods :
– Bruteforce : success
– Firmware reverse engineering : success
– Form injection : success

3. Network services analysis

Scan all the active network services on the camera using Nmap :

80/http : The web interface : Documented
23/telnet : Remote command line access : Undocumented

4. Telnet penetration test

4.1 Method 1 : Bruteforce

The password is cracked in a few seconds using Medusa. Hydra fails to crack the password.

The root password : 123456.

4.2 Method 2 : Reverse engineering

4.2.1 Tools
Binwalk

Binwalk is a firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images.

The latest stable version of Binwalk (2.1.1) was not extracting the firmware correctly, so I had to install version 2.0.0. The bug should be fixed in the next release.

Install Binwalk 2.0.0 :

4.2.2 Firmware reverse engineering
Firmware servers and download link

Sniffing the traffic between the Vstarcam firmware upgrade software and the Internet allows us to easily identify the servers and the protocol (plain HTTP) used to retrieve and upgrade the camera firmware.
HTTP sniffing

Remote file : http://45.63.8.70/FM/system/firmware.txt

So we can download the firmware (version 48.53.64.67) from 45.63.8.70 using the following link : http://45.63.8.70/FM/system/CH-sys-48.53.64.67.zip

Firmware download and extraction

Create a working folder :

Download and extract the zipped firmware :

Binary header analysis :

We should be able to use Binwalk to extract the firmware :

Using tree to see the files available :

Done !
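What Binwalk does in the extraction step above is a signature scan: it walks the image looking for the magic bytes of known formats (gzip, zip, squashfs, uImage, ELF, ...) and carves out whatever it recognises. The following is an added example, not code from the page or from Binwalk, that shows the idea on a constructed image (a fake 64-byte vendor header, a gzip member, a zip local header and a squashfs magic; none of it is real Vstarcam firmware). The signature list is a small subset chosen for the example.

```python
from __future__ import annotations

import gzip
import zlib

# Small subset of the magic bytes a tool like Binwalk matches on (chosen for this example).
SIGNATURES = [
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"PK\x03\x04", "Zip archive data (local file header)"),
    (b"hsqs", "Squashfs filesystem, little endian"),
    (b"sqsh", "Squashfs filesystem, big endian"),
    (b"\x27\x05\x19\x56", "uImage header"),
    (b"\x7fELF", "ELF"),
]


def scan(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES:
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def carve_gzip(image: bytes, offset: int) -> bytes:
    """Decompress the gzip member that starts at `offset`.

    The decompressor stops at the member's end marker, so trailing data (the next
    partition, padding, other files) is ignored; a truncated member is reported.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ : expect a gzip wrapper
    out = d.decompress(image[offset:])
    if not d.eof:
        raise ValueError("truncated gzip member at offset %d" % offset)
    return out


# Constructed sample image (not real camera firmware): vendor header, gzip member
# carrying a passwd-style line, a stub zip local header, a squashfs magic.
SAMPLE_PAYLOAD = b"root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh\n"
_header = b"C7824WIP-FW".ljust(64, b"\x00")
_gz = gzip.compress(SAMPLE_PAYLOAD, mtime=0)  # mtime=0 keeps the bytes deterministic
_zip_stub = b"PK\x03\x04" + b"\x00" * 26 + b"app.zip"
GZ_OFFSET = len(_header)
ZIP_OFFSET = GZ_OFFSET + len(_gz)
SQSH_OFFSET = ZIP_OFFSET + len(_zip_stub)
SAMPLE_IMAGE = _header + _gz + _zip_stub + b"hsqs" + b"\x00" * 32

if __name__ == "__main__":
    # Same three columns Binwalk prints: decimal offset, hex offset, description.
    for off, desc in scan(SAMPLE_IMAGE):
        print("%-12d0x%-12X%s" % (off, off, desc))
    print(carve_gzip(SAMPLE_IMAGE, GZ_OFFSET).decode(), end="")
```

Real images contain false positives (four magic bytes occur by chance inside compressed data), which is why Binwalk cross-checks header fields before carving; the scan here only reports the raw hits.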

Firmware analysis and password retrieval

Looking for the files containing the “passwd” string :

And check in these files for the password.
– wifidaemon :

– encoder :

So the root user's password hash is : LSiuY7pOmZG2s. This is a 13-character traditional DES crypt(3) hash (the first two characters, LS, are the salt), not an encrypted password : you cannot log in with it directly, it has to be cracked first :

The root password : 123456.

4.2.3 WebUI reverse engineering

Now that you have root access, you could simply pull the whole WebUI off the device over telnet. However, we'll show the reverse engineering way here.

Firmware servers and download link

Sniffing the traffic between the Vstarcam firmware upgrade software and the Internet allows us to easily identify the servers and the protocol used to retrieve and upgrade the camera WebUI.
HTTP sniffing

Remote file: http://45.63.8.70/FM/vstarcam/firmware.txt

So we can download the WebUI EN53.8.1.13 using the following link : http://45.63.8.70/FM/vstarcam/CH-app-CH53.8.1.13_VSTARCAM.zip

WebUI download and extraction

Create a working folder :

Download and extract the zipped WebUI package :

Now we can use Binwalk to extract the .bin firmware :

The zip files are password protected.
Another way to check :

The easiest way is to go back to the firmware folder and look for the unzipping password :

Use the same method as for the root password : look for any unzip command in the extracted files :

And check in the updata file for the password :

Unzipping password : vstarcam!@#$% (better than 123456 by the way !).
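Both credential hunts above (the passwd-style lines found in wifidaemon and encoder, and the unzip password found in updata) are the same job: run strings over the extracted binaries and pick out the lines that carry secrets. The script below is an added example, not code from the page, that does this triage on a constructed stand-in for the strings output (only the root line is quoted from the page; the other lines, including the unzip command, are made up for the example). It parses passwd entries, says what kind of hash each one holds, flags every uid 0 account, pulls `-P` passwords out of unzip invocations, and, when the host libc still supports DES crypt, tries a small constructed wordlist against a traditional hash.

```python
from __future__ import annotations

import re

try:
    import crypt  # deprecated since Python 3.11, removed in 3.13: optional here
except ImportError:
    crypt = None

# Constructed stand-in for `strings` output of the camera binaries. Only the root line
# is taken from the page; the remaining lines are invented for this example.
STRINGS_OUTPUT = """\
===websLaunchCgiProc===
/etc/passwd
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh
vstarcam2015:%s:0:0:Administrator:/:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
cd /tmp && unzip -o -P vstarcam!@#$% %s -d /home/www
WebReadParam
"""

# user:hash:uid:gid:gecos:home:shell, one entry per line
PASSWD_LINE = re.compile(
    r"^([A-Za-z_][A-Za-z0-9_-]*):([^:\n]*):(\d+):(\d+):([^:\n]*):([^:\n]*):([^:\n]*)$",
    re.MULTILINE,
)
# `unzip ... -P <password> ...` anywhere on a line
UNZIP_PASSWORD = re.compile(r"\bunzip\b[^\n]*?\s-P\s*(\S+)")
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify_hash(field: str) -> str:
    """Describe what the password field of a passwd/shadow entry contains."""
    if field == "":
        return "empty (no password required)"
    if field in ("*", "!"):
        return "locked"
    if field == "x":
        return "stored in /etc/shadow"
    if "%" in field:
        return "printf placeholder (filled in at runtime)"
    if DES_CRYPT.fullmatch(field):
        return "traditional DES crypt(3), salt %r" % field[:2]
    for prefix, name in (("$1$", "MD5"), ("$5$", "SHA-256"), ("$6$", "SHA-512")):
        if field.startswith(prefix):
            return "%s crypt, salt %r" % (name, field.split("$")[2])
    return "unknown"


def find_passwd_entries(text: str) -> list[dict]:
    entries = []
    for m in PASSWD_LINE.finditer(text):
        user, pw, uid, gid, _gecos, _home, shell = m.groups()
        entries.append({"user": user, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "shell": shell, "kind": classify_hash(pw)})
    return entries


def root_equivalent_users(entries: list[dict]) -> list[str]:
    """Every uid 0 account is root, whatever it is called."""
    return [e["user"] for e in entries if e["uid"] == 0]


def find_unzip_passwords(text: str) -> list[str]:
    return UNZIP_PASSWORD.findall(text)


def crack_des_crypt(hash_value: str, wordlist) -> str | None:
    """Dictionary attack on a traditional crypt(3) hash via libc; None if unsupported."""
    if crypt is None:
        return None
    for word in wordlist:
        try:
            if crypt.crypt(word, hash_value[:2]) == hash_value:
                return word
        except (OSError, ValueError):  # libc built without DES support
            return None
    return None


if __name__ == "__main__":
    found = find_passwd_entries(STRINGS_OUTPUT)
    for e in found:
        print("%-14s uid=%-3d %-10s %s" % (e["user"], e["uid"], e["shell"], e["kind"]))
    print("root-equivalent accounts:", root_equivalent_users(found))
    print("unzip passwords:", find_unzip_passwords(STRINGS_OUTPUT))
    # Constructed wordlist for the example; a real run would use a proper list or John.
    print("root password:", crack_des_crypt(found[0]["hash"], ["admin", "password", "123456"]))
```

The `%s` placeholder is worth flagging on its own: a passwd line stored as a format string means the hash is generated and written at boot, so a password you set on the running system is gone after the next reboot, whatever the hash turns out to be.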

Let’s go back to WebUI unzipping :

And use the previous password to unzip the file :

Done !

4.3 Method 3 : Injection

Thanks to this article, we know that the firmware interprets the content of the FTP user field instead of treating it as a plain string, so proceed as follows :

Save and proceed to a “test”. Then monitor the FTP server logs :

So the root user's password hash is once again : LSiuY7pOmZG2s. As already shown above, it cracks in no time :
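The page does not show the exact string typed into the FTP user field, only that the field is interpreted and that the result turns up in the FTP server's log. The following is an added illustration, not the camera's code and not a known payload: it assumes the classic cause, a firmware that builds the FTP client command line by string concatenation and hands it to a shell, so a `$(...)` substitution in the username expands before the FTP client ever sees it. `printf` stands in for the FTP client, and the returned text stands in for the USER line the server would log. The quoted and hardened variants beside it show the two fixes a reviewer would ask for.

```python
import re
import shlex
import subprocess

# Constructed payload (an assumption: the page does not show the form contents).
# On the camera, `$(cat /etc/passwd)` in the same spot would put the passwd
# file into the FTP USER command and therefore into the FTP server's log.
PAYLOAD = "$(echo INJECTED)"
SAFE_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def _run(argv):
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()


def vulnerable_ftp_cmd(user: str) -> str:
    """Firmware style: concatenate the field into a command line and give it to sh.

    The username is unquoted inside the shell string, so $(...) and backticks
    are evaluated by sh before printf (the stand-in FTP client) runs.
    """
    cmd = "printf 'USER %s\\n' " + user
    return _run(["sh", "-c", cmd])


def quoted_ftp_cmd(user: str) -> str:
    """Minimal fix: shlex.quote makes the shell see a single-quoted literal."""
    cmd = "printf 'USER %s\\n' " + shlex.quote(user)
    return _run(["sh", "-c", cmd])


def hardened_ftp_cmd(user: str) -> str:
    """Proper fix: allowlist the value, then pass it as an argument, never as shell text."""
    if not SAFE_USER.fullmatch(user):
        raise ValueError("FTP username rejected: %r" % user)
    # $1 is a positional parameter: its value is never re-parsed by the shell.
    return _run(["sh", "-c", "printf 'USER %s\\n' \"$1\"", "sh", user])


if __name__ == "__main__":
    print("vulnerable:", vulnerable_ftp_cmd(PAYLOAD))   # the substitution ran
    print("quoted:    ", quoted_ftp_cmd(PAYLOAD))       # the literal text survived
    try:
        hardened_ftp_cmd(PAYLOAD)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The quoting fix alone is fragile (one forgotten `shlex.quote` reopens the hole), which is why the hardened version rejects anything outside a small character set and still avoids string interpolation.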

5. Web interface penetration test

Open a telnet connection to the camera using the root credentials found earlier.
From there it's easy to find the web interface password :

6. Links

http://catdevzero.blogspot.sg/2015/02/experiments-with-ip-camera-part-1.html
http://liken.otsoa.net/blog/?x=entry:entry140322-183809
http://jumpespjump.blogspot.co.uk/2015/09/how-i-hacked-my-ip-camera-and-found.html
https://www.pentestpartners.com/blog/hacking-the-ip-camera-part-1/

16 thoughts on “C7824WIP Security Review”

  1. Very nice, on my camera the password is an empty string.

    There is an interesting line.
    It would appear that the password is generated randomly by a program or function call CreateTelnetPasswd.

    How would you recommend getting telnet access?

    ===websLaunchCgiProc===
    /etc/passwd
    vstarcam2015:%s:0:0:Administrator:/:/bin/sh
    /etc/group
    root:x:0:admin
    CreateTelnetPasswd
    WebReadParam
    /
    …skipping
    root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh

    1. Never mind my last post, the FTP thing worked. The password might take a while to crack though.
      I wish these cameras were open source, they could probably sell more units if they did that.

      1. BTW, for anyone else reading this, the password was 20150602 for firmware 48.53.72.74. The username was vstarcam2015.

        Thanks for the great article on reverse engineering.

  2. Hi guys,

    Great article, I learned a lot from it.

    I have this cam and I want to use it in a secure way. When I disable traffic to internet for this device on my router and reboot the cam, I can’t connect anymore via the Android application (eye4). Even telnet and nmap don’t show life.

    I tried to find another application that could connect internally but none of them succeeds to show any frame.

    Does someone know about some good app?

    10x
    Daniel

    1. Daniel,

      I would not be surprised if the Eye4 app no longer worked after that.
      However it is unlikely that telnet and HTTP no longer work. Did you try to ping the cam ?

      If NMAP is not showing anything, any client will be able to connect.

    1. Hi,

      Unfortunately I don’t have the camera anymore but if I remember correctly, this should be mentioned somewhere on the Web UI (maintenance, system or something similar).

      Ronan

  3. Very interesting article, I was going to buy this camera as baby monitor.
    Just a couple of questions: would it be a little less insecure to change the root password to something a bit harder to brute-force than 123456?
    Furthermore what if I don’t forward the telnet and ftp port?
    Thanks!

    1. Not really, it's reset when the camera boots up, and for me the biggest issue is to have a video stream going to unknown servers…

      But having this camera running on a local network without internet connection should be ok…

  4. It seems they have addressed the security vulnerabilities. Today I updated the firmware and NMAP didn’t show any open ports…

    1. Hi,

      Good to know ! Maybe they didn’t fix the injection breach, and there is still a way to activate Telnet by this way.

      Ronan

  5. You can easily spoof the DNS for the update request, whereby pointing it to an IP holding older firmware. I have successfully got telnet working, however the web interface has been removed it seems.
