Wanscam JW0004 IP Webcam hacking

Posted: Tuesday July 07 2015 @ 8:17pm  in Category: Hardware

Yes, I've bought this crappy webcam... On paper it seems to have really nice features, but in reality there are lots of bugs and not everything works as expected. So if you can buy a Foscam instead, go for it, but it's not the same price :-)

If you're stuck with this webcam, you'll find a few workarounds below!

My firmware versions are 67.2.2.166/9.0.4.60, so some things may not be usable on your IP cam if your firmware differs.

You can also flash firmware version 67.2.2.172/9.0.4.67, but you will lose telnet access, although it's easy to re-enable telnetd (see below).

General information

There's a cheap Ralink MIPS CPU running at 360 MHz, with 32 MB of RAM.

# cat /proc/version
Linux version 2.6.21 (root@mailzxh-desktop) (gcc version 3.4.2) #653 Tue Nov 20 15:22:24 CST 2012
# cat /proc/cpuinfo 
system type             : Ralink SoC
processor               : 0
cpu model               : MIPS 24K V4.12
BogoMIPS                : 239.10
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available

We have telnet access with user root and password 123456, so we can start to play. The telnet daemon and a few other ones are started by the /system/init/ipcam.sh script:

telnetd
/system/system/bin/daemon.v5.7 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &

A few interesting ports are listening:

# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:99              0.0.0.0:*               LISTEN      147/encoder
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      28/telnetd
tcp        0      0 0.0.0.0:8600            0.0.0.0:*               LISTEN      29/daemon.v5.7
udp      236      0 127.0.0.1:8832          0.0.0.0:*                           147/encoder
udp        0      0 0.0.0.0:3074            0.0.0.0:*                           147/encoder
udp        0      0 0.0.0.0:3076            0.0.0.0:*                           147/encoder
udp        0      0 127.0.0.1:6666          0.0.0.0:*                           147/encoder
udp        0      0 0.0.0.0:8600            0.0.0.0:*                           29/daemon.v5.7
udp        0      0 127.0.0.1:9123          0.0.0.0:*                           29/daemon.v5.7
udp        0      0 127.0.0.1:9124          0.0.0.0:*                           147/encoder
udp        0      0 0.0.0.0:32108           0.0.0.0:*                           147/encoder
udp        0      0 127.0.0.1:8812          0.0.0.0:*                           31/gmail_thread
udp        0      0 127.0.0.1:8813          0.0.0.0:*                           147/encoder
udp        0      0 127.0.0.1:8822          0.0.0.0:*                           147/encoder
udp        0      0 127.0.0.1:8831          0.0.0.0:*                           30/cmd_thread

NMAP gives the following details:

PORT      STATE         SERVICE        VERSION
23/tcp    open          telnet         BusyBox telnetd
99/tcp    open          http           GoAhead-Webs httpd
8600/tcp  open          tcpwrapped
3074/udp  open|filtered unknown
3075/udp  open|filtered orbix-locator
8600/udp  open|filtered unknown
32108/udp open|filtered unknown

OK, so the encoder process is the web server. I have no idea what TCP port 8600 and all the other UDP ports are used for...

It seems to be based on the "GoAhead" web server, but they modified it, given the various UDP ports it listens on.

Moreover the /system partition containing important binaries is write-enabled so the temptation to modify the firmware directly is high, but I need to do a backup first!

http://www.wanscam.com/xiazai/sdk/JW-SDK-API.zip

Fix: using a simple SMTP server for mail alerts

Wanscam uses ssmtp for mail sending. The binary is /system/system/bin/ssmtp, and the configuration file is /tmp/ssmtp.conf. This configuration file is generated after each reboot or when you change the email parameters; if you don't see this file, it's because you've entered "non-standard" parameters in the WebUI.

Well, if you tried to use a simple SMTP server without SSL/TLS and authentication, you found that motion email alerts do not work anymore.

The trick to use it is:

  1. enable SMTP authentication in 'Mail service settings'
  2. but set the SMTP user to '#buggyfirmware'
  3. leave the password blank

This way ssmtp.conf is properly generated:

# cat /tmp/ssmtp.conf
root=youremail@example.com
mailhub=smtp.example.com:25
rewriteDomain=
hostname=smtp.example.com:25
AuthUser=#buggyfirmware
AuthPass=
FromLineOverride=YES

Regarding this bug, the support said that only the mail servers provided in the list are supported; custom mail servers cannot be used!

Bug: Mail alerts with GMail

I did not manage to get motion alerts working with GMail, with my firmware... (Only to a custom smtp server with the trick above).

Bug: Cannot set default PTZ position

On the "PTZ Settings" page, the submit button does not work with Chrome or Firefox. Opening a JavaScript console confirms a bug; you'll see the following error when clicking on the submit button:

Uncaught ReferenceError: set_ptz is not defined

Playing with the set_misc.cgi page does not seem to work either. I tried with "http://ip:99/set_misc.cgi?ptz_preset=1&loginuse=admin&loginpas=YOURPASS"

If you have another idea... let me know! That's an annoying bug, since the webcam randomly reboots and then your default surveillance position is lost!

Enabling telnetd

After upgrading to 67.2.2.172/9.0.4.6, I lost telnet access, so it was time to customize the update. The flash file format is a modified zip format, not even signed, so it's easy to put what you want on the webcam filesystem. Here's my update script for the system part:

#!/bin/bash

# Output image name; the "system" directory tree is what gets packed
FILE=67.2.2.173.bin
zip -r system.zip system
# 32-byte header magic, then the zip size as a native-endian (little-endian on x86) 32-bit integer
echo -ne "wifi-camera-sys-qetyipadgjlzcbmn" > $FILE
perl -e '$s = -s "system.zip"; print pack("l", $s);' >> $FILE
# The zip archive itself, followed by the 32-byte trailer magic
cat system.zip >> $FILE
echo -ne "wifi-camera-end-nvxkhfsouteqzhpo" >> $FILE
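
The reverse of the packer script, as an added example that is not part of the original post: a checker that validates the container layout (header magic, little-endian length, zip, trailer magic) before an image is flashed, and reports whether the embedded init script launches telnetd. The sample image is constructed in memory and stands in for a real "system" tree; the file names it uses are assumptions based on the paths in the post.

```python
import io
import struct
import zipfile

# Magic strings as written by the update script above
HEADER = b"wifi-camera-sys-qetyipadgjlzcbmn"
TRAILER = b"wifi-camera-end-nvxkhfsouteqzhpo"
INIT_SCRIPT = "system/init/ipcam.sh"


def pack_system_image(zip_bytes: bytes) -> bytes:
    """Same layout as the script: header, 32-bit little-endian length
    (perl pack 'l' on x86), the zip archive, then the trailer."""
    return HEADER + struct.pack("<l", len(zip_bytes)) + zip_bytes + TRAILER


def starts_telnetd(script: str) -> bool:
    """True if some uncommented line of the init script launches telnetd."""
    for line in script.splitlines():
        words = line.strip().split()
        if words and words[0] == "telnetd":   # '#telnetd' never matches
            return True
    return False


def parse_system_image(image: bytes) -> dict:
    """Check the container layout and report what the embedded zip contains.

    Raises ValueError on a bad magic, a length field that disagrees with
    the payload, or a zip whose CRC check fails."""
    if not image.startswith(HEADER):
        raise ValueError("bad header magic")
    if not image.endswith(TRAILER):
        raise ValueError("bad trailer magic")
    (declared,) = struct.unpack_from("<l", image, len(HEADER))
    payload = image[len(HEADER) + 4 : len(image) - len(TRAILER)]
    if declared != len(payload):
        raise ValueError(f"length field {declared} != payload size {len(payload)}")
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        if zf.testzip() is not None:
            raise ValueError("corrupt zip payload")
        names = zf.namelist()
        init = zf.read(INIT_SCRIPT).decode() if INIT_SCRIPT in names else ""
    return {"zip_size": declared, "files": names, "starts_telnetd": starts_telnetd(init)}


def build_sample_image(init_script: str) -> bytes:
    """Constructed stand-in for 'zip -r system.zip system': a tiny archive
    holding only the init script and one placeholder file (not real firmware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(INIT_SCRIPT, init_script)
        zf.writestr("system/system/bin/placeholder", b"")
    return pack_system_image(buf.getvalue())


# Constructed init script mirroring the modification described in the post
SAMPLE_INIT = "#telnetd\n/system/system/bin/daemon.v5.7 &\nsleep 30\ntelnetd\n"

if __name__ == "__main__":
    print(parse_system_image(build_sample_image(SAMPLE_INIT)))
```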

To enable telnetd, I modified /system/init/ipcam.sh this way:

#telnetd
/system/system/bin/daemon.v5.7 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &
sleep 30
telnetd

So I moved telnetd near the end of the startup script, after a little delay. Indeed, when I lost telnet access, I tried to connect to port 23 in a loop and found that I could connect for a few seconds before the connection was closed. After a few greps in the binaries, I found that the 'encoder' process was responsible for a 'killall telnetd'. In the same binary you will find the string 'telnetd &', so there must be another backdoor to enable telnetd. A little RE is needed here. Anyway, the sleep 30 workaround is sufficient.

You can find the modified firmware with telnet access here.

Security vulnerability: remote access, UPNP cannot be disabled

I could not disable the UPNP client on the Wanscam, so if your router/ADSL modem is UPNP compatible, it will open port 99 to your webcam. I hope that you changed the default Wanscam password, or anybody will be able to spy on you... yes, that's one of many little surprises found in numerous cheap webcams...

The only way to be safe is to disable UPNP on your modem/router.

Security vulnerability: authentication

Digest authentication is enabled, but the login and password are passed in clear on every URL, nullifying the benefits of digest auth.

For example the following requests are done:

GET http://ip:99/set_alias.cgi?alias=IPCAM&next_url=alias.htm&loginuse=admin&loginpas=xxx

Security vulnerability: Stored XSS + CSRF

I found a stored XSS with the set_alias.cgi function. Since there is no CSRF protection on this webcam, somebody could force a victim to store an XSS on the webcam, and take control of the victim's web browser.

http://ip:99/set_alias.cgi?alias=%22;alert(1);var%20a=%22&next_url=alias.htm&loginuse=admin&loginpas=xxx

Because of the CSRF vulnerability, a firmware upgrade could also be started by a hacker. The hacker's firmware could implement more backdoors, since the firmware file format is not signed and easy to RE. Anyway, if the webcam telnet port is open on the Internet, then your network is already fully compromised :-)
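
The three problems above (credentials in query strings, script-like alias values sent to set_alias.cgi, and the camera reachable from outside through the UPnP-opened port) all leave traces in a proxy or router access log. As an added example that is not part of the original post, here is a small scanner over constructed log lines; the log layout, the LAN range and the addresses are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (timestamp, client address, method, URL, status);
# not real traffic. 192.168.1.50:99 stands for the camera's web interface and
# 198.51.100.7 for a client outside the LAN.
SAMPLE_LOG = """\
2015-07-07T20:10:01 192.168.1.10 GET http://192.168.1.50:99/get_status.cgi 200
2015-07-07T20:10:05 192.168.1.10 GET http://192.168.1.50:99/set_alias.cgi?alias=IPCAM&next_url=alias.htm&loginuse=admin&loginpas=xxx 200
2015-07-07T20:11:42 198.51.100.7 GET http://192.168.1.50:99/set_alias.cgi?alias=%22;alert(1);var%20a=%22&next_url=alias.htm&loginuse=admin&loginpas=xxx 200
2015-07-07T20:12:00 192.168.1.10 GET http://192.168.1.50:99/videostream.cgi 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
# Characters and tokens that have no business in a camera name
SCRIPT_LIKE = re.compile(r'[<>";]|script|alert\s*\(', re.IGNORECASE)
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed local network
CAMERA_PORT = 99


def analyze_line(line: str):
    """Parse one log line; return None if it is not a request to the camera port."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    if url.port != CAMERA_PORT:
        return None
    qs = parse_qs(url.query)  # percent-decodes the values
    findings = []
    if ipaddress.ip_address(m["src"]) not in LAN:
        findings.append("external-source")         # reached through the UPnP-opened port
    if "loginuse" in qs or "loginpas" in qs:
        findings.append("credentials-in-query")    # password travels in the URL and lands in logs
    if url.path.endswith("/set_alias.cgi"):
        alias = qs.get("alias", [""])[0]
        if SCRIPT_LIKE.search(alias):
            findings.append("script-like-alias")   # stored XSS attempt via the alias field
    return {"ts": m["ts"], "src": m["src"], "path": url.path, "findings": findings}


def scan_log(text: str) -> list:
    """One record per parsed camera request, flagged or not."""
    return [r for r in (analyze_line(l) for l in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        if rec["findings"]:
            print(rec["ts"], rec["src"], rec["path"], ", ".join(rec["findings"]))
```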

Cheap Hash cracking in the cloud

Posted: Friday October 10 2014 @ 11:04am  in Category: Software

As a penetration tester, you sometimes need to check the password strength of a few hashes you gathered. Why not use AWS to test your hashes instead of buying expensive hardware?

So, here's my recipe; it's very simple to set up. Follow one of the 'getting started' tutorials available for Amazon Web Services to get your SSH keys and set up firewall rules, then run the following script to start a nice g2.2xlarge GPU instance:

#!/bin/bash -x

# aws-marketplace/amzn-ami-graphics-hvm-2013.09.1.x86_64-ebs
AMI=ami-1b597c72

# Start one GPU instance and poll until it is reported as running
ec2-run-instances $AMI -z us-east-1d -k yoursshkey -g yourfwrules -t g2.2xlarge > instances
sleep 10
while true; do
    ec2-describe-instances > instances
    grep running instances && break
    sleep 5
done
# Instance id (field 2) and public hostname (field 4) of the first running instance
INST=`cat instances | grep running | sed -n 1p | cut -f 2`
IP=`cat instances | grep running | sed -n 1p | cut -f 4`

# Install p7zip on the instance and unpack cudaHashcat there
ssh -i yoursshkey.pem ec2-user@$IP "cd /tmp
wget http://rpmfind.net/linux/epel/6/x86_64/p7zip-9.20.1-2.el6.x86_64.rpm
wget http://hashcat.net/files/cudaHashcat-1.31.7z
sudo rpm -ivh p7zip*.rpm
7za x cudaHashcat-1.31.7z
ls
"

Now your virtual server is ready for oclHashcating :-) just run a few commands like this:

ssh -i yoursshkey.pem ec2-user@$IP "cd /tmp/XXXXX
./cudaHashcat-plus64.bin -a 3  20794edc2e5c77a6775f74a5d731fdb5"

What performance do you get for $0.65/hour? About 1.4 GH/s for MD5 and 2 GH/s for NTLM. Enough to brute force most 8-character passwords in less than one hour.

Session.Name...: cudaHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2?2?3) [8]
Hash.Target....: 20794edc2e5c77a6775f74a5d731fdb5
Hash.Type......: MD5
Time.Started...: Thu Nov 28 19:58:53 2013 (5 secs)
Time.Estimated.: Thu Nov 28 21:06:09 2013 (1 hour, 5 mins)
Speed.GPU.#1...:  1465.6 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 8053063680/5533380698112 (0.15%)
Rejected.......: 0/8053063680 (0.00%)
HWMon.GPU.#1...: 99% Util, 78c Temp, -1% Fan

...
...

Session.Name...: cudaHashcat-plus
Status.........: Running
Input.Mode.....: Mask (?1?2?2?2?2?2?2) [7]
Hash.Target....: b4b9b02e6f09a9bd760f388b67351e2c
Hash.Type......: NTLM
Time.Started...: Thu Nov 28 20:21:21 2013 (5 secs)
Time.Estimated.: Thu Nov 28 20:22:32 2013 (1 min, 2 secs)
Speed.GPU.#1...:  2039.2 MH/s
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.......: 11408506880/134960504832 (8.45%)
Rejected.......: 0/11408506880 (0.00%)
HWMon.GPU.#1...: 99% Util, 66c Temp, -1% Fan
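
The Progress and Time.Estimated lines above follow directly from the mask and the measured speed. As an added example that is not part of the original post, here is the keyspace arithmetic, useful on the defending side to size a password policy against a known cracking rate. It assumes the runs used cudaHashcat's default mask charsets for -a 3 (?1=?l?d?u, ?2=?l?d, ?3=?l?d*!$@_, from hashcat's documentation, not from the post); those definitions reproduce the two Progress totals exactly.

```python
import re

# Sizes of hashcat's built-in charsets (?l ?u ?d ?s ?a)
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def custom_charset_size(definition: str) -> int:
    """Size of a custom charset such as '?l?d*!$@_': built-in classes plus
    literal characters (assumes the literals do not overlap the classes)."""
    size, i = 0, 0
    while i < len(definition):
        if definition[i] == "?" and i + 1 < len(definition) and definition[i + 1] in BUILTIN:
            size += BUILTIN[definition[i + 1]]
            i += 2
        else:
            size += 1
            i += 1
    return size


# Default custom charsets applied when -a 3 is run without an explicit mask,
# which is what the post does (assumption taken from hashcat's docs)
DEFAULT_CUSTOM = {
    "1": custom_charset_size("?l?d?u"),     # 62
    "2": custom_charset_size("?l?d"),       # 36
    "3": custom_charset_size("?l?d*!$@_"),  # 41
}


def mask_keyspace(mask: str, custom=DEFAULT_CUSTOM) -> int:
    """Number of candidates described by a mask like '?1?2?2?2?2?2?2?3'."""
    total = 1
    for tok in re.findall(r"\?(.)", mask):
        total *= custom[tok] if tok in custom else BUILTIN[tok]
    return total


def seconds_to_exhaust(mask: str, rate_mhps: float) -> float:
    """Worst-case time to try every candidate at the given speed (MH/s)."""
    return mask_keyspace(mask) / (rate_mhps * 1e6)


def min_length_for_budget(rate_mhps: float, budget_seconds: float, charset: int = 95) -> int:
    """Smallest password length whose full keyspace (default: the 95
    printable ASCII characters, ?a) outlasts a cracking budget at this speed."""
    n = 1
    while charset ** n / (rate_mhps * 1e6) <= budget_seconds:
        n += 1
    return n


if __name__ == "__main__":
    for mask, rate, algo in [("?1?2?2?2?2?2?2?3", 1465.6, "MD5"),
                             ("?1?2?2?2?2?2?2", 2039.2, "NTLM")]:
        print(f"{algo}: {mask_keyspace(mask):,} candidates, "
              f"{seconds_to_exhaust(mask, rate) / 60:.1f} min at {rate} MH/s")
    print("?a length needed to outlast a year at the MD5 rate:",
          min_length_for_budget(1465.6, 365 * 86400))
```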

oclHashcat-lite should be even faster, but I had problems running it on AWS; and of course you can easily write a script to start a distributed hash brute force on multiple AWS instances.

Have fun!

OVH hosting and Facebook apps

Posted: Thursday June 07 2012 @ 1:18pm  in Category: Software

You have cheap hosting at OVH, and you'd like to create apps or page tabs on Facebook? The main issue is that Facebook requires that your app be available on an HTTPS website, with a valid SSL certificate... Fortunately, there's a solution even if your app is on OVH!

First, follow the basic setup part in this excellent Hyperarts tutorial.

Then, the trick is in the "Page Tabs" settings. The "Page Tab URL" could be, as shown in the tutorial, "http://www.mydomain.com/facebook/mytestapp/", but if you simply add 'https' for the "Secure Page Tab URL", it won't work because the SSL certificate is not valid.

So, you have to use this URL instead: https://sslXX.ovh.net/~myovhuserid/facebook/mytestapp/ , where:

  • 'sslXX' is your OVH SSL server name and number, you can find it in your 'OVH Manager'
  • 'myovhuserid' is the same as your FTP upload account name.

Then follow the rest of the tutorial. Of course, to add the tab to your page, use the right URL:

https://www.facebook.com/dialog/pagetab?app_id=YOUR_APP_ID&
next=https://sslXX.ovh.net/~myovhuserid/facebook/mytestapp/

(In fact there was a bug today on Facebook so I had to use this link instead:)

https://www.facebook.com/add.php?api_key=YOUR_APP_ID&pages=1

You're now ready to enjoy making 'reveal tabs' on your FB page with simple PHP code like this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<link rel="stylesheet" type="text/css" href="style.css" />
<style type="text/css">
 body {
 width:520px;
 margin:0; padding:0; border:0;
}
</style>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<div id="container">
<?php
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = base64_decode(strtr($payload, '-_', '+/'));
# Yes I could have used json_decode instead of a preg_match !
# Note: $encoded_sig is never checked against the app secret here,
# so the payload is trusted as-is.
if (preg_match("/liked.?:true/", $data)) {
    print "You like my page, good!";
} else {
    print "Please click on the like button above, to unlock special content!";
}
?>
</div>
</body>
</html>
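
The snippet above decodes the payload but never checks the signature, so any client can POST a payload that claims liked:true. As an added example that is not part of the original post, here is the same check with the HMAC-SHA256 verification Facebook documents for signed_request (signature over the base64url payload, keyed with the app secret). The app secret and the request payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed app secret for the demo; a real one comes from the app's settings page
APP_SECRET = "constructed-demo-secret"


def b64url_decode(s: str) -> bytes:
    """The platform sends base64url without '=' padding; restore it first."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Decode a signed_request and reject it unless the HMAC-SHA256 over the
    payload part, keyed with the app secret, matches the signature part."""
    if "." not in signed_request:
        raise ValueError("malformed signed_request")
    encoded_sig, payload = signed_request.split(".", 1)
    data = json.loads(b64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(encoded_sig), expected):
        raise ValueError("signature does not match")
    return data


def page_liked(signed_request: str, app_secret: str = APP_SECRET) -> bool:
    """The check the PHP snippet does with a regex, but only after verification."""
    data = parse_signed_request(signed_request, app_secret)
    return bool(data.get("page", {}).get("liked", False))


def make_signed_request(data: dict, app_secret: str) -> str:
    """Build a signed_request the way the platform would. Used here only to
    produce test inputs; a client forging a payload does not hold the secret."""
    payload = b64url_encode(json.dumps(data).encode())
    sig = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + payload


if __name__ == "__main__":
    claim = {"algorithm": "HMAC-SHA256", "page": {"liked": True}}
    print("genuine:", page_liked(make_signed_request(claim, APP_SECRET)))
    try:
        page_liked(make_signed_request(claim, "some-other-secret"))
    except ValueError as err:
        print("forged request rejected:", err)
```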

Have Fun!

Gandi Hosting vs Amazon EC2 computing power (updated)

Posted: Monday November 01 2010 @ 2:00pm  in Category: Hardware

I'm currently playing with Amazon Web Services and EC2, Amazon's highly flexible VPS hosting service. Gandi Hosting provides a similar Xen-based hosting service, and the other day I saw that they benchmarked their basic "one share" server with Unixbench and got a score of 40.

I was curious to see the score I could get with a small Amazon EC2 server, so I quickly started an instance and ran the same Unixbench release. The score I got for a small EC2 instance was 34.5:

BYTE UNIX Benchmarks (Version 4.1-wht.2)
System -- Linux ip- 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:39:36 EST 2008 i686 GNU/Linux
/dev/sda1             10321208    578372   9218548   6% /

                     INDEX VALUES            
TEST                                        BASELINE     RESULT      INDEX

Dhrystone 2 using register variables        376783.7  2016468.0       53.5
Double-Precision Whetstone                      83.1     1267.8      152.6
Execl Throughput                               188.3      835.7       44.4
File Copy 1024 bufsize 2000 maxblocks         2672.0    11164.0       41.8
File Copy 256 bufsize 500 maxblocks           1077.0     3059.0       28.4
File Read 4096 bufsize 8000 maxblocks        15382.0    74927.0       48.7
Pipe-based Context Switching                 15448.6    21771.7       14.1
Pipe Throughput                             111814.6    58972.3        5.3
Process Creation                               569.3     1361.2       23.9
Shell Scripts (8 concurrent)                    44.8      171.8       38.3
System Call Overhead                        114433.5   670336.1       58.6
                                                                 =========
     FINAL SCORE                                                      34.5

So if we believe Gandi.net, basic Amazon EC2 and Gandi instances have roughly the same power. But later I found the following Gandi benchmark, which shows much lower results than Amazon's:

...
     FINAL SCORE                                                      20.4

But I didn't want to test Gandi Hosting myself, because I would have needed to create an account and pay an initial fee of 14 Euros just to play 30 minutes with one server. With Amazon Web Services, running this benchmark cost me only $0.10! That's what I really find interesting with AWS: everything you use (CPU, storage, ...) is billed on an hourly basis, so it's very cheap for quick tests. And if tomorrow I ever want to run this benchmark on a "Medium High CPU" instance (5 times more CPU than a "small" instance), it will only cost me $0.20. But I admit that the big plus for Gandi Hosting is that bandwidth is free, whereas you'll be billed up to $0.17 for each GB transferred on AWS.

Update !

I asked a friend to run the benchmark on his Gandi VM and here are his results:

==============================================================
BYTE UNIX Benchmarks (Version 4.1-wht.2)
System -- Linux 2.6.18-xenU #4 SMP Mon Sep 22 17:59:36 CEST 2008 i686 GNU/Linux
/dev/xvda1             2466700   1212380   1129016  52% /

Start Benchmark Run: mardi 9 mars 2010, 19:59:57 (UTC+0100)
 19:59:57 up 201 days, 18:57,  2 users,  load average: 1.17, 0.31, 0.10

End Benchmark Run: mardi 9 mars 2010, 20:16:47 (UTC+0100)
 20:16:47 up 201 days, 19:14,  2 users,  load average: 17.42, 7.55, 3.83


                     INDEX VALUES            
TEST                                        BASELINE     RESULT      INDEX

Dhrystone 2 using register variables        376783.7   920333.0       24.4
Double-Precision Whetstone                      83.1     1240.4      149.3
Execl Throughput                               188.3      536.1       28.5
File Copy 1024 bufsize 2000 maxblocks         2672.0    20431.0       76.5
File Copy 256 bufsize 500 maxblocks           1077.0     7771.0       72.2
File Read 4096 bufsize 8000 maxblocks        15382.0    79094.0       51.4
Pipe-based Context Switching                 15448.6    29433.3       19.1
Pipe Throughput                             111814.6   210581.0       18.8
Process Creation                               569.3      869.3       15.3
Shell Scripts (8 concurrent)                    44.8       62.9       14.0
System Call Overhead                        114433.5   355747.7       31.1
                                                                 =========
     FINAL SCORE                                                      34.0

We see that Gandi VM performance is:

  • 50% lower for CPU integer, process creation, shell scripts and system calls
  • the same for FPU performance
  • higher for disk related operations
  • much higher for pipe throughput (caused by a different kernel?)

So it's hard to see a clear winner here, and you should try with your own application to determine which one is better. Running an Apache or database benchmark would be interesting!

www.aopensource.com

Posted: Tuesday May 25 2010 @ 5:40pm  in Category: Software

Ten years after palmopensource.com, the directory of open source applications for WebOS/PalmOS, I decided to start AOpenSource.com, which is a directory of open source apps for Android and Android programming links.

Contrary to PalmOpenSource, AOpenSource will be more up-to-date, because most links will be automatically updated from the Android Market using their package name. And what's nice with aopensource.com is that you don't need to be on the Android Market to be listed (contrary to most other Android app sites).

If you developed open source software for Android, feel free to submit your link to the aopensource.com database!

Android NBench: PC power in your pocket

Posted: Sunday April 18 2010 @ 10:55am  in Category: Hardware

When I get a new Linux device in my hands, I love running NBench to see the raw CPU power. So I ported NBench to Android, and you can find it in the Android Market.

The benchmark was designed to expose the capabilities of a system's CPU, FPU, memory system, and C compiler performance. The results can be published and seen on this web site: http://www.tux.org/~mayer/linux/bmark.html

Now that we have a benchmark that runs on smartphones and PCs, we can make some interesting comparisons, and soon, a few results on Android phones were reported.

You'll see on the graph below that newer devices based on the new ARM Cortex-A8 architecture (Droid and Nexus One) are getting really powerful. The Nexus One overclocked to 1.11 GHz can be compared to a Pentium III at 1 GHz. The floating point performance is still low, but I don't think that Android takes advantage of the newer FP SIMD units available on the Snapdragon or the TI OMAP.

(Graph: Android vs PC NBench comparison)

New Android Page and DextRootFR mod

Posted: Monday March 15 2010 @ 8:38pm  in Category: Software

I've just set up a new page about some Android experiments:

http://www.drolez.com/software/android/

One of my first contributions to the Android community is a new rooted ROM for French Dext owners: DextRootFR. I saw the Motoblur 1.3.20 update coming, but none of the usual modders released a rooted version, so I released my own! I'm building a framework to easily follow official updates, and all the modified source code will be available on Sourceforge, to comply with the GPL and other licenses.

Enjoy !

WebOS and the vitality of Android

Posted: Friday March 05 2010 @ 9:39pm  in Category: Software

This post is a follow-up to WebOS and the death of Android !

There's no contradiction, and I still think that WebOS is the best designed OS for smartphones: their JavaScript/HTML framework is amazing, and native development on WebOS is perfect with their support of libSDL and SDL/OpenGL. Incredible 3D games are being ported to WebOS.

But Palm marketing is lame (it has always been in the past 20 years), and nobody wants to buy a WebOS device. Their market share is ridiculous.

So...I just bought a Motorola Cliq/Dext running Android to replace my old Zaurus :-) There are now thousands of high quality apps on Android, and I bet that the iPhone will have a hard time soon (the lawsuit they brought is a sign of this !!!).

WebOS and the death of Android

Posted: Friday October 09 2009 @ 10:21pm  in Category: Software

The battle of Linux based smartphones has begun, and I bet that WebOS, used for the new Palm Pre, will kill Android based phones.

Why? Because Android is not as open as it seems: it's based on Linux, but it has nothing to do with Linux. Apps cannot be ported easily to the Dalvik VM ( http://en.wikipedia.org/wiki/Dalvik_virtual_machine ).

WebOS applications are written in JavaScript/CSS/HTML, and lots of people know JavaScript! Moreover, all standard WebOS applications (Contacts, Calendar, etc.) are also written in JavaScript, so people began to customize them easily. Do you know many people who started to customize their KDE or Gnome desktop when they installed their first Linux distribution? No. The entry fee is too high. Just take a look at the unofficial Pre dev forums to see how excited people are about WebOS: http://forums.precentral.net/web-os-development/

WebOS is open source for the masses, and that's the first time I see such a revolution happening in the FOSS world.

Palm WebOS rootfs now available !

Posted: Tuesday June 30 2009 @ 10:56am  in Category: Software

As the webmaster of http://www.palmopensource.com , I try to find more details about the new Palm(tm) Linux-based OS, WebOS. Right now the WebOS SDK is not available to everybody (it should be in a few weeks), but something interesting has happened: the Palm Pre root filesystem can be downloaded here: http://palm.cdnetworks.net/rom/pre_p100eww/webosdoctorp100ewwsprint.jar

An interesting thread about that has started here: http://forums.precentral.net/web-os-development/184378-ok-rom-comes.html

Now I think it's a matter of days before this rootfs can be booted with QEmu and free/open apps start to be written for WebOS !

NEWS: And now the Mojo SDK has leaked also ! http://forums.precentral.net/web-os-development/189062-mojo-sdk-download.html
