Hacking Linksys IP Cameras pt 1During the easter break, I was playing with my my wireless Linksys IP camera which, although I bought several months ago, I hadnt taken my time to give the attention this beauty deserves until now The model in particular is the WVC5. GCA, which I would say is one of the most affordable Wi Fi IP cameras out there about GBP 8. UK, making it a great toy to tinker with. I found the camera to be quite good functionalities wise, although Ive experienced availability problems with it. It seems the camera freezes every once in a while. Well, this is true at least when you heavily customized its configuration which is what Ive ultimately done after playing so much with it. Ive loved playing with embedded devices for a while, and as a security researcher I find it quite an interesting topic as many de facto security principles that are usually attempted to be followed when designing other types of systems are not often applied to embedded devices. This, I believe is due to lack of limitations in hardware resources, and lack of awareness on consequences of getting a miscellaneous device compromised. IP camera gets ownedDuring the next days, Ill be posting some vulnerabilities Ive found. Some of them are fun and serious, while others you might find kind of boring. Meet the target. You can learn a lot about the specs of a device by simply reading the products literature. However, sometimes not enough info is provided in these documents. The following are some of the specs I confirmed by interacting with the camera in various ways CPU Faraday FA5. OS Linux version 2. Busybox confirmed as the file binbusybox exists on the filesystemHTTPD thttpd 2. Server HTTP headersMemory 3. B 3. 2 MB according to procmeminfo. Firmware Version V1. R2. 2 and V1. 0. 0R2. April 2. 00. 9It also comes with a telnet daemon usrsbintelnetd but unfortunately for hackers out there, the daemon is disabled as the following line is commented out on etcinit. S Start Telnet Server debug. Linksys Wvc54gc Firmware Download' title='Linksys Wvc54gc Firmware Download' />WVC54GC Setup Wizard. The hardware version is located beside or beneath the model number and is labeled version, ver. V. Bei diesem Software Paket handelt es sich um eine umfangreiche und dennoch kostenlose Webcam Software fr alle 32Bit Windows Systeme. Features, wie Live Streaming. Website dedicated to Wireless LAN Security and Wardriving. Includes lots of whitepapers, presentations, tools, firmware, drivers, equipment, and resources. Il-2 Sturmovik: Battle Of Stalingrad Torrent. Get support for Linksys WirelessG Internet Home Monitoring Camera. I have not yet managed to get a remote root shell by enabling the telnet daemon but have found some vulnerabilities which might help accomplishing this goal. I will be releasing these vulnerabilities in the next days. Please let me know if you know how to enable the telnet daemon on Linksys IP cameras Ideally, Id like to accomplish this without physically connecting to the camera or flashing the firmware. Remote admin compromise by unauthenticated attackers due to wizard design error. I found this vulnerability while investigating CVE 2. I wanted to know if CVE 2. During the easter break, I was playing with my my wireless Linksys IP camera which, although I bought several months ago, I hadnt taken my time to give the attention. Linksys IP camera firmware and model. The CVE entry states The Cisco Linksys WVC5. GC wireless video camera before firmware 1. Setup Wizard remote management command, which allows remote attackers to obtain sensitive information such as passwords by sniffing the network. So I started trying to figure out if the WVC5. GCA also discloses sensitive information when communicating with the wizard. According to the vendor, the issue has been fixed Solution 2. To decode the data, an administrator usernamepassword is a MUST. At first sight, when capturing the traffic between the wizard and the cam, I couldnt see the data traveling in human readable form. While trying to figure out how the data is sent over the network i. I realized there was something seriously wrong with the handshake mechanism. The following is a very generic and possibly inaccurate description of the handshake. Wizard Setup. Wizard. UDP request to 2. Camera responds back to 2. DCERPC protocol and presents itself with identity info such as the value of the defname variable which looks like LKXXXXXX, where X is a hex digit. This identity info is picked up by Setup. Wizard. exe. Some of this info such as MAC address, IP address and subnet mask is shown in the wizard. From now on, Setup. Wizard. exe uses the cameras defname variable when talking to it, so that the camera knows what requests submitted to 2. At this point the wizard has discovered the camera and the user can go through the setup procedure. For security reasons, the user needs to enter the admin username and password, before the setup process can start. Otherwise anyone could make changes to the camera without authenticating. Now, here is the important bit. If you capture the network traffic while running Setup. Wizard. exe, youll notice that when the user is asked to enter the admin username and password after the camera is discovered, there are NO requests sent from the wizard to the camera in order to verify that the entered usernamepassword combination is correctHow is this possible What the heck is going on I thought. I was terrified to confirm my worst fear the wizard already knows the cameras admin username and password at this point, thus there is no need to ask the camera again. Indeed, at this point before the user enters the admin username and password that is the cameras credentials are already loaded into the memory of the Setup. Wizard. exe process. This is because the camera has previously transfered the admin credentials along with other configuration data In case I didnt explain myself properly Ill summarize the issue by saying that the camera transfers the admin username and password to the wizard before the user enters them. The following steps demonstrate how an unauthenticated attacker can remotely obtain the cameras admin username and password Download the setup wizard. You might need to download a different wizard if you want to test this vulnerability on a different Linksys IP camera model. Run Setup. Wizard. Click on Click Here to Start Setup Camera Next after accepting EULA Next 4 more times in totalThe discovery process is quite flaky, so if the wizard hasnt found your camera yet, click on Search Again as many times as required until it works. You should now see your cameras name under the Camera List column and also various configuration data under the Status column You now need to dump the process memory of Setup. Wizard. exe using your favorite tool Then open the memory dump file using your favorite hex editor. Now you can either search for admin and find the admin password after a few null bytes, or tell your hex editor to go to decimal position 7. Address Goto. XVI3. In my case the admin password would always fall within this position Have fun It is somehow ironic that a free tool provided by the vendor of a product can be used as a hacker tool against their own product. As far as I know, this vulnerability cannot be exploited over the Internet, since the camera only responds to wizards located in the same LAN. Never say never though, so if you find a way to exploit this vulnerability over the Internet, please contact us. UPDATE CPU and additional OS info added. Comments Powered By. Linksys Official Support. WVC5. 4GC Downloads. Belkin International, Inc., including all affiliates and subsidiaries Belkin, us or we thanks you for choosing one of our Belkin, Linksys or We. Mo products the Product. This End User License Agreement this Agreement is a legal document that contains the terms and conditions under which limited use of certain Software as defined below that operates with the Product is licensed to you. PLEASE READ THIS AGREEMENT CAREFULLY BEFORE INSTALLING OR USING THIS PRODUCT. BY CHECKING THE BOX OR CLICKING THE BUTTON TO CONFIRM YOUR ACCEPTANCE WHEN YOU FIRST INSTALL THE SOFTWARE, YOU ARE AGREEING TO ALL THE TERMS OF THIS AGREEMENT. ALSO, BY USING, COPYING OR INSTALLING THE SOFTWARE, YOU ARE AGREEING TO ALL THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THESE TERMS, DO NOT CHECK THE BOX OR CLICK THE BUTTON ANDOR DO NOT USE, COPY OR INSTALL THE SOFTWARE, AND UNINSTALL THE SOFTWARE FROM ALL DEVICES THAT YOU OWN OR CONTROL. IF YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND YOU PURCHASED A PRODUCT CONTAINING THE SOFTWARE FROM AN AUTHORIZED RETAILER, RESELLER OR APP STORE AS DEFINED BELOW, YOU MAY BE ELIGIBLE TO RETURN THE PRODUCT FOR A REFUND, SUBJECT TO THE TERMS AND CONDITIONS OF THE APPLICABLE RETURN POLICY. This product is Software licensed to you by Belkin and, where applicable, by Belkins suppliers. Software means any and all firmware programs and associated files provided with respect to the Product any and all software programs, applications or apps and associated files provided with respect to the Product all modified versions of and upgrades or improvements to such programs such as those provided via web based updates, all subsequent versions of such programs, and all copies of such programs and files. Software does not include any Open Source Software as defined below. By you, we mean the purchaser, recipient or other end user of the Product containing the Software or the purchaser, recipient or other end user of the Software on a standalone basis. You may also mean a person who has downloaded the Software from an authorized website, such as http www. Apples App Store or Google Play each such application market or store is referred to in this Agreement as an App Store and collectively as App Stores. LICENSE GRANT. Belkin hereby grants you the right to use i where your Product is not a Small Medium Business or SMB branded Product, for your personal, non commercial purposes or ii where your Product is a Small Medium Business or SMB Product, for your personal or commercial use copies of the Software in object code form on devices that you own or, in the case of firmware, one copy of the firmware in object code form solely on the Product relating to the firmware. As part of this license, you may A operate the Software in the manner described in the user documentation for the Software B where the Software is provided for download onto a personal computer or mobile device, make as many copies of the Software as you reasonably need for your own use this does not include firmware and C permanently transfer all of your rights to use the Product including but not limited to the Software to another person, so long as that person also agrees to be bound by this Agreement, and following such transfer you stop using the Product and the Software. You can find the user documentation for the Software on the Support page of the applicable Belkin website. LICENSE RESTRICTIONS. The Software is licensed, not sold, to you. You only have the non exclusive right to use the Software in accordance with this Agreement. You may not i modify, adapt or otherwise create derivative works from the Software, the Product containing the Software or user documentation except as may be permitted by an applicable open source license without receiving prior written consent from Belkin to make any such modifications ii lease, sublicense, resell, rent, loan, redistribute, or otherwise transfer except as expressly permitted above, whether for commercial purposes or otherwise, the Software or user documentation iii reverse engineer, disassemble, decrypt or decompile the Product or the Software or otherwise try to reduce the Software to a human readable form, except where and only to the extent that such activity is permitted by applicable law or where Belkin is required to permit such activity under the terms of an applicable open source license iv remove or alter any copyright, trademark or other proprietary notices contained in the Software or user documentation v use the Product, Software or user documentation to develop a competing hardware andor software product, or otherwise in any manner not set forth in this Agreement or the user documentation vi if the Software is firmware, copy the firmware other than one backup copy for archival purposes only, use it on a multi user system or operate it separately from the Product onto which it is embedded vii use the Software to transmit software viruses or other harmful computer code, files or programs, or to circumvent, disable or otherwise interfere with security related features of the Software viii use the Software to collect or harvest any third partys personally identifiable information, to send unauthorized commercial communications or to invade the privacy rights of any third party or ix use the Software for any unlawful purpose, andor in any manner that breaches this Agreement. All rights not expressly granted to you by Belkin under this Agreement are hereby reserved by Belkin. You will not acquire such rights, whether through estoppel, implication, or otherwise. APP SOFTWARE RESTRICTIONS. If you have downloaded the Software from an App Store, you are also subject to any terms of use of that App Store. Such terms of use may prohibit you from doing some of the things you are permitted to do under this Agreement, or permit you to do some of the things you are prohibited from doing under this Agreement. In addition, application of the App Stores terms of use may result in other terms of this Agreement not being applicable to the Software or applying in a different way than this Agreement states. If your use of the Software is subject to an App Stores terms of use, then in the event of any conflict or ambiguity between the terms of this Agreement and such App Stores terms of use, the App Stores terms of use will govern, but only to the extent necessary to resolve such conflict or ambiguity, and the terms of this Agreement will otherwise remain in full force and effect. Notwithstanding anything to the contrary in this Agreement, by using the Software, you acknowledge and agree that it is solely your responsibility to understand the terms of this Agreement, as well as the terms of use of any App Store that may be relevant to the Software or the Product. UPGRADES AND UPDATES. While Belkin is not required to do so, Belkin may provide you with upgrades or updates to this Software. This Agreement will govern any upgrades provided by Belkin that replace andor supplement the original firmware andor Software, unless such upgrade is accompanied by a separate end user license agreement, in which case the terms of that end user license agreement will govern. If you decide not to download and use an upgrade or update provided by Belkin, you understand that you could put the Software at risk to serious security threats or cause the Software to become unusable or unstable. Some Products include an auto update feature, which gives us the ability to make updates automatically. You can change auto update options by changing your settings within the Product account information. In very limited cases, updates may still be automatically applied, regardless of the auto update setting. For example, we may provide an automatic update that fixes a security breach or vulnerability to your network.