Fun with the Vstarcam IP camera

LMAX Exchange

Recently, I got myself a VStarCam IP camera, model H6837WI, relatively cheap for what you get – an H264-capable, wireless/wired IP camera with two-way audio, SD card recording and a few other nice features.

The software provided with the camera is Windows only, which is a system I don’t use very often at home 😉 …so I started by exploring the camera’s web interface, which by default runs on port 81. It turned out that the QuickTime plugin didn’t seem to work in any browser, and other than getting the direct H264 stream, this was the only way to get a live video feed without the proprietary software.

Nothing about getting the H264 stream directly in the docs. Duh. 🙁

A bit frustrated, I ran Wireshark just to get an idea of what the camera is ‘doing’ when left idle. Hmmm…DNS requests to user.gocam.so? Looks like part of the default DDNS settings, which according to the documentation let you use the vstarcam-provided service to access your IP camera remotely via an external server…Call me paranoid, but that’s definitely not something I would be happy with! By the way, URLs found by Google pointing to the vstarcam forum redirect to piopo.25u.com, which is rather suspicious (did someone forget to update their server software? oops). According to VirusTotal, Sophos flags this domain as malicious, although it doesn’t currently resolve to any IP… None of this made me any more comfortable about using the default (or any) DDNS service and the security of it… Made a mental note to disable the DDNS and verify later on that the camera is not doing anything silly.
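Checking “what the camera is doing” can be turned into a repeatable test rather than a one-off look in Wireshark. The script below is an added example, not code from the post: it parses tcpdump-style DNS query lines (the sample lines are constructed, not a real capture, and the resolved address 203.0.113.10 is a documentation placeholder), keeps only the queries made by the camera’s IP and reports every name that is not on a small allow-list. The allow-list contents (here just ntp.org) are an assumption; for a camera it should be short enough that a DDNS rendezvous host such as user.gocam.so stands out immediately.

```python
import re

# Constructed sample of tcpdump-style DNS log lines (not a real capture from
# the camera): the camera at 192.168.1.126 resolves the vendor DDNS host and
# an NTP pool, a PC at 192.168.1.20 resolves something else, and one line is
# a reply rather than a query.
SAMPLE_DNS_LOG = """\
16:36:01.123456 IP 192.168.1.126.40123 > 192.168.1.1.53: 12345+ A? user.gocam.so. (30)
16:36:01.130000 IP 192.168.1.1.53 > 192.168.1.126.40123: 12345 1/0/0 A 203.0.113.10 (46)
16:36:05.000000 IP 192.168.1.126.40124 > 192.168.1.1.53: 12346+ A? pool.ntp.org. (30)
16:36:10.000000 IP 192.168.1.20.50000 > 192.168.1.1.53: 22222+ A? example.com. (29)
"""

# Matches DNS *queries* only (the "A? name." form); replies carry no "?" and
# therefore never match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<id>\d+)\+? "
    r"(?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \(\d+\)$"
)


def dns_queries(log_text):
    """Parse tcpdump DNS query lines into dicts; anything else is ignored."""
    queries = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m and m.group("dport") == "53":
            queries.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "qtype": m.group("qtype"),
                "name": m.group("name").lower(),
            })
    return queries


def _allowed(name, allowed_suffixes):
    # Exact match or a subdomain of an allowed suffix.
    return any(name == s or name.endswith("." + s) for s in allowed_suffixes)


def unexpected_queries(log_text, device_ip, allowed_suffixes):
    """Names a given device looked up that fall outside its allow-list.

    For an IP camera the allow-list should be tiny (NTP, maybe a vendor
    update host); anything else, such as a DDNS host, deserves a look.
    """
    return [
        (q["ts"], q["qtype"], q["name"])
        for q in dns_queries(log_text)
        if q["src"] == device_ip and not _allowed(q["name"], allowed_suffixes)
    ]


if __name__ == "__main__":
    for ts, qtype, name in unexpected_queries(SAMPLE_DNS_LOG, "192.168.1.126", ("ntp.org",)):
        print(f"{ts} 192.168.1.126 queried {qtype} {name} (not on allow-list)")
```

Run it against the output of something like `tcpdump -n -l port 53` captured on the router or a mirror port; once the DDNS option is disabled, the same script run again is the verification that the queries really stopped.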

Right, all of this was a bit disappointing…but apart from traffic sniffing, there’s one more thing you need to do with every device you connect to your network – port scan it, of course! ;] So here we go, in the simplest way…

# nmap 192.168.1.126

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-16 16:36 BST
Nmap scan report for 192.168.1.126
Host is up (0.029s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
81/tcp open hosts2-ns
554/tcp open rtsp
MAC Address: 00:E0:4C:AA:BB:CC (Realtek Semiconductor)

Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds

Telnet! Getting interesting…Ok, the web UI default credentials are…’admin’ and no password ;] Let’s see…

$ telnet 192.168.1.126
Trying 192.168.1.126...
Connected to 192.168.1.126.
Escape character is '^]'.
(none) login: admin
Password:
Login incorrect

Nah! How about root?

(none) login: root
warning: cannot change to home directory
/ #

Voila! Got shell and it’s password free! ;] Let’s do some exploring here…

/ # id
uid=0(root) gid=0(root)
/ # free
total used free shared buffers
Mem: 17344 15720 1624 0 2724
Swap: 0 0 0
Total: 17344 15720 1624
/ # uname -a
Linux (none) 2.6.24ssl #197 PREEMPT Thu Sep 22 14:07:30 CST 2011 armv5tejl unknown

Not the most recent kernel, I’d say… 😉 running on ARMv5 (not MIPS?)

/ # cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 119.60
Features : swp half fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 5
Cache type : write-back
Cache clean : cp15 c7 ops
Cache lockdown : format C
Cache format : Harvard
I size : 8192
I assoc : 4
I line length : 32
I sets : 64
D size : 8192
D assoc : 4
D line length : 32
D sets : 64

Hardware : object h264 ipcam
Revision : 0000
Serial : 0000000000000000

Not the most capable hardware, but hey… 😉

Either way, I have to admit that being able to get a proper shell on your cheap IP camera is pretty cool 🙂 (Still, no toaster yet ;)). There’s quite a lot of interesting stuff there, for a geek of course (yes, including the /etc/shadow file, but I won’t spoil the fun ;)). My camera even came with a snapshot picture taken in what looks like a warehouse…
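A root login that never asks for a password is exactly what an empty password field in /etc/shadow produces, so the first thing to check on any such box is which accounts have one. The script below is an added example, not code from the post or from the camera: it reads a constructed shadow file (the entries, including the admin hash, are placeholders of the right shape, not the camera’s real file) and classifies each account as passwordless, locked, or hashed with a particular crypt scheme, so that the weak ones (empty, DES or MD5-crypt) can be fixed with passwd before the telnet service is either firewalled off or disabled.

```python
# Constructed /etc/shadow sample (placeholder entries, not the camera's file).
# The "admin" hash is a made-up $1$ (MD5-crypt) string of the right shape.
SAMPLE_SHADOW = """\
root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
nobody:!:0:0:99999:7:::
admin:$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa:15000:0:99999:7:::
"""

# Prefix -> label for the crypt() schemes worth telling apart in an audit.
HASH_PREFIXES = {
    "$1$": "md5-crypt (weak, fast to brute force)",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
}


def classify_password_field(field):
    """Map one shadow password field to an audit category."""
    if field == "":
        return "no-password"           # login succeeds with no password at all
    if field.startswith(("!", "*")):
        return "locked"                # no password can match this entry
    for prefix, label in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return label
    if len(field) == 13 and "$" not in field:
        return "des-crypt (weak, only 8 characters significant)"
    return "unknown-scheme"


def audit_shadow(text):
    """Return {account: category} for every well-formed shadow line."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue                   # blank or malformed line
        result[fields[0]] = classify_password_field(fields[1])
    return result


def passwordless_accounts(text):
    """Accounts that can be logged into with an empty password, e.g. over telnet."""
    return sorted(name for name, cat in audit_shadow(text).items() if cat == "no-password")


if __name__ == "__main__":
    for name, category in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{name:8s} {category}")
    print("passwordless:", passwordless_accounts(SAMPLE_SHADOW))
```

On a BusyBox camera with no Python, the same check is a one-liner of awk over the real file; the point of the classification is that “locked” and “no password” both look like non-hashes at a glance but mean opposite things.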

A definite bonus is the fact that the web UI is located in /mnt/www, so you can poke around and adjust a few bits here and there 😉 You can actually grab the update file from the vendor website, which contains most of the filesystem anyway, and have a look around that way, too… 🙂

There’s also a service running on port 6801/udp and I have no idea what it’s for; netstat doesn’t reveal the associated binary name:

# netstat -tualn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:554 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.126:23 192.168.1.20:51680 ESTABLISHED
udp 0 0 0.0.0.0:6801 0.0.0.0:*
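The nmap scan earlier and this netstat listing are two views of the same device, and they disagree: the default nmap run is TCP-only, so 6801/udp only shows up from the inside. The script below is an added example, not code from the post: it parses both outputs (constructed copies of what the post shows, with the spacing collapsed the way the blog renders them), reconciles the outside view with the inside view, and reports the sockets the scan never saw together with review notes for the services it did see. The notes table is hypothetical and meant to be extended as an inventory grows.

```python
import re

# Constructed copies of the two outputs discussed in the post, trimmed to the
# relevant lines. Spacing follows what the blog shows rather than real column
# alignment, so both parsers split on whitespace instead of fixed columns.
NMAP_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-16 16:36 BST
Nmap scan report for 192.168.1.126
Host is up (0.029s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
81/tcp open hosts2-ns
554/tcp open rtsp
MAC Address: 00:E0:4C:AA:BB:CC (Realtek Semiconductor)
"""

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:554 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.126:23 192.168.1.20:51680 ESTABLISHED
udp 0 0 0.0.0.0:6801 0.0.0.0:*
"""

NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Hypothetical review notes keyed by (port, proto); extend for your own inventory.
NOTES = {
    (23, "tcp"): "telnet: cleartext logins, firewall it off or disable the service",
    (554, "tcp"): "rtsp: video stream, check that it requires credentials",
}


def nmap_open_ports(text):
    """(port, proto, service) for every line nmap reports as open."""
    found = []
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line)
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found


def netstat_listening(text):
    """(port, proto) for sockets that accept traffic, from `netstat -tualn`.

    TCP counts only in LISTEN state; a bound UDP socket has no state column,
    so every udp row is treated as listening. tcp6/udp6 fold into tcp/udp.
    """
    listening = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue                                   # header or unrelated line
        proto = parts[0][:3]
        port = int(parts[3].rsplit(":", 1)[1])         # local address "addr:port"
        state = parts[5] if len(parts) > 5 else ""
        if proto == "udp" or state == "LISTEN":
            listening.add((port, proto))
    return listening


def compare_views(nmap_text, netstat_text):
    """Reconcile the outside view (scan) with the inside view (netstat)."""
    scanned = {(p, proto) for p, proto, _ in nmap_open_ports(nmap_text)}
    listening = netstat_listening(netstat_text)
    findings = {key: NOTES[key] for key in sorted(listening) if key in NOTES}
    for key in sorted(listening - scanned):
        findings[key] = "listening on host but absent from the scan (UDP is not scanned by default)"
    return {
        "open_from_scan": scanned,
        "listening_on_host": listening,
        "unseen_by_scan": listening - scanned,
        "findings": findings,
    }


if __name__ == "__main__":
    for (port, proto), note in compare_views(NMAP_OUTPUT, NETSTAT_OUTPUT)["findings"].items():
        print(f"{port}/{proto}: {note}")
```

Anything in unseen_by_scan is a reminder to rescan with `nmap -sU` (or with `-p-` for the TCP side, since the default scan only covers the top 1000 ports) before deciding what the firewall in front of the camera should allow.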

Speaking about binaries – by the looks of things, the toolchain used for the camera is rather ancient – glibc 2.3.6 and gcc 3.4.6. One could still cross compile against that and, thanks to the ftp client provided on the camera (didn’t I say it’s hacker friendly? ;)) or using the ‘update’ method, put and run their own binaries on the camera…;] BTW, the wireless adapter is a Ralink 3070, which in theory should run aircrack-ng just fine… ;]

Another discovery – the vendor-provided Windows software communicates with the camera via the camera’s webserver and binary cgi files, using some sort of binary protocol…I was looking at the netzob tool not long ago, and maybe I’ve just found a good opportunity to play with it…Rewriting a simple client in Python would be cool, as well as remote code execution via the cgi ;). Did I mention that the IE interface uses an ActiveX component?

All in all, one must admit – the H6837WI is a hacker friendly camera! ;] I still need to get the H264 streaming to work at some point though…after all, that was the main reason why I got the camera in the first place…:)

Happy hacking! 🙂
