analysis of leakage of camera sensitive information of a domestic manufacturer

Posted by santillano at 2020-03-05

Pdf Report Download: analysis of camera sensitive information disclosure event of a domestic manufacturer English version: webcam sensitive information disclosure vulnerability analysis

Author: know Chuangyu 404 laboratory date: March 21, 2017

1. Event overview

A domestic monitoring product supplier and solution service provider has a number of surveillance cameras and related supporting equipment. On March 5, 2017, a foreign security researcher named "bashis" was included in seebug [0], a vulnerability platform owned by zhichuangyu, and released a vulnerability announcement, claiming that there was a "backdoor" vulnerability in multiple cameras of the manufacturer's technology [1]. Then on March 6, 2017, the manufacturer officially confirmed the existence of the vulnerability in the release of the vulnerability notice (security bulletin_) and released the latest firmware to fix the vulnerability.

It is known that Chuangyu 404 laboratory successfully reproduced the vulnerability through research and analysis, and determined that the vulnerability is a sensitive information disclosure vulnerability. Without any credentials, an attacker can access a link to get information disclosure such as the user name and hash password of the web management of the camera device:

Through the leaked username and hash password, the attacker can directly control and manage the camera device. Later, it was known that Chuangyu 404 laboratory passed the "zoomeye cyberspace search engine" [3] and detected the whole network on March 19. The data results on March 19 show that there are still more than 200000 camera devices on the Internet with this vulnerability, which may affect many other brand camera devices except a manufacturer's brand.

2. Scope of vulnerability

2.1 total equipment

Using the default dork (search criteria) provided by zoomeye, we can find that in the history of zoomeye's cyberspace search engine, 1744000 IP data related to cameras of a certain manufacturer are collected [4].

2.2 number of risk equipment affected by vulnerability

According to the global detection results of zoomeye cyberspace engine conducted by Chuangyu 404 security laboratory on March 19, it is found that there are still 206000 devices around the world with this information leakage vulnerability 13 days after an official upgrade announcement issued by a manufacturer on March 6. The following is the statistics and analysis of risk equipment.

2.2.1 regional distribution of risk equipment

As can be seen from the figure below, risk equipment is distributed in 178 countries around the world. Around the world, the United States, Europe, Africa and South Asia have a large number of risk equipment. In China, Beijing, Shanghai, Guangzhou, Nanjing and Harbin are the cities with the most risk equipment.

2.2.2 port distribution of risk equipment

In the actual exploration, we found that the web service of the risk camera was opened on different ports, in addition to which there were various other ports. According to statistics, there are 248 ports open on the Internet. The figure below shows the top ten ports. It can be seen from the figure below that most services are still open to port 80, but there are also many installation and operation and maintenance personnel who have modified the port to other ports, which can increase the security of the device to a certain extent.

2.2.3 brand distribution of risk equipment

For further analysis of these devices with vulnerabilities, we extracted the MD5 value verification of favicon.ico on these device servers, and found the following five groups of MD5 values and corresponding quantities:

Note: there are 496 other devices without favicon.ico file

We respectively selected five groups of MD5 targets for actual visit and web code analysis, and found that the five groups of MD5 web code are basically similar, and there are "3.0-web3.0" strings in the relevant JavaScript script code, the main difference is that the pictures of the login page in web management are different. Such as:

We have noticed that the brand camera data volume of "bd9e17c46bbc18af2a2bd718dddad0e" group is up to 197634, far more than that of the other four groups. The screenshot of the login page of these devices is as follows:

We didn't see a clear "brand" prompt, so we found the following web page through Google search [5]: is associated with a brand camera called "imaxcampro".

Based on the above analysis, we boldly speculate that five groups of camera devices of different brands of favicon.ico file md5-hash are based on the modification of a manufacturer's equipment, and the specific release is as follows [6] [7] [8] [9]:

The global distribution statistics of the most ranked brand cameras suspected to be "imaxcampro" continued:

It can be seen that these equipment are mainly distributed in overseas markets such as America, Europe, South Korea and India in Asia.

3. Detection and repair

Inspection method:

Due to the impact of the vulnerability on the release of detection tools may lead to the disclosure of vulnerability details, in addition, the vulnerability discoverer deleted the relevant vulnerability verification procedures on the day of the vulnerability announcement, so the relevant detection procedures are not provided here temporarily. For the units or organizations that need to check the safety of relevant equipment to use the above brand cameras, please contact zhichuangyu 404 laboratory.

Repair method:

On March 6, the manufacturer officially released the relevant vulnerability announcement, affected the device model and upgrade method. Please refer to [2]:

For other affected brands, we know that Chuangyu 404 laboratory is actively contacting relevant manufacturers to confirm and assist in repairing relevant vulnerabilities.

4. conclusion

In the event basis and analysis process, after the vulnerability was disclosed, a manufacturer and company immediately carried out security emergency response to confirm the vulnerability and issued relevant announcements and firmware upgrades. From the global statistical data and brand analysis after 13 days, it was noted that only 109 brands of Dahua occupied. From this point of view, it shows that the emergency response of a manufacturer and company has significant effect, and that Mingji The influence of different brands of equipment in the same product is still very large. This case also reflects the current situation of the safety of IOT and other devices: there is a wide lack of corresponding "safety" process in the cooperation process of manufacturers or brands, which has obviously become an important "defect" of IOT device safety.

5. Reference link

[0]. Seebug vulnerability platform [1]. 0-day: Dahua backdoor generation 2 and 3 [2]. Dahua security bulletin March 6, 2017 [3]. Zoomeye cyberspace search engine [4]. Zoomeye cyberspace search engine search relevant camera equipment of a manufacturer T = host & Q = app% 3A "Dahua + web + camera + server" [5]. Configuring automatic time updating for imaxcampro DVRs and NVRs[6]. CRECREDIT TECH[7]. Hi-Focus[8]. Honeywell International Inc.[9]. Worldeyecam, INC

This article was published by seebug paper. If you need to reprint it, please indicate the source. Address: