VR Model P1 - 360 degree camera


This article is one of my very old assessment for fun i did (and it is done 2017) got it by recovering hard disk and assigned CVE ID - (CVE-2020-23512).

Here my target to  test 360 degree camera which trending in the IP camera world recently, what we going test model P1 VR camera.

What is VR camera..?
In photography, an omnidirectional camera (from "Omni", meaning all) is a camera with a 360-degree field of view in the horizontal plane, or with a visual field that covers (approximately) the entire sphere. Omnidirectional cameras are important in areas where large visual field coverage is needed, such as in panoramic photography and robotics.



VR CAM P1 Proxy Eye Fisheye Camera IP 3D Vr 360 Degree Panoramic 960P Wi-Fi CCTV Camera With Sd Memory Card Slot Multi Viewing Mode

Features of this VR CAMERA:
  
Brand VR CAM
Model P1
Product Dimension 15 x 15 x 5 cm
Resolution 960p
Android/iOS Devices Additional Features
Additional features * 360 Degree Panorama + 3D VR + WIFI & Wired RJ45 + TF Card Slot + Two Way Audio
*Multi Angle Monitor: Mode 1: Electronic PTZ, Mode 2:Panoramic, Mode 3: Corridor, Mode 4:Tranditional Split Screen,
*1/3 Inch CMOS Sensor, Resolution: 1536 x 1536, Lens 1.19mm Visual Angle 360 degree, 3MP HD
*One Camera = 4 to 6 piece common camera
Optical Zoom 16 X
Connector Type Wireless ,Wired
Material Plastic
Lens Type Fisheye
Voltage 12 Volts
Wattage 130


For config the Device follow the document : 

Lets start the assessment:
As part of the security assessment i just connected Ethernet to device and it is assigned IP

started scanning the IP address of the device and got the results as shown below


That's interesting some ports are open like 21,23,6789 with details and it is port number 21 ftp-anon is possible means anonymous credentials will work and if there is no "auth" direct will get
- lets see 


There is no authentication on the FTP and it is giving the direct access to the filesystem of camera.We already got the firmware access from port number 21 (FTP) will check through web interface or we can download firmware from the FTP location using WGET (wget –r ) or use FTP Client download filezilla)


FTP client File-zilla Access



Filesystem analysis is always main part of the IoT Devices Pentesting , After downloading firmware just dig deep all files to get confidential information.In etc/password and etc/shadow having the hardcoded information’s 

MD5 Hashed

And JFFS filesystem files consisting
Remote FTP Server IP information with credentials



Digging around some more i found some treasure in the form of the router’s (yes the work network) Wi-Fi password in plaintext at /tmp/wifi_info.



When we checking the web interface of device, and we got to know the login page having the business logic vulnerability,

That is without credentials we can get access of admin control panel, below image shows the login page


There are some parameters from embedded application  it was observed that the application is possible to access the direct admin control panel without credentials
http://192.168.0.185/view.html








Comments

Post a Comment

Popular posts from this blog

Buspirate v3.6 firmware upgrade from USB

Image
Buspirate:  The Bus Pirate v3.6a, created by Ian Lesnet, is a troubleshooting tool that communicates between a PC and any embedded device over 1-wire, 2-wire, 3-wire, UART, I2C, SPI, and HD44780 LCD protocols - all at voltages from 0-5.5VDC. This product eliminates a ton of early prototyping effort when working with new or unknown chips. Upgrading Firmware: buspirate will not come with new firmware so it has to be change by us. buspirate v4 : Supports firmware version 7  buspirate v3.x:  Supports firmware version 6&7 (note : firmware version 7 may hurt the device hardware not fully tested from my side doit in your won risk) Requirements: Buspirate firmware and loader : https://github.com/DangerousPrototypes/Bus_Pirate/tree/master/BPv3-bootloader ICSP pins. in these pins there are two of them which is  PGD and PGC   helps us to load the firmware into it . T he PGC and PGD pins with a jumper cable. When you are in the bootloader, the MODE LED of the Bus Pirate will stay on connect th
Read more

Dumping the Firmware from the device Using buspirate - SPI

Image
One of the best way to get the firmware from the hardware While doing penetration testing there are scenarios in which we need to dump the firmware from the devices.This method is typically used when there are no firmware’s available from vendor site. Today we are going to show you how to dump the firmware from an Wireless router Binatone DT 850W Software and hardware Requirements: Buspirate Ubuntu 16.04 or any other Linux machine Flashrom tool SOIC cable pin 8 Buspirate connectors               This is a Wireless router from Binatone DT 850W which will be used as an example for dumping the firmware. Let’s us Analyze the Inside Device.You can see IC chips like  EEPROM, UART  pins and Ralink  CPU  and also some Other   IC  chips Let us focus mainly on the  EEPROM chip (winbond W25Q16). What is EEPROM : EEPROM (also written E2PROM and pronounced “e-e-prom”, “double-e-prom” or “e-squared-prom”) stands for electrically erasable program
Read more