
Hard-coded root shell in Vesta IP cameras, and not only there

It so happened that I was given the task of recording and storing video from IP cameras. Vesta VC-6206 IR cameras had been bought and installed without any information-system architecture being designed around them. A very short period of operation showed that the cameras tend to hang and that it would be good to reboot them periodically. nmap showed that only telnet, http and rtsp are open on the camera. Rebooting the camera over telnet from cron looked like a good solution to me, but technical support refused to give out the root password.

Briefly about how the cameras are used


The customer planned to hook these cameras up to ZoneMinder on a Linux server, but ZoneMinder's RTSP support is not that good, and it loads the machine heavily because it goes through external filters (at 1920x1080). The vendor's support said they do not support working with Linux. In the end it was decided to record video with cvlc in 10-minute chunks with a small overlap. Everything is fine, the video is recorded, the CPU is not loaded at all since the stream arrives as H.264 and needs no transcoding, but the cameras just hang often.

The authorities are hiding something


Even Android and iPhone do not give the user root privileges, but in my case full access was justifiably necessary. The fact that telnet is always open and support will not disclose the password makes you wonder. I downloaded the firmware, unzipped it (it turned out to be a zip) and saw cramfs images inside:
# file VC-6206_V4.00.R10.20130129-WiFi.bin
VC-6206_V4.00.R10.20130129-WiFi.bin: Zip archive data, at least v2.0 to extract
# unzip VC-6206_V4.00.R10.20130129-WiFi.bin
Archive: VC-6206_V4.00.R10.20130129-WiFi.bin
inflating: Install
inflating: web-x.cramfs.img
inflating: custom-x.cramfs.img
inflating: user-x.cramfs.img
inflating: logo-x.cramfs.img
inflating: romfs-x.cramfs.img
inflating: InstallDesc

It does look like cramfs, although file sees a U-Boot legacy image header in front of it:
# file web-x.cramfs.img
web-x.cramfs.img: u-boot legacy, Linux, Linux/ARM, Standalone Program (gzip), 1310656 bytes, Tue Jan 29 12:50:53 2013, Load Address: 0x023E0000, Entry Point: 0x02520000, Header CRC: 0xD2BAE056, Data CRC: 0x29F4363A

I tried to mount these images, but failed:
# mount -o loop -t cramfs romfs-x.cramfs.img /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop5,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so
root@server:~/VC-6206_V4.00.R10.20130129-WiFi# dmesg | tail -3
[  168.201350] fuse init (API version 7.13)
[  171.240014] eth0: no IPv6 routers present
[48915.272594] cramfs: wrong magic

Thanks to philpirj and his post, life got better and merrier: the cramfs sits behind a 64-byte U-Boot header that just has to be cut off (bs=8 skip=8 skips exactly 64 bytes):
for i in *.img ; do
    d=/mnt/fw/$(basename "$i" .img)
    mkdir -p "$d"
    dd if="$i" of="$i.cut" bs=8 skip=8      # drop the 64-byte U-Boot legacy header
    mount -o loop -t cramfs "$i.cut" "$d"   # what is left is plain cramfs
done
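The 64 bytes that the dd command above skips are U-Boot's legacy image header, and that header carries a CRC-32 of itself and a CRC-32 of the payload (the file output above prints them as Header CRC and Data CRC). The following is an added example, not code from the original post: it parses the header, verifies both CRCs before stripping it, and checks that what is left starts with a cramfs superblock rather than trusting the file name or the header's compression flag. The header layout and CRC convention are those of U-Boot's image.h; the sample superblock built in sample_cramfs_superblock() is constructed here and is not data from the camera's firmware.

```python
"""Verify and unwrap a U-Boot legacy image (uImage) header.
Added example, not from the original post."""
import struct
import sys
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_HEADER_LEN = 64
# Header fields, all big-endian:
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
_HDR = struct.Struct(">IIIIIIIBBBB32s")
CRAMFS_MAGIC = 0x28CD3D45               # cramfs superblock magic
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # at offset 16 of the superblock


def _crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF  # the same CRC-32 U-Boot uses


def parse_uimage(blob):
    """Return (header_dict, payload) after checking magic and both CRCs."""
    if len(blob) < UIMAGE_HEADER_LEN:
        raise ValueError("shorter than a uImage header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     _os, arch, typ, comp, name) = _HDR.unpack_from(blob, 0)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08x" % magic)
    # ih_hcrc is computed over the header with its own field zeroed.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:UIMAGE_HEADER_LEN]
    if _crc32(zeroed) != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[UIMAGE_HEADER_LEN:UIMAGE_HEADER_LEN + size]
    if len(payload) != size:
        raise ValueError("payload truncated: header says %d bytes, have %d"
                         % (size, len(payload)))
    if _crc32(payload) != dcrc:
        raise ValueError("data CRC mismatch")
    header = {"size": size, "load": load, "entry": ep, "arch": arch,
              "type": typ, "comp": comp,
              "name": name.split(b"\0", 1)[0].decode("ascii", "replace")}
    return header, payload


def check_image(blob):
    """'ok' if header and both CRCs verify, otherwise the error text."""
    try:
        parse_uimage(blob)
        return "ok"
    except ValueError as exc:
        return str(exc)


def is_cramfs(payload):
    """True if payload starts with a cramfs superblock (either byte order)."""
    if len(payload) < 32:
        return False
    magics = (struct.pack("<I", CRAMFS_MAGIC), struct.pack(">I", CRAMFS_MAGIC))
    return payload[:4] in magics and payload[16:32] == CRAMFS_SIGNATURE


def build_uimage(payload, name=b"test", load=0, ep=0, arch=2, typ=1, comp=0):
    """Wrap payload in a legacy header (os=5 Linux, arch=2 ARM by default)."""
    dcrc = _crc32(payload)
    hdr = _HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), load, ep, dcrc,
                    5, arch, typ, comp, name)
    hcrc = _crc32(hdr)                   # computed with ih_hcrc still zero
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def sample_cramfs_superblock():
    """Constructed minimal superblock: magic, size, flags, future, signature."""
    return (struct.pack("<IIII", CRAMFS_MAGIC, 4096, 0, 0)
            + CRAMFS_SIGNATURE + b"\0" * 32)


def strip_uimage(src, dst):
    """Validated equivalent of 'dd bs=8 skip=8': write the payload to dst."""
    with open(src, "rb") as f:
        header, payload = parse_uimage(f.read())
    with open(dst, "wb") as f:
        f.write(payload)
    return header, is_cramfs(payload)


def demo():
    img = build_uimage(sample_cramfs_superblock(), name=b"romfs-x.cramfs")
    header, payload = parse_uimage(img)
    return header["name"], is_cramfs(payload)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        hdr, cram = strip_uimage(sys.argv[1], sys.argv[2])
        print(hdr, "cramfs" if cram else "not cramfs")
    else:
        print(demo())
```

Run it as `python3 uimage.py romfs-x.cramfs.img romfs-x.cramfs.img.cut` to get the same file the dd one-liner produces, but only after the CRCs check out; a mismatch is the first sign that a download was corrupted or that the image was hand-modified.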

In the image of the system itself (romfs-x.cramfs.img) the first thing I noticed was a UPX-packed telnetd. I unpacked it and ran strings on it, but found no hard-coded passwords there and lost interest in it.
Then I found this /etc/passwd:
 root:absxcfbgXtb3o:0:0:root:/:/bin/sh 

Convenient. John the Ripper from the Debian package went through traditional DES crypt at only 1800K c/s; after rebuilding it with OpenMP and SSE2 it did 6300K c/s. By the end of the day john had finished and I had a root password that fits every camera with this firmware, because it is baked right into it.

Success


The password fit, of course:
root@server:/mnt/cramfs/user-x.cramfs# telnet 192.168.1.11
Trying 192.168.1.11...
Connected to 192.168.1.11.
Escape character is '^]'.
LocalHost login: root
Password:
# cat /proc/cpuinfo
Processor: ARM926EJ-S rev 5 (v5l)
BogoMIPS: 148.27
Features: swp half thumb fastmult edsp java
CPU implementer: 0x41
CPU architecture: 5TEJ
CPU variant: 0x0
CPU part: 0x926
CPU revision: 5
Cache type: write-back
Cache clean: cp15 c7 ops
Cache lockdown: format C
Cache format: Harvard
I size: 16384
I assoc: 4
I line length: 32
I sets: 128
D size: 8192
D assoc: 4
D line length: 32
D sets: 64

Hardware:
Revision: 3650000
Serial: 0000000000000000
# ps w
  PID  Uid     VSZ Stat Command
    1 root    3728 S    init
    2 root         SW   [posix_cpu_timer]
    3 root         SW   [softirq-high/0]
    4 root         SW   [softirq-timer/0]
    5 root         SW   [softirq-net-tx/]
    6 root         SW   [softirq-net-rx/]
    7 root         SW   [softirq-block/0]
    8 root         SW   [softirq-tasklet]
    9 root         SW   [softirq-hrtimer]
   10 root         SW   [softirq-rcu/0]
   11 root         SW<  [desched/0]
   12 root         SW<  [events/0]
   13 root         SW<  [khelper]
   14 root         SW<  [kthread]
   26 root         SW<  [kblockd/0]
   27 root         SW<  [kseriod]
   36 root         SW<  [khubd]
   93 root         SW   [pdflush]
   94 root         SW   [pdflush]
   95 root         SW<  [kswapd0]
   96 root         SW<  [aio/0]
   97 root         SW<  [cifsoplockd]
   98 root         SW<  [cifsdnotifyd]
  715 root         SW   [mtdblockd]
  750 root         SW<  [kmmcd]
  797 root         SWN  [jffs2_gcd_mtd7]
  822 root    1576 S    /sbin/syshelper 25
  826 root    3732 S    /sbin/telnetd
  828 root    2744 S    /utils/upgraded
  829 root    3516 S    /sbin/searchIp
  922 root  103628 S    /usr/sbin/fvideoencoder -i 2 -s 6 -d 0 -o 1 -h 2 -g 2 -l 81 -t 8 -j 1 -a 3 -b 40
  923 root   11596 S    /usr/sbin/a1ewtest
  938 root   12772 S    wlandaemon
  943 root    3728 S    /bin/sh /usr/etc/dup_app.sh
  945 root    1396 S    dupc /usr/bin/Sofia
  946 root  372884 S    /usr/bin/Sofia
 1137 root    3732 S    -sh
 1139 root    3732 R    ps w
# cat /mnt/mtd/Config/Account1
{
  "Groups": [
    {
      "AuthorityList": [
        "ShutDown",
        "ChannelTitle",
        "RecordConfig",
        "Backup",
        "StorageManager",
        "Account",
        "SysInfo",
        "QueryLog",
        "DelLog",
        "SysUpgrade",
        "AutoMaintain",
        "GeneralConfig",
        "EncodeConfig",
        "CommConfig",
        "NetConfig",
        "AlarmConfig",
        "VideoConfig",
        "PtzConfig",
        "PTZControl",
        "DefaultConfig",
        "Talk_01",
        "Monitor_01",
        "Replay_01"
      ],
      "Memo": "administrator group",
      "Name": "admin"
    },
    {
      "AuthorityList": ["Monitor_01", "Replay_01"],
      "Memo": "user group",
      "Name": "user"
    }
  ],
  "Users": [
    {
      "AuthorityList": [
        "ShutDown",
        "ChannelTitle",
        "RecordConfig",
        "Backup",
        "StorageManager",
        "Account",
        "SysInfo",
        "QueryLog",
        "DelLog",
        "SysUpgrade",
        "AutoMaintain",
        "GeneralConfig",
        "EncodeConfig",
        "CommConfig",
        "NetConfig",
        "AlarmConfig",
        "VideoConfig",
        "PtzConfig",
        "PTZControl",
        "DefaultConfig",
        "Talk_01",
        "Monitor_01",
        "Replay_01"
      ],
      "Group": "admin",
      "Memo": "admin's account",
      "Name": "admin",
      "Password": "QyZfVmgd",
      "Reserved": true,
      "Sharable": true
    },
    {
      "AuthorityList": ["Monitor_01", "Replay_01"],
      "Group": "user",
      "Memo": "guest's account",
      "Name": "guest",
      "Password": "tlJwpbo6",
      "Reserved": true,
      "Sharable": true
    },
    {
      "AuthorityList": ["Monitor_01"],
      "Group": "user",
      "Memo": "default account",
      "Name": "default",
      "Password": "OxhlwSG8",
      "Reserved": false,
      "Sharable": false
    }
  ]
}
#
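The two finds above, the 13-character traditional DES hash in /etc/passwd and the plaintext passwords in /mnt/mtd/Config/Account1, are the kind of thing worth scripting when triaging a firmware image. The following is an added example, not code from the original post: it classifies the hash scheme of each passwd entry (a 13-character field means crypt(3)'s DES scheme, a 2-character salt and a password truncated to 8 bytes, which is why john finished in a day), emits john-ready lines, and checks an Account1 file for the factory-default passwords shown above and for users whose rights exceed those of their group. The sample passwd text and the sample Account1 JSON embedded in the block are constructed for the example (the root hash is the one from the firmware above), and the names FACTORY_DEFAULTS and DANGEROUS are this example's own.

```python
"""Triage credentials in an unpacked firmware image and in the camera's
account config.  Added example, not code from the original post."""
import json
import re

# crypt(3) hash formats.  Traditional DES: 13 chars from the crypt alphabet,
# the first two are the salt; only the first 8 bytes of the password count.
_DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
_PREFIXES = (("$1$", "md5crypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
             ("$2y$", "bcrypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt"))

# Plaintext defaults as shipped in the Account1 file shown above.
FACTORY_DEFAULTS = {"admin": "QyZfVmgd", "guest": "tlJwpbo6", "default": "OxhlwSG8"}
# Rights that let the holder take over the device or its accounts
# (assumption: selected from the names that appear in Account1).
DANGEROUS = {"Account", "SysUpgrade", "NetConfig", "DefaultConfig", "ShutDown"}

# Constructed samples.  The root line carries the hash from the firmware above.
SAMPLE_PASSWD = """root:absxcfbgXtb3o:0:0:root:/:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""
SAMPLE_ACCOUNT1 = """{
  "Groups": [
    {"AuthorityList": ["Account", "SysUpgrade", "NetConfig", "Monitor_01"],
     "Memo": "administrator group", "Name": "admin"},
    {"AuthorityList": ["Monitor_01", "Replay_01"],
     "Memo": "user group", "Name": "user"}
  ],
  "Users": [
    {"AuthorityList": ["Account", "SysUpgrade", "NetConfig", "Monitor_01"],
     "Group": "admin", "Name": "admin", "Password": "QyZfVmgd"},
    {"AuthorityList": ["Monitor_01", "Replay_01"],
     "Group": "user", "Name": "guest", "Password": "changed-by-owner"},
    {"AuthorityList": ["Monitor_01", "Replay_01", "SysUpgrade"],
     "Group": "user", "Name": "operator", "Password": "op-pass"}
  ]
}"""


def classify_hash(field):
    """Name the scheme of a passwd/shadow password field."""
    if field == "":
        return "empty"                    # login without any password
    if field in ("x", "*", "!", "!!"):
        return "locked-or-shadowed"
    for prefix, name in _PREFIXES:
        if field.startswith(prefix):
            return name
    if _DESCRYPT.match(field):
        return "descrypt"
    return "unknown"


def audit_passwd(text):
    """One finding per account whose hash can be attacked offline."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        scheme = classify_hash(pw)
        if scheme in ("locked-or-shadowed", "unknown"):
            continue
        finding = {"user": user, "uid": uid, "scheme": scheme,
                   "john": "%s:%s" % (user, pw)}   # line for john's input file
        if scheme == "descrypt":
            finding["salt"] = pw[:2]
        findings.append(finding)
    return findings


def audit_accounts(text):
    """Flag factory passwords and rights that exceed the user's group."""
    cfg = json.loads(text)
    group_rights = {g["Name"]: set(g.get("AuthorityList", []))
                    for g in cfg.get("Groups", [])}
    results = []
    for u in cfg.get("Users", []):
        rights = set(u.get("AuthorityList", []))
        issues = []
        pw = u.get("Password")
        if pw is not None and FACTORY_DEFAULTS.get(u["Name"]) == pw:
            issues.append("factory default password")
        extra = rights - group_rights.get(u.get("Group"), set())
        if extra:
            issues.append("rights beyond group: " + ",".join(sorted(extra)))
        results.append({"user": u["Name"], "group": u.get("Group"),
                        "plaintext_password": pw is not None,
                        "dangerous_rights": sorted(rights & DANGEROUS),
                        "issues": issues})
    return results


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", f)
    for r in audit_accounts(SAMPLE_ACCOUNT1):
        print("account:", r)
```

Point audit_passwd at the /etc/passwd (and /etc/shadow, if any) of each mounted cramfs image, and audit_accounts at the Account1 file pulled off the running camera; the "john" lines can be written straight to a file for john. A descrypt root hash that is identical across every unit running the firmware is the finding that matters here: there is nothing per-device to rotate, so the only fix is a firmware that lets the owner set the password or disables telnetd.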


How widespread this is


At first I expected to quickly google something by the firmware version, and found out that at least Feng IP cameras use the same firmware. Judging by the bunch of modules for different cameras and the wifi support, this firmware is shared by several models. Having already got the config from inside the camera, I googled the default password hashes and found a post on a third manufacturer's forum, where someone pulls the config out of the same or similar cameras through a hole in the web interface. Relative paths did not work for me, so it looks like that one has simply been fixed. The post is still up on the manufacturer's forum, though.

PS This post does not claim to be serious research; in it I just describe how I solved a practical task of my own. I thought it would be of interest to Habr readers, like posts of this kind. The cracked password is available at this link. (It is funny every time, as if for the first time. Actually, the search will not take long, the password is simple.)

Source: https://habr.com/ru/post/173501/

