Ray Sharp CCTV DVR Password Retrieval & Remote Root

Last updated at Wed, 03 Jan 2024 20:47:36 GMT

On January 22, 2013, a researcher going by the name someLuser detailed a number of security flaws in the Ray Sharp DVR platform. These DVRs are often used for closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. The vulnerabilities allow for unauthenticated access to the device configuration, which includes the clear-text usernames and passwords that, once obtained, can be used to execute arbitrary system commands root through a secondary flaw in the web interface. someLuser's blog post includes a script for obtaining the clear-text passwords as well as a standalone exploit that yields a remote root shell on any vulnerable device.

In short - this provides remote, unauthorized access to security camera recording systems.

These types of flaws are common in embedded appliances, but the impact is limited by firewalls and other forms of network access control. A vulnerable DVR that is protected by the corporate firewall is not much of a risk for most organizations. In this case, however, the situation is substantially worse. The Ray Sharp DVR platform supports the Universal Plug and Play (UPnP) protocol and automatically exposes the device to the internet if a UPnP-compatible router is responsible for network address translation (NAT) on the network. Many home and small office routers enable UPnP by default. This has the effect of exposing tens of thousands of vulnerable DVRs to the internet. For reference, the Ray Sharp firmware uses the "minupnp" open source implementation to perform this port mapping.

To determine the exposure level, I worked with someLuser to determine signatures for the web interface. The two most common models could be detected with the following signatures:

• self.location = "webclient.html"
• <TITLE>Web Client for DVR</TITLE>

These two signatures were matched against all HTTP services within the critical.io database. This returned over 58,000 unique IPs that were running a vulnerable DVR platform. This list covered over 150 countries, with the largest portion (~19,000) located within the United States, followed by India (~6,000), and Italy (~5,700).

Interestingly enough, the beloved firmware-mod-kit package used for router tweaks also succeeds in unpacking the firmware provided by Swann. This provides an easy way to obtain the raysharp_dvr ELF image without rooting the device over the serial console. This binary implements almost all of the device's functionality, including everything from the web server to the CD-ROM writer based on cdrecord. In addition to being a terrible architecture, this may have inadvertent licensing implications. A quick analysis of the binary points out another feature - in order to make these systems even more hackable easier to access, they can automatically register their IP with a dynamic DNS service. Based on raysharp_dvr binary, the following dynamic DNS providers are supported:

• dyndns.org
• bliao.com
• lorexddns.net
• myq-see.com
• ltscctv.com
• systemport.net
• members.3322.org
• easterndns.com
• newddns.com
• nightowldvr.com
• smartcontroldns.net
• kguard.org
• no-ip.com
• freedns.afraid.org
• changeip.com
• dnsexit.com
• ddns.com.br
• swanndvr.com

To make things interesting, the user-agent sent is_ "myclient 1.0 caiwang213@163.com"_ and a hard-coded credential is present within the binary, which decodes as:

TsnNua31U1UAAJguFeQ:6731998

This hardcoded credential seems to be related to the freedns.afraid.org service, but this could not be confirmed. The hardcoded user agent, however, has caused concern before.

To make matters worse, the version of OpenSSL compiled into this binary is OpenSSL 0.9.8j (07 Jan 2009), a version that is over three years old and rife with security problems.

A quick review with IDA Pro identifies a number of trivial mistakes, including unbounded strcpy() calls. One particular gem that stood out is listed below:

A Metasploit module has been added that can be used to scan for vulnerable devices.

Metasploit Pro users should click on Modules and search for raysharp_dvr_passwords. The Ray Sharp DVR Password Retriever module should be selected. For Metasploit console uses, enter the following command to select the appropriate module:

$ sudo -s -E
# msfconsole
msf> use auxiliary/scanner/misc/raysharp_dvr_passwords

Once the module is loaded, enter the IP or IP range that you would like to test:

msf  auxiliary(raysharp_dvr_passwords) > set RHOSTS 192.168.0.0/24
msf  auxiliary(raysharp_dvr_passwords) > set THREADS 256
msf  auxiliary(raysharp_dvr_passwords) > run

[+] 192.168.0.153:9000 (user='admin' pass='1234546') mac=00-23-63-63-63-63 version=V2.1-20110716