Fun with the Vstarcam IP camera

2012-07-16
5 min read

Recently, I got myself a VStarCam IP camera, model H6837WI, relatively cheap for what you get - an H264-capable, wireless/wired IP camera with two-way audio, SD card recording and a few other nice features.

The software provided with the camera is Windows only, which is a system I don’t use very often at home ;) …so I started by exploring the camera’s web interface, which by default runs on port 81. It turned out that the QuickTime plugin didn’t seem to work in any browser, and other than getting the direct H264 stream, this was the only way to get the live video feed without the proprietary software.

Nothing about getting the H264 stream directly in the docs. Duh. :(

A bit frustrated, I ran Wireshark just to get an idea of what the camera is ‘doing’ when left idle. Hmmm…DNS requests to user.gocam.so? Looks like part of the default DDNS settings, which according to the documentation let you use the VStarCam-provided service to access your IP camera remotely via an external server…Call me paranoid, but that’s definitely not something I would be happy with! By the way, URLs found by Google pointing to the VStarCam forum redirect to piopo.25u.com, which is rather suspicious (did someone forget to update their server software? oops). According to VirusTotal, Sophos flags this domain as malicious, although it doesn’t currently resolve to any IP… None of this made me any more comfortable about using the default (or any) DDNS service or its security… Made a mental note to disable the DDNS and verify later on that the camera is not doing anything silly.
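Verifying that an idle device only talks to the names you expect is easy to automate once you can pull the queried name out of a raw DNS packet. The following is an added example, not code from the original post: it decodes the question section of a DNS query (including compression pointers, so it also works on responses) and flags any name that is not under an allowlisted suffix. The packets are constructed in the block itself; the allowlist suffixes are an assumption for illustration.

```python
# Added example (not from the original post): decode the question section of a
# raw DNS packet and flag lookups outside an allowlist, so an idle device's
# "phone home" queries (like the user.gocam.so request seen in Wireshark)
# stand out. Sample packets are constructed below; allowlist is an assumption.
import struct


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (used only to construct sample input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_qname(packet: bytes, offset: int):
    """Decode a DNS name starting at offset; returns (name, offset_after_name).
    Handles 0xC0 compression pointers so it also works on response sections."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:          # compression pointer to another offset
            if not jumped:
                end = offset + 2             # the pointer itself is 2 bytes long
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_questions(packet: bytes):
    """Return [(name, qtype), ...] from the question section of a DNS packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = parse_qname(packet, offset)
        qtype, _qclass = struct.unpack(">HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return questions


def unexpected_lookups(packets, allowed_suffixes):
    """Names queried in `packets` that are not equal to, or under, an allowed suffix."""
    bad = []
    for pkt in packets:
        for name, _qtype in parse_questions(pkt):
            if not any(name == s or name.endswith("." + s) for s in allowed_suffixes):
                bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed sample capture: one lookup you might expect from an IP camera
    # (NTP) and the DDNS one from the post that you probably would not.
    sample = [build_query("pool.ntp.org"), build_query("user.gocam.so")]
    print(unexpected_lookups(sample, ["ntp.org", "lan"]))
```

Feed it the UDP payloads of port-53 packets from a capture (for instance the bytes Wireshark exports from each DNS frame) and anything printed is a name the device resolved that you did not put on the allowlist.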

Right, all of this was a bit disappointing…but apart from traffic sniffing, there’s one more thing you need to do with every device you connect to your network - port scan it, of course! ;] So here we go, in the simplest way…
# nmap 192.168.1.126

Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-16 16:36 BST
Nmap scan report for 192.168.1.126
Host is up (0.029s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
81/tcp  open  hosts2-ns
554/tcp open  rtsp
MAC Address: 00:E0:4C:AA:BB:CC (Realtek Semiconductor)

Nmap done: 1 IP address (1 host up) scanned in 3.28 seconds
Telnet! Getting interesting…Ok, the web UI default credentials are…‘admin’ and no password ;] Let’s see…
$ telnet 192.168.1.126
Trying 192.168.1.126...
Connected to 192.168.1.126.
Escape character is '^]'.

(none) login: admin
Password:
Login incorrect
Nah! How about root?
(none) login: root
warning: cannot change to home directory
/ #
Voila! Got shell and it’s password free! ;] Let’s do some exploring here…
/ # id
uid=0(root) gid=0(root)
/ # free
              total         used         free       shared      buffers
  Mem:        17344        15720         1624            0         2724
 Swap:            0            0            0
Total:        17344        15720         1624
/ # uname -a
Linux (none) 2.6.24ssl #197 PREEMPT Thu Sep 22 14:07:30 CST 2011 armv5tejl unknown
Not the most recent kernel, I’d say… ;) and it’s running on ARMv5 (not MIPS?)
/ # cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 119.60
Features        : swp half fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5
Cache type      : write-back
Cache clean     : cp15 c7 ops
Cache lockdown  : format C
Cache format    : Harvard
I size          : 8192
I assoc         : 4
I line length   : 32
I sets          : 64
D size          : 8192
D assoc         : 4
D line length   : 32
D sets          : 64
Hardware        : object h264 ipcam
Revision        : 0000
Serial          : 0000000000000000
Not the most capable hardware, but hey… ;)
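The root-without-a-password telnet login above is exactly the kind of thing worth checking on every embedded device you put on your network, and it is easy to script. The block below is an added example, not code from the original post: it drives a telnet login the way the session above went (strip the IAC option negotiation, wait for the login prompt, send a username, answer a password prompt if one appears, and report whether a shell prompt came back). Network I/O sits behind a small transport interface so the same logic runs against a real socket or the scripted fake included here, which replays the camera's replies from the post; the prompt patterns, the IAC bytes in the fake banner and the class and function names are assumptions made for this example.

```python
# Added example (not from the original post): probe a telnet service for a
# password-less or default-credential login. The ScriptedTransport replays the
# prompts and replies seen in the post's session; the prompt regexes are
# assumptions based on the BusyBox-style "(none) login:" and "/ #" prompts there.
import re
import socket

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def strip_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation (IAC DO/DONT/WILL/WONT <opt>) from a
    stream, keeping an escaped 0xFF (IAC IAC) as a literal byte."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:
                out.append(IAC)
                i += 2
            elif cmd in (DONT, DO, WONT, WILL):
                i += 3              # three-byte negotiation: IAC cmd option
            else:
                i += 2              # other two-byte commands (NOP, GA, ...)
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


class SocketTransport:
    """Real transport over TCP; a read timeout is reported as 'peer went quiet'."""
    def __init__(self, host: str, port: int = 23, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def recv(self) -> bytes:
        try:
            return self.sock.recv(4096)
        except socket.timeout:
            return b""

    def send(self, data: bytes) -> None:
        self.sock.sendall(data)


class ScriptedTransport:
    """Fake transport: yields `banner` first, then answers each line the client
    sends with replies[line]; a line not in the script gets silence."""
    def __init__(self, banner: bytes, replies: dict):
        self.queue = [banner]
        self.replies = replies
        self.sent = []

    def recv(self) -> bytes:
        return self.queue.pop(0) if self.queue else b""

    def send(self, data: bytes) -> None:
        self.sent.append(data)
        self.queue.append(self.replies.get(data.rstrip(b"\r\n"), b""))


LOGIN_PROMPT = re.compile(rb"login:\s*$")
PASS_PROMPT = re.compile(rb"[Pp]assword:\s*$")
SHELL_PROMPT = re.compile(rb"[#$]\s*$")


def read_until(transport, patterns, max_reads: int = 20) -> bytes:
    """Accumulate output until a prompt pattern matches or the peer goes quiet."""
    buf = b""
    for _ in range(max_reads):
        chunk = transport.recv()
        if not chunk:
            break
        buf += strip_iac(chunk)
        if any(p.search(buf) for p in patterns):
            break
    return buf


def probe_login(transport, username: str, password: str = "") -> str:
    """'shell' if a shell prompt is reached, 'denied' if the login is rejected,
    'unknown' if no recognised prompt ever appears."""
    buf = read_until(transport, [LOGIN_PROMPT])
    if not LOGIN_PROMPT.search(buf):
        return "unknown"
    transport.send(username.encode() + b"\r\n")
    buf = read_until(transport, [PASS_PROMPT, SHELL_PROMPT, LOGIN_PROMPT])
    if PASS_PROMPT.search(buf):                  # account has a password: try ours
        transport.send(password.encode() + b"\r\n")
        buf = read_until(transport, [SHELL_PROMPT, LOGIN_PROMPT])
    if SHELL_PROMPT.search(buf):
        return "shell"
    if LOGIN_PROMPT.search(buf) or b"incorrect" in buf.lower():
        return "denied"
    return "unknown"


def camera_session() -> ScriptedTransport:
    """Scripted stand-in for the camera, built from the exchange in the post
    (the leading IAC DO bytes are constructed, as a real telnetd would send)."""
    return ScriptedTransport(
        b"\xff\xfd\x01\xff\xfd\x1f(none) login: ",
        {
            b"admin": b"Password: ",
            b"": b"Login incorrect\r\n\r\n(none) login: ",
            b"root": b"warning: cannot change to home directory\r\n/ # ",
        },
    )


if __name__ == "__main__":
    for user in ("admin", "root"):
        print(user, "->", probe_login(camera_session(), user, ""))
    # Against a real device: probe_login(SocketTransport("192.168.1.126"), "root")
```

Run it against the scripted camera and `admin` comes back `denied` while `root` comes back `shell`, which is the finding above; swap in `SocketTransport` to run the same check against the real thing, and extend the username list with whatever the vendor's manual lists as defaults.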

Either way, I have to admit that being able to get a proper shell on your cheap IP camera is pretty cool :) (Still, no toaster yet ;)). There’s quite a lot of interesting stuff there, for a geek of course (yes, including the /etc/shadow file of course, but I won’t spoil the fun ;)). My camera even came with a snapshot picture taken in what looks like a warehouse…

A definite bonus is the fact that the web UI is located in /mnt/www, so you can poke around and adjust a few bits here and there ;) You can actually grab the update file from the vendor website, which contains most of the filesystem anyway, and have a look around that way, too… :)

There’s also a service running on port 6801/udp, and I have no idea what it’s for; netstat doesn’t reveal the associated binary name. (It didn’t show up in the nmap scan above because a default nmap run only scans TCP ports; UDP ports need a separate -sU scan.)
# netstat -tualn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.126:23        192.168.1.20:51680      ESTABLISHED
udp        0      0 0.0.0.0:6801            0.0.0.0:*
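Once you have a shell, comparing what the device itself reports listening against what your scan saw from outside is a quick way to catch exactly this kind of gap. The block below is an added example, not code from the original post: it parses the nmap and netstat output from the sessions above (both copied into the block as sample input) and lists every listener netstat knows about that the scan did not report. Function names are my own for this example.

```python
# Added example (not from the original post): diff an external nmap scan
# against the device's own netstat listing. The two sample outputs below are
# copied from the post's sessions; a default nmap run is TCP-only, so the
# 6801/udp listener only becomes visible from inside (or with nmap -sU).
import re

NMAP_OUTPUT = """\
Starting Nmap 6.01 ( http://nmap.org ) at 2012-07-16 16:36 BST
Nmap scan report for 192.168.1.126
Host is up (0.029s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
23/tcp  open  telnet
81/tcp  open  hosts2-ns
554/tcp open  rtsp
MAC Address: 00:E0:4C:AA:BB:CC (Realtek Semiconductor)
"""

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.126:23        192.168.1.20:51680      ESTABLISHED
udp        0      0 0.0.0.0:6801            0.0.0.0:*
"""


def parse_nmap_ports(text: str):
    """Set of (port, proto) that nmap's normal output reports as open."""
    return {(int(m.group(1)), m.group(2))
            for m in re.finditer(r"^(\d+)/(tcp|udp)\s+open\b", text, re.M)}


def parse_netstat_listeners(text: str):
    """Set of (port, proto, bind_addr) for sockets accepting traffic: TCP sockets
    in LISTEN, and every UDP socket (netstat prints no state for UDP)."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue
        proto, local = parts[0], parts[3]
        state = parts[5] if len(parts) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue                      # established/other connections, not services
        addr, _, port = local.rpartition(":")
        listeners.add((int(port), proto, addr))
    return listeners


def unscanned_listeners(nmap_text: str, netstat_text: str):
    """Listeners the device reports that the external scan did not cover."""
    seen = parse_nmap_ports(nmap_text)
    return sorted(entry for entry in parse_netstat_listeners(netstat_text)
                  if (entry[0], entry[1]) not in seen)


def wildcard_listeners(netstat_text: str):
    """Listeners bound to all interfaces, i.e. reachable from any network the device sits on."""
    return sorted(e for e in parse_netstat_listeners(netstat_text) if e[2] in ("0.0.0.0", "::"))


if __name__ == "__main__":
    print("not covered by the scan:", unscanned_listeners(NMAP_OUTPUT, NETSTAT_OUTPUT))
    print("bound on all interfaces:", wildcard_listeners(NETSTAT_OUTPUT))
```

Point it at the saved output of your own `nmap` run and the device's `netstat -tualn` and the first list is what to go back and scan with `-sU` (or firewall off), while the second is every service exposed to anything else on the LAN.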

Speaking about binaries - by the looks of things, the toolchain used for the camera is rather ancient: glibc 2.3.6 and gcc 3.4.6. One could still cross-compile for that and, thanks to the ftp client provided on the camera (didn’t I say it’s hacker friendly? ;)), or using the ‘update’ method, put and run their own binaries on the camera…;] BTW, the wireless adapter is a Ralink 3070, which in theory should run aircrack-ng just fine… ;]

Another discovery - the vendor-provided Windows software communicates with the camera via the camera’s webserver and binary CGI files using some sort of binary protocol…I was looking at the netzob tool not long ago, and maybe I’ve just found a good opportunity to play with it…Rewriting a simple client in Python would be cool, as would remote code execution via the CGI ;). Did I mention that the IE interface uses an ActiveX component?

All in all, one must admit - the H6837WI is a hacker friendly camera! ;] I still need to get the H264 streaming to work at some point though…after all that was the main reason why I got the camera in the first place…:)

Happy hacking! :)