Geovision Downloads
| Geovision | |
|---|---|
| Geovision Drivers | 8.5.3 |
| Geovision Main System | 8.5.3 |
| Multiview | 8.5.3 |
| Remote View Log | 8.5.3 |
Raysharp Password Hack \ Exploit
This is a follow up of my last post about Raysharp DVRs. (http://seanmsiegel.com/blog/raysharp-insecurity/)
Here is an application I wrote to automate the process and reveal all usernames and passwords on various Raysharp DVRs. All you need to know is the IP address and media port(9000 by default) of the DVR
Note: At least .Net 2.0 is required to run this application as it was developed in C#
Update
It looks like Raysharp has released new firmware that fixes this exploit. I know for a fact that the newer Zmodo brand DVRs come with the fix. The fix works by instead of making a new unauthenticated TCP connections for each request, the client software now maintains a single constant TCP connection that is properly authenticated before any commands can take place.
Raysharp Insecurity
Over the years of working in the video surveillance industry, I have tried many different models of embedded DVRs. I have worked for a company that went through model after model until we finally felt that we had found a good solid unit. These units have a much lower rate of failure compared to other units.
Aside from stability issues and a high rate of failure, most DVRs made in China have horrible software that's filled full of bugs. This software seemed different, it seemed to run almost perfect until one day I was doing some reasearch on how we could integrate the DVRs with our own custom video monitoring software.
I began by firing up wireshark and started from the beginning by logging into the DVR via its web interface. I was immediately shocked! I had logged into the DVR with its guest username and password and the DVR returned a list of all users and passwords in a packet.
It became clear that the DVRs were doing all their authentication on the client side. Who in the right mind would do such a thing, and especially on a SECURITY device! The only thing I can imagine is that the authentication code was much easier to write using managed code in windows as compared to writing the C code for an embedded device. Sure this saved them a lot of time and money on R&D but this is the exact reason why so many products from China are so terrible. They always seem to cut corners with any chance they get.
Since the DVR is just handing over all the usernames and passwords at the first logon, I imagined that the various commands between the web gui and the DVR lacked authentication and I was right. In the DVR web gui, there is an option to mange users. I clicked on this option and watched the results in wireshark.
The wireshark data stream after clicking "User". (the red packets sent from my computer to the dvr and the blue are packets from the dvr back to my computer):
On this DVR I have the following accounts:
- User: Admin Password: 121212
- User: User1 Password: 111111
- User: User2 Password: 222222
- User: User3 Password: 333333
- User: User4 Password: 444444
- User: User5 Password: 555555
- User: User6 Password: 666666
Here is the packet from the DVR that contains all the accounts. I colorized all the different data in the packet to help make a crack later on. The only really import data for my purpose is the data delimiter (0d 0a 0d 0a or \r\n\r\n) and the fact that each user account is exactly 224 bytes. Knowing all this, we can later parse out everything before the two line breaks (0d 0a 0d 0a) and then read 224 bytes 7 times to read all 7 accounts. 
BFD Rules for Asterisk
It was about 1am and I had glanced at my Trixbox system and noticed the network cards lights blinking away. It's this type of thing that drives me crazy at times(not knowing what a system is up to, whether it be tons of unexpected network activity, or hearing a hard drive churning away for no apparent reason). I remember trying Windows Vista for the first time, only to be drove up the wall by Windows "Superfetch".
After tailing some log files, I quickly noticed there was a brute force attack going on. It seems that Trixbox, Freepbx, and plain old Asterisk do not have any protection in place out of the box.
Being a regular user of APF and BFD by RF Networks, I decided to make my own BFD scripts. I did find some very similar scripts on the internet, however I always ran into problems with other peoples scripts.
Create a file called "asterisk_badauth" in "/usr/local/bfd/rules/":
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"
# file must exist for rule to be active
REQ="/usr/sbin/asterisk"
if [ -f "$REQ" ]; then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk_badauth"
TMP="/usr/local/bfd/tmp"
## Asterisk badauth
ARG_VAL=<code>$TLOG_PATH $LP $TLOG_TF | grep -i "wrong password" | awk '{print $(NF-3)}' | tr -d '\'\'
fi |
Asterisk seems to create two different log entries, one for an incorrect passwords which is covered by the script above, and also a completely different one for invalid extensions. The below script will protect against logins with invalid extensions or possibly an attempt to guess or scrape for extensions.
Create a file called "asterisk_nopeer" in "/usr/local/bfd/rules/":
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="5"
# file must exist for rule to be active
REQ="/usr/sbin/asterisk"
if [ -f "$REQ" ]; then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk_nopeer"
TMP="/usr/local/bfd/tmp"
## Asterisk nopeer
ARG_VAL=</code>$TLOG_PATH $LP $TLOG_TF | grep -i "no matching peer found" | awk '{print $(NF-5)}' | tr -d '\'\'
fi |
The following is an email I received from BFD after testing my system with some invalid logins:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
The following is a summary event for exceeded login failures on trixbox.local:
SOURCE ADDRESS: 76.195.223.226
TARGET SERVICE: asterisk_nopeer
FAILED LOGINS: 6
EXECUTED COMMAND: /etc/apf/apf -d 76.195.223.226 {bfd.asterisk_nopeer}
SOURCE LOGS FROM SERVICE 'asterisk_nopeer' (GMT -0500):
[Feb 16 07:31:18] NOTICE[11692] chan_sip.c: Registration from '<sip:123@26.129.23.164>' failed for '76.195.223.226' - No matching peer found
[Feb 16 07:31:18] NOTICE[11692] chan_sip.c: Registration from '<sip:123@26.129.23.164>' failed for '76.195.223.226' - No matching peer found
[Feb 16 07:32:06] NOTICE[11692] chan_sip.c: Registration from '<sip:123@26.129.23.164>' failed for '76.195.223.226' - No matching peer found
[Feb 16 07:32:06] NOTICE[11692] chan_sip.c: Registration from '<sip:123@26.129.23.164>' failed for '76.195.223.226' - No matching peer found
[Feb 16 07:32:12] NOTICE[11692] chan_sip.c: Registration from '<sip:123@26.129.23.164>' failed for '76.195.223.226' - No matching peer found
[Feb 16 07:32:12] NOTICE[11692] chan_sip.c: Registration from '<sip:123@26.129.23.164>' failed for '76.195.223.226' - No matching peer found
-----------------------------------------------
BFD (Brute Force Detection) 1.4 < bfd@rfxn.com > |
It seems that I have been getting 1 to 3 brute force attempts for common extensions (100,101,2102) on a daily basis and 1 invalid peer brute force attempt every few days. I like to receive emails when there is any kind of attempt but this was getting really annoying being on a daily basis. I have since moved my Trixbox system from the standard sip port of 5060 to a random one and updated all my phones(internal and remote).
