Telnet and Root on the Sercomm iCamera2


tldr;

  • URL http://[IP]/adm/file.cgi?todo=inject_telnetd
  • Telnet username root
  • Telnet password Aq0+0009

History

Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracted 200 comments - as people try to unlock their cameras, and find out what flaws they have.

Despite my best efforts at contacting Sercomm - the OEM who manufactures the cameras - and the "security" resellers who irresponsibly sell them to unsuspecting customers, the flaws remain unpatched.

Factory Reset

Most of the Sercomm cameras have a custom firmware which locks them down. As documented in my previous blog post, resetting the cameras is depressingly easy.

  1. Stick paperclip in the reset hole for a few seconds.
  2. The default login name is "administrator".
  3. There is no password set!

Turning on Telnet

The process for enabling Telnet was first published in 2011. It depends on the firmware that Sercomm have pre-loaded, but you just need to visit the specially crafted URL: http://[IP]/adm/file.cgi?todo=inject_telnetd

A web browser displaying the message "Open Telnet Daemon successfully!"

Firmware Trickery

Over on my GitHub repo of Sercomm API commands, you'll find a copy of the firmware for the iCamera 1000.

A contributor to the blog, Paul Chambers, describes how he deciphered the firmware.

The firmware is a modified SquashFS filesystem.
Inside, it contains a symlink from /etc/passwd -> /mnt/ramdisk/tmp/passwd

/etc/rc.sethost contains the string passwd

Running rc.sethost does various things including writing a passwd file to /mnt/ramdisk/tmp/passwd

Inside that, I saw root:9sXicXdz8JrVk:0:0:root:/root:/bin/sh

The string 9sXicXdz8JrVk is a traditional DES-based hash

I patched rc.sethost to skip the call to crypt. Then I got:

root:Aq0+0009:0:0:root:/root:/bin/sh

I double-checked it was correct by running

squashfs-root$python -c "import crypt;print crypt.crypt('Aq0+0009', '9s')"
9sXicXdz8JrVk

So the username is root and the password is Aq0+0009

There you have it. Different cameras may have different firmwares with different passwords - but I'd guess that they all follow a similar pattern. This particular password works on Firmware version V3.0.01.29
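A firmware audit for the weakness described above, added here as an example and not part of the original post or of Paul Chambers' work: it walks an unpacked firmware tree, reports passwd symlinks (credentials written at boot) and flags passwd records stored as traditional DES crypt, empty, or unrecognised (possibly plaintext) fields. The sample tree is constructed, and the file name passwd.generated is hypothetical, standing in for the file rc.sethost writes.

```python
import os, re, tempfile
from pathlib import Path

# passwd(5) record: name:password:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(r"\b([a-z_][\w-]*):([^:\s]*):(\d+):(\d+):([^:\n]*):([^:\s]*):([\w/.-]*)")
# Traditional DES crypt(3): 2 salt chars + 11 hash chars; only 8 password bytes count.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

def classify(field):
    """Name the storage scheme used in a passwd(5) password field."""
    if field == "":
        return "empty"
    if field in ("x", "*", "!", "!!"):
        return "shadowed-or-locked"
    if field.startswith("$"):
        return "modular-crypt"
    if DES_RE.fullmatch(field):
        return "des-crypt"
    return "unrecognised"  # possibly a plaintext password

def audit_tree(root):
    """Walk an unpacked firmware tree and report weak passwd records and
    passwd symlinks (credentials generated at boot rather than stored)."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if path.is_symlink():
                if name == "passwd":
                    findings.append({"file": rel, "kind": "symlink",
                                     "target": os.readlink(path)})
                continue
            for m in PASSWD_RE.finditer(path.read_text(errors="replace")):
                kind = classify(m.group(2))
                if kind in ("empty", "des-crypt", "unrecognised"):
                    findings.append({"file": rel, "kind": kind, "user": m.group(1),
                                     "uid": int(m.group(3)), "shell": m.group(7)})
    return findings

def demo():
    """Constructed tree mirroring the layout quoted above (not the real image)."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    os.symlink("/mnt/ramdisk/tmp/passwd", root / "etc" / "passwd")
    (root / "etc" / "passwd.generated").write_text(
        "root:9sXicXdz8JrVk:0:0:root:/root:/bin/sh\n"
        "daemon:*:1:1:daemon:/:/bin/false\n")
    return audit_tree(root)
```

Run audit_tree() on the directory produced by unpacking a firmware image; any uid 0 record with a login shell and a des-crypt or unrecognised field deserves a closer look.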

Enjoy!
