Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Vulnerabilities Identified in Nooie Baby Monitor- 780

Bitdefender, posted 3 years ago
  • The device is a Baby Monitor that can be accessed remotely.
  • The camera uses MQTT, a protocol commonly used by IoT services. Typically, there is a global service that the device reaches out to. In this instance, the server does not require any authentication to subscribe, leaking device and user IDs.
  • Real Time Streaming Protocol (RTSPS) is a protocol used for live streaming of data. To use this service, the application requests access to a specific camera feed, and the response carries a destination from which the real-time data can be fetched.
  • Even though this happens via an HTTPS request, the MQTT service offers the same functionality. Since the MQTT service does not require any authentication, this call can be made for arbitrary cameras, and since the caller controls the destination of the call, the data can be sent to an attacker's server.
  • The URL (destination) must be parsed by the device once it has been received from the MQTT server. However, the parsing has a fairly straightforward vulnerability: the URL is copied into a static buffer without a bounds check.
  • This appears to be an ARM device without very good randomization, so to exploit this a ret2libc attack is performed by corrupting the EIP on the stack. Since the value of r11 is controlled by the attacker, the pointer to it can be used as the string argument that gets executed in the attack.
  • The camera has a REST API to obtain AWS credentials used to store the recordings in the cloud; these credentials are unique per device. However, the credentials are not generated securely! Knowing the user ID and device ID is enough to craft this authentication token ourselves.
  • To make matters worse, the credentials for accessing the S3 bucket are not scoped properly! With these credentials, all data in the bucket is accessible, and by simply using the S3 CLI it is possible to see the recordings for every camera! Damn, that's real bad.
  • Overall, this was a really good report with many different vulnerability classes. From lack of authentication and poor credential generation to memory corruption, this was an interesting write-up to go through!
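The URL-parsing bullet above is the one point in this write-up that reduces to a few lines of code, so here is an added illustration (constructed for this page, not Bitdefender's or Nooie's code) of the unbounded copy beside a bounded replacement that also allow-lists the destination host, since the report's second problem was that the destination could be anything at all. The buffer size, the relay hostname, the status enum and the function names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer. Constructed for this example; the page does not
 * give the real firmware's buffer size. */
#define URL_BUF 64

/* Relay host the device is expected to stream to. Constructed placeholder,
 * not a hostname from the report. */
static const char *const k_allowed_hosts[] = { "relay.example.com" };

/* --- The pattern the write-up describes (constructed, not the vendor's code) ---
 * The destination received over MQTT is copied into a fixed-size static buffer
 * with no length check, so any message longer than URL_BUF - 1 bytes overwrites
 * whatever sits after the buffer. */
static char g_stream_url_unsafe[URL_BUF];
static void parse_stream_url_unsafe(const char *url) {
    strcpy(g_stream_url_unsafe, url);          /* no bounds check */
}

/* --- Hardened version --- */
typedef enum { URL_OK = 0, URL_TOO_LONG, URL_BAD_SCHEME, URL_BAD_HOST } url_status;

/* Exact match of the host component against the allow-list. The host runs up
 * to the first '/' or ':'; anything else in that span ("user@", "?query")
 * simply fails the exact comparison, which is the conservative outcome. */
static bool host_allowed(const char *after_scheme) {
    size_t hlen = 0;
    while (after_scheme[hlen] != '\0' && after_scheme[hlen] != '/' && after_scheme[hlen] != ':')
        hlen++;
    if (hlen == 0) return false;
    for (size_t i = 0; i < sizeof k_allowed_hosts / sizeof k_allowed_hosts[0]; i++) {
        if (strlen(k_allowed_hosts[i]) == hlen &&
            memcmp(k_allowed_hosts[i], after_scheme, hlen) == 0)
            return true;
    }
    return false;
}

/* Copy url into out (capacity out_len) only if it fits, uses the expected
 * scheme and names an allowed host. Over-long input is rejected rather than
 * truncated, so a silently cut-off URL can never be acted on. */
url_status parse_stream_url_safe(const char *url, char *out, size_t out_len) {
    size_t len = 0;
    while (len < out_len && url[len] != '\0') len++;
    if (len == out_len) return URL_TOO_LONG;       /* no room for the NUL */
    if (strncmp(url, "rtsps://", 8) != 0) return URL_BAD_SCHEME;
    if (!host_allowed(url + 8)) return URL_BAD_HOST;
    memcpy(out, url, len + 1);                     /* includes terminating NUL */
    return URL_OK;
}

/* Convenience wrapper with a URL_BUF-sized local buffer, so the decision for
 * one candidate destination can be read from a single call. */
url_status check_stream_url(const char *url) {
    char buf[URL_BUF];
    return parse_stream_url_safe(url, buf, sizeof buf);
}

int main(void) {
    static const char *const cases[] = {
        "rtsps://relay.example.com/cam/123",                    /* URL_OK */
        "rtsps://attacker.example.net/cam/123",                 /* URL_BAD_HOST */
        "http://relay.example.com/cam/123",                     /* URL_BAD_SCHEME */
        "rtsps://relay.example.com/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", /* URL_TOO_LONG */
    };
    static const char *const names[] = { "OK", "TOO_LONG", "BAD_SCHEME", "BAD_HOST" };
    /* On benign input the unsafe copy behaves perfectly, which is exactly why
     * a missing bounds check survives ordinary functional testing. */
    parse_stream_url_unsafe(cases[0]);
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-72s -> %s\n", cases[i], names[check_stream_url(cases[i])]);
    return 0;
}
```

Rejecting rather than truncating matters: a truncated destination is still a syntactically valid URL, so a "safe" strncpy alone would trade the overflow for a device that quietly connects somewhere the vendor never intended.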