Wednesday, 23 October 2013

Sunluxy DVR backdoor

A couple of news items that recently caught my attention discussed backdoors found in network routers [1] [2]. I'll throw in something similar in case anyone is keeping track.

I picked up a Sunluxy CCTV DVR from ebay at the start of the year to record bluetits nesting in one of my bird boxes. Unfortunately both parents apparently succumbed to predation and the chicks perished but that is beside the point. The product itself was pretty good and unsurprisingly it has quite a few positive reviews on Amazon. Nothing unusual so far.

One thing that did annoy me slightly though was the way videos had to be exported. You had to manually export videos (to USB) on a day by day basis, which isn't really what I was after. I'd rather pull recordings for the last week or so over the network in one go but this didn't seem like an existing feature. Oh well, time to have a poke around!


Sunluxy itself appears to just be a front for the OEM JuanDVR. The sunluxy website is, well, very beta to say the least. Most links don't actually go anywhere and there are no firmware updates available. Poking around on the Juandvr site I found something that seemed pretty similar, but not exact. It was enough to start getting a feel of what was going on though.

Annoyingly, the box runs telnet but it is restricted to root and and the root password is only known to JuanDVR by the looks of things (you don't get to set it). From /etc/passwd it is clear the box only has user root (nice, single exploit to win the day). Incidentally, the /etc/passwd file looks like this:

root:$1$$Tq0vqGpgZ5IEA8LdEOI9F.:0:0::/root:/bin/sh

I didn't figure out the password, but then again, I didn't try cloudcracker.

Update: Chris has posted the password in the comments below.

Time to pop off the cover to check for debug points on the board. There were four helpful looking points and a quick probe later confirms them to be a 5V TTL serial port. Hooking up a USB to serial converter got me to some debugging output.

The debugging output was nice, but not overly helpful. Time to check the startup scripts to see if there was anything in there that could be taken advantage of. At this stage I also have access to U-Boot, so I could overwrite the image with a custom one, but that was being left as option of last resort purely because it had more chance of something going wrong.

Luckily, it looked like some code to facilitate testing had been left in the run_app.sh script:

echo "do you want to run app.out(y or n)?"
read -t 1 -n 1 char

insmod /lib/modules/2.6.24-rt1-hi3520v100/kernel/fs/nls/nls_cp936.ko

if [ "$char" == "n" ];then
        echo "Don't run program!"
else
        cd /root/dvr_app;./dvr_reset
        if [ "$?" == "0" ];then
                cd /root/dvr_app;./dvr_resource
                cd /root;./upnp_server &
                sleep 3
                cd /root/dvr_gui;./dvr_gui &
                cd /root/dvr_app;./dvr_app
        else
                echo "System reset!"
        fi
fi

So you have a 1 second window to hit 'n' during bootup to stop the main app running. Doing so brings you to a shell. This is handy to copy files onto USB for analysis but not exactly a practical way of getting root. The device isn't working as intended and any changes won't be preserved on the file system.

Cutting a long story short, the plan of attack was to reverse the cgi's in the hope of finding a bug that could be exploited to give me a root shell. The approach was to search for command injection vulnerabilities so a quick bit of readelf + grep showed that there were six binaries that linked to system(). Of those six, one didn't actually have ANY authorisation checks in place and it simply passed the parameters of the request straight into system(). Needless to say, that is a rather serious flaw considering these boxes are designed to allow access from outside the network and this is trivial to exploit.

Since Sunluxy don't appear to provide firmware updates and the generic ones from JuanDVR won't load onto a Sunluxy box (the signature in the header is different) it looks like users are going to be stuck for a while. I won't mention the name of the backdoor cgi for now as I'm waiting to hear back from Sunluxy.

I'm not suggesting these DVRs are going to be anywhere near as common as the routers mentioned above, but if you have one you probably want to reconsider allowing it through your firewall for now.

15 comments:

  1. I have updated firmware on my sunluxy like an idiot and ut wont pass the screen if system inilizing screen. Can i reset this at all to get back my factory firmware or do i have to buy a new unit?

    ReplyDelete
    Replies
    1. The update process overwrites the original firmware so it isn't possible to reset unfortunately. Best bet would be to get a new unit, although you might want to consider a different brand. Sunluxy probably haven't fixed the backdoor issue yet.

      Delete
    2. It would very useful if you can tell the actual firmware file name and where you got it from so that we can all avoid. Thanks

      Delete
  2. Replies
    1. Nice one, thanks for posting it.

      Delete
  3. thanks but i want to reset the password for my dvr i have logged into the device through telnet...can u let me know the further process

    ReplyDelete
    Replies
    1. Unfortunately you can't reset the password without rewriting the firmware and that is far from straight forward. You could put the box behind a firewall and deny access to port 23 but you still have the cgi backdoor to worry about. Your options are either to ask juandvr for a firmware update (very unlikely to work) or get a better dvr.

      Delete
  4. There are people claiming they updated sunluxy DVRs with juantech firmware:
    http://www.cctvforum.com/viewtopic.php?t=35141

    However i tried myself and all the time the DVR was not recognizing the firmware - so it didn't worked for me (it is a risk to update because you can end up with a bricked box)

    ReplyDelete
    Replies
    1. I'd seen that post when I first started playing with the box, but it was clear from the loading code disassembly that the juantech firmware wouldn't pass the sanity check. Basically at the start of the firmware is a signature string that looks something like "JUAN HI3515 R2008 FIRMWARE DESIGNED BY LAW". These didn't match and the loading routine bails at that point. I wasn't going to risk hacking the string to bypass that check just it case it screwed something else up.

      Delete
  5. Did somebody get the Email Motion Alert working??? I tried several settings, but none is working...

    THX
    Chris

    ReplyDelete
  6. I use xjuan h264 network dvr, anbody know what port for that dvr

    ReplyDelete
  7. I use xjuan h264 network dvr, anbody know what port for that dvr

    ReplyDelete
  8. Interesting write-up. I'm actually working on brand-new, from-scratch firmware for dvrs (fiddling with a nightowl zeus-dvr [uses the raysharp_dvr binary], going to buy a newer one from samsung based on a similar chipset as I don't think there are too many of those nightowl's in use in the wild anymore). Don't suppose you'd be willing to supply information on whatever devices you have handy?

    ReplyDelete
    Replies
    1. That sounds like a very interesting and worthwhile project. I can have a look at the kit I have, although only one of my DVRs still works. Email reversatronics at gmail dot com and let me know what you'd need.

      Delete
  9. Help me i need password root for GM LOGIN in telnet please

    ReplyDelete