Headquarters888-732-9406
Security Operations Center 888-732-9407

Password Disclosure in D-Link Surveillance Cameras (CVE-2012-4046)

Many people are using the popular D-Link network cameras available at Best Buy, Office Depot, Staples and amazon.com, expecting a private video feed to their home or office. However, this may not be the reality. In recent research, I exposed a critical security flaw in the way D-Link’s DCS-9xx Series IP cameras perform authentication which puts users at risk of eavesdroppers wanting to peer into their private lives or gather intelligence about a target organization. The flaw was identified during the operation of the camera’s setup wizard. In general, setup wizards are meant to provide users a quick and easy way to configure new devices, such as routers, printers, and several others, including this particular series of network cameras manufactured by D-Link. These wizards will commonly ask for a username and password before allowing the user to proceed in configuring the device. In order to accomplish this, the D-Link Setup Wizard will first send an anonymous request to the camera to retrieve its current password to then validate the user supplied password. However, the camera does not authenticate the requestor during the password request, so anyone (authorized or unauthorized) can mimic the wizard and send the same request, tricking the camera into giving up its password – that’s a problem. Maintaining a live video feed to a target organization or residence can obviously be very useful to an attacker. Common use cases for these cameras range from home and business surveillance to baby monitors. I reported the vulnerability to D-Link on June 14, 2012, and while they do claim to have a fix, new firmware has not yet been published at the time of this writing.

Exploitation

Using the D-Link Setup Wizard, the wizard will first perform an initial discovery of relevant IP cameras on the local LAN or subnet. Then, the user will be presented with a list of configurable devices discovered on the network. Any device may then be selected for an easy step-by-step configuration (example below).

In the case of the aforementioned series of D-Link cameras, the discovery mechanism is accomplished by sending out a UDP-based broadcast packet from the user’s computer. Broadcast packets, by definition, will be received by all systems on the same subnet. Any DCS-9xx series cameras that “hear” this initial discovery broadcast will respond with their camera attributes (e.g., hostname, device ID, etc.) via their own UDP-based broadcast. Again, the camera’s broadcast response will be received by all systems on the same subnet, [potentially] including the attacker who cracked your wireless password sitting in the parking lot, the visitors in your conference room, the social engineer who found an empty cubicle and set up shop, or the hacker who’s also logged into your system from the comfort of his own home.

Granted, the initial discovery only reveals the camera’s hostname, device ID and other mostly harmless attributes, but the D-Link wizard also uses the same mechanism to request the camera’s password in a separate broadcast request. This is the default behavior and design of the affected D-Link cameras. Now all your subnet guests, both authorized and unauthorized, can partake in the event. However, there’s no need to wait for a legitimate user to run the setup wizard; an attacker can request the password at any time while the camera is operating via the D-Link Setup Wizard or via the “autopwn” script someone is bound to write after this disclosure. Albeit, the password is encrypted “on the wire” but the ActiveX control within the web based setup wizard kindly decrypts it for you and leaves it in a Javascript variable as a base64 encoded string, which is as good as plain text.  You can retrieve the password with one line of Javascript code. A proof of concept is illustrated below.

Testing was conducted against the D-Link DCS-932L using the latest firmware (v1.02). No firmware updates are currently available to fix this vulnerability. Any updates will likely be made available here, in the support section.

Author

Jason Doyle
Security Consultant

Over 6 years of information technology security. CISSP. GWAPT.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.