Root with no password on an embedded device!

#1

Post by woodchuck » Sun Mar 09, 2014 3:15 pm

Hi Guys-

Not really the forum for it, but it's hard to really find a place to get feedback on messing with an embedded device. Let me know if you guys know of a good forum for it.

I recently uncovered the fact that my cheapo security camera DVR system can be telneted into, and has no root password! Wonderful! Thankfully I never expose this insecure thing to the internet, but I would like to get a root password on it. The problem is that the filesystem is mounted as read-only, so running passwd or vi /etc/passwd gets nowhere cause the file cannot be saved. I'm looking for ideas here on how to get a password on this sucker.


#2

Post by smcmillan2 » Sun Mar 09, 2014 3:37 pm

woodchuck wrote:
> Hi Guys-
>
> Not really the forum for it, but it's hard to really find a place to get feedback on messing with an embedded device. Let me know if you guys know of a good forum for it.
>
> I recently uncovered the fact that my cheapo security camera DVR system can be telneted into, and has no root password! Wonderful! Thankfully I never expose this insecure thing to the internet, but I would like to get a root password on it. The problem is that the filesystem is mounted as read-only, so running passwd or vi /etc/passwd gets nowhere cause the file cannot be saved. I'm looking for ideas here on how to get a password on this sucker.

Have you tried mount -rw / and then running passwd?

I've seen some *nix based devices such as routers that dynamically create the filesystem structures based on config files, so changing the password via conventional methods may not "stick" upon reboot - You would have to find the config file(s) that generates the passwd/shadow file and make your changes there (if your camera is such a device).


#3

Post by woodchuck » Sun Mar 09, 2014 3:56 pm

Hadn't tried it, thanks. The result is "Failed to access volume 'rootfs': No such file or directory". Not sure what to make of that.


#4

Post by adam1991 » Sun Mar 09, 2014 4:06 pm

The phrase "you got what you paid for" suddenly will not leave my mind.


#5

Post by STC » Sun Mar 09, 2014 4:11 pm

Is the hub IP only or does it have console/serial access?

#6

Post by woodchuck » Sun Mar 09, 2014 4:30 pm

I can get serial access, if I open it up.


#7

Post by smcmillan2 » Sun Mar 09, 2014 4:40 pm

woodchuck wrote:
> Hadn't tried it, thanks. The result is "Failed to access volume 'rootfs': No such file or directory". Not sure what to make of that.

Interesting. What is the output of the following?
uname -a
mount
df -h


#8

Post by woodchuck » Sun Mar 09, 2014 4:48 pm

login: root
Last login: Sun Mar 9 14:23:07 on pts/0
root@dm814x-evm:~# uname -a
Linux dm814x-evm 2.6.37 #4 Fri Sep 21 11:11:53 CST 2012 armv7l unknown
root@dm814x-evm:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=36516k,nr_inodes=9129,mode=755)
proc on /proc type proc (rw,relatime)
tmpfs on /mnt/.splash type tmpfs (rw,relatime,size=40k)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type tmpfs (rw,relatime,size=1024k,nr_inodes=8192,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw,relatime)
tmpfs on /var/volatile type tmpfs (rw,relatime,size=16384k)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
tmpfs on /media/ram type tmpfs (rw,relatime,size=16384k)
/dev/mtdblock5 on /mnt/app type cramfs (ro,relatime)
/dev/mtdblock6 on /mnt/para type yaffs2 (rw,relatime)
tmpfs on /mnt/cache type tmpfs (rw,noatime,nodiratime,size=8192k,nr_inodes=4000)
/dev/sda1 on /mnt/sda type ext3 (rw,noatime,nodiratime,errors=continue,barrier=0,data=writeback)
tmpfs on /mnt/tmp type tmpfs (rw,relatime,size=2048k)
root@dm814x-evm:~# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 17.5M 17.5M 0 100% /
devtmpfs 1.0M 72.0K 952.0K 7% /dev
tmpfs 40.0K 0 40.0K 0% /mnt/.splash
none 1.0M 72.0K 952.0K 7% /dev
tmpfs 16.0M 28.0K 16.0M 0% /var/volatile
tmpfs 35.8M 0 35.8M 0% /dev/shm
tmpfs 16.0M 0 16.0M 0% /media/ram
/dev/mtdblock5 25.9M 25.9M 0 100% /mnt/app
/dev/mtdblock6 4.0M 2.1M 1.9M 52% /mnt/para
tmpfs 8.0M 168.0K 7.8M 2% /mnt/cache
/dev/sda1 7.9G 680.3M 6.8G 9% /mnt/sda
tmpfs 2.0M 44.0K 2.0M 2% /mnt/tmp


#9

Post by smcmillan2 » Sun Mar 09, 2014 5:06 pm

woodchuck wrote:
> root@dm814x-evm:~# uname -a
> Linux dm814x-evm 2.6.37 #4 Fri Sep 21 11:11:53 CST 2012 armv7l unknown
> root@dm814x-evm:~# mount
> rootfs on / type rootfs (rw)
> /dev/root on / type cramfs (ro,relatime)

OK, try this

mount -rw /dev/root /

or

mount -o remount,rw /dev/root /

That should get your root filesystem to read-write mode.


#10

Post by milli260876 » Sun Mar 09, 2014 6:55 pm

Can't you just set your router to allow access to specific mac addresses only ?
Lee


#11

Post by woodchuck » Mon Mar 10, 2014 1:47 am

smcmillan2-

Thanks for the help. The first command results in:

ntfs-3g: Failed to access volume '/dev/root': No such file or directory

ntfs-3g 2012.1.15 integrated FUSE 27 - Third Generation NTFS Driver
                Configuration type 1, XATTRS are on, POSIX ACLS are off

Copyright (C) 2005-2007 Yura Pakhuchiy
Copyright (C) 2006-2009 Szabolcs Szakacsits
Copyright (C) 2007-2011 Jean-Pierre Andre
Copyright (C) 2009 Erik Larsson

Usage:    ntfs-3g [-o option[,...]] <device|image_file> <mount_point>

Options:  ro (read-only mount), remove_hiberfile, uid=, gid=,
          umask=, fmask=, dmask=, streams_interface=.
          Please see the details in the manual (type: man ntfs-3g).

Example: ntfs-3g /dev/sda1 /mnt/windows

News, support and information:  http://tuxera.com

The second command returns no information, but when I try vi /etc/passwd, I still get the "Read-only file system" message.

milli260876-

I can and do exactly that. But leaving it with no password feels the same as leaving my HTPC with no admin password. Not cool...


#12

Post by STC » Mon Mar 10, 2014 2:15 am

By no means an expert here, isn't it possible to just disable telnet/SSH?

#13

Post by barnabas1969 » Mon Mar 10, 2014 1:55 pm



#14

Post by woodchuck » Mon Mar 10, 2014 2:08 pm

barnabas1969 wrote:
> Try reading this:
> http://console-cowboys.blogspot.com/201 ... urity.html

Yeah, that's the other post I frequent. I'm the guy at the bottom of the thread!

As for telnet, there is no option to disable it in the web gui. I can kill it, but it restarts when the dvr reboots.


#15

Post by smcmillan2 » Mon Mar 10, 2014 2:23 pm

My bad, entirely missed that /dev/root is cramfs which is a read-only filesystem. No mount options to make it read-write.

The ability to add/change anything on this machine would be up to whatever tools/interfaces the manufacturer supplied. You might want to contact them and see if they can provide a way to set the password.

Or, if you can get an image of the system you could potentially convert it to an EXT3 or 4 filesystem, but that would be a lot of work.
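
Added example, not part of the thread: a small Python audit of captured `mount` output that separates filesystems that are read-only by design (such as the cramfs root discussed above, where a remount cannot help) from volatile RAM-backed mounts and persistent writable storage. The sample is a constructed subset of the output posted earlier in the thread; the category names and the lists of filesystem types are this example's own assumptions.

```python
import re

# Filesystem types whose Linux drivers have no write support: remount,rw cannot work.
READ_ONLY_BY_DESIGN = {"cramfs", "squashfs", "romfs", "iso9660"}
# RAM-backed or kernel pseudo filesystems: writable, but nothing survives a reboot.
VOLATILE = {"tmpfs", "ramfs", "rootfs", "devtmpfs", "proc", "sysfs", "devpts", "usbfs"}

MOUNT_LINE = re.compile(r"^(\S+) on (\S+) type (\S+) \(([^)]*)\)$")

# Constructed sample: a subset of the `mount` output posted in the thread.
SAMPLE = """\
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
tmpfs on /var/volatile type tmpfs (rw,relatime,size=16384k)
/dev/mtdblock5 on /mnt/app type cramfs (ro,relatime)
/dev/mtdblock6 on /mnt/para type yaffs2 (rw,relatime)
/dev/sda1 on /mnt/sda type ext3 (rw,noatime,nodiratime,errors=continue,barrier=0,data=writeback)
"""

def classify(mount_output):
    """Map each mount point to (fstype, verdict). A later line for the same
    mount point replaces an earlier one, because the later mount shadows it."""
    result = {}
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        _dev, point, fstype, opts = m.groups()
        flags = opts.split(",")
        if fstype in READ_ONLY_BY_DESIGN:
            verdict = "read-only by design"
        elif fstype in VOLATILE:
            verdict = "volatile"
        elif "ro" in flags:
            verdict = "read-only, remountable"
        else:
            verdict = "persistent writable"
        result[point] = (fstype, verdict)
    return result

def persistent_writable(mount_output):
    """Mount points where a change would survive a reboot."""
    return sorted(p for p, (_t, v) in classify(mount_output).items()
                  if v == "persistent writable")

if __name__ == "__main__":
    for point, (fstype, verdict) in classify(SAMPLE).items():
        print(f"{point:15} {fstype:8} {verdict}")
```
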


#16

Post by barnabas1969 » Mon Mar 10, 2014 3:29 pm

I just played around with mine. That python script only returns a bunch of gibberish. I ran WireShark and logged into the thing, then went to the user config tab. WireShark does, indeed, see all the usernames and passwords in the clear. I modified the python script to send the hex string that the ActiveX plugin was sending, but when I run the python script with that string alone, the DVR returns an empty string. It appears that my DVR has been patched to disallow fetching the usernames/passwords without logging in first. It also does not allow me to login via Telnet using the usernames/passwords that are configured... so it appears that even if someone got my usernames/passwords, they wouldn't be able to access the OS anyway.

I have mine configured to use non-default port numbers, so that does help a little. One thing I wish is that I could change the default Admin username to something else. The fact that the username is always Admin, and the password is always 6-digits numeric (and this is documented on the manufacturer's website) makes it pretty easy to hack via a brute force attack.


#17

Post by woodchuck » Mon Mar 10, 2014 4:09 pm

Hey barnabas, if you telnet in and just type root as the username, no password, can you get in?


#18

Post by barnabas1969 » Mon Mar 10, 2014 4:25 pm

No. I tried that. I also tried Password, password, root, etc.


#19

Post by woodchuck » Mon Mar 10, 2014 6:31 pm

Wow, so on mine, I can telnet in as root with no password, then vi /mnt/para/usr.cfg, I can see all the webGUI users and passwords in clear text. Yuck. Yes my dvr isn't exposed to the internet, but wow is that ever a hideous security hole!


#20

Post by barnabas1969 » Mon Mar 10, 2014 6:38 pm

Yeah, and if you Google "web client for edvs/edvr" you get thousands of hits. A simple little program could be used to do a brute force attack to get the password. Since it's all numeric and you know the Admin username, it would probably only take a few minutes to get in.
