Root with no password on an embedded device!
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
Hi Guys-
Not really the forum for it, but it's hard to really find a place to get feedback on messing with an embedded device. Let me know if you guys know of a good forum for it.
I recently uncovered the fact that my cheapo security camera DVR system can be telneted into, and has no root password! Wonderful! Thankfully I never expose this insecure thing to the internet, but I would like to get a root password on it. The problem is that the filesystem is mounted as read-only, so running passwd or vi /etc/passwd gets nowhere cause the file cannot be saved. I'm looking for ideas here on how to get a password on this sucker.
-
- Posts: 82
- Joined: Mon Jul 22, 2013 6:09 pm
- Location: Farmington, MI
-
HTPC Specs:
woodchuck wrote:
Hi Guys-
Not really the forum for it, but it's hard to really find a place to get feedback on messing with an embedded device. Let me know if you guys know of a good forum for it.
I recently uncovered the fact that my cheapo security camera DVR system can be telneted into, and has no root password! Wonderful! Thankfully I never expose this insecure thing to the internet, but I would like to get a root password on it. The problem is that the filesystem is mounted as read-only, so running passwd or vi /etc/passwd gets nowhere cause the file cannot be saved. I'm looking for ideas here on how to get a password on this sucker.

Have you tried mount -rw / and then running passwd?
I've seen some *nix based devices such as routers that dynamically create the filesystem structures based on config files, so changing the password via conventional methods may not "stick" upon reboot - You would have to find the config file(s) that generates the passwd/shadow file and make your changes there (if your camera is such a device).
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
Hadn't tried it, thanks. The result is "Failed to access volume 'rootfs': No such file or directory". Not sure what to make of that.
-
- Posts: 2893
- Joined: Sat Jun 11, 2011 2:31 pm
- Location:
-
HTPC Specs:
The phrase "you got what you paid for" suddenly will not leave my mind.
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
I can get serial access, if I open it up.
-
- Posts: 82
- Joined: Mon Jul 22, 2013 6:09 pm
- Location: Farmington, MI
-
HTPC Specs:
woodchuck wrote:
Hadn't tried it, thanks. The result is "Failed to access volume 'rootfs': No such file or directory". Not sure what to make of that.

Interesting. What is the output of the following?
uname -a
mount
df -h
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
login: root
Last login: Sun Mar 9 14:23:07 on pts/0
root@dm814x-evm:~# uname -a
Linux dm814x-evm 2.6.37 #4 Fri Sep 21 11:11:53 CST 2012 armv7l unknown
root@dm814x-evm:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=36516k,nr_inodes=9129,mode=755)
proc on /proc type proc (rw,relatime)
tmpfs on /mnt/.splash type tmpfs (rw,relatime,size=40k)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type tmpfs (rw,relatime,size=1024k,nr_inodes=8192,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw,relatime)
tmpfs on /var/volatile type tmpfs (rw,relatime,size=16384k)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
tmpfs on /media/ram type tmpfs (rw,relatime,size=16384k)
/dev/mtdblock5 on /mnt/app type cramfs (ro,relatime)
/dev/mtdblock6 on /mnt/para type yaffs2 (rw,relatime)
tmpfs on /mnt/cache type tmpfs (rw,noatime,nodiratime,size=8192k,nr_inodes=4000)
/dev/sda1 on /mnt/sda type ext3 (rw,noatime,nodiratime,errors=continue,barrier=0,data=writeback)
tmpfs on /mnt/tmp type tmpfs (rw,relatime,size=2048k)
root@dm814x-evm:~# df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 17.5M 17.5M 0 100% /
devtmpfs 1.0M 72.0K 952.0K 7% /dev
tmpfs 40.0K 0 40.0K 0% /mnt/.splash
none 1.0M 72.0K 952.0K 7% /dev
tmpfs 16.0M 28.0K 16.0M 0% /var/volatile
tmpfs 35.8M 0 35.8M 0% /dev/shm
tmpfs 16.0M 0 16.0M 0% /media/ram
/dev/mtdblock5 25.9M 25.9M 0 100% /mnt/app
/dev/mtdblock6 4.0M 2.1M 1.9M 52% /mnt/para
tmpfs 8.0M 168.0K 7.8M 2% /mnt/cache
/dev/sda1 7.9G 680.3M 6.8G 9% /mnt/sda
tmpfs 2.0M 44.0K 2.0M 2% /mnt/tmp
-
- Posts: 82
- Joined: Mon Jul 22, 2013 6:09 pm
- Location: Farmington, MI
-
HTPC Specs:
woodchuck wrote:
root@dm814x-evm:~# uname -a
Linux dm814x-evm 2.6.37 #4 Fri Sep 21 11:11:53 CST 2012 armv7l unknown
root@dm814x-evm:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)

OK, try this
mount -rw /dev/root /
mount -o remount,rw /dev/root /
-
- Posts: 726
- Joined: Wed Jun 08, 2011 2:56 pm
- Location: Barnsley Sth Yorks
-
HTPC Specs:
Can't you just set your router to allow access to specific MAC addresses only?
Lee
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
smcmillan2-
Thanks for the help. The first command results in:
ntfs-3g: Failed to access volume '/dev/root': No such file or directory
ntfs-3g 2012.1.15 integrated FUSE 27 - Third Generation NTFS Driver
Configuration type 1, XATTRS are on, POSIX ACLS are off
Copyright (C) 2005-2007 Yura Pakhuchiy
Copyright (C) 2006-2009 Szabolcs Szakacsits
Copyright (C) 2007-2011 Jean-Pierre Andre
Copyright (C) 2009 Erik Larsson
Usage: ntfs-3g [-o option[,...]] <device|image_file> <mount_point>
Options: ro (read-only mount), remove_hiberfile, uid=, gid=,
umask=, fmask=, dmask=, streams_interface=.
Please see the details in the manual (type: man ntfs-3g).
Example: ntfs-3g /dev/sda1 /mnt/windows
News, support and information: http://tuxera.com
The second command returns no information, but when I try vi /etc/passwd, I still get the "Read-only file system" message.
milli260876-
I can and do exactly that. But leaving it with no password feels the same as leaving my HTPC with no admin password. Not cool...
-
- Posts: 5738
- Joined: Tue Jun 21, 2011 7:23 pm
- Location: Titusville, Florida, USA
-
HTPC Specs:
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
barnabas1969 wrote:
Try reading this:
http://console-cowboys.blogspot.com/201 ... urity.html

Yeah, that's the other post I frequent. I'm the guy at the bottom of the thread!
As for telnet, there is no option to disable it in the web gui. I can kill it, but it restarts when the dvr reboots.
-
- Posts: 82
- Joined: Mon Jul 22, 2013 6:09 pm
- Location: Farmington, MI
-
HTPC Specs:
My bad, entirely missed that /dev/root is cramfs which is a read-only filesystem. No mount options to make it read-write.
The ability to add/change anything on this machine would be up to whatever tools/interfaces the manufacturer supplied. You might want to contact them and see if they can provide a way to set the password.
Or, if you can get an image of the system you could potentially convert it to an EXT3 or 4 filesystem, but that would be a lot of work.
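Added example, not part of the thread: a small shell/awk classifier for `mount` output that shows why `/etc/passwd` cannot be saved on this box and which mounts would actually keep a change across a reboot. The function names and the state labels are this example's own; the sample lines are abridged from the output woodchuck posted above.

```shell
#!/bin/sh
# Added example, not from the thread: classify `mount` output by whether a
# change can be written there and whether it survives a reboot.

# Sample input: lines abridged from the output woodchuck posted above.
sample_mounts() {
    cat <<'EOF'
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var/volatile type tmpfs (rw,relatime,size=16384k)
/dev/mtdblock5 on /mnt/app type cramfs (ro,relatime)
/dev/mtdblock6 on /mnt/para type yaffs2 (rw,relatime)
/dev/sda1 on /mnt/sda type ext3 (rw,noatime,nodiratime,errors=continue,barrier=0,data=writeback)
EOF
}

# Prints "mountpoint fstype state". A later mount on the same mountpoint
# shadows the earlier one, so only the last entry per mountpoint is reported.
classify_mounts() {
    awk '
    $2 == "on" && $4 == "type" {
        mnt = $3; fs = $5; opts = $6
        gsub(/[()]/, "", opts)
        ro = ("," opts ",") ~ /,ro,/
        if (fs ~ /^(cramfs|squashfs|romfs|iso9660)$/)
            state = "immutable"      # format has no write support at all
        else if (fs ~ /^(proc|sysfs|devpts|usbfs)$/)
            state = "virtual"        # kernel interface, not storage
        else if (fs ~ /^(rootfs|ramfs|tmpfs|devtmpfs)$/)
            state = ro ? "readonly" : "volatile"    # RAM-backed
        else
            state = ro ? "readonly" : "persistent"  # flash or disk
        if (!(mnt in seen)) { seen[mnt] = 1; order[++n] = mnt }
        result[mnt] = fs " " state
    }
    END { for (i = 1; i <= n; i++) print order[i], result[order[i]] }'
}

# Mountpoints where a written file would still be there after a reboot.
persistent_mounts() {
    classify_mounts | awk '$3 == "persistent" { print $1 }'
}

sample_mounts | classify_mounts
```

On the posted output, `/` resolves to the cramfs entry (the `rootfs ... (rw)` line is shadowed), so a remount cannot help; only the yaffs2 and ext3 mounts are both writable and persistent.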
-
- Posts: 5738
- Joined: Tue Jun 21, 2011 7:23 pm
- Location: Titusville, Florida, USA
-
HTPC Specs:
I just played around with mine. That Python script only returns a bunch of gibberish. I ran Wireshark and logged into the thing, then went to the user config tab. Wireshark does, indeed, see all the usernames and passwords in the clear. I modified the Python script to send the hex string that the ActiveX plugin was sending, but when I run the Python script with that string alone, the DVR returns an empty string. It appears that my DVR has been patched to disallow fetching the usernames/passwords without logging in first. It also does not allow me to log in via Telnet using the usernames/passwords that are configured... so it appears that even if someone got my usernames/passwords, they wouldn't be able to access the OS anyway.
I have mine configured to use non-default port numbers, so that does help a little. One thing I wish is that I could change the default Admin username to something else. The fact that the username is always Admin, and the password is always 6-digit numeric (and this is documented on the manufacturer's website) makes it pretty easy to hack via a brute force attack.
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
Hey barnabas, if you telnet in and just type root as the username, no password, can you get in?
-
- Posts: 5738
- Joined: Tue Jun 21, 2011 7:23 pm
- Location: Titusville, Florida, USA
-
HTPC Specs:
No. I tried that. I also tried Password, password, root, etc.
- woodchuck
- Posts: 338
- Joined: Tue Jun 14, 2011 9:43 pm
- Location:
-
HTPC Specs:
Wow, so on mine, I can telnet in as root with no password, then vi /mnt/para/usr.cfg, I can see all the webGUI users and passwords in clear text. Yuck. Yes my dvr isn't exposed to the internet, but wow is that ever a hideous security hole!
-
- Posts: 5738
- Joined: Tue Jun 21, 2011 7:23 pm
- Location: Titusville, Florida, USA
-
HTPC Specs:
Yeah, and if you Google "web client for edvs/edvr" you get thousands of hits. A simple little program could be used to do a brute force attack to get the password. Since it's all numeric and you know the Admin username, it would probably only take a few minutes to get in.