lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 5 Apr 2019 23:10:20 +0530
From: Sachin Wagh <wsachin092@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] HD Pan/Tilt Wi-Fi Camera NC450 Hard-Coded Credential
	Vulnerability

*Summary:*

The NC450 is your favorable companion that meets to home and office
surveillance needs, keeping you in touch with what matters most. With its
smooth and durable Pan/Tilt of up to 300/110 degrees, you can turn the
camera to almost any position you want and watch over a wider area of your
home.

HD Pan/Tilt Wi-Fi Camera NC450 contain hard-coded credentials within its
Linux distribution image. This credentials (root:root) cannot be changed
through any normal operation of the camera.

*Vendor:*

TP-LINK Technologies Co., Ltd. - http://www.tp-link.us

*Affected Version:*

NC450 1.5.0 Build 181022 Rel.3A033D

*Vendor Status*

N/A

*Proof Of Concept:*

/home/oit/Desktop/Firmware/_NC450_1.5.0_Build_181022_Rel.3A033D.bin.extracted/jffs2-root
[oit@...ntu] [10:34]
> grep -iRn "root:" .
Binary file ./fs_1/bin/pppd matches
./fs_1/etc/passwd:1:root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux
User,,,:/home/root:/bin/sh
./fs_1/etc/group:1:root:x:0:


root@...i:~# cat hash.me
root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:/bin/sh
root@...i:~# john hash.me --show
root:root:0:0:Linux User,,,:/home/root:/bin/sh

1 password hash cracked, 0 left

*Credit:*

Sachin Wagh (@tiger_tigerboy)

*Reference:*

https://www.tp-link.com/in/home-networking/cloud-camera/nc450/
https://www.tp-link.com/in/support/download/nc450/#Firmware

Best Regards,

*Sachin Wagh*
Security Researcher

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists