Remote Code Execution via XMEye P2P Cloud in XiongMai IP Cameras, NVRs and DVRs

  1. An attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs);
  2. All new XMEye accounts use a default admin username of "admin" with no password;
  3. Users aren't prompted to change this default password during the account setup process;
  4. Even if the user has changed the XMEye admin account password, there is also a second hidden account with the username and password combo of default/tluafed; and finally
  5. Access to this account allows an attacker to trigger a firmware update because the firmware isn't signed.

XiongMai is an OEM company. Their products are not branded: instead, the company makes the cameras and puts on the brand/logo of their "partners".

The products are listed under the following "brands":

9Trading, Abowone, AHWVSE, ANRAN, ASECAM, Autoeye, AZISHN, A-ZONE, BESDER/BESDERSEC, BESSKY, Bestmo, BFMore, BOAVISION, BULWARK, CANAVIS, CWH, DAGRO, datocctv, DEFEWAY, digoo, DiySecurityCameraWorld, DONPHIA, ENKLOV, ESAMACT, ESCAM, EVTEVISION, Fayele, FLOUREON, Funi, GADINAN, GARUNK, HAMROL, HAMROLTE, Highfly, Hiseeu, HISVISION, HMQC, IHOMEGUARD, ISSEUSEE, iTooner, JENNOV, Jooan, Jshida, JUESENWDM, JUFENG, JZTEK, KERUI, KKMOON, KONLEN, Kopda, Lenyes, LESHP, LEVCOECAM, LINGSEE, LOOSAFE, MIEBUL, MISECU, Nextrend, OEM, OLOEY, OUERTECH, QNTSQ, SACAM, SANNCE, SANSCO, SecTec, Shell film, Sifvision / sifsecurityvision, smar, SMTSEC, SSICON, SUNBA, Sunivision, Susikum, TECBOX, Techage, Techege, TianAnXun, TMEZON, TVPSii, Unique Vision, unitoptek, USAFEQLO, VOLDRELI, Westmile, Westshine, Wistino, Witrue, WNK Security Technology, WOFEA, WOSHIJIA, WUSONLUSAN, XIAO MA, XinAnX, xloongx, YiiSPO, YUCHENG, YUNSYE, zclever, zilnk, ZJUXIN, zmodo, and ZRHUNTER.

If anyone owns any of these internet-facing cameras, DVRs or NVRs, please take them off the network.

If anyone wants to buy a "reasonably priced" internet camera, DVR or NVR, check first if it's using an XMEye account. If it is, walk away.

Hope this helps.

Comments

  • +2

    Already knew this was possible a long time ago, which is why I warned anyone who was going to buy the cheap CCTV cameras on eBay to change the SSH password, and close unneeded ports etc.

  • -1

    So like 90% of internet of shit devices then.

    I don't know why people are bothering to mention the default passwords issue when it has a backdoor.

  • Q:
    So is it safe if you change both passwords???
    Can anyone see any major issues with using these cameras for outdoor use only? (less privacy concern if facing street and backyard only)
    Thanks!

    • So is it safe if you change both passwords???

      There is also a second hidden account with the username and password combo of default/tluafed which cannot be changed. Next, because this username/password cannot be changed, anyone can reverse engineer the Mirai botnet and target these cameras/DVRs and can do whatever they want.

      It is best to save your money and buy something which is "suitable".

  • I was actually thinking of buying the AnRan Wireless 1080p IP Camera but maybe I should be getting GenBolt ones instead.

    • but maybe I should be getting GenBolt ones

      Before buying, check the instruction manual. Check first if this product uses the XMEye account. If it does, this product is manufactured by XM (and this means it's vulnerable).
