I managed to get hold of an Axis 225FD IP camera (EOL already) powered by the Axis-made ETRAX 100LX CPU, which is a simplified 32-bit RISC CPU (see http://kernel.org/doc/Documentation/cris/README).
First I flashed the latest firmware (and probably the last released one) on the device, 4.49.
The output was promising:
So it does run Linux :)
Preparing system for upgrade ...
Starting run level 4 (stop most daemons) ...
Waiting for run level 4 to start ...
Run level 4 started.
Waiting for run level 4 to finish ...
... waiting ...
... waiting ...
... waiting ...
... waiting ...
... waiting ...
Run level 4 finished.
Stopping some remaining processes.
sending TERM signal ...
Most processes stopped.
The file system will be upgraded after reboot.
Unmounting file system /var ...
Unmounting file system /mnt/flash ...
File systems successfully shut down.
found magic
Receiving new firmware ...
Receiving new firmware ...
Receiving new firmware ...
Erasing old file system ...
/dev/part/kernel
1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 11% 12%
13% 14% 15% 16% 17% 18% 19% 20% 21% 22% 23% 24%
25% 26% 27% 28% 29% 30% 31% 32% 33% 34% 35% 36%
37% 38% 39% 40% 41% 42% 43% 44% 45% 46% 47% 48%
49% 50% 51% 52% 53% 54% 55% 56% 57% 58% 59% 60%
61% 62% 63% 64% 65% 66% 67% 68% 69% 70% 71% 72%
73% 74% 75% 76% 77% 78% 79% 80% 81% 82% 83% 84%
85% 86% 87% 88% 89% 90% 91% 92% 93% 94% 95% 96%
97% 98% 99% 100%
Loading new file system ...
/dev/part/kernel
1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 11% 12%
13% 14% 15% 16% 17% 18% 19% 20% 21% 22% 23% 24%
25% 26% 27% 28% 29% 30% 31% 32% 33% 34% 35% 36%
37% 38% 39% 40% 41% 42% 43% 44% 45% 46% 47% 48%
49% 50% 51% 52% 53% 54% 55% 56% 57% 58% 59% 60%
61% 62% 63% 64% 65% 66% 67% 68% 69% 70% 71% 72%
73% 74% 75% 76% 77% 78% 79% 80% 81% 82% 83% 84%
85% 86% 87% 88% 89% 90% 91% 92% 93% 94% 95% 96%
97% 98% 99% 100%
The system upgrade completed successfully.
The unit will now reboot.
To continue, please connect to the unit again.
There may be a short delay before the new connection is accepted.
This connection will now close.
Next, I enabled the ftp feature on the system. After logging on with the meaningful "root" account, I saw this:
Connected to 192.168.0.90 (192.168.0.90).
220 AXIS 225FD Network Fixed Dome Camera 4.49 (Mar 15 2010) ready.
Name (192.168.0.90:root): root
503 Bad sequence of commands.
SSL not available
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Command okay.
150 Opening data connection.
-rw-r--r-- 1 root root 30720 Mar 15 2010 .var.tar
drwxr-xr-x 1 root root 2444 Mar 15 2010 bin
drwxr-xr-x 1 root root 2020 Mar 15 2010 dev
lrwxrwxrwx 1 root root 13 Mar 15 2010 etc -> mnt/flash/etc/
drwxr-xr-x 1 root root 1228 Mar 15 2010 lib
-rwxr-xr-x 1 root root 1555 Mar 15 2010 linuxrc
drwxr-xr-x 1 root root 104 Mar 15 2010 mnt
dr-xr-xr-x 78 root root 0 Oct 18 11:08 proc
drwx------ 1 root root 0 Mar 15 2010 root
drwxr-xr-x 1 root root 588 Mar 15 2010 sbin
drwxr-xr-x 1 root root 16 Mar 15 2010 share
drwxr-xr-x 11 root root 0 Oct 18 11:08 sys
lrwxrwxrwx 1 root root 7 Mar 15 2010 tmp -> var/tmp/
drwxr-xr-x 1 root root 120 Mar 15 2010 usr
drwxr-xr-x 10 root root 200 Oct 18 11:08 var
226 Transfer complete.
ftp>
LOL, I got into the root directory of the device filesystem over the factory ftp server just using the root account. And yes, everything is writable.
Next stop: looking at the filesystem with a more visual tool (I prefer mc :). It looks like an industry-standard embedded Linux, with busybox and such. And voilà! There IS a /usr/sbin/telnetd symlink, which points to the busybox binary. Now I just had to start it.
Looking at /etc/init.d/, there is a start script called http for the boa web server, which always starts with the device. Adding one line ("/usr/sbin/telnetd") to the start section does the trick.
After a reset of the device I just telnet in and do the victory dance.
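A mirrored copy of a device filesystem can be checked for this kind of change. The script below is an added example, not code from the original post: it lists remote-login daemons present in the usual binary directories (typically busybox symlinks) and the init-script lines that start them. The daemon list and the sample tree, including the contents of the http script, are constructed assumptions.

```shell
# Added example. Daemon names to look for (assumed list; extend as needed).
DAEMON_RE='telnetd|rlogind|rshd'

# Print each remote-login daemon found in the usual binary directories.
find_daemon_applets() {
    root=$1
    for p in "$root"/bin/* "$root"/sbin/* "$root"/usr/bin/* "$root"/usr/sbin/*; do
        printf '%s\n' "${p##*/}" | grep -qxE "$DAEMON_RE" || continue
        tgt=$(readlink "$p") || tgt='(regular file)'
        printf '%s -> %s\n' "${p#"$root"}" "$tgt"
    done
}

# Print "script:line:text" for each non-comment init-script line that runs one.
find_daemon_launches() {
    root=$1
    for f in "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        grep -nE "(^|[[:space:]/;&(])($DAEMON_RE)([[:space:];&)]|\$)" "$f" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            while IFS= read -r hit; do
                printf '%s:%s\n' "${f#"$root"}" "$hit"
            done
    done
}

# Build a constructed sample tree that mimics the change described in the post.
make_sample_rootfs() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/bin" "$dir/usr/sbin" "$dir/etc/init.d"
    : > "$dir/bin/busybox"
    ln -s ../../bin/busybox "$dir/usr/sbin/telnetd"
    cat > "$dir/etc/init.d/http" <<'EOF'
#!/bin/sh
case "$1" in
  start)
    # constructed sample: the telnetd line below is the added one
    /bin/boa -c /etc/httpd/conf &
    /usr/sbin/telnetd
    ;;
esac
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_rootfs)
find_daemon_applets "$sample"
find_daemon_launches "$sample"
rm -rf "$sample"
```

Run against a known-good firmware image first; any init-script hit that is absent from that baseline deserves a closer look.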
Remember the hacker movies of the 90's? I'm in :)
root@sysresccd /root % telnet 192.168.0.90
Trying 192.168.0.90...
Connected to 192.168.0.90.
Escape character is '^]'.
4.49
Linux 2.6.27 on a cris (12:37:54)
axis-00408c957432 login: root
Password:
[root@axis-00408c957432 /]659#
Some more goodies:
[root@axis-00408c957432 /]659# uname -a
Linux axis-00408c957432 2.6.27 #1 Mon Mar 15 11:24:43 CET 2010 cris unknown
[root@axis-00408c957432 /]659# dmesg
Linux version 2.6.27 (bogw@eater-1) (gcc version 3.2.1 Axis release R64/1.64) #1 Mon Mar 15 11:24:43 CET 2010
And of course:
[root@axis-00408c957432 /]659# ps
PID Uid VmSize Stat Command
1 root 232 S init
2 root SW< [kthreadd]
3 root SW< [ksoftirqd/0]
4 root SW< [events/0]
5 root SW< [khelper]
20 root SW< [kblockd/0]
37 root SW [pdflush]
38 root SW [pdflush]
39 root SW< [kswapd0]
40 root SW< [aio/0]
78 root SW< [mtdblockd]
103 root SWN [jffs2_gcd_mtd2]
166 root 440 S /bin/sh
171 root 248 S /sbin/respawnd
175 root 264 S /bin/log_combiner -o40000
184 root 304 S /usr/sbin/syslogd -m 0 -o 40000
188 root 264 S /usr/sbin/klogd -x
194 root 248 S /sbin/ipchanged -e /etc/ipchanged.script
279 root 272 S /sbin/zeroconf-ip -i eth0
290 root 256 S /usr/bin/bw --directory /var/cache/bw --text-file bw
314 root 312 S /bin/time_handler
321 root 336 S /bin/vftpd -r -q 0 -Q 0
326 root 240 S /bin/client_counter -d
332 root 608 S /bin/parhand /dev/null 50011 -d /usr/etc/param -d /et
347 root 304 S /bin/axisns add -w -d
360 root 520 S /bin/infod
363 root 520 S /bin/infod
364 root 520 S /bin/infod
372 root 520 S /bin/infod
374 root 520 S /bin/infod
376 root 336 S /bin/vcd
390 root 656 S N /bin/image_viewer -q 0 -N 10
392 root 656 S N /bin/image_viewer -q 0 -N 10
393 root 656 S N /bin/image_viewer -q 0 -N 10
395 root 656 S N /bin/image_viewer -q 0 -N 10
397 root 656 S N /bin/image_viewer -q 0 -N 10
398 root 656 S N /bin/image_viewer -q 0 -N 10
400 root 656 S N /bin/image_viewer -q 0 -N 10
401 root 656 S N /bin/image_viewer -q 0 -N 10
402 root 656 S N /bin/image_viewer -q 0 -N 10
403 root 656 S N /bin/image_viewer -q 0 -N 10
404 root 656 S N /bin/image_viewer -q 0 -N 10
405 root 656 S N /bin/image_viewer -q 0 -N 10
407 root 656 S N /bin/image_viewer -q 0 -N 10
409 root 656 S N /bin/image_viewer -q 0 -N 10
411 root 656 S N /bin/image_viewer -q 0 -N 10
414 root 656 S N /bin/image_viewer -q 0 -N 10
415 root 656 S N /bin/image_viewer -q 0 -N 10
418 root 656 S N /bin/image_viewer -q 0 -N 10
421 root 656 S N /bin/image_viewer -q 0 -N 10
423 root 656 S N /bin/image_viewer -q 0 -N 10
426 root 656 S N /bin/image_viewer -q 0 -N 10
429 root 656 S N /bin/image_viewer -q 0 -N 10
432 root 656 S N /bin/image_viewer -q 0 -N 10
440 root 392 S /bin/recorder --backend /lib/recorder/artpec2-jpg.so
441 root 184 S /bin/recorder_cache_manager
463 root 552 S < /bin/media_server -R --nice -1 -r 3
497 root 280 S /bin/utask -f /etc/task.list -f /etc/user.task.list -
513 root 232 S /bin/mld /var/log/crit_mld_pipe -w /var/log/warning_m
531 root 752 S /usr/bin/motion -c /etc/emotiond.conf
541 root 368 S /bin/iod
547 root 560 S /bin/ssid
553 root 256 S /bin/ird /dev/cam0
559 root 600 S /usr/bin/tampering -c /etc/tampering.conf
571 root 272 S /bin/lang_handler
577 root 416 S /usr/sbin/telnetd
579 root 760 S /bin/boa -c /etc/httpd/conf
585 root 264 S /bin/sersrvd -d
605 root 280 S /usr/sbin/debugar.cgi
659 root 448 S -sh
668 root 376 R ps
In terms of security (as this is a security product)... we shall not speak again about the possibility of logging in as root.