Thursday, 24 November 2016

Trying to identify a cheap security DVR's real manufacturer

So, someone I know has a cheap security DVR from Aldi. Distributed by "WinPlus Australia", it's been designated the brand and model "Cocoon Digital Video Security System IT115008".

With the latest hype around the Mirai botnet commandering things exactly like such a security DVR, I decided to get in touch with the local distributor and ask them if any issues had been reported, advisories released, or updates made available.
I was told:
Thanks for your query.
There has not been security issues reported or identified for this product.
There is no software update for this product at this stage.
This didn't put me at ease. As it was made in China for the Australian market, it doesn't have an FCC ID, just an A-tick and I don't want to physically crack it open juuuust yet. I'm also convinced whilst the local distributor had a home-brand stamped on it, it's likely an off-the-shelf product from some Chinese OEM.

I tried to hit it via the web, and on port 8080 it responded that I must use Internet Explorer or I cannot access it. Ok, so it has an ActiveX bundle it wants to foist on me - I use Linux, and even if I didn't, that's not happening, thanks!

Alrighty, I search webpage source code, find the reference to a .cab file, pull it down, extract it, and then run all the Windows binary files through "exiftool" looking for something that might hint at a manufacturer, and I find:
It bundles GPL components - I wonder if there's source code available for them? :)

What's strange, is that the web page source code also references older Chrome and Safari plugins, but their use has been disabled/commented out, and they're not included in the webserver output. The source code of the page also has several HTML comments in Mandarin, but none of them refer to a business name.

In the mean time, I'm running a port scan on it, and it comes back with:

$ exiftool *.dll *.ocx | egrep -i 'File Name|Company Name|File Description|Comments|Special\ Build'
File Name                       : AVI.dll
File Name                       : hi_h264dec_w.dll
Company Name                    : HiSilicon Technologies Co.,LTD
File Description                : H.264 PC Decoder
Original File Name              : hi_h264dec_w.dll
File Name                       : hisi_voice_engine.dll
Comments                        : 语音编解码器 (Translation: Speech CODEC)
Company Name                    : Co., Ltd.
File Description                : hisi_voice_engine
Original File Name              : hisi_voice_engine.dll
Special Build                   : 
File Name                       : lib_VoiceEngine_dll.dll
Comments                        : 语音编解码器 (T/L: Speech CODEC)
Company Name                    : 海思半导体有限公司 Hisilicon, Co., Ltd.
File Description                : lib_VoiceEngine_dll
Original File Name              : lib_VoiceEngine_dll.dll
Special Build                   : 
File Name                       : RSNet.dll
File Flags                      : Special build
File Description                : RSNet 动态链接库 (T/L: Dynamic Link Library)
Original File Name              : RSNet.dll
Special Build                   : 5.20 修改设备信息结构(登录时返回),使后续扩展不需要重新编译该库;修改搜索设备收到非法消息后错误中止的BUG;DDNS,Email test;参数查询方法内存泄露;增加远程抓拍功能;add force I frame;1.0.1.14:兼容数据包1400/8K;1.0.1.14:消息加密;16:ForecIframe加密修正;17:全消息加密
... (Translation: Modify the search device to receive illegal messages after the error stop BUG; DDNS, Email test; parameter query method memory leak; increase the remote capture function; modify the device information structure (log back) Add power I frame; 1.0.1.14: compatible packet 1400 / 8K; 1.0.1.14: message encryption; 16: ForecIframe encryption correction; 17: full message encryption)
File Name                       : RSPlay.dll
File Flags                      : Special build
File Description                : RSPlay.dll
Original File Name              : RSPlay.dll
Special Build                   : ffmeg裁减版;使用ffmpeg-0.8;11.10.12:动态加载ffmpeg,解码海斯编码器编码数据可以不打包ffmpeg相关库;111022:修正音频解码失败后无法再次打开音频的bug。AES解密,1.0.2.14:AES_ENC_LEN 64。1.0.2.15:显卡加速;1.0.2.16:图片放大校正;UpdateFrame位置调整;1.0.2.17:player进度拖动报错处理;91旧UI录像文件播放;抓拍前一帧;单实例音频控制
... (Translation: Ffmegg-0.8; 11.10.12: dynamic loading ffmpeg, decoding Hess encoder encoding data can not be packaged ffmpeg related library; 111022: Fixed audio decoding failed to open the audio again after the bug. AES decryption, 1.0.2.14: AES_ENC_LEN 64.1.0.2.15: graphics acceleration; 1.0.2.16: picture magnification correction; UpdateFrame position adjustment; 1.0.2.17: player progress drag error processing; 91 old UI video file playback; Frame; single instance audio control)
File Name                       : RSSkinNormal.dll
File Name                       : RSVideo.ocx
Original File Name              : RSVideo.ocx

I set up a remote VPN connection to this person I know's house and set about probing the box. A partial port-scan reveals:

  • Port 23 - Telnet ... hrrrmm
  • Port 8080 - HTTP ... served by Boa webserver
  • Port 9000 - Used by various Android and iOS clients that can talk to device

I can't help but think there's going to be some hard coded credentials on the telnet server, or otherwise there wouldn't be a reason to have it enabled by default.

Has anyone else dug a bit deeper into this particular DVR unit? I'm guessing I may just need to bite the bullet at some point and open it up... might be a good excuse to get a serial line level adaptor and go fiddling :)



1 comment:

  1. Hi, I asked myself a similar question, since most things are done in China today. You can try to check it's with this program d3dx9_43.dll download https://fix4dll.com/d3dx9_43_dll . In any case, with this help I solved some of my problems.

    ReplyDelete