TRENDnet IP Camera Multiple Vulnerabilities

1. TRENDnet IP Camera Multiple Vulnerabilities
Discovered by insight-labs [hip]
Thanks Team Members [Monster] [Anthr@X] [Bacde][Dragon]
Brand: TRENDnet
Model: TV-IP422W
Abstract:
Get into your internal network from your IP camera is actually happening, stay alert.
Vulnerability analysis:
1.Arbitrary Upload Vulnerability
Environment: This IP cam is an ARM cpu platform, use Busybox embedded Linux as
OS. The one I have got is upgraded to latest firmware.
Vulnerabile File: upload.asp
This program exists at 2 locations:
1./upload.asp
2./admin/upload.asp
web source code:

2. Both program post to /cgi/debug/upload.cgi
upload.cgi receives 2 input parameters, path0 and data0
However, these 2 parameters are never filtered or checked whatsoever.
We can get some information from the strings.
Now we do some testing on the upload program. Target0: Physical location of the
webroot is /server/cgi-bin , how about we upload a asp webshell :P
From the following screenshot, we certain that the webshell is successfully uploaded,
but a few key functions are not supported, for example, eval().
Now we upload CGI webshell.

3. During our testing, we found that cgi run on the IP cam must follow certain format,
otherwise it will appear to be uploaded but unable to run, result in a 404 not found.
The desired CGI is compiled from C, which has specific compile requirements:
ELF 32-bit LSB executable, ARM, version 1, dynamically linked (uses shared libs),
stripped
Later on, although the file we uploaded followed the compile requirements, but still
result in 404 error. Could there be a white list on file names?
Upload one more time, this time we overwrite an existing cgi file, and it works :D
http://domain/reboot.cgi?action=asd;ls;date%3E/dev/null

4. BTW: many other models are also vulnerable.
2. TRENDnet Config.cfg Weak encryption issue
Config.cfg file stores all the configuration of the device, in an encrypted format, a
very weak one. If the device is configured to use FTP or SMTP, usernames and
passwords will be stored in config.cfg in plaintext format.

5. How the file is encrypted:
download config.cfg can be through path: http://domain/backup.cgi
First, bitwise NOT the entire file in binary, then XOR against 0x6a, which is the ASCII
character 'j'
Therefore decryption is reverse the steps:

6. Decryption script:
decrypt.py
def conf_decode(data):
r = ""
for c in data:
x = ord(c) ^ ord('j')
x = (~x)&0xff
r += chr(x)
return r
def main():
f = open("config.cfg", 'rb+')
d = open("decode.gz", 'wb+')
x = f.read()
y = conf_decode(x)
d.write(y)
f.close()
d.close()
if __name__ == "__main__":
main()

7. 3. SecurView Mobile (Android) Insecure Data Storage - Plaintext password in db
File:SecurViewMobile_1.0.apk
Did a quick analysis on the apk file, stored password is not encrypted.
Steps:
1.open Andorid simulator.
2.adb install SecurViewMobile_1.0.apk
3.Input a record.
4. Get in ddms, retrieve cameraprovider.db
5.open cameraprovider.db