jeffreydwalter / arlo

Python module for interacting with Netgear's Arlo camera system.
Apache License 2.0

Feature ? #192

Open beadon opened 2 years ago

beadon commented 2 years ago

So, I see there are a few ports open on the local device. TCP port 554, for example, is RTSP open to a local connection, and it also appears that there is control using SIP over TLS, which may be vulnerable to attack. Notably, if you have a closed system, and there's been a CA which has signed a public and private key, then by simply extracting one of the keys (the private key, likely on the base station), you should be able to decode the SIP TLS stream. Some light searching, and it also seems that SIP messages can be injected, since only the connection when established is encrypted, not the SIP messages themselves. If this is true, then spoofing the source IP address from a 'local' client and sending commands should get the hardware doing your bidding without needing to drive it all from an internet-connected website.

nmap results:

```
Host is up (0.011s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
554/tcp  open  rtsp
5061/tcp open  sip-tls
8100/tcp open  xprint-server

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
```

I believe that everything currently done with this set of scripts relies on authentication to the 'cloud' service over port 443? I suspect with these vulnerabilities, it may be possible to locally drive the devices. Has anyone spent any time skipping the cloud controls and going right at the gateway device?

beadon commented 2 years ago

Further details on a deeper scan:

```
:~$ sudo nmap -sS -sUV 192.168.1.154
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-31 21:21 EDT
NSOCK ERROR [1051.2450s] mksock_bind_addr(): Bind to 0.0.0.0:445 failed (IOD #19): Address already in use (98)
Nmap scan report for VMB4000 (192.168.1.154)
Host is up (0.0046s latency).
Not shown: 1996 closed ports
PORT     STATE SERVICE        VERSION
554/tcp  open  rtsp?
5061/tcp open  ssl/sip-tls?
8100/tcp open  xprint-server?
5353/udp open  mdns           DNS-based service discovery
MAC Address: A0:40:A0:8D:05:8D (Netgear)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1051.27 seconds
```
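The trailing `?` on `rtsp?` and `ssl/sip-tls?` in the scan above means nmap matched nothing in its probe database and is only guessing from the port number, so the first thing to do before reasoning about the SIP/TLS setup is to confirm what those ports actually speak. The script below is an added example written for this thread, not code from the `arlo` module or from the issue author: it parses the quoted nmap output (embedded here as a constructed copy), then sends an RTSP `OPTIONS` request to 554 and performs an unverified TLS handshake against 5061 to dump the server certificate for inspection. The host `192.168.1.154`, the port list and the timeouts are assumptions taken from the scan; nothing here tests the SIP-injection claim.

```python
"""Confirm nmap's service guesses for the VMB4000: RTSP on 554, TLS on 5061."""
import re
import socket
import ssl
import sys

# Constructed copy of the port table quoted in the issue (not live scan data).
NMAP_OUTPUT = """\
PORT     STATE SERVICE        VERSION
554/tcp  open  rtsp?
5061/tcp open  ssl/sip-tls?
8100/tcp open  xprint-server?
5353/udp open  mdns           DNS-based service discovery
"""

# One nmap "normal output" port line: 554/tcp  open  rtsp?  [version text]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_ports(text):
    """Return [(port, proto, state, service, version)] from nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append((int(port), proto, state, service, version or ""))
    return ports


def unconfirmed_services(ports):
    """Open TCP ports whose service name ends in '?' (nmap guessed from port number only)."""
    return [(p, s.rstrip("?")) for p, proto, state, s, _ in ports
            if proto == "tcp" and state == "open" and s.endswith("?")]


def build_rtsp_options(host, port=554, cseq=1):
    """RTSP/1.0 OPTIONS request (RFC 2326); a real RTSP server answers 'RTSP/1.0 200 OK'."""
    return (f"OPTIONS rtsp://{host}:{port}/ RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "User-Agent: arlo-local-probe\r\n\r\n").encode()


def parse_rtsp_response(data):
    """Return (status_code, {header: value}) or None if the reply is not RTSP."""
    head, _, _ = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"RTSP/1\.0 (\d{3})", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def probe_rtsp(host, port=554, timeout=3.0):
    """Send OPTIONS and parse whatever comes back (None means 'not RTSP')."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rtsp_options(host, port))
        return parse_rtsp_response(sock.recv(4096))


def probe_tls(host, port=5061, timeout=3.0):
    """Unverified TLS handshake; returns (version, cipher, PEM cert) so the issuer
    can be inspected offline, e.g. with `openssl x509 -noout -issuer -subject`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # IP address target, no name to check
    ctx.verify_mode = ssl.CERT_NONE     # we want the cert even if a private CA signed it
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), tls.cipher()[0], ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.154"  # assumed from the scan
    for port, guess in unconfirmed_services(parse_nmap_ports(NMAP_OUTPUT)):
        print(f"{host}:{port} nmap guess={guess}")
        try:
            if guess == "rtsp":
                print("  RTSP:", probe_rtsp(host, port))
            elif guess.startswith("ssl/"):
                version, cipher, pem = probe_tls(host, port)
                print(f"  TLS {version} {cipher}\n{pem}")
        except (OSError, ssl.SSLError) as exc:
            print("  probe failed:", exc)
```

A `200 OK` with a `Public:` header from 554 confirms RTSP; any RTSP `DESCRIBE` beyond that will still need credentials the base station accepts. For 5061 the interesting output is the certificate issuer: a self-signed or private-CA issuer is consistent with a closed PKI, while a public CA would not be.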