tezeb / accfly

Disclosure of Accfly camera vulnerabilities: CVE-2020-25782, CVE-2020-25783, CVE-2020-25784, CVE-2020-25785.

Other brand affected as well #2

Open geestr opened 3 years ago

geestr commented 3 years ago

I have found that another brand/type of IP camera is affected as well. As far as the PoC Python scripts are concerned, they all work.

It is the cip-37551KV of Smartwares, which utilizes the IPC360 app on Android and iOS.

I have not opened up the camera, so I do not have a firmware dump, but it communicated on the same port, so I tried the PoC scripts.

Do you know if the reboot PoC can be modified to start the RTSP daemon or telnet, to be able to start ONVIF/RTSP?

tezeb commented 3 years ago

Thanks for checking and nice to hear that my PoC works. I will try to get my hands on this device or its firmware. I am pretty sure that all cameras that work with the IPC360 app are vulnerable. Regarding the reboot script, it just sends a command that makes the camera reboot itself, no hacking involved. So it cannot be modified to do something else. I am also pretty sure that there is no command to run telnet or the RTSP daemon. I don't think the RTSP daemon is even present in the firmware. But if you want to have telnet access, I think there was also a script injection via a file stored on the SD card. I can check that and let you know if you're interested.

geestr commented 3 years ago

Yes, I am interested, thank you. As you said, I think there are a lot of cameras that utilize IPC360 that are probably vulnerable. When they use the same chipset and firmware/OS, for sure.

Going through some firmwares of other types from the same manufacturer, I found a lot of consistencies but also small differences.