Intercoms, ACS ... Hello again

Good day, dear readers. I have already written here once about a vulnerability in the access controllers from IronLogic. More details are here. There the vulnerability was (and still is, since the IronLogic engineer believes that "The vulnerability is not critical, we will not fix it.") in a software bug of the z5r firmware. Here I want to share another study; this time the vulnerability is present in the cloud video surveillance and intercom service from Orion Telecom and Rosdomofon. The miracle is called "Intercom 2.0" (although "Rosdomofon" also has its own brand of the same name), and it has been rolled out (at least in Krasnoyarsk) since the beginning of 2020. Careful, a lot of photos.

Convenient - yes. Is it safe?

Unlike a similar solution from Dom.ru, Intercom 2.0 does not require replacing the intercom panel and infrastructure: it is enough to install a camera and a small module (based on Raspberry Pi, oddly enough), and voila, you can control door opening and closing, receive calls from the intercom directly on your smartphone, watch the cameras and so on. Personally, I became interested in how it works, so I registered in the application, entered the username and password for the Orion account, and it all worked. However, I wanted to pick up the RTSP stream from the camera near the intercom for my home TV wall, so I started to analyze the application. The first thing that came to mind was Wireshark. Great, there is a link like "rtsp://rdva10.rosdomofon.com:554/live/%CAMERA_NUMBER_IN_SYSTEM%", but the remote side demanded a username and password. This is harder: Wireshark says that the authentication is of the Digest type, and the username and password do not appear in clear text. Let's form a list of tasks:

  • Intercept the data the application sends and receives

  • Understand how the application communicates service commands

  • Understand where the login-password pair comes from
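Why the capture shows no password: with Digest authentication the client sends only an MD5 response derived from the password and the server's nonce, and the server recomputes it from its own copy of the password. The sketch below is an added example, not code from the original post or from either vendor; it implements the RFC 2617 computation without qop, and the host, user, password and nonce are constructed values.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def parse_digest(header_value):
    """Parse 'Digest k="v", k2=v2' into a dict of parameters."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def build_authorization(challenge, username, password, method, uri):
    """Client side: the header that actually appears in a packet capture."""
    c = parse_digest(challenge)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"])
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{resp}"')

def verify(authorization, method, users, issued_nonce):
    """Server side: recompute from the stored password and compare."""
    p = parse_digest(authorization)
    password = users.get(p.get("username", ""))
    if password is None or p.get("nonce") != issued_nonce:
        return False  # unknown user, or a nonce this server did not issue
    expected = digest_response(p["username"], p.get("realm", ""), password,
                               method, p.get("uri", ""), issued_nonce)
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

# Constructed sample values, not taken from the service described in the post.
CHALLENGE = 'Digest realm="camera.example", nonce="5f2a9c1e0b7d4a36"'
URI = "rtsp://camera.example:554/live/1"
USERS = {"viewer": "constructed-password"}

if __name__ == "__main__":
    header = build_authorization(CHALLENGE, "viewer", USERS["viewer"], "DESCRIBE", URI)
    print(header)
    print(verify(header, "DESCRIBE", USERS, "5f2a9c1e0b7d4a36"))
```

The response is bound to the method, URI and nonce, so a header captured for one request does not verify for a different method or under a fresh nonce.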

, Android Studio, , .apk- , . , - rdva.rosdomofon.com, log.rosdomofon.com:12202/gelf, HTTP, . BlueStacks logcat. - . - , , HTTP-.

logcat'
Everything turned out to be much simpler.
.

, , . Postman , User-Agent . , , "https://panel.rosdomofon.com/". , , , , . - , , . - .

-a, , -rs, , "" , ". . . . ." , .

, , . , , , .

Done.
.

: - . , , , ( , ) - . , .

UPD. .

UPD. 2 At the moment, both companies have contacted me and work is underway to fix the vulnerability; exploitation of the vulnerability is currently impossible.



