Nifty XSS in Annke SP1 HD wireless camera
We found an interesting, though low-risk, cross-site scripting issue in the ANNKE SP1 HD wireless camera, using firmware version v188.8.131.524071109.
What’s interesting is that the XSS is found when viewing available Wi-Fi access points in the Annke web interface. Hence, if you set up a rogue access point in range of your victim with SSID of the format:
As a proof of concept we wrote this script to steal an image from the camera. It was hosted at //xjs.io/
PoC code is here https://github.com/pentestpartners/bits-for-blog/blob/master/annke-basic.js.
Here’s the image we stole with our XSS exploit:
This has to be the best or lamest vendor response ever:
“Thanks for your message. I suppose you are a programmer. I will forward your discovery to our product apartment.” – 5th August 2016
Since then we’ve had no further updates. They may have fixed it in more recent firmware, and obviously one needs to be physically close (within Wi-Fi range of the camera) to even start exploiting this issue, so it’s not a huge vulnerability. It does illustrate that vendors need to be careful to validate input from any source, including data the device gathers from its surroundings such as Wi-Fi SSIDs, not just the standard GET/POST parameters on the web interface.
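The fix is output encoding: the scan list must treat every SSID as untrusted text before it reaches the page. The following is an added example (not the camera’s firmware and not our PoC) showing the unescaped rendering pattern beside a hardened version; the scan-result shape, function names and sample SSIDs are assumptions constructed for illustration.

```javascript
// Added example: render a Wi-Fi scan list into HTML with SSIDs treated as
// untrusted input. Not the camera's own web UI code; names are assumptions.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 802.11 SSIDs are at most 32 octets; anything longer is malformed and dropped.
function isValidSsid(ssid) {
  return typeof ssid === 'string' && new TextEncoder().encode(ssid).length <= 32;
}

// Unsafe rendering of the kind described above: the SSID is concatenated
// straight into markup, so markup in a beacon becomes markup in the page.
function renderUnsafe(aps) {
  return '<ul>' + aps.map((ap) => `<li>${ap.ssid} (${ap.signal} dBm)</li>`).join('') + '</ul>';
}

// Hardened rendering: drop malformed SSIDs, escape the rest, and coerce the
// signal strength to an integer so it cannot carry markup either.
function renderSafe(aps) {
  const items = aps
    .filter((ap) => isValidSsid(ap.ssid))
    .map((ap) => `<li>${escapeHtml(ap.ssid)} (${Number(ap.signal) | 0} dBm)</li>`);
  return '<ul>' + items.join('') + '</ul>';
}

// Constructed scan results: a benign SSID, one carrying HTML markup, one overlong.
const SAMPLE_SCAN = [
  { ssid: 'HomeNet', signal: -41 },
  { ssid: '<b>Free WiFi</b>', signal: -63 },
  { ssid: 'x'.repeat(33), signal: -70 },
];

// The unsafe version emits the <b> tag verbatim; the safe one emits &lt;b&gt;.
console.log(renderUnsafe(SAMPLE_SCAN));
console.log(renderSafe(SAMPLE_SCAN));
```

The same escaping must be applied wherever the SSID is echoed, including when it is written back into a form field or a JavaScript string, each of which needs its own context-appropriate encoding.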
Many thanks to Luke and Senad for help developing this proof of concept – Luke for finding a URL I could grab an image from, and Senad for helping with transferring the data without it getting mangled.
Stealing a camera image
Making the camera pan