### Vulnerabilities Summary

The following advisory describes three (3) vulnerabilities found in Ichano IP Cameras.

AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute.”

The vulnerabilities found are:

* Hard-coded username and password – telnet
* Hard-coded username and password – Web server
* Unauthenticated Remote Code Execution

### Credit

An independent security researcher, Tim Carrington, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

### Vendor response

We have tried to contact Ichano since November 21st 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.

### Vulnerabilities details

#### Hard-coded username and password – telnet

The device runs a telnet server at startup with a default password of 123.

#### Hard-coded username and password – Web server

In `/app/www/doc/script/login.js`, in the function `DoLogin()`, client-side validation is used to log a user in:

```
// Excerpt from DoLogin(): the check runs entirely in the browser
if ($("#UserName").val() == "super_yg") {
    jumpPage();
    return;
}
```

A user can log in with these credentials and can then take control of the device over HTTP.

#### Unauthenticated Remote Code Execution

The device runs the “noodles” binary, a service on port 1300 that allows a remote (LAN) unauthenticated user to run arbitrary commands.

The binary accepts a set of commands over a simple “protocol” in which the command to be run is enclosed in HTML-like tags, for example `<system>id</system>`. A successful execution results in `<system_ack>ok</system_ack>`.
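
A defender-side check for the port 1300 exchange described above, as an added example that is not part of the original advisory or of the vendor's code: it parses the tag framing and flags every command frame sent to the service, recording whether the device acknowledged it. The flow record layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

NOODLES_PORT = 1300  # service port named in the advisory

# Framing as the advisory describes it: <name>body</name>,
# answered by <name_ack>status</name_ack>.
_FRAME = re.compile(rb"<([A-Za-z0-9_]+)>(.*?)</\1>", re.DOTALL)

def parse_frames(payload: bytes):
    """Return (tag, body) for every well-formed frame in a TCP payload."""
    return [(m.group(1).decode("ascii"), m.group(2).decode("latin-1"))
            for m in _FRAME.finditer(payload)]

def flag_flows(flows):
    """Alert on every command frame sent to the noodles port.

    `flows` is an assumed record layout (dicts with src, dst, dport,
    request, response), e.g. reassembled from a packet capture.
    """
    alerts = []
    for flow in flows:
        if flow["dport"] != NOODLES_PORT:
            continue
        # Map "system_ack" -> "system" so replies pair with their request.
        acks = {tag[:-4]: body for tag, body in parse_frames(flow["response"])
                if tag.endswith("_ack")}
        for tag, body in parse_frames(flow["request"]):
            if tag.endswith("_ack"):
                continue
            alerts.append({"src": flow["src"], "dst": flow["dst"],
                           "command": tag, "argument": body,
                           "executed": acks.get(tag) == "ok"})
    return alerts

# Constructed sample flows (documentation address range, not real captures).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "192.0.2.50", "dport": 1300,
     "request": b"<system>id</system>", "response": b"<system_ack>ok</system_ack>"},
    {"src": "192.0.2.11", "dst": "192.0.2.50", "dport": 80,
     "request": b"<title>login</title>", "response": b""},
    {"src": "192.0.2.12", "dst": "192.0.2.50", "dport": 1300,
     "request": b"<system>id</system>", "response": b""},
]

if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS):
        print(alert)
```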