IP cameras

Chinese firm Foscam has published firmware updates to address three vulnerabilities in multiple models of IP-based cameras. The flaws, when exploited, allow an attacker to take control of vulnerable cameras, and especially those left connected online via a public IP address.

These vulnerabilities have been discovered in the past month by security researchers from VDOO, a company specialized in IoT security.

VDOO says the three vulnerabilities are CVE-2018-6830, CVE-2018-6831, and CVE-2018-6832, and that an attacker can chain the three together in the following way to take over Foscam cameras.

Step 1: An adversary must first obtain the camera’s IP address or DNS name. It can be achieved in several ways, including:
    (1) If the camera and the network are configured by the user such that the camera has direct interface to the internet, its address might be revealed by some internet scanners.
    (2) If the adversary gained unauthorized (remote or local) access to a network to which the camera is connected, he might be able to find the local address of the camera.
    (3) If dynamic DNS is enabled by the user, the adversary might find a way to resolve the device name

Step 2: The adversary then uses CVE-2018-6830, an arbitrary file deletion vulnerability, to delete certain critical files that will result in authentication bypass when the webService process reloads.

Step 3: The adversary crashes the webService process by exploiting CVE-2018-6832, a stack-based buffer overflow vulnerability in the webService process. After it crashes, the webService process is automatically restarted by the watchdog daemon, and during the process reload, the changes from step 2 take effect. The adversary is now able to gain administrative credentials.

Step 4: The adversary executes root commands by exploiting CVE-2018-6831. This is a shell command injection vulnerability that requires administrator credentials. Since the adversary gained administrator credentials in the previous stage, he can now use this vulnerability to execute commands as the root user for privilege escalation.

VDOO experts claim the security bugs occurred because of multiple reasons, such as (1) device processes running as root; (2) using external processes (shell commands) for trivial tasks instead of using programming APIs and libraries; (3) bad input sanitization; and (4) use of weak encryption to protect the device's firmware from external analysis.

Foscam starts acting like a responsible company

The good news is that Foscam responded positively to the VDOO report, and issued firmware updates to address the flaws in its products, even thanking VDOO for their work.

This is a major change of attitude from a company that last year ignored reports of 18 security bugs discovered by F-Secure researchers.

VDOO researchers said they have not seen any botnet or threat actor exploiting the reported issues before the publication of their report. Nonetheless, this will no doubt change, as botnet herders are known to be quick to weaponize IoT vulnerabilities to their advantage.

Unknown number of white-labeled cameras affected

VDOO has published a technical write-up containing more information about each of the three vulnerabilities, including proof-of-concept code to reproduce the bug.

The VDOO write-up also contains the following table with the affected Foscam camera models and the firmware version that contains fixes for the reported issues. Instructions on how to update Foscam camera firmware are available here. Users are advised to update as soon as possible.

Besides the camera models listed in the table below, camera models from other vendors are also affected. This is because Foscam is one of the biggest sellers of white-label IP cameras that other vendors buy and put their logo on top, without customers knowing they're actually running a Foscam device. Unfortunately, this information is impossible to track down, and users are left at the mercy of the second-hand buyer who is now responsible of taking the Foscam firmware patches and sending it downstream to its own customers.

Camera models Application firmware version
C1 Lite V3
C1 V3
FI9800P V3
FI9803P V4
FI9816P V3
FI9821EP V2
FI9821P V3
FI9826P V3
FI9831P V3
FI9851P V3
FI9853EP V2
C1 V2
C1 Lite
C1 Lite V2
FI9800P V2
FI9803P V2
FI9803P V3
FI9815P V2
FI9816P V2
FI9851P V2
FI9821P V2
FI9826P V2
FI9831P V2
FI9821W V2
FI9818W V2
FI9828P V2

Related Articles:

Vendor Patches Seven Vulnerabilities Across 392 Camera Models

Flaws in Diqee 360 Smart Vacuums Let Hackers Spy on Their Owners

Passwords for Tens of Thousands of Dahua Devices Cached in IoT Search Engine

HNS Evolves From IoT to Cross-Platform Botnet

All That Port 8000 Traffic This Week! Yeah, That's Satori Looking for New Bots