Date: Thu, 8 May 2014 10:26:22 -0700
From: Sergey Shekyan <shekyan@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability

CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability

Date Published: 05-08-2014

Class: Design error

Remotely Exploitable: yes

Vulnerability Description:

The Foscam IP camera vendor provides a Dynamic DNS (DynDNS) service. Every
Foscam camera has a preassigned FQDN of the format xx####.myfoscam.org,
where 'x' is an alphabetic ASCII character and '#' is a digit. Each camera
has a unique host name associated with it. That host name is flashed into
the camera memory and is printed on a sticker on the bottom of the camera.
The corresponding unique entry is created in the Foscam DNS server for every
manufactured camera. If the Foscam DynDNS option on the camera is enabled,
then that entry is updated with the current IP address of the user on every
camera boot.

For updating DNS entries, Foscam employs a custom protocol over UDP. This
custom protocol uses the camera subdomain as the username and password to
verify the authenticity of the request, thus making it possible for an
attacker to overwrite an arbitrary camera record in the Foscam DNS server.
The existing setup doesn't have a mechanism to change the username/password,
either on DynDNS or on the camera.

Several attack scenarios are possible using this vulnerability:

- Attacking the camera: rewrite the DNS entry to point to a fake camera login
page to steal credentials, or respond with HTTP 401 to capture credentials
cached by the browser.

- Attacking the browser: set up a reverse proxy that injects a script element
into the original response pointing to a malicious script to do UI redress
attacks, hook with BeEF, etc.

- Attacking a third-party website: rewrite multiple DynDNS records to a
victim IP address and HTTP request flood DDoS. Not confirmed, as our ISP
filters IP packets with a spoofed source. UDP proxies to the rescue, maybe.

With >250K active DynDNS entries, it looks quite promising.

Report timeline:

* January 30th, 2014 - Foscam was notified

* February 6th, 2014 - Vendor acknowledges the receipt of the email and
asks for technical details

* February 19th, 2014 - Vendor contacted again and asked to confirm the
vulnerability

* February 19th, 2014 - Vendor acknowledges the vulnerability and outlines
the plan to address the issue. Vendor asks to withhold the disclosure until
May 1st, 2014 so that the fix can be rolled out.

* April 30th, 2014 - Vendor notifies that newly manufactured cameras will
contain the fix. Vendor confirms that the existing cameras will not be
fixed.

More details can be found at

http://blog.shekyan.com/2014/05/cve-2014-1849-foscam-dynamic-dns-predictable-credentials-vulnerability.html

Proof of concept code:

https://github.com/artemharutyunyan/getmecamtool/blob/master/src/dnsmod.c


Best Regards,

Sergey Shekyan

Artem Harutyunyan
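The design error above is that the update "credential" is the same public label that is printed on the camera and visible in the hostname. The following model, added here and not taken from the advisory or from Foscam's actual protocol, contrasts a server that authenticates an update with username == password == subdomain against a hardened variant that uses a per-device random key and an HMAC; the hostname pattern, the message layout and the IP addresses are constructed assumptions for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed model of the advisory's hostname format: two letters, four digits.
SUBDOMAIN_RE = re.compile(r"^[a-z]{2}\d{4}$")


class WeakDynDnsServer:
    """Model of the flawed check: the public subdomain is both username and password."""

    def __init__(self):
        self.records = {}  # subdomain -> current IP address

    def update(self, subdomain, username, password, ip):
        if not SUBDOMAIN_RE.match(subdomain):
            return False
        # The only 'secret' is a label printed on the camera and embedded in its
        # FQDN, so any party that knows the hostname satisfies this check.
        if username != subdomain or password != subdomain:
            return False
        self.records[subdomain] = ip
        return True


class KeyedDynDnsServer:
    """Hardened model: per-device random key provisioned at manufacture, HMAC-tagged updates."""

    def __init__(self):
        self.records = {}
        self.keys = {}  # subdomain -> 32-byte secret, never derived from the hostname

    def provision(self, subdomain):
        key = secrets.token_bytes(32)
        self.keys[subdomain] = key
        return key

    @staticmethod
    def tag(key, subdomain, ip):
        # Binds the update to the device and the claimed address. A deployed design
        # would also include a nonce or timestamp so a captured tag cannot be replayed.
        return hmac.new(key, f"{subdomain}|{ip}".encode(), hashlib.sha256).hexdigest()

    def update(self, subdomain, ip, tag):
        key = self.keys.get(subdomain)
        if key is None:
            return False
        if not hmac.compare_digest(self.tag(key, subdomain, ip), tag):
            return False
        self.records[subdomain] = ip
        return True
```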
