Vulnerabilities > CVE-2017-2855 - Classic Buffer Overflow vulnerability in Foscam C1 Firmware 2.52.2.43

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
foscam
CWE-120
critical

Summary

An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server.

Vulnerable Configurations

Part Description Count
OS
Foscam
1
Hardware
Foscam
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamilyexploit
description### Summary An exploitable buffer overflow vulnerability exists in the DDNS client used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server. ### Tested Versions * Foscam Indoor IP Camera C1 Series * System Firmware Version: 1.9.3.18 * Application Firmware Version: 2.52.2.43 * Plug-In Version: 3.3.0.26 ### Product URLs http://www.foscam.com/downloads/index.html ### CVSSv3 Score 8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ### Details Foscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the arm architecture. Foscam is considered one of the most common security cameras out on the current market. The device can be configured to use a DDNS client to associate to a hostname the public IP address of the network hosting the camera. Clients have to be configured via the web interface by choosing between one of the supported DDNS providers together with a hostname, username and password. When the "webService" process starts it creates several threads, one of them is the "DDNS update thread", function `ThreadEntry_DdnsUpdate`. At [1] `r0` contains the seconds elapsed since the last loop execution. Every 10 seconds [2], the function retrieves the public IP address [3] and if it detects a difference the new IP is updated [4]. The function `getMyGloableIp` takes a pointer to the global structure at 0xa8074 as parameter [5]. This structure is located in the `.bss` segment and has a size of 140 bytes. ``` ... ThreadEntry_DdnsUpdate ... .text:00051BC4 09 00 50 E3 CMP R0, #9 ; [1] .text:00051BC8 00 00 A0 D3 MOVLE R0, #0 .text:00051BCC 01 00 A0 C3 MOVGT R0, #1 .text:00051BD0 00 00 50 E3 CMP R0, #0 ; [2] .text:00051BD4 12 00 00 0A BEQ loc_51C24 .text:00051BD8 04 00 A0 E1 MOV R0, R4 ; [5] .text:00051BDC 8B FF FF EB BL getMyGloableIp ; [3] .text:00051BE0 00 00 50 E3 CMP R0, #0 .text:00051BE4 0C 00 00 0A BEQ loc_51C1C ... .text:00051C5C 04 00 A0 E1 MOV R0, R4 .text:00051C60 CB FE FF EB BL sub_51794 ; [4] ``` The function `getMyGloableIp`, checks if the configured hostname is not empty [6], then it retrieves the "ddnsServer" which is currently set [7]: this is a number between 0 and 5. 0 means that no DDNS is set [8], and retrieving the public IP address with DDNS number 3 is not supported [9]. Using this index, another function is called [10] that returns the "ddnsServer" instance (using a singleton pattern). The function responsible for retrieving the public IP address is then called [11], passing as arguments the "ddnsServer" instance and a buffer for storing the IP address [12]. This buffer starts at offset 0x58 in the global structure at 0xa8074. Note that for every provider a different function is used to retrieve the public IP address. ``` .text:00051A10 getMyGloableIp ... .text:00051A20 00 40 A0 E1 MOV R4, R0 ... .text:00051A28 08 30 90 E5 LDR R3, [R0,#8] .text:00051A2C 00 30 D3 E5 LDRB R3, [R3] .text:00051A30 00 00 53 E3 CMP R3, #0 ; [6] .text:00051A34 34 00 00 1A BNE loc_51B0C ... .text:00051A44 30 00 00 EA B loc_51B0C .text:00051A48 .text:00051A48 loc_51A48 .text:00051A48 30 10 94 E5 LDR R1, [R4,#0x30] .text:00051A4C 34 20 94 E5 LDR R2, [R4,#0x34] .text:00051A50 C8 30 9F E5 LDR R3, =sub_51D20 .text:00051A54 BF F0 FF EB BL sub_4DD58 ; [10] .text:00051A58 58 50 84 E2 ADD R5, R4, #0x58 .text:00051A5C 05 10 A0 E1 MOV R1, R5 ; [12] .text:00051A60 00 30 90 E5 LDR R3, [R0] .text:00051A64 00 30 93 E5 LDR R3, [R3] .text:00051A68 33 FF 2F E1 BLX R3 ; [11] ... .text:00051B00 loc_51B00 .text:00051B00 00 00 A0 E3 MOV R0, #0 .text:00051B04 14 D0 8D E2 ADD SP, SP, #0x14 .text:00051B08 30 80 BD E8 LDMFD SP!, {R4,R5,PC} .text:00051B0C .text:00051B0C loc_51B0C .text:00051B0C 0C 00 94 E5 LDR R0, [R4,#0xC] ; [7] .text:00051B10 03 00 50 E3 CMP R0, #3 ; [9] .text:00051B14 00 00 50 13 CMPNE R0, #0 ; [8] .text:00051B18 F8 FF FF 0A BEQ loc_51B00 .text:00051B1C C9 FF FF EA B loc_51A48 ``` When the DDNS provider in use is "3322.net" (DDNS number 2), the function `sub_4CD30` is called. This function calls `sub_53808` [13] to establish a connection with "ip.3322.net" on port 80. An HTTP request is built [14] and sent to the socket by calling `CDdnsClient__readyToSend` [15]. The response from the remote server is then retrieved using `CDdnsClient__readyToRead` [16], which will read at most 1024 bytes [17]. ``` .text:0004CD30 sub_4CD30 .text:0004CD30 .text:0004CD30 F0 40 2D E9 STMFD SP!, {R4-R7,LR} .text:0004CD34 C1 DE 4D E2 SUB SP, SP, #0xC10 .text:0004CD38 0C D0 4D E2 SUB SP, SP, #0xC .text:0004CD3C 00 40 A0 E1 MOV R4, R0 .text:0004CD40 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20 .text:0004CD44 04 00 80 E2 ADD R0, R0, #4 .text:0004CD48 01 50 A0 E1 MOV R5, R1 ... .text:0004CD6C FC 11 9F E5 LDR R1, =aIp_3322_net ; "ip.3322.net" .text:0004CD70 7D 19 FF EB BL _ZNSs6assignEPKc .text:0004CD74 00 30 94 E5 LDR R3, [R4] .text:0004CD78 03 1B 8D E2 ADD R1, SP, #0xC30+var_30 .text:0004CD7C 10 C0 93 E5 LDR R12, [R3,#0x10] ... .text:0004CD90 3C FF 2F E1 BLX R12 ; [13] ... .text:0004CDB8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20 .text:0004CDBC 04 00 80 E2 ADD R0, R0, #4 .text:0004CDC0 B0 11 9F E5 LDR R1, =aGetHttp1_1 ; "GET / HTTP/1.1\r\n" .text:0004CDC4 F4 17 FF EB BL _ZNSspLEPKc .text:0004CDC8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20 .text:0004CDCC 04 00 80 E2 ADD R0, R0, #4 .text:0004CDD0 A4 11 9F E5 LDR R1, =aAccept ; "Accept: */*\r\n" .text:0004CDD4 F0 17 FF EB BL _ZNSspLEPKc .text:0004CDD8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20 .text:0004CDDC 04 00 80 E2 ADD R0, R0, #4 .text:0004CDE0 98 11 9F E5 LDR R1, =aUserAgentFosca ; "User-Agent: Foscam ipcam\r\n" .text:0004CDE4 EC 17 FF EB BL _ZNSspLEPKc .text:0004CDE8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20 .text:0004CDEC 04 00 80 E2 ADD R0, R0, #4 .text:0004CDF0 8C 11 9F E5 LDR R1, =aHostIp_3322_ne ; "Host: ip.3322.net\r\n" .text:0004CDF4 E8 17 FF EB BL _ZNSspLEPKc .text:0004CDF8 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20 .text:0004CDFC 04 00 80 E2 ADD R0, R0, #4 .text:0004CE00 80 11 9F E5 LDR R1, =(asc_8D92C+2) ; "\r\n" .text:0004CE04 E4 17 FF EB BL _ZNSspLEPKc .text:0004CE08 0C 00 8D E2 ADD R0, SP, #0xC30+dest .text:0004CE0C 14 1C 9D E5 LDR R1, [SP,#0xC30+src] .text:0004CE10 5D 1A FF EB BL strcpy ; [14] .text:0004CE14 00 30 94 E5 LDR R3, [R4] .text:0004CE18 C1 0E 8D E2 ADD R0, SP, #0xC30+var_20 .text:0004CE1C 04 00 80 E2 ADD R0, R0, #4 .text:0004CE20 14 70 93 E5 LDR R7, [R3,#0x14] .text:0004CE24 10 6C 9D E5 LDR R6, [SP,#0xC30+var_20] .text:0004CE28 C2 18 FF EB BL _ZNKSs6lengthEv .text:0004CE2C 00 30 A0 E1 MOV R3, R0 .text:0004CE30 06 10 A0 E1 MOV R1, R6 .text:0004CE34 04 00 A0 E1 MOV R0, R4 .text:0004CE38 0C 20 8D E2 ADD R2, SP, #0xC30+dest .text:0004CE3C 37 FF 2F E1 BLX R7 ; [15] ... .text:0004CE60 01 3B A0 E3 MOV R3, #0x400 ; [17] .text:0004CE64 3C FF 2F E1 BLX R12 ; [16] ``` The function then ensures that the string "200 OK" is present anywhere in the response [18] and then finds the string "\r\n\r\n" [19]. After this string the function expects to find the IP address. From this point every character is copied in the buffer passed to the function [20] using a loop, which will only exit when a carriage return [21] is found. Since the size of the destination buffer is not taken into account, a malicious HTTP server could exploit this vulnerability to write out of bounds. ``` .text:0004CE68 00 00 50 E3 CMP R0, #0 .text:0004CE6C 20 00 00 DA BLE loc_4CEF4 .text:0004CE70 02 6B 8D E2 ADD R6, SP, #0xC30+var_430 .text:0004CE74 0C 60 86 E2 ADD R6, R6, #0xC .text:0004CE78 06 00 A0 E1 MOV R0, R6 .text:0004CE7C 08 11 9F E5 LDR R1, =str.200OK ; [18] .text:0004CE80 69 19 FF EB BL strstr .text:0004CE84 00 00 50 E3 CMP R0, #0 .text:0004CE88 09 00 00 1A BNE loc_4CEB4 ... .text:0004CEB4 loc_4CEB4 .text:0004CEB4 06 00 A0 E1 MOV R0, R6 .text:0004CEB8 DC 10 9F E5 LDR R1, =asc_8D92C ; "\r\n\r\n" .text:0004CEBC 5A 19 FF EB BL strstr ; [19] .text:0004CEC0 00 00 50 E3 CMP R0, #0 .text:0004CEC4 01 00 00 1A BNE loc_4CED0 .text:0004CEC8 09 00 00 EA B loc_4CEF4 .text:0004CECC .text:0004CECC loc_4CECC .text:0004CECC 01 30 45 E5 STRB R3, [R5,#-1] ; [20] .text:0004CED0 .text:0004CED0 loc_4CED0 .text:0004CED0 04 30 D0 E5 LDRB R3, [R0,#4] .text:0004CED4 05 20 A0 E1 MOV R2, R5 .text:0004CED8 0D 00 53 E3 CMP R3, #0xD ; [21] .text:0004CEDC 01 50 85 E2 ADD R5, R5, #1 .text:0004CEE0 01 00 80 E2 ADD R0, R0, #1 .text:0004CEE4 F8 FF FF 1A BNE loc_4CECC .text:0004CEE8 00 50 A0 E3 MOV R5, #0 .text:0004CEEC 00 50 C2 E5 STRB R5, [R2] .text:0004CEF0 03 00 00 EA B loc_4CF04 ``` ### Timeline * 2017-07-17 - Vendor Disclosure * 2017-11-13 - Public Release
idSSV:96857
last seen2017-11-19
modified2017-11-14
published2017-11-14
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-96857
titleFoscam IP Video Camera webService 3322.net DDNS Client Code Execution Vulnerability(CVE-2017-2855)

Talos

idTALOS-2017-0358
last seen2019-05-29
published2017-11-13
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0358
titleFoscam IP Video Camera webService 3322.net DDNS Client Code Execution Vulnerability