Three vulnerabilities have been found in Foscam security cameras, and owners of such cameras are urged to update as soon as possible. The flaws are described as an arbitrary file-deletion bug, a shell command-injection bug and a stack-based buffer overflow vulnerability. The bugs were discovered by researchers at VDOO.
During their research, the experts came across zero-day vulnerabilities in devices from several vendors. These vulnerabilities were disclosed to the vendors in line with responsible-disclosure best practices, the researchers said, and will be published gradually once the disclosure periods have concluded.
In terms of the vulnerabilities in Foscam products, a critical chain of flaws has been unearthed:
Combining the discovered vulnerabilities, an adversary who successfully obtains the address of the camera can remotely gain root access to the cameras (via LAN or internet). VDOO has responsibly disclosed these vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) and engaged with Foscam’s security team to solve the matter.
The security team believes that the vulnerabilities have not been exploited in active attacks. In addition, it appears that the Foscam team acted promptly to patch the three bugs and push them to their exposed customers.
More about CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832
An attack exploiting the bugs revolves around a process in the cameras known as webService. The process receives the API requests forwarded to it, verifies the user’s credentials where required, and then runs the handler for the requested API command.
The first step of an attack involves the attacker obtaining the vulnerable camera’s IP address or DNS name. Depending on the circumstances, this may not be difficult at all, particularly if the camera is directly exposed to the internet.
The second step is the attacker crashing the webService process by exploiting CVE-2018-6832, the stack-based buffer overflow bug.
After the service is crashed, it is automatically restarted by the watchdog daemon. During the reload window, the attacker could leverage the second vulnerability, CVE-2018-6830, to delete particular critical files. This leads to an authentication bypass once the webService process comes back up, giving the attacker a chance to gain admin access. Once this is done, the attacker can use the third vulnerability, CVE-2018-6831, to execute commands as root.
Here is the technical overview presented by the VDOO team:
The camera is running a Linux operating system and all processes run with root privileges. The web server is a lighttpd with additional vendor code, and it forwards API requests to its internal CGIProxy.fcgi process, by using the FastCGI protocol. The CGIProxy.fcgi executable forwards requests (by using a proprietary IPC mechanism) to the webService process – that verifies the user’s credentials (if needed) and runs the handler for the desired API command. Depending on the command, the handler may call additional code from the devMng process, that in turn usually runs shell commands by using the system() or popen() library calls, to configure system services. A watchdog daemon restarts important processes after they are terminated.
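The overview above notes that devMng configures system services through system() and popen(), which is the pattern that makes a shell command-injection bug like CVE-2018-6831 possible. As an added example (not VDOO's or Foscam's code, and not the actual vulnerable code path), the snippet below contrasts splicing an API-supplied value into a shell command string with validating it and passing it as a discrete argv element via execvp(), so that no shell ever parses it. The `ping` command and the hostname setting are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check: accept only hostname-like tokens (letters, digits, '-', '.').
 * Anything else is rejected outright rather than "escaped". */
int is_safe_hostname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Injectable pattern: the untrusted value becomes part of a string that a shell
 * will later parse (as system()/popen() do). Returns 1 if the string fit in out. */
int build_shell_cmd_unsafe(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened pattern: validate, then fork()/execvp() with a fixed argv so the
 * value is a single argument, never shell syntax. Returns the child's exit
 * status, or -1 if the input is rejected or the process could not be run. */
int run_ping_safe(const char *host) {
    if (!is_safe_hostname(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);                 /* exec failed; exit child without running atexit handlers */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed input: a benign host name with a second command appended. */
    const char *hostile = "cam.local; echo injected";
    char cmd[128];
    build_shell_cmd_unsafe(hostile, cmd, sizeof cmd);
    printf("shell string a system() call would run: %s\n", cmd);
    printf("hardened path result for same input: %d (-1 = rejected)\n", run_ping_safe(hostile));
    return 0;
}
```

The unsafe builder shows why the appended text survives intact into the shell, while the hardened path rejects the same input before any process is spawned.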