
Full Disclosure mailing list archives
CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability
From: Sergey Shekyan <shekyan () gmail com>
Date: Thu, 8 May 2014 10:26:22 -0700
CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability

Date Published: 05-08-2014
Class: Design error
Remotely Exploitable: yes

Vulnerability Description:

Foscam, an IP camera vendor, provides a Dynamic DNS (DynDNS) service. Every Foscam camera has a preassigned FQDN of the form xx####.myfoscam.org, where 'x' is an alphabetic ASCII character and '#' is a digit. Each camera has a unique host name associated with it. That host name is flashed into the camera memory and is printed on a sticker on the bottom of the camera. A corresponding unique entry is created in the Foscam DNS server for every manufactured camera. If the Foscam DynDNS option on the camera is enabled, that entry is updated with the user's current IP address on every camera boot.

For updating DNS entries Foscam employs a custom protocol over UDP. This custom protocol uses the camera subdomain as both the username and the password to verify the authenticity of the request, which makes it possible for an attacker who knows (or enumerates) a host name to overwrite an arbitrary camera record in the Foscam DNS server. The existing setup has no mechanism to change the username/password, either on the DynDNS service or on the camera.

Several attack scenarios are possible using this vulnerability:

- Attacking the camera: rewrite the DNS entry to point at a fake camera login page to steal credentials, or respond with HTTP 401 to capture credentials cached by the browser.
- Attacking the browser: set up a reverse proxy that injects a script element into the original response pointing to a malicious script, to perform UI redress attacks, hook the browser with BeEF, etc.
- Attacking a third-party website: rewrite multiple DynDNS records to a victim IP address and HTTP request flood DDoS. Not confirmed, as our ISP filters IP packets with a spoofed source. UDP proxies to the rescue, maybe. With >250K active DynDNS entries, it looks quite promising.
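The design error above is easiest to see side by side with a design that does not have it. The following toy model is an added illustration written for this page; it is not the Foscam update protocol (see dnsmod.c for that), and the message layout, the field names, the WeakDDNS/HardenedDDNS classes and the constructed host name and addresses are assumptions made for the example. The weak service accepts any update whose "password" equals the public host name; the hardened one requires an HMAC-SHA256 tag under a per-device secret provisioned at manufacture, with a strictly increasing counter so a captured datagram cannot be replayed.

```python
"""Toy model of the design error in CVE-2014-1849 next to a hardened design.

Added illustration for this advisory; it is NOT the Foscam update
protocol. The message layout, field names and the hardened scheme are
assumptions made for the example.
"""
import hashlib
import hmac
import re
import secrets

# Host name label format stated in the advisory: two letters, four digits.
HOSTNAME_RE = re.compile(r"^[a-z]{2}[0-9]{4}$")


class WeakDDNS:
    """Update service whose username and password are both the host name.

    Anyone who can read a host name (printed on the camera sticker) or
    enumerate the 26*26*10^4 label space can overwrite that camera's record.
    """

    def __init__(self):
        self.records = {}

    def update(self, user: str, password: str, ip: str) -> bool:
        if not HOSTNAME_RE.match(user):
            return False
        # "Authentication": the secret is the public identifier itself.
        if password != user:
            return False
        self.records[user] = ip
        return True


class HardenedDDNS:
    """Per-device random secret provisioned at manufacture; each update is
    HMAC-SHA256 over (host, counter, ip) with a strictly increasing counter."""

    def __init__(self):
        self.records = {}
        self.keys = {}
        self.last_counter = {}

    def provision(self, host: str) -> bytes:
        """Factory step: generate and store the device secret and return it
        to be flashed into the camera (never printed on the sticker)."""
        key = secrets.token_bytes(32)
        self.keys[host] = key
        self.last_counter[host] = 0
        return key

    @staticmethod
    def sign(key: bytes, host: str, counter: int, ip: str) -> bytes:
        msg = f"{host}|{counter}|{ip}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def update(self, host: str, counter: int, ip: str, tag: bytes) -> bool:
        key = self.keys.get(host)
        if key is None:
            return False
        if counter <= self.last_counter[host]:
            return False  # replayed or stale datagram
        expected = self.sign(key, host, counter, ip)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong or guessed key
        self.last_counter[host] = counter
        self.records[host] = ip
        return True


def demo() -> dict:
    """Run a legitimate update and a hijack attempt against both designs."""
    # Constructed sample values for the example.
    cam, cam_ip, attacker_ip = "ab1234", "203.0.113.10", "198.51.100.7"

    weak = WeakDDNS()
    weak.update(cam, cam, cam_ip)                       # camera boots and registers
    weak_hijacked = weak.update(cam, cam, attacker_ip)  # attacker only needs the name

    hard = HardenedDDNS()
    key = hard.provision(cam)
    good_tag = hard.sign(key, cam, 1, cam_ip)
    hard_ok = hard.update(cam, 1, cam_ip, good_tag)
    forged_tag = hard.sign(b"attacker-guess", cam, 2, attacker_ip)
    hard_forged = hard.update(cam, 2, attacker_ip, forged_tag)
    hard_replay = hard.update(cam, 1, cam_ip, good_tag)  # sniffed datagram resent

    return {
        "weak_hijacked": weak_hijacked,
        "weak_record": weak.records[cam],
        "hard_ok": hard_ok,
        "hard_forged": hard_forged,
        "hard_replay": hard_replay,
        "hard_record": hard.records[cam],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows the weak service's record for ab1234 ending up at the attacker's address, while the hardened service keeps the camera's address and rejects both the forged tag and the replayed datagram. The point of the counter is the UDP transport: without it, an attacker who captures one genuine update could resend it later to pin the record to a stale address even without knowing the key.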
Report timeline:

* January 30th, 2014 - Foscam was notified
* February 6th, 2014 - Vendor acknowledges receipt of the email and asks for technical details
* February 19th, 2014 - Vendor contacted again and asked to confirm the vulnerability
* February 19th, 2014 - Vendor acknowledges the vulnerability and outlines a plan to address the issue. Vendor asks to withhold disclosure until May 1st, 2014 so that the fix can be rolled out.
* April 30th, 2014 - Vendor notifies that newly manufactured cameras will contain the fix. Vendor confirms that existing cameras will not be fixed.

More details can be found at http://blog.shekyan.com/2014/05/cve-2014-1849-foscam-dynamic-dns-predictable-credentials-vulnerability.html

Proof of concept code: https://github.com/artemharutyunyan/getmecamtool/blob/master/src/dnsmod.c

Best Regards,
Sergey Shekyan
Artem Harutyunyan

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/