CVE-2022-28743: Keeping A Critical Eye on IoT Devices
A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Foscam R2C IP camera running System FW <= 1.13.1.6 and Application FW <= 2.91.2.66 allows an authenticated remote attacker with administrator permissions to execute arbitrary remote code via a malicious firmware patch. The impact of this vulnerability is that the remote attacker could gain full remote access to the IP camera and the underlying Linux system with root permissions. With root access to the camera’s Linux OS, an attacker could effectively change the code that is running, add backdoor access, or invade the privacy of the user by accessing the live camera stream.
Trellix Labs is excited to announce the beginning of a new video series which captures one of our senior vulnerability researchers’ work on hacking an IoT device from beginning to end. This will conclude with the release of a new zero-day, CVE-2022-28743, which the team discovered and reported to the vendor through Trellix’s responsible disclosure program. If you are technically minded, interested in the nitty-gritty details, or maybe want to learn how to hack yourself, the five-part video series may be a better fit for you (LINK HERE) than the rest of this blog. In this video series, we will tag along with Sam Quinn, who found this vulnerability, and walk through the entire process of hacking this IP camera, live.
We are now in the age of the smart home; no longer are Ironman’s Jarvis-type homes so far-fetched. Insurance specialists with PolicyAdvice claim that 47% of US-based millennials have at least one smart home product within their homes. With network connectivity being integrated into more and more products, collectively known as the Internet of Things (IoT), the proportion of homes with smart gadgets is expected to keep rising. The Threat Labs team at Trellix recently investigated one such smart home device: the Foscam R2C IP camera.
Typically, the team goes through a target selection and review process before we begin to investigate new research projects. This project, however, did not originate from the formal process and instead became of interest because the camera was installed in Sam’s home. As you may have expected, no piece of technology inside a senior researcher’s home is safe from a little extra exploration, but only after the camera started to misbehave did it gain a spotlight. Being a security-minded person, he began to dive into the issue. This is when he noticed that the device’s software was out of date, but also that Foscam had taken many security precautions that other IoT devices lack. Most importantly, Foscam ships its firmware updates encrypted. This sparked Sam’s interest: just how deep did their security go?
After poking around physically on the device using advanced hardware hacking techniques, Sam eventually discovered a vulnerability that allowed an authenticated user to upload a specially crafted “fake” update file and gain access to the operating system of the camera. If someone can gain access to the operating system on the camera via physical access, they can bypass the login settings and control the device in a way that even a legitimate administrator would not be able to identify or block, essentially giving them full access to the device, including the video feed.
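The CVE summary classifies the bug as a time-of-check to time-of-use race in the update path: the handler checks an update file, and then later uses the file again rather than the bytes it checked. The following is an added Python illustration of that pattern and of the shape of the fix; it is not Foscam’s code and not code from the Trellix write-up. The image layout (a 32-byte HMAC-SHA256 tag followed by the payload), the key, the file names and the `between` hook that stands in for the window between check and use are all constructed for the demo; the camera’s real update format is encrypted in a way the post does not describe.

```python
"""Check-then-use versus verify-what-you-use in a firmware update handler.

Added illustration of the TOCTOU pattern. Everything here (image layout,
key, file names, the `between` hook) is constructed for the demo and is
not Foscam's code or format.
"""
import hmac
import os
import tempfile

# Constructed stand-in for the vendor's verification key (assumption: the
# real scheme is different and is not described on the page).
VERIFY_KEY = b"demo-verification-key"
TAG_LEN = 32  # HMAC-SHA256 digest length


def build_image(payload: bytes) -> bytes:
    """Constructed image layout: 32-byte HMAC-SHA256 tag, then the payload."""
    return hmac.new(VERIFY_KEY, payload, "sha256").digest() + payload


def verify_image(image: bytes) -> bool:
    """True only if the tag matches the payload that follows it."""
    tag, payload = image[:TAG_LEN], image[TAG_LEN:]
    expected = hmac.new(VERIFY_KEY, payload, "sha256").digest()
    return hmac.compare_digest(tag, expected)


def install_vulnerable(path: str, between=lambda: None):
    """Check-then-use: verify the file by path, then re-read it by path.

    Whatever replaces the file inside the window (simulated by `between`)
    is handed to the installer without ever having been verified.
    Returns the payload to install, or None if the check rejected it.
    """
    with open(path, "rb") as f:
        if not verify_image(f.read()):      # time of check
            return None
    between()                               # the race window
    with open(path, "rb") as f:             # time of use: a second, independent read
        return f.read()[TAG_LEN:]


def install_hardened(path: str, between=lambda: None):
    """Verify-what-you-use: read once, verify those bytes, install those bytes.

    The file on disk can change after the read; the installer only ever
    sees data that passed verification.
    """
    with open(path, "rb") as f:
        image = f.read()                    # single read
    between()                               # same window, now harmless
    if not verify_image(image):
        return None
    return image[TAG_LEN:]


def run_scenario() -> dict:
    """Drive both handlers through the same swap-inside-the-window scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update.bin")
        # Constructed file that fails verification (all-zero tag).
        bad = b"\x00" * TAG_LEN + b"UNVERIFIED-IMAGE"

        def write(data: bytes) -> None:
            with open(path, "wb") as f:
                f.write(data)

        def swap() -> None:                 # what happens inside the window
            write(bad)

        write(build_image(b"GENUINE-IMAGE"))
        results["vulnerable"] = install_vulnerable(path, between=swap)
        write(build_image(b"GENUINE-IMAGE"))
        results["hardened"] = install_hardened(path, between=swap)
        write(bad)
        results["hardened_rejects_bad"] = install_hardened(path)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

The hardened handler removes the window rather than shrinking it: the bytes that are verified are the bytes that are installed, so nothing that happens to the file on disk in between matters. The same idea applies to native code, where the equivalent is to open the file once, read it into memory (or work through that single descriptor), and never go back to the path a second time.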
It is common for IoT devices, which are vying for prevalence in a very competitive market, to undergo extreme cost cutting. Often, this results in the omission of the critical engineering time needed to incorporate security principles from the start of development. However, this did not appear to be the case when speaking to the Foscam team about mitigations for this issue. Foscam was responsive to our team and worked with us to make sure that this vulnerability was patched.
So, you now may be wondering how you can keep your devices safe on your own network. The first step is to ask the question, “does this need to be on my network?” Many new home appliances ship with network connectivity, but do you really need your coffee maker or your toaster linked to your other devices? Second, if you do want a smart home device on your network, it is best practice to have that device live on a separate network where it is logically isolated from your PC and smartphone. This can easily be achieved by placing your smart gadget onto, for example, the guest network that many routers support. The third and arguably the easiest precaution to take is to simply keep your devices updated with the latest firmware. Our research, paired with responsible disclosure, helped bring this issue to the attention of Foscam, and they have since released a security update which mitigates this issue entirely. Keeping devices patched and up to date is the best way to prevent attackers from accessing any of your devices. If you own a Foscam R2C, we suggest you patch by looking for firmware version 2.72 or newer.
What makes an attacker take interest in a simple IP camera in the first place? IP cameras are a great target for attackers: not only were there speculated to be around a billion active cameras in 2021, but they often inherit poor security practices from traditional IoT devices. Typically referred to as “low-hanging fruit”, these vulnerabilities can not only allow the camera feed to be viewed through a compromised camera, but history has shown that compromised cameras can be used in large-scale botnet attacks. We often forget that modern cameras are actually minicomputers, providing enough power and technology to accomplish more than just viewing live footage. If you like to watch live footage and are eager for a more in-depth look at CVE-2022-28743, remember to keep an eye out for our five-week video series that is starting today!