Critical flaws open Foscam C1 IP cameras to compromise

Cisco Talos researcher Claudio Bozzato has unearthed a dozen of critical vulnerabilities affecting the Foscam C1 series of indoor HD cameras.

Foscam C1 vulnerabilities

The Foscam C1 is one of the most commonly deployed IP cameras. “In many cases these devices may be deployed in sensitive locations. They are marketed for use in security monitoring and many use these devices to monitor their homes, children, and pets remotely,” the Cisco Talos team has noted.

About the vulnerabilities

The vulnerabilities are present in Foscam C1 Indoor HD Cameras running application firmware version 2.52.2.43.

They include bugs that could lead to information disclosure and remote code execution, as well as a flaw that allows unsigned firmware images to be uploaded on the vulnerable devices.

Four exploitable buffer overflow vulnerability exists in the cameras’ DDNS client. To trigger the vulnerabilities, the attacker must be able to answer the device’s HTTP requests with a malicious payload.

“On devices with DDNS enabled, an attacker who is able to intercept HTTP connections will be able to fully compromise the device by creating a rogue HTTP server,” the security advisories for these flaws explain.

The vulnerability that allows the upload and installation of unsigned firmware images is due to insufficient security checks in the recovery procedure.

“A HTTP request can allow for a user to perform a firmware upgrade using a crafted image. Before any firmware upgrades in this image are flashed to the device, binaries as well as arguments to shell commands contained in the image are executed with elevated privileges,” it has been explained.

Another missing check could allow an attacker to reset the user accounts to factory defaults, without authentication, via a specially crafted request on port 10001.

More details and links to specific advisories (and PoC code) can be found here.

Fixes available?

The vulnerabilities have been responsibly disclosed to Foscam on July 13, 2017, and the team says that the company has released a firmware update that fixes them.

“Users of the affected devices should update to this new version as quickly as is operationally feasible to ensure that their devices are not vulnerable,” they advise.

But a quick perusal of the official Foscam site reveals that the latest firmware updates provided for download for users of Foscam C1 cameras dates back to June 2017. Obviously, the company has yet to push out the firmware updates that plug these holes.

Users should, therefore, keep an eye on the site and react quickly when the updates are made available. Widely used vulnerable IP cameras are often roped into IoT botnets, and these botmasters are quick to exploit known flaws.

UPDATE (November 17, 2017):

Foscam has released the firmware updates for the affected cameras.