Posts

CVE-2014-1849 Foscam Dynamic DNS predictable credentials vulnerability

Date Published: 05-08-2014
Class: Design error
Remotely Exploitable: yes

Vulnerability Description:
The Foscam IP camera vendor provides a Dynamic DNS (DynDNS) service. Every Foscam camera has a preassigned FQDN of the xx####.myfoscam.org format, where 'x' is an alphabetic ASCII character and '#' is a digit. Each camera has a unique host name associated with it. That host name is flashed into the camera memory and is printed on a sticker on the bottom of the camera. The corresponding unique entry is created in the Foscam DNS server for every manufactured camera. If the Foscam DynDNS option on the camera is enabled, that entry is updated with the current IP address of the user on every camera boot.

For updating DNS entries Foscam employs a custom protocol over UDP. This custom protocol uses the camera subdomain as a username and password to verify the authenticity of the request, thus making it possible for an atta…

SlowHTTPTest 1.6 is out

Yesterday I released another version of SlowHTTPTest that includes all the performance fixes that were sitting in the repository since last year, as well as:
- CLI got funny colors and less scrolling for better perception
- HTML reports look prettier
- Help screen is finally readable

I tested it on OS X Mavericks, Ubuntu Precise Pangolin and the latest Fedora. Things look fine, but just in case, here are some useful tips:
- if configure complains about the version of automake that was used to generate it, running autoreconf and following the on-screen instructions should fix most of the problems
- there is some chance that you'll need to install libssl-devel
- if you hate colors, edit them in slowlog.h or undef USE_COLOR in config.h
- if you don't like the new CLI layout, using other than the default verbosity level (-v 2 and up) will turn on the good old logging-style output

Hope this version doesn't add more trouble, and any feedback is always welcome. Enjoy!

Funny OS/Browser fingerprinter

As of today, this page should crash any WebKit-based application that uses the CoreText font rendering framework on iOS or OS X 10.8.4.

Using getmecamtool

To support the presentation about controlling IP cameras all over the world, we'll try to share some details on what getmecamtool is doing and how to make it work.

getmecamtool is a tool-set to manipulate the software of the Foscam FI8910W, FI8908W, FI8909W and their clones. It has the following components:
- packer/unpacker for system, WebUI and camera settings files (syspack, sysextract, uipack, uiextract, confpack, confextract)
- the main shell script that automates the flow with predefined commands (getmecamtool)

getmecamtool DOES NOT bypass authentication or get credentials for you. Instead, authentication credentials should be provided to the tool to successfully manipulate the camera software. Check out the presentation to get an idea of how credentials can potentially be harvested.

Before building getmecamtool, there are a couple of prerequisites:
- genromfs is needed to manipulate romfs, which is used on the camera ($ sudo apt-get install genromfs)
- cmake is required to build the get…

Go, IP cameras and DNS

While working on a presentation about IP cameras, Artem crafted a handy shell script that searches for active IP cameras by going over the camera vendor's DNS records. The result was some handy numbers, as well as information on how people are using the camera vendor's DDNS service.

Last week I was visiting a friend (hello, Viktor!) in Seattle. Between beers, he mentioned Go, a programming environment he uses in one of his projects. He combined the next pint with a Go programming lesson and as a result, we wrote a 100-line, amazingly simple multi-threaded scanner that does the same as the above-mentioned script, but in a much more configurable and reliable way.

Get Go, get getmecamtool, and in the misc directory you will find the scanner.go file. Simply type:
$ go run scanner.go --help
and the rest should be clear. It currently searches for records with the prefix xx1234 (two letters and 4 digits), but it should be trivial to change the pattern that matches a particular camera vendor's DNS r…

To Watch or Be Watched: Turning Your Surveillance Camera Against You

Last year I was lucky enough to attend the Hack In The Box security conference in Amsterdam. Dhillon and the rest of the organizers put on a great event and since then I was eager to return.

The subject line of this post is the title of the talk that we are going to present at #HITB2013AMS with my fresh colleague and old neighbor back in Armenia, Artem Harutyunyan.

We'll try to get some attention on the security flaws of widely available IP surveillance cameras that you can get at Home Depot for as low as $70. It's quite a challenge for us, because we never dealt with embedded devices before, although the security issues in the embedded web server of the cameras themselves are enough to do whatever you/a bad guy/the Chinese government want.

See you in Amsterdam.

Follow The RFC!

About 40 minutes before our WebSocket presentation at BayThreat I decided to do the final dry run. The slide with the stack trace of a crashed desktop Safari caught my attention and I re-checked whether there is still a problem. While current OS X Safari was fixed and I removed the slide, I decided to navigate to that page using Safari on my iPhone running iOS 6.

The result was quite surprising, since I thought Apple is using the same WebKit engine for all platforms: Safari simply hung, while minimizing and re-opening caused a crash. Chrome on iOS 6 behaved in a similar way, while Chrome on OS X was always handling that code properly. Trying it on a friend's Galaxy something caused the entire UI of Android to behave funny.

For those who are curious what the code is doing: it does nothing but try to open several thousand WebSocket connections to a non-existing server. RFC 6455 is quite clear on this:

"There MUST be no more than one connection in a CONNECTING state. If multiple connections to the s…