A few months ago, as you probably remember, I started a section related to 'reading firmwares'. A few results from that journey have already been published on the blog (for example: 1, 2, 3). In September I found another firmware, this time related to Foscam, and this is what I found inside...
You can find more details about Foscam here. Here we go...
I was looking for some new firmware(s) to check in our 'newly prepared lab'. That's how I found the firmware ZIP called FI8620-3.2.2.2.1-20120815. (I don't know if the details described below apply to any other Foscam firmware. I will leave that to you as an exercise ;))
While looking for some default/hardcoded passwords:
I found that there is also a small binary called upgweb. It turned out to be a web server. :)
Checking strings:
Then I decided to switch to IDA and see what's inside the binary:
So now we are here:
It looks like we found strcpy() used to 'copy' the username and password ;) After a while it should look similar to this:
More:
The bug should be located here:
More strcpy()'s:
And now the best ;)
I think this strcpy() is exploitable. A user who knows the default password to the Foscam can access the admin panel and go to 'change password' to exploit the 'username' and/or 'password' field.
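To make the defect concrete from the defender's side, here is an added illustration (my own example code, not Foscam's upgweb or anything recovered from the binary) of the pattern the post describes: form fields copied with strcpy() into fixed-size buffers, next to a bounded version that rejects any field that does not fit. The struct layout, the field names and the CRED_MAX size are assumptions; the real buffer sizes in upgweb are not known from the post.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the real sizes in upgweb are not known from the post. */
#define CRED_MAX 32

/* Hypothetical layout standing in for wherever upgweb stores the fields. */
struct credentials {
    char username[CRED_MAX];
    char password[CRED_MAX];
};

/* The pattern the post found: strcpy() with no length check, so a field
 * longer than the destination writes past the end of the array. Shown only
 * to contrast with the safe version; do not call it with untrusted input. */
void set_credentials_unsafe(struct credentials *c, const char *user, const char *pass)
{
    strcpy(c->username, user);
    strcpy(c->password, pass);
}

/* Hardened form: check that each field fits together with its NUL terminator
 * and refuse the request otherwise. Returns 0 on success, -1 if rejected. */
int set_credentials_safe(struct credentials *c, const char *user, const char *pass)
{
    size_t ulen = strlen(user);
    size_t plen = strlen(pass);

    if (ulen >= CRED_MAX || plen >= CRED_MAX)
        return -1;              /* reject rather than truncate silently */

    memcpy(c->username, user, ulen + 1);   /* +1 copies the terminator */
    memcpy(c->password, pass, plen + 1);
    return 0;
}

/* Helper: does the safe version accept a normal-sized pair and store it intact? */
int accepts_short(void)
{
    struct credentials c;
    if (set_credentials_safe(&c, "admin", "secret") != 0)
        return 0;
    return strcmp(c.username, "admin") == 0 && strcmp(c.password, "secret") == 0;
}

/* Helper: does the safe version reject an over-long field (constructed input)
 * in either position? Returns 1 if both are rejected. */
int rejects_overlong(void)
{
    struct credentials c;
    char big[CRED_MAX * 4];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return set_credentials_safe(&c, big, "x") == -1 &&
           set_credentials_safe(&c, "x", big) == -1;
}

int main(void)
{
    printf("short pair accepted : %d\n", accepts_short());
    printf("over-long rejected  : %d\n", rejects_overlong());
    return 0;
}
```

The point of the safe version is that the length check happens before any copy, and a failing check is turned into a visible error (an HTTP 4xx in a real server) instead of a truncated or overflowed buffer. Truncating with strncpy() alone is a weaker fix, because it can drop the terminator and still lets a too-long password be silently shortened.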
Unfortunately I wasn't able to run this HTTP server (upgweb) in my super-cool lab.
I tried to run it in Azeria's lab as well as with Billy's materials - no luck.
That's why I decided to publish it. Maybe you will find a way to run it (if so, feel free to let me know how. I found some similar cases, for example here, but still wasn't able to run the binary. Any hints are welcome) ;)
You can find the binary/httpd file here on my GitHub.
Maybe you will find it useful.
Cheers