Monday, 31 December 2018

Reading firmware - Foscam

A few months ago, as you probably remember, I started a section related to 'reading firmwares'. A few results from that journey have already been published on the blog (for example: 1, 2, 3). In September I found another firmware, this time related to Foscam, and this is what I found inside...

You can find more details about Foscam here. Here we go...


I was looking for some new firmware(s) to check in our 'newly prepared lab'. That's how I found a firmware ZIP called: FI8620-3.2.2.2.1-20120815. (I don't know if the details described below are present in any other Foscam firmware. I will leave it to you as an exercise ;))

When I was looking for some default/hardcoded passwords:


I found that there is also a small binary file called upgweb. It turned out that this is a web server. :)

Checking strings:


Then I decided to switch to IDA and see what's inside the binary:


So now we are here:

It looks like we found strcpy() used to 'copy' the username and password ;) After a while it should look similar to this:


More:

The bug should be located here:


More strcpy()'s:



And now the best ;)

I think this strcpy() is exploitable. A user who knows the default password to the Foscam can access the admin panel and go to 'change password' to exploit the 'username' and/or 'password' field.
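The bug class described above, shown next to a bounded replacement. This is an added example, not code from the original post or from the upgweb binary; the struct layout, buffer sizes and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes: the real upgweb layout is not shown in the post. */
#define USER_MAX 32
#define PASS_MAX 32
struct account { char username[USER_MAX]; char password[PASS_MAX]; };

/* The pattern the post describes: form fields copied with no length check.
 * A field of USER_MAX bytes or more is written past the destination buffer. */
void set_credentials_unsafe(struct account *a, const char *user, const char *pass)
{
    strcpy(a->username, user);
    strcpy(a->password, pass);
}

/* Bounded copy: reject input that does not fit, terminator included. */
static int copy_field(char *dst, size_t dstsize, const char *src)
{
    const char *end;

    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    end = memchr(src, '\0', dstsize);   /* looks at no more than dstsize bytes */
    if (end == NULL)
        return -1;                      /* too long: reject instead of truncating */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Hardened handler: validate both fields into a scratch copy, then commit,
 * so a rejected request leaves the stored account unchanged. */
int set_credentials_safe(struct account *a, const char *user, const char *pass)
{
    struct account tmp = { {0}, {0} };

    if (a == NULL ||
        copy_field(tmp.username, sizeof tmp.username, user) != 0 ||
        copy_field(tmp.password, sizeof tmp.password, pass) != 0)
        return -1;
    *a = tmp;
    return 0;
}

int main(void)
{
    struct account acct = { "admin", "old-password" };  /* constructed values */
    const char *longname = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */
    printf("over-long username: %d\n", set_credentials_safe(&acct, longname, "pw"));
    printf("normal update:      %d\n", set_credentials_safe(&acct, "operator", "s3cret"));
    return 0;
}
```

Rejecting the request, instead of silently truncating the field, keeps the stored credentials identical to what the user typed or leaves them untouched.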

Unfortunately I wasn't able to run this HTTP server (upgweb) in my super-cool-lab.
I tried to run it in Azeria's lab as well as with Billy's materials - no luck.

That's why I decided to publish it. Maybe you will find a way to run it (if so, feel free to let me know how). I found some similar cases, for example here, but still wasn't able to run the binary anyway.
Any hints are welcome ;)

You can find the binary/httpd file here on my GitHub.
Maybe you will find it useful.

Cheers





