CVE-2014-1849
Published: 2014-05-14
Priority: P2 (62, critical)
CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: EXPLOIT
EPSS: 12.09% (95.6th percentile)
Foscam IP camera 11.37.2.49 and other versions, when using the Foscam DynDNS option, generates credentials based on predictable camera subdomain names, which allows remote attackers to spoof or hijack arbitrary cameras and conduct other attacks by modifying arbitrary camera records in the Foscam DNS server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| foscam | ip_camera_firmware | — | — |
Detection & IOCs (extracted from sources)
Stage 1 registration payload (bytes, PID=14):
01 50 49 44 3d 31 34 01 55 4e 61 6d 65 3d 63 68 31 32 36 36 01 50 57 44 3d 63 68 31 32 36 36 01 4f 45 4d 3d 72 65 65 63 61 6d 01 44 6f 6d 61 69 6e 43 6f 75 6e 74 3d 31 01 44 6f 6d 61 69 6e 30 3d 63 68 31 32 36 36 2e 6d 79 66 6f 73 63 61 6d 2e 6f 72 67 01 00
(decodes to the 0x01-delimited fields PID=14, UName=ch1266, PWD=ch1266, OEM=reecam, DomainCount=1, Domain0=ch1266.myfoscam.org, terminated by 0x01 0x00)
Stage 2 redirect/hijack payload (bytes, PID=10):
01 50 49 44 3d 31 30 01 55 4e 61 6d 65 3d 63 68 31 32 36 36 01 50 57 44 3d 63 68 31 32 36 36 01 4f 45 4d 3d 72 65 65 63 61 6d 01 4f 53 3d 4c 69 6e 75 78 01 42 75 69 6c 64 4e 4f 3d 31 33 38 30 01 44 6f 6d 61 69 6e 30 3d 63 68 31 32 36 36 2e 6d 79 66 6f 73 63 61 6d 2e 6f 72 67 01 00
(decodes to PID=10, UName=ch1266, PWD=ch1266, OEM=reecam, OS=Linux, BuildNO=1380, Domain0=ch1266.myfoscam.org, terminated by 0x01 0x00)
- Monitor for UDP traffic to port 8080 destined for myfoscam.org DDNS servers containing the OEM field value 'reecam' (0x72 0x65 0x65 0x63 0x61 0x6d); this is the protocol marker used by the exploit to register/hijack camera DNS entries.
- Detect the exploit's initial registration payload by matching the 0x01-delimited protocol structure with fields PID=14, UName, PWD, OEM=reecam, DomainCount=1, and a Domain0 ending in .myfoscam.org over UDP.
- Detect the redirect/hijack payload (PID=10, BuildNO=1380, OS=Linux) sent over UDP to the forwarded DDNS server IP and port extracted from the initial response; this second-stage packet completes the DNS record takeover.
- Camera subdomains follow a predictable pattern (e.g., ch<digits>.myfoscam.org); alert on DNS queries or registrations for subdomains matching this pattern originating from unexpected sources.
- The attack is two-stage over UDP: first a registration request to the DDNS server on port 8080, then a redirect/update request sent to a forwarded server IP:port extracted from the first response. Both stages must be blocked to prevent DNS record hijacking.
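The 0x01-delimited record described in the notes above, decoded and matched the way a packet inspector would do it. This is an added example written for this page, not code from the page's sources or from the getmecamtool project; the field names (PID, UName, PWD, OEM, DomainCount, OS, BuildNO, Domain0) come from the two dumps above, while the function names, the "stage" labels and the alert format are this example's own.

```python
import re

# Both UDP payloads from the IOC section above (constructed here; each equals the page's hex dump).
REGISTRATION = (b"\x01PID=14\x01UName=ch1266\x01PWD=ch1266\x01OEM=reecam"
                b"\x01DomainCount=1\x01Domain0=ch1266.myfoscam.org\x01\x00")
REDIRECT = (b"\x01PID=10\x01UName=ch1266\x01PWD=ch1266\x01OEM=reecam"
            b"\x01OS=Linux\x01BuildNO=1380\x01Domain0=ch1266.myfoscam.org\x01\x00")
# Predictable subdomain shape named in the detection notes: ch<digits>.myfoscam.org
SUBDOMAIN_RE = re.compile(r"^ch\d+\.myfoscam\.org$")

def parse_ddns_payload(data):
    """Decode a 0x01-delimited Key=Value record (leading 0x01, fields split by 0x01,
    terminated by 0x01 0x00, as in both dumps) into a dict; anything else is rejected."""
    if len(data) < 3 or data[0] != 0x01 or data[-2:] != b"\x01\x00":
        raise ValueError("not a 0x01-delimited Foscam DDNS record")
    fields = {}
    for chunk in data[1:-2].split(b"\x01"):
        key, sep, value = chunk.partition(b"=")
        if not sep or not key:
            raise ValueError("malformed field: %r" % chunk)
        fields[key.decode("ascii")] = value.decode("ascii")
    return fields

def classify(fields):
    """Name the stage a decoded record matches, or None if it is not Foscam DDNS traffic."""
    if fields.get("OEM") != "reecam" or not fields.get("Domain0", "").endswith(".myfoscam.org"):
        return None
    if fields.get("PID") == "14" and fields.get("DomainCount") == "1":
        return "stage1-registration"  # first request, sent to the DDNS server on udp/8080
    if fields.get("PID") == "10" and fields.get("OS") == "Linux" and fields.get("BuildNO") == "1380":
        return "stage2-redirect"  # second request, sent to the forwarded IP:port
    return "foscam-ddns-other"

def uses_predictable_credentials(fields):
    """Root cause as visible in the dumps: UName and PWD both equal the ch<digits> subdomain label."""
    domain = fields.get("Domain0", "")
    label = domain.split(".", 1)[0]
    return bool(SUBDOMAIN_RE.match(domain)) and fields.get("UName") == label == fields.get("PWD")

def inspect_udp(dst_port, payload):
    """Per-packet detector: returns an alert string, or None for unrelated traffic."""
    try:
        fields = parse_ddns_payload(payload)
    except (ValueError, UnicodeDecodeError):
        return None
    stage = classify(fields)
    if stage is None:
        return None
    creds = " (credentials derived from subdomain)" if uses_predictable_credentials(fields) else ""
    return "foscam-ddns %s to udp/%d for %s%s" % (stage, dst_port, fields["Domain0"], creds)
```

Feed `inspect_udp` the destination port and raw UDP payload of each packet; non-matching or malformed payloads return None rather than raising, so it is safe to run over arbitrary traffic.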
References
- http://blog.shekyan.com/2014/05/cve-2014-1849-foscam-dynamic-dns-predictable-credentials-vulnerability.html
- http://seclists.org/fulldisclosure/2014/May/35
- https://github.com/artemharutyunyan/getmecamtool/blob/master/src/dnsmod.c