CVE-2017-5674
Published 2017-03-13
Priority: P266 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 21.57% (97.3 percentile)
A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malformed HTTP request ("GET system.ini HTTP/1.1\n\n"; note the lack of "/" in the path field of the request) that discloses the configuration file containing the login password.
Detection & IOCs (extracted from sources)
YARA rule:

```yara
rule Persirai {
    meta:
        description = "Detects Persirai Botnet Malware"
        author = "Tim Yeh"
        reference = "Internal Research"
        date = "2017-04-21"
        hash1 = "f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489"
        hash2 = "e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c"
        hash3 = "35317971e346e5b2a8401b2e66b9e62e371ce9532f816cb313216c3647973c32"
        hash4 = "ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c"
        hash5 = "ec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f"
    strings:
        $x1 = "ftpupload.sh" fullword ascii
        $x2 = "/dev/misc/watchdog" fullword ascii
        $x3 = "/dev/watchdog" ascii
        $x4 = ":52869/picsdesc.xml" fullword ascii
        $x5 = "npxXoudifFeEgGaACScs" fullword ascii
        $s1 = "ftptest.cgi" fullword ascii
        $s2 = "set_ftp.cgi" fullword ascii
        $s3 = "2580e538f3723927f1ea2fdb8d57b99e9cc37ced1" fullword ascii
        $s4 = "023ea8c671c0abf77241886465200cf81b1a2bf5e" fullword ascii
    condition:
        uint16(0) == 0x457f and filesize < 300KB and ( ( 1 of ($x*) and 1 of ($s*) ) or 2 of ($s*) )
}
```

- The exploit request is a malformed HTTP GET with no leading slash in the path: 'GET system.ini HTTP/1.1' (double newline, no '/'), sent to GoAhead-based IP camera web interfaces to retrieve the plaintext configuration/password file.
- Vulnerable IP cameras expose their web interface on TCP port 81; scan for, and alert on, inbound HTTP to port 81 on camera devices.
- Trend Micro IDS signatures 1133578 and 1133642 cover the CVE-2017-5674 GoAhead system.ini information disclosure; use these rule IDs as a reference when writing custom NIDS signatures.
- The malware runs only in memory after deleting itself from disk, so forensic/memory analysis is required to detect it; the device reverts to a vulnerable state on reboot.
- C&C communication uses the .ir (Iran) country-code TLD and Persian special characters; network traffic to gtpnet.ir domains from IP cameras is a high-confidence C&C indicator.
- The vulnerability affects a custom-built GoAhead web server used across multiple OEM/white-label IP camera brands (Foscam, Vstarcam, and others); detection must account for all affected OEM variants, not just the named brands.
- The malware persists only in memory and is removed on reboot, but the device returns to a vulnerable state afterwards; patching or a firmware update is required for persistent remediation.
- At the time of research, the IP camera manufacturer claimed the latest firmware addressed the vulnerability, but the test device already reported running the latest firmware version; patch availability should be independently verified.
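The detection notes above describe the request shape (a request-target with no leading "/", asking for system.ini) and the camera web port. The following is an added example, not code from this page, from NVD or from Trend Micro: a small detector that parses logged HTTP request lines, flags targets that are not in any request-target form HTTP allows, flags requests for system.ini, and tags hits aimed at TCP 81. The log line format, the RFC 5737 addresses in the sample and the `CAMERA_PORTS` set are assumptions constructed for the example.

```python
"""Added example (not code from the page or its sources): a small detector
that scans logged HTTP request lines for the CVE-2017-5674 request shape.
It flags request-targets that lack the leading "/" and any request for
system.ini, and tags hits aimed at the camera web port (TCP 81 per the page).
The log format and every sample line below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed log format: "<src_ip> <dst_ip>:<dst_port> <method> <target> HTTP/<ver>"
LOG_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/(?P<ver>\d\.\d)$"
)
CAMERA_PORTS = {81}  # the page notes the affected cameras listen on TCP 81

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10:81 GET system.ini HTTP/1.1
198.51.100.7 192.0.2.10:81 GET /index.htm HTTP/1.1
203.0.113.5 192.0.2.10:81 GET /system.ini HTTP/1.1
203.0.113.5 192.0.2.10:80 GET /cgi-bin/set_ftp.cgi?x=1 HTTP/1.1
203.0.113.9 192.0.2.11:81 POST config HTTP/1.0
203.0.113.9 192.0.2.11:81 OPTIONS * HTTP/1.1
203.0.113.9 192.0.2.12:8080 GET http://192.0.2.12/system.ini HTTP/1.1
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    method: str
    target: str
    reasons: tuple


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_malformed_origin_form(method, target):
    """True when the target is none of the request-target forms HTTP allows:
    origin-form ("/path"), absolute-form ("scheme://host/path"),
    asterisk-form ("*") or authority-form (only with CONNECT)."""
    if method == "CONNECT":
        return False
    if target == "*" or target.startswith("/"):
        return False
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return False
    return True


def last_path_segment(target):
    """Strip the query string and return the final path component."""
    path = target.split("?", 1)[0].rstrip("/")
    return path.rsplit("/", 1)[-1]


def analyze(rec):
    """Return a Finding for a suspicious record, or None."""
    reasons = []
    target = rec["target"]
    if is_malformed_origin_form(rec["method"], target):
        reasons.append("request-target lacks leading '/' (CVE-2017-5674 shape)")
    if last_path_segment(target).lower() == "system.ini":
        reasons.append("request for system.ini configuration file")
    if reasons and rec["port"] in CAMERA_PORTS:
        reasons.append("destination is IP camera web port %d" % rec["port"])
    if not reasons:
        return None
    return Finding(rec["src"], rec["dst"], rec["port"], rec["method"],
                   target, tuple(reasons))


def scan_log(text):
    """Run every parseable line through analyze() and collect the findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            hit = analyze(rec)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s -> %s:%d %s %s" % (f.src, f.dst, f.port, f.method, f.target))
        for r in f.reasons:
            print("    " + r)
```

Running the block over the constructed sample reports four findings: the slash-less `system.ini` request on port 81 (all three reasons), the well-formed `/system.ini` request on port 81, the slash-less `POST config` on port 81, and the absolute-form request for system.ini on 8080 (system.ini only, since absolute-form is legal and the port is not a camera port). `OPTIONS *` and the ordinary page requests are left alone, which is the check a practitioner wants so that legitimate asterisk-form and proxy-style requests do not page the on-call engineer.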
CVSS provenance
NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
No public exploits indexed.
Source: Trendmicro (blogs_trendmicro) · 2018-06-21 · CVE-2018-7602 [CRITICAL] · CVSS 9.8 · Malware

# Drupal Bug Exploited to Deliver Monero-Mining Malware
By: Smart Home Network Team, IoT Reputation Service Team
2018/06/21

We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots. Of note are its ways of hiding behind the Tor network to elude detection and how it checks the affected system first before infecting it with a cryptocurrency-mining malware. While these attacks c
Source: Trendmicro (blogs_trendmicro) · 2017-05-09 · Cyber Threats

# Persirai: New IoT Botnet Targets IP Cameras
By: Tim Yeh, Dove Chiu, Kenney Lu
2017/05/09

Updated on May 10, 2017, 6:52 PM (UTC-7): We updated the source code and made changes to Figures 4 and 6.

A new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Den
References:
- https://www.cybereason.com/cve-ip-cameras/
- https://www.cybereason.com/zero-day-exploits-turn-hundreds-of-thousands-of-ip-cameras-into-iot-botnet-slaves/