CVE-2017-5674
published 2017-03-13


Priority: P266 · Severity: critical · CVSS 3.0: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 21.57% (97.3rd percentile)

A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malformed HTTP ("GET system.ini HTTP/1.1\n\n" - note the lack of "/" in the path field of the request) request that will disclose the configuration file with the login password.

Detection & IOCs (extracted from sources)

  • command: GET system.ini HTTP/1.1\n\n
  • domain: ntp.gtpnet.ir
  • domain: load.gtpnet.ir
  • path: :52869/picsdesc.xml
  • hash: f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489
  • hash: e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c
  • hash: 35317971e346e5b2a8401b2e66b9e62e371ce9532f816cb313216c3647973c32
  • hash: ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c
  • hash: ec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f
  • hash: d00b79a0b47ae38b2d6fbbf994a2075bc70dc88142536f283e8447ed03917e45
  • hash: f974695ae560c6f035e089271ee33a84bebeb940be510ab5066ee958932e310a
  • hash: af4aa29d6e3fce9206b0d21b09b7bc40c3a2128bc5eb02ff239ed2f3549532bb
  • hash: aa443f81cbba72e1692246b5647a9278040400a86afc8e171f54577dc9324f61
  • hash: 4a5ff1def77deb11ddecd10f96e4a1de69291f2f879cd83186c6b3fc20bb009a
  • hash: 44620a09441305f592fb65d606958611f90e85b62b7ef7149e613d794df3a778
  • hash: a58769740a750a8b265df65a5b143a06972af2e7d82c5040d908e71474cbaf92
  • hash: 7d7aaa8c9a36324a2c5e9b0a3440344502f28b90776baa6b8dac7ac88a83aef0
  • hash: 4a5d00f91a5bb2b6b89ccdabc6c13eab97ede5848275513ded7dfd5803b1074b
  • hash: 264e5a7ce9ca7ce7a495ccb02e8f268290fcb1b3e1b05f87d3214b26b0ea9adc
yara:

rule Persirai {
    meta:
        description = "Detects Persirai Botnet Malware"
        author = "Tim Yeh"
        reference = "Internal Research"
        date = "2017-04-21"
        hash1 = "f736948bb4575c10a3175f0078a2b5d36cce1aa4cd635307d03c826e305a7489"
        hash2 = "e0b5c9f874f260c840766eb23c1f69828545d7820f959c8601c41c024044f02c"
        hash3 = "35317971e346e5b2a8401b2e66b9e62e371ce9532f816cb313216c3647973c32"
        hash4 = "ff5db7bdb4de17a77bd4a552f50f0e5488281cedc934fc3707833f90484ef66c"
        hash5 = "ec2c39f1dfb75e7b33daceaeda4dbadb8efd9015a9b7e41d595bb28d2cd0180f"
    strings:
        $x1 = "ftpupload.sh" fullword ascii
        $x2 = "/dev/misc/watchdog" fullword ascii
        $x3 = "/dev/watchdog" ascii
        $x4 = ":52869/picsdesc.xml" fullword ascii
        $x5 = "npxXoudifFeEgGaACScs" fullword ascii
        $s1 = "ftptest.cgi" fullword ascii
        $s2 = "set_ftp.cgi" fullword ascii
        $s3 = "2580e538f3723927f1ea2fdb8d57b99e9cc37ced1" fullword ascii
        $s4 = "023ea8c671c0abf77241886465200cf81b1a2bf5e" fullword ascii
    condition:
        uint16(0) == 0x457f and filesize < 300KB and
        ( ( 1 of ($x*) and 1 of ($s*) ) or 2 of ($s*) )
}

  • Exploit request is a malformed HTTP GET with no leading slash in the path: 'GET system.ini HTTP/1.1' (double newline, no '/'), targeting GoAhead-based IP camera web interfaces to retrieve the plaintext configuration/password file.
  • Vulnerable IP cameras expose their web interface on TCP port 81; scan/alert on inbound HTTP to port 81 on camera devices.
  • Trend Micro IDS signatures 1133578 and 1133642 cover CVE-2017-5674 GoAhead system.ini information disclosure; use these rule IDs as reference for custom NIDS signatures.
  • The malware deletes itself from disk and runs only in memory, so disk forensics will not find it; detection requires memory/forensic analysis of the live device, and a reboot removes the malware but returns the device to its vulnerable state.
  • C&C communication uses the .ir (Iran) country-code TLD and Persian special characters; network traffic to gtpnet.ir domains from IP cameras is a high-confidence C&C indicator.
  • The vulnerability affects a custom-built GoAhead web server used across multiple OEM/white-label IP camera brands (Foscam, Vstarcam, and others); detection must account for all affected OEM variants, not just named brands.
  • The malware only persists in memory and is removed on reboot, but the device returns to a vulnerable state after reboot; patching/firmware update is required for persistent remediation.
  • At time of research, the IP camera manufacturer claimed the latest firmware addressed the vulnerability, but the test device already reported running the latest firmware version; patch availability should be independently verified.

CVSS provenance

  • NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)