zepolo wrote:
Yes. It'll be OK for remote and safe (I hope) administration. But I'll lose the ability of distant access from anywhere and especially from my iPhone.
Or is there any other way to explore?

Unfortunately no. The firmware actually has a directory structure where files are maintained, which is located in the camera's memory instead of using a hard drive or SD card to do the same, much like your computer has directories and files. It's because of this that an actual firmware change is required to deny access to the directory in these cameras where this information is being exploited, vs. allowing it to be accessed, as it is now.
Here are some more details on the internals of these cameras and how their directories and files are stored in the camera's memory:
http://www.openipcam.com/forum/ind [...] 473.0.html
In the recent past, I have reported a similar vulnerability for the Foscam FI9820W model cameras and many other brands and models as well:
http://www.kb.cert.org/vuls/id/265532
Firmware was changed ("by Foscam only") for the exploit above, rather quickly, after I reported the vulnerability above and the camera model was still very new. However, soon afterwards, that camera model was discontinued by Foscam and is no longer being sold. Other brands and models are still being sold and still may have this problem as well.
In this situation here, with these cameras, with these two exploits, the impact covers many brands, models, clones and knockoffs that have been sold over many years by many different sellers. No seller, including Foscam, actually created/creates ANY of the firmware releases for these cameras.
All sellers of these cameras used/use a 3rd party to actually create and maintain the firmware. What this means is that anytime a seller of these cameras needs firmware changes (minus, say, minor Web UI ("Web User Interface") changes, which sellers and even you can do by yourself), these sellers pay that 3rd party for those changes. This may be why so few IP camera sellers care to modify firmware for these exploits: because of the additional costs to do so.
Quote By Foscam: "The reason Foscam decided to hire their own R&D team was because of the delays of firmware updates from third party software developers (this software can be seen in all the MJPEG models and older H.264 models such as the FI8910W and FI9820W). After the issues of the FI9820W camera being unstable and the software developers unwilling to help us change firmware for our customers who were having problems".
From: http://foscam.us/forum/fi9821w-iss [...] rty#p24436
It's because of this that I think it is not receiving as much attention as other vulnerabilities reported in the past have.
Depending on the Foscam hardware version and model of the camera, Foscam has issued firmware upgrades that do deal with and fix Exploit One, which requires no camera User Id or camera password, of the two methods used in these exploits. The second exploit would require someone to have an Operator level User Id and password in order to still gain access to the same data that the first exploit uses, which requires no User Id and password to do.
As far as I know, Foscam is the only seller of these cameras that has actually made some firmware releases to cover the first exploit, and no sellers, including Foscam, have released a firmware update to deal with the second exploit, which requires an Operator User Id and password for the camera to exploit.
Note: The second exploit was found and published after Foscam had released a new version of firmware for some camera models, thinking that there was only one exploit. Specifically regarding Foscam MJPEG based camera models: ALL Foscam MJPEG camera models have at least two different hardware versions for the same camera model. It would appear that Foscam did release new firmware for the most recent hardware versions of an MJPEG based camera model that they still sell, for Exploit One only. Other, older hardware versions of the same camera model may not have had a firmware version released. You can check here to see if there is a newer version of firmware for your Foscam MJPEG based camera:
http://www.foscam.com/down3.aspx
Note: The firmware version, if it exists for the hardware version of your camera model, will end in .49 for the system firmware version. If the system firmware version ends in anything less than .49, then your hardware version of your camera model has not had any new firmware created to protect you from anyone, without using a camera User Id or password, gathering your camera's configuration data, which may or may not include the ability to dump from your camera's configuration information: DDNS and DDNS password, Email and Email password, FTP and FTP password, Admin and password and other information. This is better known as protection from Exploit One.
Even if you do see and install a newer system firmware version for your camera's hardware version and model that does end with .49, your camera is NOT protected from Exploit Two.
You cannot use any system firmware version that is NOT for your camera hardware version and model or that does not match the first two sets of digits in your system firmware version. Example: You cannot upgrade to system firmware version 11.37.x.x if the current version of system firmware in your camera is 11.22.x.x, and vice versa. If you do, you will lose wireless ability of your camera. If you install the wrong firmware for another camera model into your camera model, you can brick your camera, making it impossible to use without opening up the camera and creating a serial interface to the camera to try to recover. Even then, that might not fix your camera. So please be careful.
As stated earlier here, I am personally NOT aware of any other seller that has even released a new firmware version to protect from Exploit One, besides Foscam, for some camera hardware versions and models. No seller, including Foscam, has released a new firmware version to fix Exploit Two, as of this date, that I personally am aware of. I monitor these issues closely.
So, if you do have access to a firmware upgrade that protects your camera from anyone, without using any User Id or password for the camera, retrieving the camera configuration information ("Exploit One"), and if you do not allow others in whom you do not have total and complete trust to have access to an Operator User Id and password, then you can protect yourself from the second exploit ("Exploit Two") in a roundabout way. While it's not a fix, limiting who has access to a camera's Operator User Id and password will give you protection.
The most important thing to remember about ALL of this, IMHO, is that these two exploits allow others to gain access to ANY Email addresses and Email passwords you use as well as ANY FTP and FTP passwords you use in the camera's configuration. So, this is not simply resetting the camera if needed. Once someone has access to your Email addresses and Email passwords and FTP User and FTP password, much, much more damage can be done to YOU personally than simply recovering your cameras by resetting those cameras and going about your day.
My suggestions are:
1. If your camera has no firmware release for Exploit One and you allow remote access, which allows your camera configuration to be dumped by ANYONE worldwide, and if you are not using a VPN or some sort of secure HTTPS interface ("like the example below"), you should NOT use any primary Email address in the camera's configuration. You should create a NEW Email address that you use specifically just for your camera's Email alarm notifications and nothing else that contains personal information, knowing that, at any time, someone can access that Email account and that you could lose it.
If you have FTP alarm notifications set up, I would create an FTP User Id that is confined to a specific directory that has NO tree to other directories and file information. If possible, I would make sure that the FTP User cannot change their password as well, knowing that, at some time, someone can delete any and all files using that FTP User Id. If that FTP User Id is allowed to be able to change their password, know that, at some time, someone can change that password at any time.
If the above is too risky for you, I would NOT use any Email or FTP alarm notifications, knowing that ALL your camera User Ids and passwords for ALL camera User Ids and your DDNS and password could still be changed at any time.
If the above is too risky for you, I would disable remote access or create a VPN or use other methods such as creating a secure HTTPS interface, using a server for your cameras.
Example: http://bitsofinfo.wordpress.com/20 [...] -proxying/
2. If you do have firmware that fixes Exploit One, I would not allow ANYONE that you do not have complete trust with to have any camera User Id higher than a Visitor level User Id, because anyone you give an Operator User Id and password to will be able to do EVERYTHING that can be done in #1 above, at any time, from anywhere. Even if you trust the person(s) who you may still want to have an Operator level User Id for your cameras, you need to think about their device security: their computers, tablets and phones. If they lose any of their devices or if any of their devices are stolen, and if those devices can be accessed and that information about the Operator User Id and password for your camera can/could be accessed, you run a risk that is beyond personal trust.
Whatever you choose to do, I would do testing to make sure that you verify what you think you currently are protected from, for both Exploit One and Exploit Two.
Legend
xxx.xxx.xxx.xxx = Local IP Address from within your network or ISP IP Address or DDNS
#### = Port For Camera
OperatorId = Operator User Id for Camera ("Case Sensitive")
Password = Password for Operator User Id ("Case Sensitive")
Replace the legend values below with the proper values for your camera. Enter each line below, one at a time, with those changes, into the browser window of your choice. If you see ANY data returned in your browser window for either of the two exploits shown below ("string of different characters that make no sense"), then your camera is exposed to that exploit. If you do NOT have an Operator level User Id defined for your camera, you will need to create one for testing Exploit Two. You can delete it after testing, if needed.
Test to determine if your camera is exposed to Exploit One ("Note: The // is not a typo"):
http://xxx.xxx.xxx.xxx:####//proc/kcore
Test to determine if your camera is exposed to Exploit Two ("Requires using an Operator level User Id and password for the camera"):
http://xxx.xxx.xxx.xxx:####/decoder_control.cgi?command=1&user=OperatorId&pwd=Password&next_url=/proc/kcore
How would someone go about gathering the information in my camera if someone were to use one of these exploits?
While you may not visually be able to see clearly what the above data returned includes, due to the vast amount of information being returned, when one of these exploits takes place successfully, the Admin User Id and password for the camera in question is returned in the data. Then virtually the entire configuration for ALL data in the camera can be accessed and dumped by replacing AdminId and Password ("both case sensitive") in the line below, in the browser window of your choice, using that returned information as well as the legend information for the IP and port of the camera.
You can also try the below in the browser window of your choice by simply using the Admin User Id and password for your camera to see what would be accessed by someone using these exploits:
http://xxx.xxx.xxx.xxx:####/get_params.cgi?user=AdminId&pwd=Password
Note: The camera has no log showing that any camera access by anyone took place using ANY of the three lines above. So, you cannot ever tell if it ever has or has not taken place. Once someone has access to the data in your camera configuration, nothing bad may happen right away. They might gather other data from other cameras and then sell all the data. This could take time. So thinking nothing bad happened today by no means is any assurance that can be said in the near future. Email addresses, FTP User Ids and their passwords have value. Sometimes they are packaged in bulk and sold to the highest bidder.
I hope this shows that this is not some form of paranoia, but instead is truly and truthfully a sad reality at this time. Hopefully this information shows both the risks and protection options and methods to test that protection, to protect you, the camera owner, from issues you may not have known you may be currently exposing yourself to, if your camera is one of these cameras.
Don
Message edited by theuberoverlord on 04-05-2013 at 08:45:20
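Added example, not part of the original post: the post notes that the camera keeps no access log, so this sketch assumes a reverse proxy sits in front of the camera (as in the HTTPS proxy suggestion) and writes common-log-format lines, then flags the three request shapes the post lists. The log lines are constructed samples, and the function names and labels are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample: lines a reverse proxy in front of the camera might
# write in common log format. Addresses and credentials are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2013:08:01:12 +0000] "GET //proc/kcore HTTP/1.1" 200 1048576
203.0.113.7 - - [04/May/2013:08:01:40 +0000] "GET /decoder_control.cgi?command=1&user=op&pwd=x&next_url=/proc/kcore HTTP/1.1" 200 1048576
203.0.113.7 - - [04/May/2013:08:02:05 +0000] "GET /get_params.cgi?user=admin&pwd=x HTTP/1.1" 200 2210
192.168.1.20 - - [04/May/2013:08:03:00 +0000] "GET /get_params.cgi?user=admin&pwd=x HTTP/1.1" 200 2210
192.168.1.20 - - [04/May/2013:08:03:30 +0000] "GET /decoder_control.cgi?command=1&user=op&pwd=x HTTP/1.1" 200 12
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def _norm(path):
    # Decode %xx and collapse repeated slashes so "//proc/kcore" == "/proc/kcore".
    return re.sub(r"/+", "/", unquote(path))

def classify(target):
    """Return a label (hypothetical names) for a request target, or None."""
    # Split by hand: urllib's urlsplit() would read the leading "//" as a host.
    path, _, query = target.partition("?")
    path = _norm(path)
    if path.startswith("/proc/"):
        return "proc-read-no-credentials"   # request shape of Exploit One
    next_urls = parse_qs(query).get("next_url", [])
    if any(_norm(v).startswith("/proc/") for v in next_urls):
        return "proc-read-via-next_url"     # request shape of Exploit Two
    if path.endswith("/get_params.cgi"):
        return "config-dump"                # full configuration read
    return None

def scan(log_text, trusted=frozenset()):
    """Return (client, time, label, status) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, when, target, status = m.groups()
        label = classify(target)
        # get_params.cgi is a normal admin call; only report it from other hosts.
        if label is None or (label == "config-dump" and client in trusted):
            continue
        findings.append((client, when, label, int(status)))
    return findings
```

Calling `scan(SAMPLE_LOG, trusted={"192.168.1.20"})` reports the three requests from 203.0.113.7 and skips the configuration read from the trusted local address.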