A few months back, I reported several issues to Loftek regarding their Nexus 543 IP camera, and I eventually received the following response:
Dear Craig Young,
Thanks for your message. Your suggestion already submit to our Tech department , they are seeking for solution. We highly appreciated for your concern and support. Actually almost more then half of IP Camera in the market are used the same project as ours . And It will a little bit long time to upgrade the product. If don’t set up the camera for WAN view , it will reduce the risk. And our camera just for average household user, not suitable for highly classified occasion . Hope you can understand. Thanks
After 10 weeks, I wrote to Loftek again asking for a timeline on when an updated firmware would be released and received this quite unsatisfactory response:
Dear Craig Young,
We release a Tool “Set DDNS” on our website , with this tool you can remove the camera DDNS . And if you don’t set up the camera for WAN View , remote unauthenticated attacker can’t make a request to access your camera. Thanks
Hope this can help for you
Based upon this response, I have decided that it is an appropriate time for full disclosure. I’m sure many of these vulnerabilities look familiar, and are familiar to some of you, but this is a popular camera on eBay and Amazon and I have not seen any other reports on this brand/model.
Here are the CVEs:
- CVE-2013-3311: The HTTP interface permits disclosure of /proc/kcore through directory traversal as demonstrated by the following request: ‘GET /../proc/kcore’ kcore can be trivially dissected to reveal configured passwords for camera viewing, FTP servers, mail servers, DynDNS, etc in the clear.
- CVE-2013-3312: The device provides no CSRF protection and is prone to password and firewall modification through crafted IMG tags (i.e. a img tag with source /set_users.cgi?next_url=rebootme.htm&user1=admin&pwd1=password&pri1=2&user2=anon&pwd2=password&pri2=0&user3=&pwd3=&pri3=1&user4=&pwd4=&pri4=0&user5=&pwd5=&pri5=0&user6=&pwd6=&pri6=0&user7=&pwd7=&pri7=0&user8=&pwd8=&pri8=0)
- CVE-2013-3313: Per CVE-2013-3311, the passwords are stored without hashing/crypto (GET /check_users.cgi to see your password)
- CVE-2013-3314: Unauthenticated GET requests can retrieve wifi credentials, firmware revision, and the device’s internal ‘real’ IP.
- /get_realip.cgi – reveals IP address (private address when behind NAT/firewall)
- /get_status.cgi – reveals firmware versions (ui and system), timestamp, serial number, p2p port number, and wifi status
- /../etc/RT2870STA.dat – reveals wifi SSID/credentials
The result of these issues is that unauthenticated attackers can remotely retrieve passwords to view the camera feed and control the camera, as well as fetching configured passwords for SMTP, FTP, and DynDNS in plaintext.
My advice is to dump Loftek cameras from your environment, but if this is not an option, consider putting it on an isolated network and using VPN or SSH tunneling (aka poor man’s VPN).
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock
Categories: Vulnerability Management