Important Message from Foscam Digital Technologies Regarding US Sales & Service

Foscam.US (aka Foscam Digital Technologies and now Amcrest Technologies) is an independent United States based distributor of "Foscam" branded products. We have been offering telephone support, US local warranty and building the Foscam brand in the US for the past 7 years. Based on our experiences with Foscam and feedback from end users we have launched our own new and improved line of wireless IP cameras and security systems under the Amcrest brand. Working in partnership with the second largest security camera manufacturer in the world, Amcrest was founded with a deep commitment to end-user privacy and security, highly reliable software and hardware as well as a seamless and intuitive user experience. For more information, please visit www.Amcrest.com

If you are having trouble with your Foscam cameras, we sincerely apologize for this inconvenience and would love to help. For technical support, response to inquiries and for obtaining replacements for any Foscam IP Cameras or NVR products, please reach out to tech@foscam.com or call 1-844-344-1113.

If you are interested in exchanging your Foscam camera for an Amcrest camera, we can offer you a massive loyalty discount, even if you are out of warranty. Please send an email to support@amcrest.com, sales@amcrest.com or call 1-888-212-7538

If you are subscribed to Foscam Cloud (www.foscamcloud.com), please contact cloud@foscam.us for support.

If you currently use the manufacturer's cloud service (www.myfoscam.com or linked in any way to www.foscam.com), you will need to contact them directly for support, at www.myfoscam.com.


MJPEG .54 Firmware Bug - User Logon Bypass


Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby stisev » Fri Jan 24, 2014 1:41 am

To add insult to injury, it happens anytime I go to any part of the foscam site.


Also, Don -- my screen looks different than yours (latest Chrome & IE)

[screenshot attachment]


When I press OK, it says PLEASE ENTER USERNAME AND PASSWORD.

Am I safe?
stisev
 
Posts: 7
Joined: Fri Nov 01, 2013 3:23 am

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby TheUberOverLord » Fri Jan 24, 2014 1:58 am

stisev wrote:I am on 54 and it doesn't look like I am vulnerable. It is asking me for user/pass; however, my screen doesn't look like that.

At any rate, thanks for the heads up. Saw the post on Kreb security.



EDIT: sigh, tried to get the new firmware. Now I am getting a message in Chinese when trying to get the firmware. Translated:

Your request is too often has been the site administrator set up to intercept!
Possible causes: the pages you visit too often
How to solve:

1) Wait for some time to re-visit;
2) If the web hosting, please contact space provider;
3) general site visitors, after cleaning up the browser Cookie re-visit, or contact the site administrator;




..... I went to the web site once.

The tester is NOT supposed to look like, and does not look like, the Standard Camera Interface that comes with the camera.

Please read again:

http://foscam.us/forum/mjpeg-54-firmware-bug-user-logon-bypass-t8442.html#p40593

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby FOSCAM » Fri Jan 24, 2014 10:36 am

SENWiEco wrote:I have been trying to set up a FOSCAM FI8905W construction camera for a couple of weeks now.

Regardless of the HTML used to access the camera on a web page (Recently tried Don's amazing utility), the user was asked for a user name and password the first time they went to view even when these were correctly provided in the HTML code. The prompt for user/pwd would only appear the first access to the page and the user would not be prompted again as long as they did not completely shut down their browser.

I discovered fairly early in my testing, that the user could just press OK in the dialogue window without filling in a user or pwd and they would be taken to the image. I assumed this was because the code was passing the credentials to the firmware in the background.

However, I used Don's testing utility yesterday and discovered I was taken to the image even when I did not provide a user and pwd. I confirmed this by creating a test web page that again does not provide ANY user or pwd. If the viewer just presses OK when prompted and leaves both fields blank, they are still taken to the image.

The test page is http://www.senwi.ca/Misc/test.html

The camera has the latest firmware available, Version 11.35.2.54, and Embedded Web UI Version 2.4.20.8.

This appears to be a serious security hole in the firmware. :shock:

Don did not believe me until he tested this morning and confirmed that this is a firmware bug. I have two users set up in the firmware. One is set as administrator and the other as visitor. Both have passwords.

I would encourage you to investigate your own cameras to ensure users are not able to bypass the credentials you have set up. I would be interested in hearing if anyone else has this issue.

Don has reported back to me that he has notified FOSCAM of the issue.


Hi, SENWiEco

Thanks for your feedback!
We have released a new firmware version 55 to fix the bug where some CGI commands did not require authentication.
Please go to our official download center http://www.foscam.com/down3.aspx and upgrade your camera to the latest firmware version 55.
Note: Please always keep your camera with the latest firmware.

Best regards
FOSCAM
 
Posts: 766
Joined: Thu Nov 03, 2011 9:11 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby SENWiEco » Fri Jan 24, 2014 12:48 pm

Thanks FOSCAM, but your fix is broken as well. Please see rest of this thread.

Thanks Don for all your work on this.
SENWiEco
 
Posts: 8
Joined: Mon Jan 20, 2014 1:24 am

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby TheUberOverLord » Sun Jan 26, 2014 1:23 am

SENWiEco wrote:Thanks FOSCAM, but your fix is broken as well. Please see rest of this thread.

Thanks Don for all your work on this.

Thank You.

For your patience on this.

It appears that the MJPEG based cameras have logic such that when 10 failed logon attempts, due to an invalid User Id or Password, are made back-to-back from the same IP Address, the IP Address that made those invalid logon requests is suspended from accessing the camera for 30 minutes.

After additional testing was done: only the IP Address that had those 10 failed logon attempts is suspended by the camera, for 30 minutes, before that same IP Address can once again access the camera.

Logon requests from other IP Addresses will be processed normally, by the camera and not fail.

Testing was somewhat complicated by me at the time only having one Internet connection to verify this. I finally was able to prove this is true.

To do the same, you would need access to two Internet connections, using one Internet connection to create 10 back-to-back failed logon attempts. Then try to use that same Internet connection to access the camera. It will fail and continue to fail, for 30 minutes.

Then use the other Internet connection, to try and access the camera, that has not had 10 back-to-back failed logons. It will be able to access the camera.

I was just told by Foscam, late afternoon yesterday, that the MJPEG based cameras had this logic and that this logic was not, and is not connected to firmware versions .54 or .55.

It took me some time to do testing, to verify that what Foscam told me, was correct. Having access to only one Internet connection, during testing, somewhat complicated this as well.

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby casperk » Thu Jan 30, 2014 1:26 am

Not sure if it is related but I have an FI8910W with 11.37.2.52 firmware and another FI8910W with 11.22.2.41 firmware that, when prompted for username and password, I clicked CANCEL and was able to get to the Device Status page without logging in. All other functions seem to require authorization (the login window pops up again). I will try to update to the new firmware to see if it helps.
casperk
 
Posts: 3
Joined: Thu Jan 30, 2014 1:03 am

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby TheUberOverLord » Thu Jan 30, 2014 1:38 am

casperk wrote:Not sure if it is related but I have an FI8910W with 11.37.2.52 firmware and another FI8910W with 11.22.2.41 firmware that, when prompted for username and password, I clicked CANCEL and was able to get to the Device Status page without logging in. All other functions seem to require authorization (the login window pops up again). I will try to update to the new firmware to see if it helps.

Some changes were also made in the .54 firmware version that now require things like device status to use a User Id and Password for the camera. In prior firmware releases this was not required, and one could get this information without any need to use a User Id and Password.

While this may seem like a trivial change, it's a major one. Now someone would need a camera User Id and Password to be able to determine what firmware release is installed in a camera, whereas before, anyone could query a camera using the device status to determine what firmware was installed in it, allowing that information to be used to try this or that based on some known issue with that specific firmware version.

That said, if you allow others to access your cameras using a Visitor or Operator User Level Id for the camera, those are valid users for the camera, and using those User Ids and Passwords allows access to the device status, showing things like what firmware is installed in the camera. So it's even MORE important than normal for those camera owners that do allow others to access their cameras using a Visitor or Operator User Id to ALWAYS be on the most current version of firmware, as other camera owners should also always be.

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm
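The two behaviours Don describes in the posts above (every CGI command, device status included, sitting behind credentials, and ten back-to-back failed logons from one IP address suspending only that address for 30 minutes while other addresses are served normally) can be modelled in a few dozen lines. The following Python is an added example written for this thread, not Foscam firmware code; the CGI command names, the three user levels, the per-IP counters and the `anonymous_commands` switch (which reproduces the pre-.54 habit of serving device status without credentials) are all assumptions made for illustration.

```python
"""Model of an IP camera CGI authentication gate with per-IP lockout.

Added example, not Foscam firmware. It models the behaviour described in the
thread: every CGI command needs credentials (deny by default), and after
MAX_FAILURES back-to-back failed logons from one IP address that address is
suspended for LOCKOUT_SECONDS while every other address is unaffected.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 10            # back-to-back failed logons tolerated per IP (from the thread)
LOCKOUT_SECONDS = 30 * 60    # suspension applied to that IP afterwards (from the thread)

LEVELS = {"visitor": 0, "operator": 1, "admin": 2}   # assumed user levels

# Hypothetical CGI command table: minimum user level each command requires.
# A command missing from this table is refused outright.
COMMANDS = {
    "videostream.cgi": "visitor",
    "snapshot.cgi": "visitor",
    "get_status.cgi": "visitor",     # device status, including firmware version
    "decoder_control.cgi": "operator",
    "get_params.cgi": "admin",
    "set_users.cgi": "admin",
}


def _derive(password, salt):
    """Salted password hash; the firmware's own storage format is unknown."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CameraAuthGate:
    def __init__(self, users, anonymous_commands=frozenset(), clock=time.monotonic):
        # users: {username: (password, level)}; clock is injectable for testing
        self._clock = clock
        self._anonymous = frozenset(anonymous_commands)
        self._users = {}
        for name, (password, level) in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _derive(password, salt), LEVELS[level])
        self._failures = {}       # ip -> consecutive failed logons
        self._locked_until = {}   # ip -> clock time at which the suspension ends

    def _is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self._clock() < until:
            return True
        del self._locked_until[ip]      # suspension expired; start clean
        self._failures.pop(ip, None)
        return False

    def _check_credentials(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            _derive(password, b"\x00" * 16)   # same cost for unknown users
            return None
        salt, digest, level = rec
        if hmac.compare_digest(_derive(password, salt), digest):
            return level
        return None

    def request(self, ip, cgi, username=None, password=None):
        """Return one of: not_found, ok, locked, unauthorized, forbidden."""
        required = COMMANDS.get(cgi)
        if required is None:
            return "not_found"
        if cgi in self._anonymous:
            return "ok"                  # the pre-.54 leak: no credentials checked
        if self._is_locked(ip):
            return "locked"              # valid credentials fail too, for 30 minutes
        level = None
        if username is not None and password is not None:
            level = self._check_credentials(username, password)
        if level is None:                # blank "OK" press counts as a failure
            n = self._failures.get(ip, 0) + 1
            self._failures[ip] = n
            if n >= MAX_FAILURES:
                self._locked_until[ip] = self._clock() + LOCKOUT_SECONDS
            return "unauthorized"
        self._failures.pop(ip, None)     # a good logon resets the counter
        if level < LEVELS[required]:
            return "forbidden"
        return "ok"


if __name__ == "__main__":
    # Constructed scenario: one visitor-level viewer and one admin.
    gate = CameraAuthGate({"admin": ("adm1n-pass", "admin"),
                           "viewer": ("view-pass", "visitor")})
    print("blank OK on status:", gate.request("10.0.0.5", "get_status.cgi"))
    print("viewer on status:  ", gate.request("10.0.0.5", "get_status.cgi", "viewer", "view-pass"))
    print("viewer on set_users:", gate.request("10.0.0.5", "set_users.cgi", "viewer", "view-pass"))
```

The `clock` parameter exists so the 30 minute window can be exercised without waiting; passing `anonymous_commands={"get_status.cgi"}` shows why Don calls the .54 change a major one, since that single entry is enough for any address to read the firmware version without a logon.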

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby casperk » Fri Jan 31, 2014 2:23 am

Thanks Don. I upgraded the camera to the latest 11.37.2.55 and cannot seem to bypass the login screen now. My "IP Cam Viewer" and "tinyCam Monitor" apps on Android are both working without changes.

However my other FI8918W has the latest firmware 11.22.2.51 which I was able to get to the Device Status page without logging in. Any insight of when or if an upgrade to this firmware is coming?
casperk
 
Posts: 3
Joined: Thu Jan 30, 2014 1:03 am

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby TheUberOverLord » Fri Jan 31, 2014 8:41 pm

casperk wrote:Thanks Don. I upgraded the camera to the latest 11.37.2.55 and cannot seem to bypass the login screen now. My "IP Cam Viewer" and "tinyCam Monitor" apps on Android are both working without changes.

However my other FI8918W has the latest firmware 11.22.2.51 which I was able to get to the Device Status page without logging in. Any insight of when or if an upgrade to this firmware is coming?

Older cameras, which are many years old, such as those running 11.22.x.x or lower, might not have continued support, or may have delayed support, for being kept current on firmware releases.

Not sure if Foscam intends to bring 11.22.2.51 for example to 11.22.2.55, which is the 11.37.x.x current firmware version.

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby DaveGadgeteer » Sun Sep 28, 2014 8:03 pm

My Foscam cameras test vulnerable to the Shellshock exploit.
I have seen nothing from Foscam addressing this enormous problem.
This Bash exploit allows executing anything at all, complete insecurity.
http://shellshock.brandonpotter.com/
DaveGadgeteer
 
Posts: 4
Joined: Sun Sep 28, 2014 7:30 pm
