
MJPEG .54 Firmware Bug - User Logon Bypass

Users can ask and answer questions regarding Foscam IP Cameras

Moderators: mycam, FOSCAM

Postby SENWiEco » Mon Jan 20, 2014 1:29 pm

I have been trying to set up a FOSCAM FI8905W construction camera for a couple of weeks now.

Regardless of the HTML used to access the camera on a web page (Recently tried Don's amazing utility), the user was asked for a user name and password the first time they went to view even when these were correctly provided in the HTML code. The prompt for user/pwd would only appear the first access to the page and the user would not be prompted again as long as they did not completely shut down their browser.

I discovered fairly early in my testing, that the user could just press OK in the dialogue window without filling in a user or pwd and they would be taken to the image. I assumed this was because the code was passing the credentials to the firmware in the background.

However, I used Don's testing utility yesterday and discovered I was taken to the image even when I did not provide a user and pwd. I confirmed this by creating a test web page that again does not provide ANY user or pwd. If the viewer just presses OK when prompted and leaves both fields blank, they are still taken to the image.

The test page is http://www.senwi.ca/Misc/test.html

The camera has the latest firmware available, Version 11.35.2.54, and Embedded Web UI Version 2.4.20.8.

This appears to be a serious security hole in the firmware.

Don did not believe me until he tested this morning and confirmed that this is a firmware bug. I have two users set up in the firmware. One is set as administrator and the other as visitor. Both have passwords.

I would encourage you to investigate your own cameras to ensure users are not able to bypass the credentials you have set up. I would be interested in hearing if anyone else has this issue.

Don has reported back to me that he has notified FOSCAM of the issue.
SENWiEco
 
Posts: 8
Joined: Mon Jan 20, 2014 1:24 am

Re: Firmware Bug - User login not enforced.

Postby TheUberOverLord » Mon Jan 20, 2014 1:39 pm

I would like to thank SENWiEco for being so patient in trying to inform me about the initial bug, which also allowed me to do some additional testing and find other bugs relating to this same issue.

A new .55 firmware version has been released that resolves this issue; it can be downloaded here:

http://www.foscam.com/down3.aspx

Don
Click on these links for HELP
View Cameras On ANY Devices: MJPEG Cameras H.264 Cameras
How To: Setup IP Cameras Securely Display IP Cameras On Web
About Me
TheUberOverLord
 
Posts: 10847
Joined: Fri Jun 22, 2012 11:52 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby TheUberOverLord » Mon Jan 20, 2014 5:22 pm

As far as I know, after testing this issue, it is restricted to system firmware version .54 for the MJPEG Indoor and Outdoor camera models which I tested.

If anyone sees this as being possible before this firmware version with their MJPEG based Indoor or Outdoor camera model, please post about it here as well.

If anyone who has an MJPEG based camera model that is using system firmware version .54, and that camera model does NOT show this issue while having empty User Id slots in the camera's configuration, please also post about it here.

The following MJPEG based camera models currently have a system firmware version of .54 released:

FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W, FI8919W

Thanks

Don
TheUberOverLord
 
Posts: 10847
Joined: Fri Jun 22, 2012 11:52 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby TheUberOverLord » Tue Jan 21, 2014 1:20 am

Here is a quick way to verify and confirm if your MJPEG based camera which is using system firmware .54 has this issue: use the tool linked below. When prompted to enter a User Id and Password, simply click the OK button without entering ANY User Id or Password. You can use this tool to do this check with ANY browser from ANY Internet capable device running ANY operating system.

Example Of Using an IE ("Internet Explorer") browser when prompted:

[Attachment: OkButton.png]

Please do NOT use ANY leading http://. Simply enter the local IP address and port for your camera from within your local network, or the DDNS and port for your camera, or your ISP IP address and port for your camera:

Examples:

LocalIpAddress:PortForCamera
DDNS:PortForCamera
IspIPAddress:PortForCamera

http://www.saveontelephonebills.com/camera/YourCameraBIV25.htm

If you CAN see your camera when using the above without entering a User Id and Password, only using the OK button when prompted to logon, then you need to install the new .55 firmware version, which resolves this issue. More here at this link:

http://www.foscam.com/down3.aspx

Don
TheUberOverLord
 
Posts: 10847
Joined: Fri Jun 22, 2012 11:52 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby edrikk » Tue Jan 21, 2014 1:10 pm

Thank god I sit my cameras behind BlueIris... :/

Any idea Don why the foscam.com site has been down for over a week now?
edrikk
 
Posts: 19
Joined: Mon Aug 12, 2013 8:59 am

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby TheUberOverLord » Tue Jan 21, 2014 1:52 pm

edrikk wrote:Thank god I sit my cameras behind BlueIris... :/

Any idea Don why the foscam.com site has been down for over a week now?

Not sure what you mean?

It's been available for me.

Don
TheUberOverLord
 
Posts: 10847
Joined: Fri Jun 22, 2012 11:52 pm

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby edrikk » Thu Jan 23, 2014 10:25 am

Interesting...
Just tried again from a PC at work and, to rule out blocking by work, also from a cell phone, but both timed out connecting to www.foscam.com.
edrikk
 
Posts: 19
Joined: Mon Aug 12, 2013 8:59 am

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby hispan1c » Thu Jan 23, 2014 2:31 pm

Yikes, just tried it. My 8910w with .54 firmware seems to be vulnerable. I'm going to try out your workaround now.

Thanks Don.

I filled up all the user and password fields in user management. Now I can't see my stream anymore using the above-mentioned instructions.

https://www.dropbox.com/s/kc3m8jfvoxvf2 ... .51.35.png
hispan1c
 
Posts: 4
Joined: Thu Oct 31, 2013 11:31 am
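A model of the behaviour reported in this thread (blank credentials accepted while user slots are empty, with filling every slot as the workaround), written here as an added example; it is not Foscam firmware code, and the eight-slot table, the account names and the matching logic are assumptions that reproduce the symptom, not the real implementation.

```python
import hmac

# Constructed sample table: a camera UI with a fixed number of user slots,
# two of them configured. Assumption: 8 slots, standing in for the real
# firmware's table, whose layout is not shown in the thread.
SLOTS = [
    {"user": "admin", "pwd": "s3cret-admin", "role": "administrator"},
    {"user": "guest", "pwd": "s3cret-guest", "role": "visitor"},
] + [{"user": "", "pwd": "", "role": "visitor"} for _ in range(6)]


def login_naive(slots, user, pwd):
    """Models the reported .54 symptom: every slot, including unused ones,
    is compared against the submitted credentials, so a blank user/password
    pair matches any empty slot and is granted that slot's role."""
    for slot in slots:
        if slot["user"] == user and slot["pwd"] == pwd:
            return slot["role"]
    return None


def login_hardened(slots, user, pwd):
    """Unused slots are never valid accounts: refuse a blank username
    outright, skip empty slots, and compare in constant time."""
    if not user:
        return None
    for slot in slots:
        if not slot["user"]:  # empty slot: not an account, never matches
            continue
        name_ok = hmac.compare_digest(slot["user"].encode(), user.encode())
        pwd_ok = hmac.compare_digest(slot["pwd"].encode(), pwd.encode())
        if name_ok and pwd_ok:
            return slot["role"]
    return None


def empty_slots(slots):
    """Operator-side audit matching the thread's workaround: list the slot
    indexes that are still blank so they can be filled before the fix."""
    return [i for i, s in enumerate(slots) if not s["user"] or not s["pwd"]]


if __name__ == "__main__":
    print("naive, blank credentials:", login_naive(SLOTS, "", ""))
    print("hardened, blank credentials:", login_hardened(SLOTS, "", ""))
    print("hardened, admin:", login_hardened(SLOTS, "admin", "s3cret-admin"))
    print("empty slots to fill:", empty_slots(SLOTS))
```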

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby hispan1c » Thu Jan 23, 2014 3:17 pm

Just spotted your post about the new .55 firmware:
http://www.foscam.com/down3.aspx
hispan1c
 
Posts: 4
Joined: Thu Oct 31, 2013 11:31 am

Re: MJPEG .54 Firmware Bug - User Logon Bypass

Postby stisev » Fri Jan 24, 2014 1:32 am

I am on .54 and it doesn't look like I am vulnerable. It is asking me for user/pass; however, my screen doesn't look like that.

At any rate, thanks for the heads up. Saw the post on Krebs on Security.

EDIT: sigh, tried to get the new firmware. Now I am getting a message in Chinese when trying to get the firmware. Translated:

Your request is too often has been the site administrator set up to intercept!
Possible causes: the pages you visit too often
How to solve:

1) Wait for some time to re-visit;
2) If the web hosting, please contact space provider;
3) general site visitors, after cleaning up the browser Cookie re-visit, or contact the site administrator;

..... I went to the web site once.
stisev
 
Posts: 7
Joined: Fri Nov 01, 2013 3:23 am
