Category Archives: vulnerabilities

Many Internet Connected Security Cameras are Open to Remote Exploit

Thousands of wireless IP cameras connected to the Internet have serious security weaknesses that allow attackers to hijack them and alter their firmware, according to two researchers from security firm Qualys.

The cameras are sold under the Foscam brand in the U.S., but the same devices can be found in Europe and elsewhere with different branding, said Qualys researchers Sergey Shekyan and Artem Harutyunyan, who analyzed the security of the devices and are scheduled to present their findings at the Hack in the Box security conference in Amsterdam on Thursday.

Tutorials provided by the camera vendor contain instructions on how to make the devices accessible from the Internet by setting up port-forwarding rules in routers. Because of this, many such devices are exposed to the Internet and can be attacked remotely, the researchers said.

Finding the cameras is easy and can be done in several ways. One method involves using the Shodan search engine to search for an HTTP header specific to the Web-based user interfaces of the cameras. Such a query will return more than 100,000 devices, the researchers said.

The vendors selling these cameras also have them configured to use their own dynamic DNS services. For example, Foscam cameras get assigned a hostname of the type [two letters and four digits].myfoscam.org. By scanning the entire *.myfoscam.org name space an attacker could identify most Foscam cameras connected to the Internet, the researchers said.

Around two out of every 10 cameras allow users to log in with the default “admin” user name and no password, the researchers said. For the rest that do have user-configured passwords, there are other ways to break in.

One method is to exploit a recently discovered vulnerability in the camera’s Web interface that allows remote attackers to obtain a snapshot of the device’s memory.

This memory dump will contain the administrator user name and password in clear text along with other sensitive information like Wi-Fi credentials or details about devices on the local network, the researchers said.

Even though the vendor has patched this vulnerability in the latest firmware, 99% of Foscam cameras on the Internet are still running older firmware versions and are vulnerable, they said. There is also a way to exploit this vulnerability even with the latest firmware installed if you have operator-level credentials for the camera.

Another method is to exploit a cross-site request forgery (CSRF) flaw in the interface by tricking the camera administrator to open a specifically crafted link. This can be used to add a secondary administrator account to the camera.

New Rootkit infects Linux Web servers

A previously unknown rootkit is infecting Linux web servers and injecting malicious code into the web pages they serve. The rootkit was discovered by a user of the Full Disclosure security mailing list, who posted his observations, including the suspicious kernel module, to the list. The malware adds an iframe to every web page served by the infected system via the nginx proxy, including error pages.

Anyone who visits a web page on the server is then attacked by a specially crafted page loaded in the iframe. Criminals typically use exploit kits such as BlackHole to probe the visitor's system and establish which of a number of vulnerabilities in Flash, Java and other applications can be exploited. Once an exploitable hole is identified, it is used to install malware on the visitor's system. The compromised web server is ultimately being used to redirect visitors to a second web server, which then infects their systems, typically poorly maintained Windows machines, with malware.

Anti-virus software company Kaspersky Lab has analysed the malware. According to Kaspersky, the rootkit, which it has dubbed Rootkit.Linux.Snakso.a, is designed to target 64-bit systems and has been compiled for kernel version 2.6.32-5, used in Debian Squeeze. The rootkit adds the line insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko to the /etc/rc.local script, ensuring that the malicious module is loaded each time the system boots.

After booting, it determines the memory address of a number of kernel functions, which it then hooks into. This allows it both to hide itself from the user and to manipulate the server’s network traffic. The rootkit obtains deployment instructions from a command and control server. According to Kaspersky, the rootkit may still be under development, as it has been compiled with debug information in situ.
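The rc.local persistence described above is cheap to audit. The following is an added example (not code from the mailing-list post or from Kaspersky) that parses a constructed rc.local and constructed lsmod output and flags boot-time module loads that the distribution's kernel package does not account for; the sample data and the PACKAGED_MODULES set are constructed for illustration.

```python
import re
from pathlib import PurePosixPath
# Constructed /etc/rc.local with the persistence line described above appended.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local - executed at the end of each multiuser runlevel.
/usr/local/bin/start-monitoring
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
exit 0
"""

# Constructed `lsmod` output for the same host.
SAMPLE_LSMOD = """Module                  Size  Used by
module_init            40960  0
ext4                  528384  1
nf_conntrack          139264  2
"""

# Constructed set of module names shipped by the distribution kernel package.
PACKAGED_MODULES = {"ext4", "nf_conntrack", "snd", "snd_pcm"}
LOADER_RE = re.compile(r"^\s*(?:insmod|modprobe)\s+(\S+)")

def modules_from_rc_local(text):
    """Return (module_name, argument) for each insmod/modprobe line."""
    found = []
    for line in text.splitlines():
        m = LOADER_RE.match(line)
        if m:
            # insmod takes a path to a .ko file; modprobe takes a bare name.
            found.append((PurePosixPath(m.group(1)).stem, m.group(1)))
    return found

def loaded_modules(lsmod_text):
    """Parse lsmod output (header row skipped) into a set of module names."""
    return {ln.split()[0] for ln in lsmod_text.strip().splitlines()[1:] if ln.strip()}

def suspicious_persistence(rc_local, lsmod_text, packaged):
    """Flag boot-time module loads the kernel package does not account for."""
    # A rootkit that hooks the module list may hide from lsmod, so the
    # rc.local entry is the primary signal; "currently loaded" is corroboration.
    loaded = loaded_modules(lsmod_text)
    findings = []
    for name, arg in modules_from_rc_local(rc_local):
        reasons = []
        if name not in packaged:
            reasons.append("not shipped by the kernel package")
        if name in loaded:
            reasons.append("currently loaded")
        if reasons:
            findings.append({"module": name, "source": arg, "reasons": reasons})
    return findings
```

On a real host, feed it the contents of /etc/rc.local, the output of lsmod, and the module list from the kernel package's file manifest.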

Security expert Georg Wicherski has also analysed the rootkit, and suggests that it was developed by an advanced beginner who does not yet have a great deal of experience with the kernel. According to Wicherski, the attacker who deployed the rootkit is probably based in Russia.

Attacking TrueCrypt Containers

TCHead decrypts and verifies the information in a TrueCrypt container’s header. Containers range from single files to images of system volumes copied from fully encrypted hard drives. To do this, you do of course need the password. If you don’t have the right one, TCHead can run through a word list. Unlike the cracking tool John the Ripper, however, it cannot systematically mutate the candidates, for example by changing lower-case letters to upper case or converting letters to leetspeak.

Still faster than doing it by hand – TCHead tests out different passwords. TCHead carries out this kind of dictionary attack very, very slowly, however. In tests on a fairly fast computer, the tool needed about a minute to run through 1,000 candidate passwords. By comparison, password crackers usually measure their speed in millions of attempts per second. This poor performance is largely because TrueCrypt runs the password through Password-Based Key Derivation Function 2 (PBKDF2) to obtain the key used to test the header, and PBKDF2 is specifically designed to make each guess expensive and so slow down these types of brute-force attacks.
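To see why a KDF turns a cracker that normally manages millions of hashes per second into one that manages a thousand a minute, here is an added example (not part of the article or of TCHead) that derives a TrueCrypt-style header key and measures the per-candidate cost on the current host. The parameters are assumed to match TrueCrypt's documented derivation for SHA-512 (PBKDF2-HMAC-SHA512, 1000 iterations, 64-byte header salt); the salt and candidate passwords are constructed.

```python
import hashlib
import os
import time

# Parameters assumed to match TrueCrypt's documented header-key derivation
# for SHA-512: PBKDF2-HMAC-SHA512, 1000 iterations, 64-byte header salt.
PRF = "sha512"
ITERATIONS = 1000
SALT_LEN = 64
HEADER_KEY_LEN = 64  # enough key material for one XTS cipher

def header_key(password, salt, iterations=ITERATIONS):
    """Derive a TrueCrypt-style header key from a password and header salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("TrueCrypt header salt is 64 bytes")
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                               iterations, dklen=HEADER_KEY_LEN)

def derivations_per_second(iterations, samples=20):
    """Measure how many header keys per second this host derives.

    Every candidate password must pay for `iterations` HMAC-SHA512 rounds
    before the header can even be test-decrypted; that fixed cost, not the
    decryption itself, bounds the rate of a word-list run.
    """
    salt = os.urandom(SALT_LEN)  # constructed salt standing in for a header
    start = time.perf_counter()
    for i in range(samples):
        header_key("candidate-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)

def slowdown_factor(strong=ITERATIONS, weak=1):
    """How many times slower a guess is at the real iteration count than
    with a single PBKDF2 round (roughly a plain salted hash)."""
    return derivations_per_second(weak) / derivations_per_second(strong)

if __name__ == "__main__":
    print("header keys/s at %d iterations: %.0f"
          % (ITERATIONS, derivations_per_second(ITERATIONS)))
    print("slowdown vs. single round: %.0fx" % slowdown_factor())
```

Raising the iteration count raises the defender's one-time cost per mount by the same factor it raises the attacker's cost per guess, which is the whole point of the design.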

TCHead can handle the standard encryption algorithms AES, Serpent and Twofish. TrueCrypt, however, also offers cascaded algorithms such as a combination of AES and Serpent. Our attempts to run TCHead against such a combination container failed without any error message, even though the target password was in the word list. The tool does not currently support cascaded encryption algorithms, though the developers say this is on their to-do list.

A statically linked Linux binary and source code, which we were able to compile under Ubuntu 12.04 LTS with a little tinkering, are available to download from the project’s site. There is also a script for building a Windows version using the g++ compiler, though we have not tested this.

In summary, TCHead is a useful addition to any forensic IT specialist’s collection and is one of the few available options for tackling encrypted TrueCrypt containers. But don’t expect too much: if the targeted TrueCrypt user followed even basic password rules, you don’t stand a chance.

USB Stick of Death

The people over at the j00ru tech blog have been digging into the complex and largely unexplored NTFS file system used on Microsoft Windows. It didn’t take them long to find a bug. What makes a bug in NTFS especially interesting is that an attacker can plug a USB drive into the target computer and rely on its auto-mount function to trigger any vulnerability in ntfs.sys. They found some very promising results, including a bug they were able to turn into a local elevation of privileges.

Note that the presented issue requires the attacker to obtain physical access to the machine and have a local user in the system. Consequently, the only scenario in which it might be a problem security-wise is a local computer shared between multiple users with restricted privileges (e.g. schools, universities, hostels). You can check out the full explanation of the bug here.