Networking

Linksys WVC54GC: Exploit discloses system configuration

A Linksys Web camera is vulnerable to SetSource() boundary error. This vulnerability will disclose sensitive system information in plain text to an attacker.

As I was checking out my weekly e-mail from US-Cert, I came across Vulnerability Note VU#528993, which states:

"The Linksys WVC54GC wireless video camera insecurely sends initial configuration information over the network, which can allow a remote, unauthenticated attacker to intercept video streams, access wireless network authentication credentials, modify the device firmware, or cause a denial-of-service to the video camera."

The following image of the Linksys WVC54GC is courtesy of Linksys:

wvc54gc_med.jpg

That's not good

Most Linksys devices use port 916 UDP for remote management commands. This vulnerability allows an attacker to craft a packet and send it to the Web camera, and the Web camera will return sensitive system information to the attacker. The information that's sent back amounts to login credentials, wireless network connection information, including encryption keys and SSID, and normal system management information.

Keys to the kingdom

If the attacker is successful in retrieving the configuration information, owning the network just became a whole lot easier. Depending on where the attacker is physically located, access may be possible via the Internet or Wi-Fi. To add insult to injury the attacker also has access to the Web camera and who knows how embarrassing that could be.

Final thoughts

Please remember attackers always take the simplest approach to gain access to networks, and this attack vector is just that. The vulnerability applies to all Linksys WVC54GC cameras that are using firmware prior to version 1.25. It's advisable to update as soon as possible. Why take the chance when updating the firmware is simple to do. This is yet another reminder to make sure firmware on all networking devices is up to date, because this exploit may not be confined to the WVC54GC.

Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic's Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!

About

Information is my field...Writing is my passion...Coupling the two is my mission.

21 comments
jimamily
jimamily

Setting up Internet Security Cameras System for your home is less complicated than you might think. The cameras can be connected directly to your IP network, which you can then control, monitor and view directly through a computer with Internet access. This gives you a lot of flexibility in how you customize your video surveillance. Read More: Internet Security Camera System, http://www.internetsecuritycamerasystem.com/

gmgypsi87
gmgypsi87

I have this camera and I was trying to set it up, and kept getting error messages. Telling me that Vista isn't compatible with the model. I was looking for a solution and I came across you. Is there a way to fix this security problem and use this camera or not?!

Jaqui
Jaqui

web cam ... oh, yeah, one of them multimedia things right? can't be bothered to get one of ANY brand.

Jacky Howe
Jacky Howe

if the vulnerability exists in other manufacturers products. There are a few out there. I dont own one so I am OK. Looks to be solved though with the firmware update. The hard part is educating the masses.

Michael Kassner
Michael Kassner

The Web camera is vulnerable to an exploit that will send an attacker sensitive network information. Allowing the attacker to take control the network and even worse yet the camera. If you own one, please read the article.

Neon Samurai
Neon Samurai

Of course I couldn't find negative user reviews before I baught the unit.. grr.. It runs hot, it transfers slow and there is no considerations of security even as a distant afterthought. Other then that, it's a great little box for quick and cheap RAID1. What I did find is that the initial setup required the setup wizard off the Linksys driver disk. The setup wizard would only run under Windows. My solution was to run the setup wizard for the initial config from a Windows VM after that, it worked with any machine. In your case, I'd expect the newest drivers/firmware from the linksys support website would provide a Vista setup wizard if applicable. Just watch for that though encase you do need a WindowsXP machine for the initial update.

Michael Kassner
Michael Kassner

Just update the device with the latest firmware from LinkSys.

Michael Kassner
Michael Kassner

I use mine for Skype and security. Logitech has one that allows some pointing control that's fun to play with.

Michael Kassner
Michael Kassner

This article wasn't even on my radar until I received the US-Cert e-mail. The consequences are so dire that I felt it important to at least inform the members.

Neon Samurai
Neon Samurai

I have been considering a wifi cam or two to play with though so this is a good heads up.

Michael Kassner
Michael Kassner

Dahh, I'm filing that away, simple yet elegant and should fool the appliance.

Jaqui
Jaqui

not under linux they don't logitech won't release linux drivers. and the qc module for linux to run the logitech quick cams barely works, for still images. [ the open source community effort. ]

Jacky Howe
Jacky Howe

will have a heads up thanks to you Michael.

santeewelding
santeewelding

Just where is your camera, and where do you have it aimed, Michael?

Michael Kassner
Michael Kassner

I didn't see the need to mention it in the article, but Linksys was notified about this last August privately and chose not to do anything until the information was made public early in December.

Neon Samurai
Neon Samurai

It's a router.. easy to reflash and config right? So when the router randomly decided to forget it's config, I decided it was time to keep a last good and most recent copy of the config. I've retyped the list of allowed MAC enough times now. ;)

Michael Kassner
Michael Kassner

DD-WRT has a great backup screen. As you make more rules don't forget to backup the config file. I more often than not forget myself, should I should talk.

Neon Samurai
Neon Samurai

I was happy to discover that the init wizard ran from it's own directory. No need to install if your running it off the CD. I went with the latest driver download and firmware. The wizard ran from the temp directory it was downloaded too. You should be able to stuff it on a usb or cd tool kit. It locates the appliance by mac then initializes it. I couldn't tell if it was a tftp or some interesting connection type; I may have to reset the box and try again with my sniffer in place. After questions (dhcp or static? password?) it asks if you want to install the local software. You can skip that and the rest unless you will be using something specific like the backup client software. I was even able to update the firmware from Mandriva/Firefox after the init connection did it's thing from the Windows VM. (Edit): Forgot the bit about ddwrt. I use ddWRT's WAN time/policy settings to block local nodes that shouldn't have any connection to the outside in the first place. I was stunned to discover that the NAS200 or the latest firmware lack https let alone ssh. The slow 10/100 nic is fine but supporting only http for administration, let alone user file access, is all clear text. Maybe it will turn up in future firmware releases if the box sells enough units. My solution for now is more rules in ddWRT but it should be at the appliance level not the switch. In the longer term, there are a few firmware projects that like the NAS200 so I'm watching for something to mature more like a ddNAS. The Visionman Visionvault is a better choice if you just want a home or small office appliance. 400$ plus two 500 gig hard drives for RAID1 (not sure if it does raid10 but there are four hot swap slots). gig ethernet, https, one can backup to a second, usb slot on front can be set to autobackup connected storage. https, itunes, cifs, pnp, media server protocols all supported. Nice starter NAS.

Michael Kassner
Michael Kassner

I'm more concerned about the attacker gaining network access than what was viewable on the Web cam.

Editor's Picks