FNKvision FNK-GU2 Cleartext Storage Vulnerability in WPA Supplicant Configuration File

A vulnerability exists in the FNKvision FNK-GU2 wireless IP camera, specifically in firmware versions up to 40.1.7. The issue arises from the cleartext storage of sensitive Wi-Fi credentials, including the network name and password, in the wpa_supplicant.conf file. This vulnerability can be exploited by an attacker with physical access to the device, who can access the unprotected serial interface to gain root privileges and read the configuration file. The vulnerability has been publicly disclosed and is known to be difficult to exploit.

Impact

Exploitation of this vulnerability allows for the retrieval of Wi-Fi credentials from the affected camera, which could be used to compromise the local network.

Reproduction

The vulnerability can be reproduced by physically accessing the FNKvision FNK-GU2 camera and connecting to its unprotected serial interface via a USB-to-serial adapter. Once connected, the camera can be powered on to access the boot logs and gain a root shell without any password prompt. With root access, the wpa_supplicant.conf file can be read, revealing the stored Wi-Fi credentials.