CVE-2017-17761

9.8 CRITICAL

📋 TL;DR

CVE-2017-17761 is a critical remote code execution vulnerability in Ichano AtHome IP Camera devices. It allows unauthenticated attackers on the same network to execute arbitrary commands via the 'noodles' service on port 1300. This affects all users of vulnerable Ichano AtHome IP Camera models.

💻 Affected Systems

Products:
  • Ichano AtHome IP Camera devices
Versions: All versions running vulnerable 'noodles' service
Operating Systems: Embedded Linux systems on IP cameras
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected devices. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent malware, pivot to other network devices, disable cameras, or use devices in botnets.

🟠 Likely Case

Attackers gain full control of cameras to disable surveillance, steal video feeds, or use devices for cryptocurrency mining or DDoS attacks.

🟢 If Mitigated

Limited impact if cameras are isolated on separate VLANs with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH if cameras are directly exposed to the internet, as the vulnerability is remotely exploitable without authentication.
🏢 Internal Only: HIGH as the vulnerability can be exploited by any attacker who gains access to the local network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply send XML commands with <system> tags to port 1300. Multiple public exploit scripts exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider replacing affected devices with models from vendors that provide security updates.

🔧 Temporary Workarounds

Block port 1300 at network perimeter

Platform: linux

Prevent external access to the vulnerable service by blocking TCP port 1300 at firewalls.

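# On a Linux gateway, routed traffic to the cameras traverses FORWARD; INPUT/OUTPUT only cover the firewall host itself
iptables -A FORWARD -p tcp --dport 1300 -j DROP
iptables -A INPUT -p tcp --dport 1300 -j DROP
iptables -A OUTPUT -p tcp --dport 1300 -j DROP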

Network segmentation

Platform: all

Isolate IP cameras on separate VLANs with strict access controls to prevent lateral movement.

🧯 If You Can't Patch

  • Immediately disconnect affected cameras from internet access
  • Place cameras on isolated network segments with no access to critical systems

🔍 How to Verify

Check if Vulnerable:

Test if port 1300 is open and responds to XML commands: echo '<system>id</system>' | nc <camera_ip> 1300

Check Version:

No standard version check command available for these embedded devices

Verify Fix Applied:

Verify that port 1300 is no longer accessible, or that it returns an error when sent XML commands.

📡 Detection & Monitoring

Log Indicators:

  • Unusual network connections to port 1300
  • Unexpected system command executions on camera devices

Network Indicators:

  • XML traffic to port 1300 containing <system> tags
  • Outbound connections from cameras to suspicious IPs

SIEM Query:

(source_port:1300 OR dest_port:1300) AND (xml OR system)
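
The network indicators above, written as detection logic over connection records. This is an added example, not code from a vendor or from the original page; the subnets, management host, egress allowlist, record fields and sample events are all constructed assumptions.

```python
import ipaddress
import re

# Assumptions (constructed for this example): camera VLAN, the one host allowed
# to manage cameras, and the destinations cameras may legitimately contact.
CAMERA_NET = ipaddress.ip_network("10.20.30.0/24")
MGMT_HOSTS = {ipaddress.ip_address("10.20.1.5")}
CAMERA_EGRESS_ALLOW = [ipaddress.ip_network("10.20.1.0/24")]

NOODLES_PORT = 1300
# Opening <system> tag, tolerant of case, whitespace and attributes.
SYSTEM_TAG = re.compile(rb"<\s*system\b[^>]*>", re.IGNORECASE)


def classify(event):
    """Return the list of alert names raised by one connection record."""
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    alerts = []
    if dst in CAMERA_NET and event["dport"] == NOODLES_PORT:
        if src not in MGMT_HOSTS:
            alerts.append("unexpected-client-to-1300")
        if SYSTEM_TAG.search(event.get("payload", b"")):
            alerts.append("system-tag-to-1300")
    if src in CAMERA_NET and dst not in CAMERA_NET:
        if not any(dst in net for net in CAMERA_EGRESS_ALLOW):
            alerts.append("camera-egress-not-allowlisted")
    return alerts


# Constructed sample records (not captured traffic); payloads are placeholders.
SAMPLE_EVENTS = [
    {"src": "10.20.1.5", "dst": "10.20.30.11", "dport": 1300, "payload": b"<placeholder/>"},
    {"src": "10.20.40.77", "dst": "10.20.30.11", "dport": 1300,
     "payload": b"<System >id</System>"},
    {"src": "10.20.30.11", "dst": "203.0.113.9", "dport": 443, "payload": b""},
    {"src": "10.20.30.12", "dst": "10.20.1.20", "dport": 514, "payload": b""},
]


def scan(events):
    """Map event index -> alerts, keeping only events that raised something."""
    results = {i: classify(e) for i, e in enumerate(events)}
    return {i: a for i, a in results.items() if a}


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[idx]["src"], "->", SAMPLE_EVENTS[idx]["dst"], alerts)
```

Matching on the opening tag alone keeps the check independent of what follows it, and the word boundary avoids flagging unrelated element names that merely start with "system".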
