CVE-2017-10720

Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed on the device and an attacker who can provide the right payload can execute code on the user's system directly. Any breach of this system can allow an attacker to get access to all the data that the user has access too. The application uses a dynamic link library(DLL) called "avilib.dll" which is used by the application to send binary packets to the device that allow to control the device. One such action that the DLL provides is change password in the function "sendchangename" which allows a user to change the Wi-Fi name on the device. This function calls a sub function "sub_75876EA0" at address 0x758784F8. The function determines which action to execute based on the parameters sent to it. The "sendchangename" passes the datastring as the second argument which is the name we enter in the textbox and integer 1 as first argument. The rest of the 3 arguments are set to 0. The function "sub_75876EA0" at address 0x75876F19 uses the first argument received and to determine which block to jump to. Since the argument passed is 1, it jumps to 0x75876F20 and proceeds from there to address 0x75876F56 which calculates the length of the data string passed as the first parameter. This length and the first argument are then passed to the address 0x75877001 which calls the memmove function which uses a stack address as the destination where the password typed by us is passed as the source and length calculated above is passed as the number of bytes to copy which leads to a stack overflow.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:ishekar:endoscope_camera_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:ishekar:endoscope_camera:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:06

Type Values Removed Values Added
References () http://packetstormsecurity.com/files/153241/Shekar-Endoscope-Weak-Default-Settings-Memory-Corruption.html - Third Party Advisory, VDB Entry () http://packetstormsecurity.com/files/153241/Shekar-Endoscope-Weak-Default-Settings-Memory-Corruption.html - Third Party Advisory, VDB Entry
References () https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Shekar_boriscope_sec_issues.pdf - Exploit, Third Party Advisory () https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Shekar_boriscope_sec_issues.pdf - Exploit, Third Party Advisory
References () https://seclists.org/bugtraq/2019/Jun/8 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2019/Jun/8 - Mailing List, Third Party Advisory

Information

Published : 2019-06-17 22:15

Updated : 2024-11-21 03:06


NVD link : CVE-2017-10720

Mitre link : CVE-2017-10720

CVE.ORG link : CVE-2017-10720


JSON object : View

Products Affected

ishekar

  • endoscope_camera
  • endoscope_camera_firmware
CWE
CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer