Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is installed on the device and an attacker who can provide the right payload can execute code on the user's system directly. Any breach of this system can allow an attacker to get access to all the data that the user has access too. The application uses a dynamic link library(DLL) called "avilib.dll" which is used by the application to send binary packets to the device that allow to control the device. One such action that the DLL provides is change password in the function "sendchangepass" which allows a user to change the Wi-Fi password on the device. This function calls a sub function "sub_75876EA0" at address 0x7587857C. The function determines which action to execute based on the parameters sent to it. The "sendchangepass" passes the datastring as the second argument which is the password we enter in the textbox and integer 2 as first argument. The rest of the 3 arguments are set to 0. The function "sub_75876EA0" at address 0x75876F19 uses the first argument received and to determine which block to jump to. Since the argument passed is 2, it jumps to 0x7587718C and proceeds from there to address 0x758771C2 which calculates the length of the data string passed as the first parameter.This length and the first argument are then passed to the address 0x7587726F which calls a memmove function which uses a stack address as the destination where the password typed by us is passed as the source and length calculated above is passed as the number of bytes to copy which leads to a stack overflow.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/153241/Shekar-Endoscope-Weak-Default-Settings-Memory-Corruption.html | Third Party Advisory VDB Entry |
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Shekar_boriscope_sec_issues.pdf | Exploit Third Party Advisory |
https://seclists.org/bugtraq/2019/Jun/8 | Mailing List Third Party Advisory |
http://packetstormsecurity.com/files/153241/Shekar-Endoscope-Weak-Default-Settings-Memory-Corruption.html | Third Party Advisory VDB Entry |
https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Shekar_boriscope_sec_issues.pdf | Exploit Third Party Advisory |
https://seclists.org/bugtraq/2019/Jun/8 | Mailing List Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 03:06
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/153241/Shekar-Endoscope-Weak-Default-Settings-Memory-Corruption.html - Third Party Advisory, VDB Entry | |
References | () https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Shekar_boriscope_sec_issues.pdf - Exploit, Third Party Advisory | |
References | () https://seclists.org/bugtraq/2019/Jun/8 - Mailing List, Third Party Advisory |
Information
Published : 2019-06-17 22:15
Updated : 2024-11-21 03:06
NVD link : CVE-2017-10722
Mitre link : CVE-2017-10722
CVE.ORG link : CVE-2017-10722
JSON object : View
Products Affected
ishekar
- endoscope_camera
- endoscope_camera_firmware
CWE
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer