LSC Smart Indoor IP Camera Buffer Overflow Vulnerability in ONVIF Time Zone Parameter Allowing Remote Code Execution
Vulnerability
A buffer overflow vulnerability has been identified in the LSC Smart Indoor IP Camera, specifically in versions prior to V7.6.32. The issue resides in the 'dgiot' binary, within the ONVIF configuration interface's Time Zone (TZ) parameter handling. The vulnerability arises because the TZ parameter's length is not properly validated before being copied into a fixed-size buffer using the unsafe 'strcpy' function. This flaw enables attackers to overwrite the Return Instruction Pointer (RIP), leading to arbitrary code execution. The presence of hardcoded ONVIF credentials facilitates full remote system compromise.
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution on the device, with the potential for a complete system takeover, as attackers can gain root access. Additionally, the vulnerability could be exploited to cause a denial-of-service by crashing the camera's service, although this would be a temporary disruption.
Reproduction
To reproduce this vulnerability, send an ONVIF request to the camera's Time Settings endpoint with a Time Zone parameter that exceeds 267 characters. This will cause a segmentation fault by overwriting the Return Instruction Pointer, leading to a crash and an immediate device reboot. Once the vulnerability is confirmed, the same type of payload can be used to exploit the buffer overflow for remote code execution by overwriting the RIP with the address of a malicious payload or a series of gadgets.
Remediation
Users are advised to update to LSC Smart Indoor IP Camera version V7.6.32 or later. For developers, it is recommended to replace insecure functions like 'strcpy' with safer alternatives such as 'strncpy', implement strict input validation for all parameters received via the ONVIF interface, and recompile the firmware with modern security mitigations enabled.
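As an added illustration of the developer guidance above (not code from the vendor's firmware or the 'dgiot' binary), the following C sketch contrasts the unchecked 'strcpy' pattern with a copy that validates the TZ value and rejects oversized input instead of truncating it. Note that 'strncpy' alone does not NUL-terminate the destination when the source fills the buffer, so an explicit length check is still required. The function names, the 64-byte buffer size and the character allow-list are assumptions, since the advisory does not give them.

```c
#include <stdio.h>
#include <string.h>

#define TZ_BUF_SIZE 64  /* assumed size; the advisory does not state the real one */

/* Pattern described in the advisory: length is never checked before the copy. */
void set_tz_unsafe(char *dst /* TZ_BUF_SIZE bytes */, const char *tz)
{
    strcpy(dst, tz);    /* writes past dst when strlen(tz) >= TZ_BUF_SIZE */
}

/* Hardened form (hypothetical helper): returns 0 on success, -1 on rejection. */
int set_tz_checked(char *dst, size_t dst_size, const char *tz)
{
    const char *end;
    size_t len, i;

    if (dst == NULL || tz == NULL || dst_size == 0)
        return -1;

    /* Look for the terminator within dst_size bytes only. */
    end = memchr(tz, '\0', dst_size);
    if (end == NULL || end == tz)
        return -1;      /* too long to fit with its NUL, or empty */
    len = (size_t)(end - tz);

    /* Allow-list the characters expected in a POSIX-style TZ string. */
    for (i = 0; i < len; i++) {
        char c = tz[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || strchr("+-:,./<>_", c) != NULL;
        if (!ok)
            return -1;
    }

    memcpy(dst, tz, len);
    dst[len] = '\0';    /* always terminated, never truncated silently */
    return 0;
}

int main(void)
{
    char tz[TZ_BUF_SIZE];
    char big[301];      /* constructed oversized input, longer than the 267 characters cited above */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("valid: %d\n", set_tz_checked(tz, sizeof tz, "CET-1CEST,M3.5.0,M10.5.0/3"));
    printf("oversized: %d\n", set_tz_checked(tz, sizeof tz, big));
    return 0;
}
```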
