BS Producten Petcam Stack-Based Buffer Overflow Vulnerability in P2P API Service Allowing Remote Code Execution
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the P2P API service of BS Producten Petcam, specifically in firmware version 33.1.0.0818. This vulnerability allows unauthenticated attackers within network range to overwrite the instruction pointer and execute arbitrary code remotely. The issue arises from the application's failure to properly validate the length of URI resources before copying them into a fixed-size stack buffer, leading to stack corruption. The vulnerability can be exploited by sending a specially crafted HTTP request to the device's P2P API service on port 8001.
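
The length check this service lacks, shown as a bounded request-line parser in C. This is an added example, not the vendor's firmware code; the names `extract_resource` and `handle_request_line` and the 256-byte `RESOURCE_MAX` are assumptions, since the advisory does not give the real buffer size.

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacity: the advisory does not state the firmware's buffer size. */
#define RESOURCE_MAX 256

enum parse_status { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_TOO_LONG = -2 };

/*
 * Extract the resource from a request line such as "GET /path HTTP/1.1"
 * into out (capacity out_cap). The unsafe pattern the advisory describes is
 * an unbounded copy of this field into a fixed-size stack buffer. Here the
 * length is measured first and over-long input is rejected, never truncated,
 * so the caller can refuse the request instead of processing a partial URI.
 */
enum parse_status extract_resource(const char *line, char *out, size_t out_cap)
{
    if (line == NULL || out == NULL || out_cap == 0)
        return PARSE_MALFORMED;
    out[0] = '\0';

    const char *start = strchr(line, ' ');   /* end of the method token */
    if (start == NULL)
        return PARSE_MALFORMED;
    start++;
    if (*start != '/')
        return PARSE_MALFORMED;

    size_t len = strcspn(start, " \r\n");    /* resource ends at space or EOL */
    if (len >= out_cap)                       /* keep room for the terminator */
        return PARSE_TOO_LONG;

    memcpy(out, start, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Hypothetical handler: fixed stack buffer, copy bounded by its real size. */
int handle_request_line(const char *line)
{
    char resource[RESOURCE_MAX];
    enum parse_status st = extract_resource(line, resource, sizeof resource);
    if (st == PARSE_TOO_LONG)
        return 414;                           /* HTTP 414 URI Too Long */
    if (st == PARSE_MALFORMED)
        return 400;                           /* HTTP 400 Bad Request */
    return 200;
}
```
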
Impact
Exploitation of this vulnerability allows for unauthorized remote code execution on the device, with the executed commands running as the root user. This could lead to a complete system compromise, including access to sensitive data such as live camera feeds and stored credentials.
Reproduction
The vulnerability can be reproduced by sending an HTTP request to the device's P2P API service on port 8001. The request must include a resource name that exceeds 260 bytes, which will trigger the buffer overflow by overwriting the return address on the stack. After verifying the crash, remote code execution can be achieved by calculating the offset to the return pointer and redirecting execution to a gadget within the binary that initializes a Telnet server.
Remediation
As of now, there is no official patch available from the vendor. Users are advised to disconnect the device from the internet and place it on an isolated VLAN, disable the ONVIF service and related P2P settings, and avoid using the 'Local Mode' feature, which broadcasts an unauthenticated wireless network.
