Nous W3 Smart WiFi Camera Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Nous W3 Smart WiFi Camera, specifically in firmware version 1.33.50.82. This issue arises from the firmware update mechanism, which allows unauthenticated and physically proximate attackers to gain root access. The vulnerability is exploited by inserting a FAT32-formatted SD card containing a crafted update.tar file into the camera. The malicious update is applied automatically, without user interaction, during the device's boot process or firmware update, taking advantage of an insufficient verification of data authenticity in the update mechanism.

Impact

Exploitation of this vulnerability leads to unauthorized root access, allowing full control over the device. It also involves permanent changes to the system configuration and could potentially expose the camera's video stream, raising privacy concerns.

Reproduction

To reproduce this vulnerability, insert a FAT32-formatted SD card containing a malicious update.tar file into the Nous W3 Smart WiFi Camera. The crafted update file should include a specially designed update_config.sh script that exploits the insufficient verification of data authenticity in the firmware update process. Once the SD card is inserted, the camera will automatically execute the malicious script with root privileges during the boot or update process.

Remediation

No official patch is available. Users are advised to restrict physical access to the devices.
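With no patch available, a card found in or near a camera is worth triaging before it is reused. The script below is an added example, not code from the advisory or the vendor: it checks a mounted card for the update.tar and update_config.sh names given above and hashes them for the incident record. The function names, report layout and sample archives are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile
from pathlib import Path

# File names come from the advisory; the report layout is an assumption.
ARCHIVE_NAME = "update.tar"
SCRIPT_NAME = "update_config.sh"


def triage_archive(data):
    """Inspect update.tar bytes in memory; nothing is extracted or run."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "members": [],
              "scripts": {}, "has_update_script": False, "error": None}
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                report["members"].append(m.name)
                # Match at any depth: the advisory gives no path in the archive.
                if m.isfile() and Path(m.name).name == SCRIPT_NAME:
                    body = tar.extractfile(m).read()
                    report["scripts"][m.name] = hashlib.sha256(body).hexdigest()
                    report["has_update_script"] = True
    except tarfile.TarError as exc:
        # An unreadable archive is recorded rather than silently skipped.
        report["error"] = str(exc)
    return report


def triage_card(mount_point):
    """Return a report if the card root holds update.tar, else None."""
    # FAT32 names are case-insensitive, so compare in lower case.
    for entry in Path(mount_point).iterdir():
        if entry.is_file() and entry.name.lower() == ARCHIVE_NAME:
            return triage_archive(entry.read_bytes())
    return None


def build_sample(names):
    """Constructed sample archive holding harmless placeholder files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"# constructed placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Run it against a read-only mount or an image of the card so the evidence is not modified.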

Added: Oct 24, 2025, 3:25 PM
Updated: Oct 24, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.