LSC Smart Connect Indoor IP Camera Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the LSC Smart Connect Indoor IP Camera running firmware version 1.4.13. The issue arises in the 'start_app.sh' script, which improperly handles the 'update.nor.sh' file from the SD card. During the boot process, the camera mounts the SD card and copies 'update.nor.sh' to a temporary location without validating its contents or permissions. The script is then executed as root, before the main 'ipc_service' starts, allowing for exploitation in a high-privilege environment.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected camera, with the executed code running as the root user.

Reproduction

To reproduce this vulnerability, create a shell script that includes the desired payload and name it 'update.nor.sh'. Place this script on an SD card and insert it into the camera. During the boot process, the camera will execute the script as root, providing a telnet shell on an open port, which can be accessed to confirm successful exploitation.
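One way the boot script could validate 'update.nor.sh' before running it, shown as an added example that is not the vendor's code and not taken from the firmware. The function names, the size limit, the working directory and the manifest of allowed SHA-256 digests (assumed to be shipped in the read-only firmware image) are all assumptions.

```shell
#!/bin/sh
# Added example: gate an SD-card update script behind a digest allowlist.
# Paths, file names and the manifest format are assumptions, not the vendor's.

MAX_BYTES=65536   # assumed upper bound for a legitimate update script

# verify_update_script SRC MANIFEST WORKDIR
# Copies SRC into WORKDIR and checks the copy against MANIFEST (one SHA-256
# hex digest per line). Prints the verified copy's path; returns 0 if trusted.
verify_update_script() {
    src=$1 manifest=$2 workdir=$3

    # Reject symlinks and anything that is not a regular file.
    [ -f "$src" ] && [ ! -L "$src" ] || return 1
    [ -r "$manifest" ] || return 1

    # Bound the size before copying from removable media.
    size=$(wc -c < "$src") || return 1
    [ "$size" -gt 0 ] && [ "$size" -le "$MAX_BYTES" ] || return 1

    # Hash a private copy so the card's contents cannot change between
    # the check and the execution.
    copy="$workdir/update.verified.sh"
    rm -f "$copy"
    cp "$src" "$copy" || return 1
    chmod 500 "$copy"

    digest=$(sha256sum "$copy" | cut -d' ' -f1)
    if [ "${#digest}" -eq 64 ] && grep -qxF "$digest" "$manifest"; then
        printf '%s\n' "$copy"
        return 0
    fi
    rm -f "$copy"
    return 1
}

# run_update_if_trusted SRC MANIFEST WORKDIR
# Boot-time wrapper: executes only a copy that passed verification.
run_update_if_trusted() {
    verified=$(verify_update_script "$1" "$2" "$3") || {
        echo "update script rejected: $1" >&2
        return 1
    }
    sh "$verified"
}
```

The manifest has to live in the read-only firmware image and the working directory on storage only root can write, never on the SD card. A vendor signature check is the stronger design when update scripts must change after the firmware ships.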

Added: Dec 22, 2025, 9:18 PM
Updated: Dec 22, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.