LSC Smart Indoor IP Camera Buffer Overflow Vulnerability in ONVIF GetStreamUri Function Allowing Remote Code Execution
Vulnerability
A buffer overflow vulnerability has been identified in the LSC Smart Indoor IP Camera, specifically in versions prior to V7.6.32. The issue arises in the ONVIF GetStreamUri function, where the application fails to properly validate the length of the Protocol parameter within the Transport element of SOAP requests. This oversight allows authenticated attackers to send specially crafted requests with oversized protocol strings, overflowing the stack buffer and overwriting the return instruction pointer. The vulnerability can lead to a denial-of-service condition by causing the device to crash, or it can be exploited for remote code execution in the context of the ONVIF service.
Impact
Exploitation of this vulnerability causes a segmentation fault, leading to a device crash. Because the overflow overwrites the return instruction pointer, it can also be exploited for remote code execution, with the potential for full root access on the camera's operating system.
Reproduction
To reproduce this vulnerability, send a SOAP request to the camera's ONVIF service that includes an oversized string in the Protocol parameter of the Transport element. The dgiot service will attempt to copy this string into a stack buffer using the strcpy() function, without proper length validation. This will overwrite the return instruction pointer, causing a segmentation fault and crashing the device.
Remediation
It is recommended to implement proper bounds checking in the ONVIF parameter handling, replacing unsafe string copy functions with safer alternatives that limit input length. Additionally, modern compiler protections should be enabled when building the dgiot binary, and a strict input validation schema should be enforced for ONVIF parameters.
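The bounds checking and strict validation recommended above can be sketched as follows. This is an added example, not code from the vendor's dgiot binary: the function name and buffer size are assumptions, and the allowed values are the four defined for tt:TransportProtocol in the ONVIF schema.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size: the page does not state how large the real stack buffer is. */
#define PROTO_BUF_SIZE 16

/* The four values the ONVIF schema defines for tt:TransportProtocol. */
static const char *const allowed_protocols[] = { "UDP", "TCP", "RTSP", "HTTP" };

/* Hypothetical helper. Copies src into dst only if it fits (terminator
 * included) and is an allowed value. Returns 0 on success, -1 on rejection;
 * dst is left as an empty string when the input is rejected. */
int copy_transport_protocol(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0, i;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Bounded length probe: reads at most dst_size bytes of the input. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)
        return -1;              /* too long: reject, never truncate */

    for (i = 0; i < sizeof allowed_protocols / sizeof allowed_protocols[0]; i++) {
        if (strcmp(src, allowed_protocols[i]) == 0) {
            memcpy(dst, src, len + 1);   /* len + 1 <= dst_size here */
            return 0;
        }
    }
    return -1;                  /* fits, but not a schema value */
}

int main(void)
{
    char protocol[PROTO_BUF_SIZE];      /* stands in for the stack buffer */
    char oversized[512];                /* constructed sample input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("RTSP      -> %d\n", copy_transport_protocol(protocol, sizeof protocol, "RTSP"));
    printf("oversized -> %d\n", copy_transport_protocol(protocol, sizeof protocol, oversized));
    return 0;
}
```

A rejected value should produce a SOAP fault rather than a truncated copy, so that malformed requests are visible in logs instead of being silently accepted.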
