MERCURY MIPC252W RTSP Service Null Pointer Dereference Vulnerability Leading to Denial-of-Service

Vulnerability

A null pointer dereference vulnerability has been identified in the RTSP service of the MERCURY MIPC252W IP camera, specifically in firmware version 1.0.5 Build 230306 Rel.79931n. The vulnerability arises during the processing of SETUP requests for the RTSP stream. The device fails to properly validate the Transport header, so a malformed header leads the RTSP service to dereference a NULL pointer. The device then crashes and automatically reboots, disrupting the RTSP stream and causing the camera to disconnect from the mobile application.

Impact

Exploitation of this vulnerability causes the device to crash and reboot, interrupting the RTSP service. The result is a denial-of-service condition: the camera becomes unavailable and appears offline in the management application, and video streaming is interrupted.

Reproduction

The vulnerability can be reproduced by sending a malformed RTSP SETUP request for the second media track, including an empty Transport header. After establishing a valid RTSP session and successfully setting up the first track, the second track can be set up with the improper header, triggering the null pointer dereference and causing the device to crash and reboot.
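
The missing check, as an added example (not MERCURY's firmware code and not part of the original advisory): an RTSP server validating the Transport header of a SETUP request before any code parses it, so an absent or empty header is answered with an error instead of reaching a NULL dereference. The function names and the choice of 400 for an empty header are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* RTSP status codes (RFC 2326). */
enum { RTSP_OK = 200, RTSP_BAD_REQUEST = 400, RTSP_UNSUPPORTED_TRANSPORT = 461 };

/* Case-insensitive compare of the first n bytes; callers guarantee the length. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: locate header `name` in a CRLF-delimited header block.
 * Returns a pointer to its whitespace-trimmed value and stores the value
 * length in *len (0 for an empty header); returns NULL if the header is absent. */
static const char *find_header(const char *headers, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *p = headers; p && *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && p[nlen] == ':' && ieq(p, name, nlen)) {
            const char *v = p + nlen + 1, *end = p + linelen;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            *len = (size_t)(end - v);
            return v;
        }
        p = eol ? eol + 2 : NULL;
    }
    return NULL;
}

/* Returns the RTSP status a SETUP handler should answer with. Only when this
 * returns RTSP_OK may later code tokenize the Transport value. */
int check_setup_transport(const char *headers)
{
    size_t len = 0;
    const char *v = find_header(headers, "Transport", &len);
    if (v == NULL || len == 0)      /* absent or empty: reject, never parse */
        return RTSP_BAD_REQUEST;
    if (len < 7 || !ieq(v, "RTP/AVP", 7) ||
        (len > 7 && v[7] != '/' && v[7] != ';' && v[7] != ','))
        return RTSP_UNSUPPORTED_TRANSPORT;
    return RTSP_OK;
}
```

The same check has to run for every track's SETUP, not only the first, since the crash described here is triggered on the second media track.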

Added: Apr 27, 2026, 7:20 PM
Updated: Apr 27, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
Spread: 0.0
Impact: 0.6
Exploitability: 6.6
Remediation: 0.0
Relevance: 6.8
Threat: 6.4
Urgency: 2.9
Incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.