Vivotek Remote Stack Overflow Vulnerability

Author: Brian Karas, Published on Nov 14, 2017

A stack overflow vulnerability in Vivotek cameras has been discovered by bashis, the security researcher who has also found vulnerabilities in cameras from Axis and Dahua, among other brands. The vulnerability is very easy to exploit, and opens up a variety of ways for attackers to impact affected cameras from Vivotek.

Details of the vulnerability have been made public, after Vivotek failed to provide agreed-upon responses to bashis during the initial disclosure process.

In this report, we analyze the vulnerability and how Vivotek's handling of it caused details to be released before patched firmware was fully available.


Vulnerability ********

**** ******* ** *** ************* **** *************** ** ****, *** ********' ****** *******. *** ************* ****** ** ********** ******* **** ** ****** ************* ** ******* ** ***** ****** *****. * *********-******* **** or *** *** ******** *** ************* **** *** *** ******** data ** ****** ** **** *** ******'* ********* *******. ********* are **** **** ** *********** ********* ****** *********, ***** *** cause *** ****** ** *****, ** ** ******* ********* ****.

Very **** *******

** ******* ********, *********, ** ******-******** *******/****** *** ******** ** execute ** ******* ******* ** ******** ******. ****** ******* * long *** **** *** ********* *******, ** ***** ** ******' proof-of-concept, *** ******* *** ********. **** ***** ** ********* **** to ******** ******* **** **** *************.

Affected ********

********* ** ******' ********, *** ********* ****** *** **** ******** with **** *************:

******, ******, ******, ******, *******, *******, *******-*, *******, *******, ********, FD8167AS, *******, *******, *******, ********, ********, ******, ******, *******, *******, FD816C, ******, *******, *******, ******, ******, ******, ******, ******, ******-**, FD8365A_v2, *******, *******, *******, *******, ******, *******, ******, ******, ******, FD8382, ******, ******, ******, ******, *********, *********, ******, *********, *********,******, FE9182, ******, ******, *******, *******, ******, *******, ******, ******, ******, IB8382, ******, ******, ******, ******, ******, ******, ******, ******, ******, SD9161, ******, ******, ******, ******, ******, ******, ******

*** ************* *** ** ******* ** ***** ******* ******** ** well, ******* ** ** ******* ** ********* ***** ****** *** affected.

Firmware ******* ********

*******'* ******** ** *** ******* ************* ********** ********** ********* **** firmware **** ***** ** ****** ********* ** ******** ****:

***** *** ******** *** ******* ** *** ********* ******** ****** starting ** ******** **** *** ******** ****.

Risk ******

***** ** *********** ********* ** ******, ** ** ******** **** vulnerability *** ** **** ** **** ****** ** * ***** shell, ** ** ****/*** ******** ****. ***** ** ** ***** the ****** ** ****/****** ** *** **** ****** ********, ***** could ** **** ** * **** ** ****** ** ******* attack ** *** ******.

Vivotek ****** ********

*** ***** ** ****** ******** ** ****** ** *** *********** claim **** ***** ******* *** ********* **********, *** ******* *** not ******* ** ** ***** **** ******, ***** ******** *** to ******** *** ************* ********, ** ********* ****** ****.

** ** ***** ** ****, ******* ************ *** **** ** communications ** ***** ****, ******* **** *** ******** ** *** for ********** **** ** ******** ******* ** *** ********.

Disclosure ***** ************ ************

***** ****** ***** **** ****** ** **** ** ******** *** details, ******* **** ******* *** ********** ** *** *************, ** was ***** ** ********** ** ** **. ** ***** *********, manufacturers *** ** * ************ ******** ** ******** ***********, *** upon *********** *************** *** *********** ******* *** ***** ** *** and **** *** ************* **** ** *********.

***** ************* *** ****** ** *** **** ********** ** * learning ** ******** ********** *** ***** ******** *****. ******* ********* processes, *** ******, ** ****** ***** ** ************** *** **** open **** *********** ** ***** ** ******** ******* ** ************* disclosures ********* ****** **** *** ***** ******** **** ******* ********.

Comments (7)

******* *** **** ******** *** ****** ******** *** ** ****** models *** **** ************* *****. ** ********* *** ***** ** update *** ******** ****. (***** *** *** ***** **** ****:****://********.*******.***/************/*******/*****-********/*******-*****-********-********-******-*****-********-**-***-******.***). ** ******* **** ** *** ********* ** ******* ******** and **** ***** ******** ****** ** *** ********* *** ******* products

*** ***** ** ****** ******** ** ****** ** *** *********** claim **** ***** ******* *** ********* **********, *** ******* *** not ******* ** ** ***** **** ******, ***** ******** *** to ******** *** ************* ********, ** ********* ****** ****.

* ***** ********** ***** ********, * *** *** ***** **** ** ********* ********** ** manufacturer ******, ****** ******* ** *** ***’* *** *** **** what ** *****.

****** ** **** ** **** *** **************** *** ***** *** ******, **** ** *** **** ***** **** ** less, ** ******** ****.

** *** ***** ***** ******* ** ** * *** **** careful, *** ***** *** **** ***** ** ******* ******* ** be ****** *** ** ******* ****.

********, * **** **** ******** * ** ******** ** ********* FD ** ** *** ****, ** **** ********** **** (************ to *** ******, ** ******).

* ****** ***** ** *********** **** ** **** ***** ** after ******* ******* ** ******, *** * ** ***** ******** for *** ** ****, *** *** *** ******** *** *** to ** ****, ** ***** *** ****** **** ****** ** and ******* *****.

**, * ***'* **** *** *** ***, *** * ****** don't ****, *** ****** ******** *** ***** - * ***** choose ** *** ******** ********, *** **** ** *** ******.

** *** ***** ***** ******* ** ** * *** **** careful, *** ***** *** **** ***** ** ******* ******* ** be ****** *** ** ******* ****.

* *** ****, ******* *** ******* ***** **** *****, ***** gives *** ********** **** *** **** ***** **** ******* ***** have ***** **** ****:

***** ****** ***** **** ****** ** **** ** ******** *** details, ******* **** ******* *** ********** ** *** *************, ** was ***** ** ********** ** ** **.

******** **** ** ********, * *** ********* ** *** *** so ******* **** ** ** ********* **** ***.

***** *** **** *** **** ***** ** **** *********

********, * **** **** ******** * ** ******** ** ********* FD ** ** *** ****, ** **** ********** **** (************ to *** ******, ** ******).

*******, **** ** ***** ** ******* ** *** ** **** actually ***** ***** ** *** **** ******, *** ** ****** how ********* * **** **, * ***** *** **** *** circumstances ****** *** ******** ** *** ****.

****, *'* *** ******* **** ****** ****** **** ***.

* ***'* **** * **** ***** *** *** **** ********, and ** **** * ***'* **** ** *** ***** ** Mr. ***** ** **. *****, **'* **** **** *******, *** mine.

**** ** *** ***** ** ****;

* ***** ** *** ***** *** **** ****, **** ** FD *** ** ****** *************, * ***** **** ** *********** and *** ***** **** *****, ***** *** **** ***** **** me *** **** ** **** **** ***** *********. *** * choose *** ** ** **, * ****** ** **** **** public ** **** *** *** **** **** *** *******.

** **** **, **** ** *** ********** ****** - **** eyes ** ****** ****?

****, *'* *** ******* **** ****** ****** **** ***.

********* ******?

* ****’* ********* *** ** **** ******* ** *** ***. I *** **** ****** * ****** ********, ** *******, “** your ** **** ******** ** ** ** **** ** ***********?”

* **** *** **** ******* *** **** **** ** ******* to *** **** ** **** ************.

/**** * **** ***.

**** ******.

*'* ****** **** ** ****** ************.

**** ****** * ********* (****: *** *******!), * ******** ***** specifically ** **** ***** ***** **** ** **** **** **** (after ** * ******* ** ****), ***** *** ** *** 15+ *************** *** **** **** ****** - *** ********, *** they **** "****** ** *** ** *******", ** ***** * respond "**, * ***** ** ********, **** *** **** *** February".

*** ******** ***'* *****, *** **** ** *** ***** ******** as ** *****.

*******, ** ***** ** ****** ************* **** *** ****** ****** 1st ********, **** ** * ***** ** **-*********, ***** **** for **** ** ** ** *** ****** ****. (* **** not *** ****** ** **-********* *******).

**** * **** ***

/******
