Vivotek Remote Stack Overflow Vulnerability

By Brian Karas, Published Nov 14, 2017, 11:58am EST

A stack overflow vulnerability in Vivotek cameras has been discovered by bashis, the security researcher who has also found vulnerabilities in cameras from Axis and Dahua, among other brands. The vulnerability is very easy to exploit, and opens up a variety of ways for attackers to impact affected cameras from Vivotek.

Details of the vulnerability have been made public, after Vivotek failed to provide agreed-upon responses to bashis during the initial disclosure process.

In this report, we analyze the vulnerability and how Vivotek's handling of it caused details to be released before patched firmware was fully available.

Vulnerability ********

**** ******* ** *** vulnerability **** *************** ** ****, *** ********' ****** *******. *** ************* ****** on ********** ******* **** to ****** ************* ** ******* ** their ****** *****. * specially-crafted **** ** *** URL ******** *** ************* when *** *** ******** data ** ****** ** what *** ******'* ********* expects. ********* *** **** able ** *********** ********* memory *********, ***** *** cause *** ****** ** crash, ** ** ******* arbitrary ****.

Very **** *******

** ******* ********, *********, or ******-******** *******/****** *** required ** ******* ** exploit ******* ** ******** camera. ****** ******* * long *** **** *** malicious *******, ** ***** in ******' *****-**-*******, *** trigger *** ********. **** makes ** ********* **** to ******** ******* **** this *************.

Affected ********

********* ** ******' ********, the ********* ****** *** have ******** **** **** vulnerability:

******, ******, ******, ******, FD8166A, *******, *******-*, *******, FD8167A, ********, ********, *******, FD8169A, *******, ********, ********, FD816B, ******, *******, *******, FD816C, ******, *******, *******, FD816D, ******, ******, ******, FD8182, ******-**, **********, *******, FD8367A, *******, *******, ******, FD836BA, ******, ******, ******, FD8382, ******, ******, ******, FD9381, *********, *********, ******, FE8374_v2, *********,******, ******, ******, FE9382, *******, *******, ******, IB836BA, ******, ******, ******, IB8382, ******, ******, ******, IP9171, ******, ******, ******, MD8564, ******, ******, ******, SD9362, ******, ******, ******, SD9366, ******

*** ************* *** ** present ** ***** ******* products ** ****, ******* is ** ******* ** verifying ***** ****** *** affected.

Firmware ******* ********

*******'* ******** ** *** initial ************* ********** ********** indicates **** ******** **** start ** ****** ********* on ******** ****:

***** *** ******** *** updated ** *** ********* affected ****** ******** ** November **** *** ******** 24th.

Risk ******

***** ** *********** ********* by ******, ** ** unlikely **** ************* *** be **** ** **** access ** * ***** shell, ** ** ****/*** external ****. ***** ** to ***** *** ****** to ****/****** ** *** most ****** ********, ***** could ** **** ** a **** ** ****** of ******* ****** ** the ******.

Vivotek ****** ********

*** ***** ** ****** outlined ** ****** ** his *********** ***** **** ***** Vivotek *** ********* **********, the ******* *** *** respond ** ** ***** from ******, ***** ******** him ** ******** *** vulnerability ********, ** ********* agreed ****.

** ** ***** ** IPVM, ******* ************ *** lack ** ************** ** their ****, ******* **** had ******** ** *** for ********** **** ** complete ******* ** *** firmware.

Disclosure ***** ************ ************

***** ****** ***** **** chosen ** **** ** disclose *** *******, ******* that ******* *** ********** to *** *************, ** was ***** ** ********** to ** **. ** these *********, ************* *** at * ************ ******** to ******** ***********, *** upon *********** *************** *** effectively ******* *** ***** of *** *** **** the ************* **** ** disclosed.

***** ************* *** ****** to *** **** ********** as * ******** ** training ********** *** ***** internal *****. ******* ********* *********, and ******, ** ****** lines ** ************** *** kept **** **** *********** in ***** ** ******** chances ** ************* *********** happening ****** **** *** fully ******** **** ******* firmware.

 

Comments (11)

VIVOTEK has just released the latest firmware for 41 camera models for this vulnerability issue. We encourage our users to update the firmware ASAP. (Check out the model list here: http://download.vivotek.com/downloadfile/support/cyber-security/vivotek-cyber-security-advisory-remote-stack-overflow-of-web-server.pdf). Be assured that we are committed to helping minimize and stop cyber security issues on our customers and VIVOTEK products.

The chain of events outlined by bashis in his disclosures claim that while Vivotek was initially responsive, the company did not respond to an email from bashis, which prompted him to disclose the vulnerability publicly, as initially agreed upon.

I asked bashis this exact question, I got the sense that he discloses regardless of manufacturer status, though reading it now can’t say for sure what he meant.

Future FD from my side are communicated from day one to the vendor, date is set from start more or less, no surprise here.

If you would start reading my FD a bit more careful, you would see that fixed FW already started to be pushed out in October 2017.

Actually, I went from November 1 to November 13 regarding FD by my own will, in this particular case (communicated to the vendor, of course).

I always start to communicate with 30 days until FD after initial contact to vendor, but I am always flexible for the FD date, and the two upcoming are set to 90 days, to allow the vendor to have proper QA and release cycle.

U1, I don't know who you are, and I really don't care, but please remember one thing - I could choose to not disclose anything, not even to the vendor.

 

 

If you would start reading my FD a bit more careful, you would see that fixed FW already started to be pushed out in October 2017.

I see that, however the article makes this point, which gives the impression that you were aware that Vivotek would have liked more time:

While bashis could have chosen to wait to disclose the details, knowing that Vivotek was responding to the vulnerability, he was under no obligation to do so.

Assuming that is accurate, I was wondering if you did so because your FD is immovable once set.

Which you have now made clear by this statement

Actually, I went from November 1 to November 13 regarding FD by my own will, in this particular case (communicated to the vendor, of course).

However, your FD makes no mention of the FD date actually being moved or for what reason, and no matter how carefully I read it, I would not know the circumstances around the changing of the date.

 

Dude, I'm not walking into public battle with you.

I don't give a shit about you and your thoughts, and in that I don't care if you would be Mr. Krebs or Mr. Trump, it's your damn problem, not mine.

From my own point of view;

I could be off radar for your eyes, with no FD and no vendor notifications, I could have sold my discoveries and you would have been happy, since you have never seen me and have no damn clue what's happening. But I choose not to do so, I prefer to have them public so even you can have your own opinion.

 

So tell me, what do you personally prefer - open eyes or closed eyes?

 

Dude, I'm not walking into public battle with you.

Seriously bashis?

I wasn’t attacking you or your motives in any way.  I was just asking a simple question, in essence, “is your FD date absolute or is it open to negotiation?”

I have too much respect for your work to respond to the rest of your provocations.

/have a nice day.

 

Fair enough.

I'm always open to timely negotiations.

Last vendor I contacted (EDIT: Not Vivotek!), I actually asked specifically if they would like to have more time (after my initial 30 days), after all it was 15+ vulnerabilities and some very simple - but critical, and they said "should be end of January", to which I respond "OK, I agree on timeline, let's try with 1st February".

1st February isn't fixed, but that is the setup timeline as of today.

However, if there is silent communication from the vendor before 1st February, even if I tried to re-establish, there will for sure be FD on the agreed date. (I will not try months to re-establish contact).

Have a nice day

/bashis

 

I believe it is important that the vulnerabilities are disclosed, and more importantly, that Vivotek is aware and has already released a new firmware day 17.
Serious manufacturer of Vivotek, I do not know why it does not give so much space in the materials, emphasizing more Chinese equipment.
We have to value the good manufacturers, and Vivotek is one of them.
Talk about Axis, Vivotek, Avigilon, Bosch (in OEM..hehe), Panasonic (on OEM ... hehe) .. ISS, Genetec, Milestone.. etc. Congratulations to the comments and the IPVM.

Family Feud - Contractor Edition

“Name another quality manufacturer besides Axis, Avigilon, Bosch, Panasonic, ISS, Genetec, Milestone”

“Vivotek?”

“Survey Says” 

“Number one answer is Sony”

Well remembered ... yes, I forgot about Sony ... but I do not think Sony is the number, I think it's among the best.
Now to say that Vivotek is not among the best, I think you should first disclose your name, and then know the products.

VIVOTEK has released the firmware for the rest of 45 camera models for this vulnerability issue. We encourage our users to update the firmware ASAP. (Check out the model list here: http://download.vivotek.com/downloadfile/support/cyber-security/vivotek-cyber-security-advisory-remote-stack-overflow-of-web-server.pdf).
