{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ishekar:endoscope_camera_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D620235-1706-4284-A45B-308C32A8DB90", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ishekar:endoscope_camera:-:*:*:*:*:*:*:*", "matchCriteriaId": "46805FDE-1451-44FF-86EF-B52C0A39F6ED", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed on the device and an attacker who can provide the right payload can execute code on the user's system directly. Any breach of this system can allow an attacker to get access to all the data that the user has access too. The application uses a dynamic link library(DLL) called \"avilib.dll\" which is used by the application to send binary packets to the device that allow to control the device. One such action that the DLL provides is change password in the function \"sendchangename\" which allows a user to change the Wi-Fi name on the device. This function calls a sub function \"sub_75876EA0\" at address 0x758784F8. The function determines which action to execute based on the parameters sent to it. The \"sendchangename\" passes the datastring as the second argument which is the name we enter in the textbox and integer 1 as first argument. The rest of the 3 arguments are set to 0. The function \"sub_75876EA0\" at address 0x75876F19 uses the first argument received and to determine which block to jump to. 
Since the argument passed is 1, it jumps to 0x75876F20 and proceeds from there to address 0x75876F56 which calculates the length of the data string passed as the first parameter. This length and the first argument are then passed to the address 0x75877001 which calls the memmove function which uses a stack address as the destination where the password typed by us is passed as the source and length calculated above is passed as the number of bytes to copy which leads to a stack overflow."}, {"lang": "es", "value": "Recientemente, como parte de la investigaci\u00f3n sobre dispositivos IoT en el firmware m\u00e1s reciente para el Endoscopio Shekar, la aplicaci\u00f3n de escritorio utilizada para conectarse al dispositivo sufre un desbordamiento de pila si se le pasan m\u00e1s de 26 caracteres como nombre del Wi-Fi. Esta aplicaci\u00f3n est\u00e1 instalada en el dispositivo y un atacante que puede proporcionar la carga correcta puede ejecutar el c\u00f3digo directamente en el sistema de usuario. Cualquier violaci\u00f3n de este sistema puede permitir que un atacante tenga acceso a todos los datos a los que el usuario tiene acceso. La aplicaci\u00f3n utiliza una biblioteca de enlace din\u00e1mico (DLL) llamada \"avilib.dll\", que es usada por la aplicaci\u00f3n para enviar paquetes binarios al dispositivo que permiten controlarlo. Una de las acciones que proporciona la DLL es cambiar la contrase\u00f1a en la funci\u00f3n \"sendchangename\" que le permite a un usuario cambiar el nombre del Wi-Fi en el dispositivo. Esta funci\u00f3n llama a una subfunci\u00f3n \"sub_75876EA0\" en la direcci\u00f3n 0x758784F8. La funci\u00f3n determina cual acci\u00f3n ejecutar de acuerdo a los par\u00e1metros que se le env\u00eden. El \"sendchangename\" pasa la cadena de datos como el segundo argumento, que es el nombre que ingresamos en el cuadro de texto y el entero 1 como primer argumento. El resto de los 3 argumentos se establecen en 0. 
La funci\u00f3n \"sub_75876EA0\" en la direcci\u00f3n 0x75876F19 utiliza el primer argumento recibido y determina hacia qu\u00e9 bloque saltar. Dado que el argumento pasado es 1, salta a 0x75876F20 y procede de all\u00ed a la direcci\u00f3n 0x75876F56, que calcula la longitud de la cadena de datos pasada como primer par\u00e1metro. Esta longitud y el primer argumento son entonces pasados a la direcci\u00f3n 0x75877001 que llama a la funci\u00f3n memmove que utiliza una direcci\u00f3n de pila como el destino donde la contrase\u00f1a escrita por nosotros es pasada como la fuente y la longitud calculada anteriormente se pasa como el n\u00famero de bytes a copiar lo que conlleva a un desbordamiento de pila."}], "id": "CVE-2017-10720", "lastModified": "2024-11-21T03:06:20.083", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-17T22:15:10.030", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": 
"http://packetstormsecurity.com/files/153241/Shekar-Endoscope-Weak-Default-Settings-Memory-Corruption.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Shekar_boriscope_sec_issues.pdf"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/153241/Shekar-Endoscope-Weak-Default-Settings-Memory-Corruption.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Shekar_boriscope_sec_issues.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Jun/8"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}