| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An unauthenticated
stack-based buffer overflow vulnerability exists in ssvr in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient bounds checking when parsing RTSP Digest authentication fields. A
remote attacker may exploit this vulnerability by sending a crafted RTSP
request containing overly long authentication data, resulting in memory
corruption, denial of service, or potentially arbitrary code execution. |
| An unauthenticated
stack-based buffer overflow vulnerability exists in vlsvr in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient length validation when processing remote login data. A remote
attacker may exploit this vulnerability by sending crafted login data with
overly long input, resulting in memory corruption, denial of service, or potentially
arbitrary code execution. |
| An unauthenticated
stack-based buffer overflow vulnerability exists in ssvr in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient bounds checking when processing RTSP custom authentication data. A
remote attacker may exploit this vulnerability by sending a crafted RTSP
request, resulting in memory corruption, denial of service, or potentially
arbitrary code execution. |
| An unauthenticated
stack-based buffer overflow vulnerability exists in thttpd in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient bounds checking when processing web request parameters in a
specific request path. A remote attacker may exploit this vulnerability by
sending a crafted HTTP request with overly long input, resulting in memory
corruption, denial of service, or potentially arbitrary code execution. |
| An unauthenticated
format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and
GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling
of externally controlled input during log message formatting in the login
processing path. A remote attacker may exploit this vulnerability by sending
crafted login data, potentially causing information disclosure, memory
corruption, or a denial of service. |
| An unauthenticated
out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011
and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient
bounds checking when processing HTTP request body data. A remote attacker may
exploit this vulnerability by sending a crafted request with excessive input,
causing memory corruption and resulting in a denial of service. |
| An unauthenticated
NULL pointer dereference vulnerability exists in the HTTP request parsing logic
of multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and
earlier. The vulnerability is caused by improper validation of required HTTP
request metadata before it is used by the affected components. A remote attacker
may exploit this vulnerability by sending a specially crafted HTTP request,
causing the affected process to crash and resulting in a denial of service. |
| An unauthenticated
buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient bounds checking when parsing filename values in multipart upload
data. A remote attacker may exploit this vulnerability by sending a crafted
upload request with overly long input, causing memory corruption and resulting
in a denial of service. |
| An unauthenticated
NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
improper validation of multipart upload headers when processing
certificate-related upload fields. A remote attacker may exploit this
vulnerability by sending a malformed multipart request, causing the affected
CGI process to crash and resulting in a denial of service. |
| An unauthenticated
directory traversal vulnerability exists in get_fcont.cgi in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient validation of user-supplied file path input before the requested
file is accessed by the CGI component. A remote attacker may exploit this
vulnerability by sending a crafted request to read arbitrary files accessible
to the affected process, resulting in information disclosure. |
| GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### IP field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3); |
| Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_DNS_Addr command injection
The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)
{
int result; // r0
char v5[80]; // [sp+0h] [bp-50h] BYREF
if ( !dns1 )
result = 0;
if ( dns1 )
{
sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field
system(v5);
if ( dns2 )
{
sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);
system(v5);
}
return 1;
}
return result; |
| GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### Gateway field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v7 = strlen(g_network_config->gateway);
memcpy(&reply_buf[216], g_network_config->gateway, v7); |
| GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### Net Mask field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6); |
| A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.
A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability. |
| Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_IP_Addr command injection
The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)
{
bool v2; // zf
char v4[72]; // [sp+0h] [bp-48h] BYREF
v2 = *this == 0;
if ( *this )
v2 = ip_addr == 0;
if ( v2 )
return 0;
sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address
system(v4);
return 1;
} |
| Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_Net_Mask command injection
The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)
{
bool v2; // zf
char v4[72]; // [sp+0h] [bp-48h] BYREF
v2 = *this == 0;
if ( *this )
v2 = netmask_addr == 0;
if ( v2 )
return 0;
sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr
system(v4);
return 1;
} |
| Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_Gate_way command injection
The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)
{
char s[324]; // [sp+4h] [bp-144h] BYREF
if ( !dev && !*this || !gw )
return 0;
system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");
system("/sbin/route del default ");
if ( dev )
sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string
else
sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
return 1;
} |
| GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### DNS field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v8 = strlen(g_network_config->dns_addr);
memcpy(&reply_buf[248], g_network_config->dns_addr, v8); |
| An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability.
When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcasted over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derivated from Blowfish. However the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password only relies on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its ip address or even reset it to factory default. |
