CVE-2017-8410

{"id": "CVE-2017-8410", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-07-02T20:15:11.120", "references": [{"url": "http://packetstormsecurity.com/files/153226/Dlink-DCS-1130-Command-Injection-CSRF-Stack-Overflow.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Dlink_DCS_1130_security.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Jun/8", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary rtspd in /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary performs a memcpy operation at address 0x00011E34 with the value sent in the \"Authorization: Basic\" RTSP header and stores it on the stack. The number of bytes to be copied are calculated based on the length of the string sent in the RTSP header by the client. As a result, memcpy copies more data then it can hold on stack and this results in corrupting the registers for the caller function sub_F6CC which results in memory corruption. The severity of this attack is enlarged by the fact that the same value is then copied on the stack in the function 0x00011378 and this allows to overflow the buffer allocated and thus control the PC register which will result in arbitrary code execution on the device."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos DCS-1100 y DCS-1130 de D-Link. El rtspd binario en la carpeta /sbin del dispositivo maneja todas las conexiones rtsp recibidas por el dispositivo. Al parecer el binario realiza una operaci\u00f3n memcpy en la direcci\u00f3n 0x00011E34 con el valor enviado en el encabezado RTSP \"Authorization: Basic\" y lo almacena en la pila. El n\u00famero de bytes que se copiar\u00e1n se calcula seg\u00fan la longitud de la cadena enviada por el cliente en el encabezado RTSP. Como resultado, memcpy copia m\u00e1s datos que luego puede mantener en la pila y esto resulta en una corrupci\u00f3n de los registros sub_F6CC de la funci\u00f3n caller, lo que resulta en la corrupci\u00f3n de la memoria. La severidad de este ataque se incrementa por el hecho de que el mismo valor se copia en la pila en la funci\u00f3n 0x00011378 y esto permite desbordar el b\u00fafer asignado y, por lo tanto, controlar el registro de la PC, que resultar\u00e1 en una ejecuci\u00f3n de c\u00f3digo arbitraria en el dispositivo."}], "lastModified": "2021-04-26T16:56:28.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dcs-1100_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "554817F7-7E3D-4D69-90AC-46D86056143B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-1100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "704F9608-72CE-49C0-B7D2-F2FE84DF0C74"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dcs-1130_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0DB53465-4FE2-43EF-B2C6-839DFEA80D62"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dcs-1130:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "33A388EC-275D-4180-83E2-AD73F7EEB54F"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}