Xchg-Rax-Rax

**Name of the Vulnerable Software and Affected Versions** VIVOTEK FD8136 firmware FD8136-VVTK-0300a **Description** A stack-based buffer overflow exists in the `export language.cgi` binary. Authenticated remote attackers can execute arbitrary code with root privileges by sending a crafted POST request to the '/cgi-bin/admin/export language.cgi' endpoint. The issue occurs because the handler passes the attacker-controlled `Content-Length` value directly to the `fread()` function as the read size into a fixed-size 0x60-byte stack buffer, which allows the saved link register to be overwritten. The binary lacks stack canaries, which are security mechanisms used to detect stack buffer overflows before execution of malicious code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A post-authentication remote buffer overflow vulnerability exists in the /cgi-bin/admin/eventtask.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device remotely.

**Name of the Vulnerable Software and Affected Versions** VIVOTEK FD8136 version FD8136-VVTK-0300a **Description** A stack-based buffer overflow occurs in the motion privacy.cgi binary. Authenticated remote attackers can execute arbitrary code with root privileges by sending an oversized `n1` parameter in a POST request to the "/cgi-bin/admin/setpm.cgi", "/cgi-bin/admin/setmd.cgi", or "/cgi-bin/admin/setmd profile.cgi" endpoints. The issue arises because the parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, which overwrites the saved link register. The binary lacks stack canaries, which are security mechanisms used to detect stack buffer overflows before execution can be hijacked. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.