CVE-2017-13719

Name of the Vulnerable Software and Affected Versions Amcrest IPM-721S Amcrest IPC-AWXX Eng N V2.420.AC00.17.R.20170322

Description The issue allows an attacker to send HTTP requests to enable various camera functionalities using HTTP APIs, bypassing the web management interface. The HTTP API receives credentials as base64 encoded in the Authorization HTTP header. A missing length check in the code enables an attacker to send a string of 1024 characters in the password field, allowing exploitation of a memory corruption issue. This can permit an attacker to circumvent account protection and brute force credentials. The vulnerable function is located in the sonia binary and performs the credential check for the HTTP API specification. The function at address 00415364 starts the HTTP authentication process and calls another function at address 0041549C, which performs a strchr operation after base64 decoding the credentials, resulting in a stack-based buffer overflow.

Recommendations As a temporary workaround, consider disabling the HTTP API functionality until a patch is available. Restrict access to the sonia binary to minimize the risk of exploitation. Avoid using the password field in the affected HTTP API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.