CVE-2018-14496

Vulnerability

The Vivotek FD8136 network camera contains a stack-based buffer overflow in the set_getparam.cgi CGI script, triggered by the unsafe use of sprintf on the vlocal_buff_4326 buffer. The vulnerability affects firmware versions prior to the latest update as of the vendor's advisory. The vendor disputes this as a vulnerability, claiming it does not cause a crash or affect performance, but the issue is present in the device's HTTP handling code.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the set_getparam.cgi endpoint with an overly long parameter value. The attacker needs no prior authentication on the camera—the endpoint is accessible from the local network or directly if the camera is exposed to the internet. The request triggers the overflow in the stack buffer, potentially allowing the attacker to overwrite the return address.

Impact

Successful exploitation results in a stack-based buffer overflow, which an attacker can leverage to achieve remote memory corruption and execute arbitrary code. This gives the attacker full control of the device, including the ability to access the video stream, modify configuration files, and pivot to internal networks. The vendor disputes the severity, but analysis from [1] demonstrates code execution is possible.

Mitigation

Vivotek has disputed this report, and no official patch has been confirmed by the vendor as of the publication date. Users are advised to restrict network access to the device's web interface by placing the camera behind a firewall, disabling remote administration, and using a VPN for remote monitoring. No workaround for the buffer overflow itself is available aside from network segmentation.