CVE-2018-3865
Description
An exploitable buffer overflow vulnerability exists in the Samsung WifiScan handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The strcpy overflows the destination buffer, which has a size of 40 bytes. An attacker can send an arbitrarily long "cameraIp" value in order to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in the Samsung SmartThings Hub's video-core HTTP server allows authenticated attackers to execute arbitrary code via a crafted 'cameraIp' JSON field.
Vulnerability
The Samsung SmartThings Hub STH-ETH-250 running firmware version 0.20.17 contains a stack buffer overflow vulnerability in the samsungWifiScan handler of the video-core HTTP server [1]. The handler extracts the cameraIp field from a user-controlled JSON payload and copies it into a fixed 40-byte stack buffer using strcpy without bounds checking [1]. This allows an attacker to overflow the buffer by providing an arbitrarily long cameraIp value [1].
Exploitation
An attacker with low-privilege network access to the hub can send a crafted HTTP request containing a JSON payload with an excessively long cameraIp string [1]. No user interaction is required beyond the attacker's authenticated session. The strcpy call overwrites adjacent stack memory, potentially corrupting the return address and other critical data [1].
Impact
Successful exploitation leads to arbitrary code execution on the hub with the privileges of the video-core process [1]. The CVSSv3 score of 9.9 (Critical) reflects the high impact on confidentiality, integrity, and availability, as well as a changed scope that could allow the attacker to affect other components of the SmartThings ecosystem [1].
Mitigation
At the time of disclosure (September 2018), no official patch or firmware update was available from Samsung [1]. Users are advised to restrict network access to the hub, disable the camera feature if not needed, and monitor for vendor updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 0.20.17
- Samsung/SmartThings Hub STH-ETH-250v5, Range: Firmware version 0.20.17
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing bounds checking in the Samsung WifiScan handler allows strcpy to overflow a 40-byte destination buffer with an arbitrarily long "cameraIp" value.
Attack vector
An attacker sends a crafted HTTP POST request to the video-core HTTP server at port 3000 on the endpoint `/samsungWifiScan` with an arbitrarily long `"cameraIp"` JSON value [1]. The `strcpy` call at [7] copies this value into a fixed 40-byte stack buffer without length validation, causing a buffer overflow [1]. The attacker can reach the vulnerable process through three vectors: impersonating the remote SmartThings servers to relay requests to hubCore, creating a malicious SmartApp that makes localhost connections to the video-core process, or (untested) sending a malicious request from the SmartThings mobile app via the remote servers using a valid OAuth bearer token [1].
Affected code
The vulnerability resides in the Samsung WifiScan handler of the video-core HTTP server on the SmartThings Hub STH-ETH-250 (firmware 0.20.17) [1]. The `strcpy` at [7] copies the `"cameraIp"` JSON field into a 40-byte stack buffer without bounds checking [1].
What the fix does
The vendor patched this vulnerability on 2018-07-17 [1]. While the advisory does not include the patch diff, the remediation would replace the unbounded `strcpy` with a bounded string copy (e.g., `strncpy` or equivalent) that limits the `"cameraIp"` value to the 40-byte destination buffer size, preventing the overflow [1]. No further technical details of the fix are provided in the reference.
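As an added example (not Samsung's code and not taken from the Talos report), the bounded copy this section describes, written for the 40-byte destination the advisory names; the function names and the choice to refuse an over-long value rather than truncate it are assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAMERA_IP_BUF 40   /* destination size stated in the advisory */

/* Bounded replacement for the advisory's `strcpy(dest, cameraIp)` (an assumed
 * shape of the fix, not Samsung's code). memchr looks for the terminator only
 * within dest_size bytes, so an oversized value is never scanned in full, and
 * anything that cannot fit together with its NUL is refused rather than
 * truncated: strncpy does not guarantee termination, and a cut-off IP address
 * is simply a wrong one. */
bool copy_camera_ip_bounded(const char *camera_ip, char *dest, size_t dest_size)
{
    if (camera_ip == NULL || dest_size == 0)
        return false;
    const char *end = memchr(camera_ip, '\0', dest_size);
    if (end == NULL)
        return false;                  /* 40 bytes or more: would overflow */
    size_t len = (size_t)(end - camera_ip);
    memcpy(dest, camera_ip, len + 1);  /* includes the terminator */
    return true;
}

/* Stand-in for a fixed handler: true = value accepted, false = request refused. */
bool handle_samsung_wifi_scan(const char *camera_ip)
{
    char dest[CAMERA_IP_BUF];
    return copy_camera_ip_bounded(camera_ip, dest, sizeof dest);
}

/* Feed the handler a constructed value of n 'A' bytes (the shape of the advisory's crash input). */
bool accepts_value_of_length(size_t n)
{
    char *value = malloc(n + 1);
    if (value == NULL)
        return false;
    memset(value, 'A', n);
    value[n] = '\0';
    bool ok = handle_samsung_wifi_scan(value);
    free(value);
    return ok;
}

int main(void)
{
    printf("39 bytes: %d  40 bytes: %d  0x700 bytes: %d\n", accepts_value_of_length(39),
           accepts_value_of_length(40), accepts_value_of_length(0x700));
    return 0;
}
```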
Preconditions
- Network: Attacker must be able to send HTTP requests to the video-core process on port 3000, either directly (via localhost from a SmartApp or relayed from SmartThings servers) or indirectly via the mobile app with a valid OAuth bearer token.
Reproduction
`curl -X POST 'http://127.0.0.1:3000/samsungWifiScan' -d '{"cameraIp":"{OVERFLOW}"}'`, where {OVERFLOW} can be replaced with "A"*0x700 to crash the device [1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://talosintelligence.com/vulnerability_reports/TALOS-2018-0548
News mentions
No linked articles in our index yet.