CVE-2018-3894
Description
An exploitable buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250-Firmware version 0.20.17. The strncpy call overflows the destination buffer, which has a size of 52 bytes. An attacker can send an arbitrarily long "startTime" value in order to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in Samsung SmartThings Hub's video-core HTTP server allows authenticated remote attackers to achieve code execution via a crafted startTime parameter.
Vulnerability
A stack-based buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of the video-core HTTP server in Samsung SmartThings Hub STH-ETH-250 firmware version 0.20.17. The handler uses a strncpy call to copy the user-controlled "startTime" parameter into a 52-byte destination buffer without proper length checking, leading to a buffer overflow [1].
Exploitation
An attacker with low privileges (authenticated user) can send a crafted HTTP request to the /cameras/XXXX/clips endpoint with an arbitrarily long "startTime" value. The malicious payload overflows the stack buffer, potentially enabling control of execution flow [1].
Impact
Successful exploitation allows the attacker to achieve arbitrary code execution on the hub. Given the CVSSv3 score of 9.9, the impact is critical, with high confidentiality, integrity, and availability impact, and a scope change indicating potential compromise of other resources [1].
Mitigation
As of the publication date, no official fix or workaround has been disclosed in the available references. Users should monitor Samsung's advisory and apply any firmware updates when released [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 0.20.17
- Samsung / SmartThings Hub STH-ETH-250v5, range: firmware version 0.20.17
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing input-length validation in the strncpy call for the "startTime" JSON key allows overflowing a 52-byte stack buffer.
Attack vector
An attacker sends a crafted HTTP POST request to `http://127.0.0.1:3000/cameras/${sCameraId}/clips` with an arbitrarily long "startTime" value in the JSON body [ref_id=1]. The `strncpy` call copies this oversized value into a 52-byte stack buffer, causing a buffer overflow that can overwrite adjacent memory and lead to arbitrary code execution [ref_id=1]. The request can be delivered by anyone able to impersonate the remote SmartThings servers (relaying through hubCore), or by a malicious SmartApp running inside hubCore that makes localhost connections to the video-core process [ref_id=1].
Affected code
The vulnerability resides in the HTTP server of the video-core process on the Samsung SmartThings Hub STH-ETH-250 (firmware version 0.20.17). The handler for the `/cameras/${sCameraId}/clips` endpoint uses `strncpy` to copy the JSON key "startTime" into a destination buffer of only 52 bytes, without validating the input length [ref_id=1].
What the fix does
The advisory states the vendor patched the vulnerability on 2018-07-17, but the specific patch diff is not included in the bundle [ref_id=1]. To close the vulnerability, the video-core handler must validate the length of the "startTime" input before copying it into the fixed-size buffer, or use a safer string-copy function that prevents overflow. The advisory does not provide further details on the exact code change [ref_id=1].
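The copy pattern the advisory describes, with a hardened replacement, as an added illustration that is not Samsung's code and not taken from the advisory (the video-core source is not in the bundle; the function names, the strlen-derived bound and the sample values are assumptions):

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define START_TIME_LEN 52  /* destination size named in the advisory */

/* Flawed pattern (hypothetical reconstruction of the bug class): the bound
 * handed to strncpy comes from the source, so it never limits the copy to
 * the destination, and a value longer than START_TIME_LEN overruns the stack:
 *
 *   char start_time[START_TIME_LEN];
 *   strncpy(start_time, value, strlen(value));
 */

/* Hardened copy: the bound is the destination size, a value that does not
 * fit together with its NUL terminator is rejected instead of truncated, and
 * termination does not depend on strncpy's behaviour.
 * Returns 0 on success, -1 when the value is too long for dst. */
int copy_start_time(char *dst, size_t dst_size, const char *value)
{
    size_t n = 0;
    while (n < dst_size && value[n] != '\0')  /* never scan past dst_size */
        n++;
    if (n >= dst_size)                         /* no room for the NUL */
        return -1;
    memcpy(dst, value, n);
    dst[n] = '\0';
    return 0;
}

/* Handler-level use: validate the "startTime" value before it reaches the
 * fixed-size buffer, as the fix description above calls for. */
int handle_start_time(const char *value, char *out)
{
    return copy_start_time(out, START_TIME_LEN, value);
}

int main(void)
{
    char buf[START_TIME_LEN];
    char long_value[200];                      /* constructed oversized input */
    memset(long_value, 'A', sizeof long_value - 1);
    long_value[sizeof long_value - 1] = '\0';

    printf("19-byte value:  %d\n", handle_start_time("2000-01-01T00:00:00", buf));
    printf("199-byte value: %d\n", handle_start_time(long_value, buf));
    return 0;
}
```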
Preconditions
- Config: a camera must already be present on the hub and its ID known to the attacker
- Network: the attacker must be able to send HTTP requests to the video-core process on localhost port 3000 (via a malicious SmartApp or by impersonating the remote SmartThings servers)
- Auth: no authentication is required on the localhost endpoint
Reproduction
Send the following curl command (replacing `${sCameraId}` with a valid camera ID and `OVERFLOW` with a long string such as `"A"*1000`):
```
$ curl -X POST "http://127.0.0.1:3000/cameras/${sCameraId}/clips" -d '{"captureTime":"2000-01-01T00:00:00","startTime":"OVERFLOW","endTime":"x","callbackUrl":"x","correlationId":"x"}'
```
This causes the device to crash due to a stack buffer overflow [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2018-0570
News mentions
No linked articles in our index yet.