CVE-2018-3903
Description
On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17, the video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. The memcpy call overflows the destination buffer, which has a size of 512 bytes. An attacker can send an arbitrarily long "url" value in order to overwrite the saved-PC with 0x42424242.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer overflow in Samsung SmartThings Hub video-core allows remote authenticated attackers to overwrite saved-PC via crafted JSON payload.
Vulnerability
The video-core process on Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17 incorrectly extracts fields from a user-controlled JSON payload, leading to a stack buffer overflow. The memcpy call copies the "url" value into a 512-byte destination buffer without proper bounds checking. Affected versions: firmware 0.20.17 [1].
Exploitation
An attacker with network access and low-privileged authentication (e.g., a user with access to the hub's HTTP server) can send an HTTP request containing a crafted JSON payload with an arbitrarily long "url" value. This causes the memcpy to overflow the stack buffer, overwriting the saved program counter with attacker-controlled data (e.g., 0x42424242) [1].
Impact
Successful exploitation allows the attacker to overwrite the saved return address and achieve arbitrary code execution. Given the CVSS score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), the attacker can execute code with root privileges on the hub, leading to full compromise of the device and potential lateral movement within the network [1].
Mitigation
As of the publication date (2018-08-23), no patched firmware version has been publicly disclosed by Samsung. Users should monitor the vendor's security advisory page for updates. No known workarounds exist [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =0.20.17
- Talos/Samsung (v5): Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking in a memcpy call that copies a user-controlled JSON parameter value into a fixed-size stack buffer, using strlen of the source as the length."
Attack vector
An attacker can send a crafted HTTP PATCH request to the `video-core` process on port 3000, targeting a known camera ID endpoint. The request contains a JSON body with an arbitrarily long "url" value. Because the `memcpy` length is taken directly from `strlen` of the attacker-controlled JSON parameter, the copy overflows the 512-byte stack buffer, allowing the attacker to overwrite the saved program counter (saved-PC) with a controlled value (e.g., `0x42424242`) [ref_id=1]. The attacker can reach the vulnerable process by impersonating the remote SmartThings servers, by installing a malicious SmartApp that makes localhost connections, or potentially by relaying a malicious payload through the SmartThings mobile application and cloud servers [ref_id=1].
Affected code
The vulnerability resides in the `video-core` process on Samsung SmartThings Hub STH-ETH-250 devices running firmware version 0.20.17. The code extracts a user-controlled JSON parameter (the "url" key) via `json_object_object_get_ex` and `json_object_to_json_string`, then copies the value into a 512-byte stack buffer using `memcpy` with a length derived from `strlen` of the source string [ref_id=1]. No bounds checking is performed on the copy operation.
What the fix does
The vendor patched this vulnerability on 2018-07-17 [ref_id=1]. While the patch itself is not shown in the bundle, the advisory indicates the fix addresses the unbounded `memcpy` that copies attacker-controlled JSON parameter values into a fixed 512-byte stack buffer. The remediation would require either validating the length of the input before copying, using a bounds-checked copy function, or allocating a dynamically sized buffer to prevent stack overflow [ref_id=1].
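To make the root cause and the remediation concrete, the following is an added example (a hypothetical reconstruction, not the vendor's or Talos's code) that places the unchecked `memcpy` pattern described above next to a bounds-checked replacement. It assumes the "url" value has already been extracted from the JSON body as a NUL-terminated C string, and uses the 512-byte buffer size given on this page; `copy_url_unchecked`, `copy_url_checked`, `accept_url` and `accept_url_of_length` are names chosen here.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction, not the vendor's code: the "url" value has
 * already been extracted from the JSON body as a NUL-terminated string and
 * the destination is the 512-byte stack buffer named in the advisory. */
#define URL_BUF_SIZE 512

/* Before: the copy length is strlen(src), so a value of 512 bytes or more
 * runs past dst into the saved registers and return address. Kept only
 * for contrast with the checked version below. */
void copy_url_unchecked(char *dst, const char *src)
{
    memcpy(dst, src, strlen(src));
}

/* After: refuse a value that cannot fit together with its terminator and
 * return -1 so the handler can reject the request; otherwise return the
 * number of bytes copied. dst is never written past dst[URL_BUF_SIZE-1]. */
int copy_url_checked(char dst[URL_BUF_SIZE], const char *src)
{
    size_t len = strlen(src);
    if (len >= URL_BUF_SIZE)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

/* Handler stand-in: same local buffer as the original, checked path. */
int accept_url(const char *url_value)
{
    char url[URL_BUF_SIZE];
    return copy_url_checked(url, url_value);
}

/* Builds a constructed value of n 'A' bytes (the shape of the advisory's
 * proof-of-concept input) and reports whether the checked copy takes it. */
int accept_url_of_length(size_t n)
{
    char *value = malloc(n + 1);
    if (!value)
        return -1;
    memset(value, 'A', n);
    value[n] = '\0';
    int rc = accept_url(value);
    free(value);
    return rc;
}
```

A handler that gets -1 back should answer the PATCH with an error and log the oversized value length; that log line is also a cheap detection signal for attempts against unpatched hubs.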
Preconditions
- network: The attacker must be able to send HTTP requests to the video-core process on port 3000 of the SmartThings Hub (e.g., by impersonating SmartThings servers, installing a malicious SmartApp, or relaying through the mobile app and cloud APIs).
- config: A camera must already be present on the device and its ID known to the attacker.
- auth: No authentication is required for the localhost endpoint; for the cloud relay vector, a valid OAuth bearer token or username/password is needed.
Reproduction
$ curl -X PATCH "http://127.0.0.1:3000/cameras/${sCameraId}" -d '{"url":"'$(perl -e 'print "A"x6740')BBBBX'","state":"x"}'
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.talosintelligence.com/vulnerability_reports/TALOS-2018-0574 (refsource: MISC)