VYPR
Severity: Unrated · NVD Advisory · Published Aug 23, 2018 · Updated Sep 17, 2024

CVE-2018-3905

Description

An exploitable buffer overflow vulnerability exists in the camera "create" feature of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly extracts the "state" field from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack buffer overflow in the camera 'create' feature of Samsung SmartThings Hub allows authenticated remote attackers to execute arbitrary code.

Vulnerability

The video-core process in Samsung SmartThings Hub STH-ETH-250 firmware version 0.20.17 contains a stack buffer overflow vulnerability in the camera "create" feature of its HTTP server. The server incorrectly extracts the state field from a user-controlled JSON payload without proper bounds checking, leading to a buffer overflow on the stack. This vulnerability is classified as CWE-120: Buffer Copy without Checking Size of Input. [1]

Exploitation

An attacker with network access and low privileges (authenticated user) can exploit this vulnerability by sending a crafted HTTP request to the video-core HTTP server. The request must include a JSON payload with an oversized state field. The server then copies this data into a fixed-size stack buffer, causing a buffer overflow. The attack complexity is high due to the need for precise payload construction, but no user interaction is required. [1]

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution on the hub. Given the hub's role as a central controller for smart home devices, this could lead to full compromise of the device and potentially the home network. The CVSSv3 score is 8.5, with high impact on confidentiality, integrity, and availability, and a changed scope. [1]

Mitigation

As of the publication date (2018-08-23), no official patch or firmware update was available from Samsung to address this vulnerability. Users are advised to monitor for firmware updates and consider network segmentation to limit exposure. The affected firmware version 0.20.17 may be end-of-life; upgrading to a newer hardware revision or applying vendor-supplied patches when available is recommended. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

Missing length validation on the "state" field extracted from a user-controlled JSON payload allows an unbounded stack buffer copy via memcpy.

Attack vector

An attacker sends a POST request to the video-core HTTP server at "http://127.0.0.1:3000/cameras" with a JSON body containing a "state" field of arbitrary length [ref_id=1]. The video-core process extracts the "state" value via json_object_to_json_string and copies it into a fixed stack buffer using memcpy with the source string's length (from strlen), performing no bounds check [CWE-120]. This can be triggered by impersonating the remote SmartThings servers (which relay HTTP requests through hubCore), by a malicious SmartApp running inside hubCore that makes localhost connections, or potentially through the SmartThings mobile application with a valid OAuth token [ref_id=1].

Affected code

The vulnerable code is in the sub_48438 function of the video-core process, which handles the "state" parameter from a JSON payload. At offset 0x489E0-0x48A04, the function calls json_object_to_json_string on the "state" value, then strlen to get its length, and finally memcpy to copy it into a stack buffer at R6+0x818 without any size check [ref_id=1].

What the fix does

The advisory states the vendor patched the vulnerability on 2018-07-17, but no patch diff is included in the bundle [ref_id=1]. The recommended remediation is to validate the length of the "state" parameter before copying it into the stack buffer, ensuring the copy size does not exceed the destination buffer capacity, similar to how the "url" parameter is truncated to a maximum length of 0x200 [ref_id=1].
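The remediation described above, as an added illustration that is not code from the advisory or from Samsung's video-core: a bounded replacement for the strlen-sized memcpy, plus a truncating variant mirroring how the page says the "url" parameter is handled. The buffer capacity STATE_BUF_CAP is an assumption (the advisory gives only the stack offset R6+0x818, not the buffer size), the function names are hypothetical, and the 700-byte input is reconstructed from the reproduction command so the check can be exercised offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the fixed stack buffer the "state" value is copied
 * into. The advisory does not state its size; 0x200 is a hypothetical cap
 * chosen to mirror the page's own "url" limit. */
#define STATE_BUF_CAP 0x200

/* Rejecting variant: copy only if the whole value (plus NUL) fits.
 * Returns 0 on success, -1 when the request should be rejected. This is the
 * check the advisory says was missing before the memcpy. */
int copy_state_checked(const char *state, char *dst, size_t dst_cap)
{
    if (state == NULL || dst == NULL || dst_cap == 0)
        return -1;
    size_t len = strlen(state);       /* the length the vulnerable code used directly */
    if (len >= dst_cap)               /* leave room for the terminator */
        return -1;
    memcpy(dst, state, len + 1);      /* bounded: len < dst_cap */
    return 0;
}

/* Truncating variant, analogous to the 0x200 cap the page reports for "url".
 * Returns the number of bytes stored (excluding the NUL). */
size_t copy_state_truncated(const char *state, char *dst, size_t dst_cap)
{
    if (state == NULL || dst == NULL || dst_cap == 0)
        return 0;
    size_t len = strlen(state);
    if (len > dst_cap - 1)
        len = dst_cap - 1;            /* clamp before copying */
    memcpy(dst, state, len);
    dst[len] = '\0';
    return len;
}

/* Models the handler's fixed-size stack buffer; 0 = accepted, -1 = rejected. */
int handle_camera_state(const char *state)
{
    char state_buf[STATE_BUF_CAP];
    if (state == NULL)
        return -1;
    if (copy_state_checked(state, state_buf, sizeof state_buf) != 0) {
        fprintf(stderr, "rejecting camera create: state length %zu exceeds %zu\n",
                strlen(state), sizeof state_buf - 1);
        return -1;
    }
    /* ... continue processing with state_buf ... */
    return 0;
}

/* Reconstructs the advisory's reproduction input (700 'A' bytes) and
 * returns 1 if the hardened handler rejects it. */
int oversized_state_rejected(void)
{
    char big[701];
    memset(big, 'A', 700);
    big[700] = '\0';
    return handle_camera_state(big) == -1;
}

/* Returns the stored length when the same input is clamped instead. */
size_t oversized_state_truncated_len(void)
{
    char big[701];
    char dst[STATE_BUF_CAP];
    memset(big, 'A', 700);
    big[700] = '\0';
    return copy_state_truncated(big, dst, sizeof dst);
}

int main(void)
{
    printf("short state accepted: %s\n", handle_camera_state("active") == 0 ? "yes" : "no");
    printf("700-byte state rejected: %s\n", oversized_state_rejected() ? "yes" : "no");
    printf("700-byte state clamped to: %zu bytes\n", oversized_state_truncated_len());
    return 0;
}
```

Rejecting with a 4xx is the safer default for a field like "state", where a silently clamped value could change meaning; truncation is shown only because the page reports that approach for "url".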

Preconditions

  • Network: Attacker must be able to send HTTP requests to the video-core process on localhost port 3000, either by impersonating the remote SmartThings servers, running a malicious SmartApp, or using the mobile app with a valid OAuth token.
  • Auth: For the server-impersonation vector, the attacker must be able to impersonate the remote SmartThings servers. For the mobile app vector, the attacker needs a valid OAuth bearer token or username/password pair.

Reproduction

$ curl -X POST "http://127.0.0.1:3000/cameras" -d '{"cameraId":"00000000-0000-0000-0000-000000000000","locationId":"00000000-0000-0000-0000-000000000000","dni":"000000000000","url":"x","state":"'$(perl -e 'print "A"x700')'"}'

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.