Command execution due to unsanitized input in LifeShield DIY HD Video Doorbell

Vulnerability

The ADT LifeShield DIY HD Video Doorbell (version 1.0.02R09 and prior) contains a command injection vulnerability in its HTTP interface. The software fails to properly neutralize special elements used in commands, allowing an attacker to inject arbitrary commands via crafted HTTP requests. This issue affects the HTTP interface of the device.

Exploitation

An attacker on the same local network as the doorbell can send specially crafted HTTP requests to the device's HTTP interface. No authentication is required to reach the vulnerable endpoint. The attacker can inject commands that are executed with the privileges of the web server process.

Impact

Successful exploitation allows the attacker to execute arbitrary commands on the device. This can lead to full compromise of the doorbell, including unauthorized access to the live video stream, modification of device settings, and potential lateral movement within the network.

Mitigation

As of the publication date (2021-02-02), no official patch has been disclosed in the available references [1]. Users should ensure the device is not exposed to untrusted networks and consider isolating it on a separate VLAN. The vendor may have released a firmware update after this date; consult ADT support for the latest firmware.