A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices.
Wyze Cam v3 is a top-selling, low-cost indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone management, IP65 weatherproofing, and more.
Security researcher Peter Geissler (aka bl4sty) recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices.
The first is a DTLS (Datagram Transport Layer Security) authentication bypass in the 'iCamera' daemon, which lets an attacker complete the DTLS handshake with an arbitrary PSK (Pre-Shared Key) instead of the device's real one, bypassing the authentication the handshake is supposed to enforce.
The second flaw manifests after the authenticated DTLS session has been established, when the client sends a JSON object.
The iCamera code that parses that object can be exploited because of unsafe handling of a specific array: the number of elements written is controlled by the sender rather than bounded by the destination buffer, leading to a stack buffer overflow in which data is written past the end of the intended buffer.
Attackers can use the second vulnerability to overwrite stack memory and, given the lack of mitigations such as stack canaries and position-independent executable (PIE) builds in the iCamera binary, execute their own code on the camera.
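The article does not show the iCamera parsing code, so the following is an added illustration, not Wyze's code, of the bug class it describes: a JSON integer array parsed into a fixed-size local array, first with no bound on the number of elements stored and then with one. The JSON shape, the function names and the buffer size `MAX_ITEMS` are assumptions made for the example.

```c
/* Added example: unchecked vs. checked parsing of a JSON integer array
 * into a fixed-size buffer. Not iCamera code; names and sizes are assumed. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_ITEMS 8   /* assumed size of the local array the parser fills */

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    return p;
}

/* Unchecked parser: reads "[n, n, ...]" and stores each integer in out[].
 * Nothing ties the number of stores to the size of out, so the sender of
 * the JSON decides how far the writes extend. When out is a local array of
 * MAX_ITEMS ints, element MAX_ITEMS and beyond overwrite the rest of the
 * stack frame, including the saved return address. Returns the element
 * count, or -1 on malformed input. */
int parse_array_unchecked(const char *json, int *out)
{
    const char *p = skip_ws(json);
    int n = 0;
    if (*p++ != '[') return -1;
    p = skip_ws(p);
    if (*p == ']') return 0;
    for (;;) {
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        if (end == p || errno != 0 || v > INT_MAX || v < INT_MIN) return -1;
        out[n++] = (int)v;                     /* no bound on n */
        p = skip_ws(end);
        if (*p == ',') { p = skip_ws(p + 1); continue; }
        return (*p == ']') ? n : -1;
    }
}

/* Checked parser: identical grammar, but the caller passes the capacity of
 * out and the parser refuses to store more than that. Returns the element
 * count, -1 on malformed input, or -2 when the array would not fit. */
int parse_array_checked(const char *json, int *out, size_t cap)
{
    const char *p = skip_ws(json);
    int n = 0;
    if (*p++ != '[') return -1;
    p = skip_ws(p);
    if (*p == ']') return 0;
    for (;;) {
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        if (end == p || errno != 0 || v > INT_MAX || v < INT_MIN) return -1;
        if ((size_t)n >= cap) return -2;       /* reject before writing */
        out[n++] = (int)v;
        p = skip_ws(end);
        if (*p == ',') { p = skip_ws(p + 1); continue; }
        return (*p == ']') ? n : -1;
    }
}

/* The caller pattern the article describes: a fixed-size array on the stack.
 * Only the checked parser is safe to use here. Returns the sum of the
 * elements, or the parser's negative error code. */
int sum_items_checked(const char *json)
{
    int items[MAX_ITEMS];
    int n = parse_array_checked(json, items, MAX_ITEMS);
    if (n < 0) return n;
    int sum = 0;
    for (int i = 0; i < n; i++) sum += items[i];
    return sum;
}
```

The unchecked parser is deliberately never called with a stack array in this example; on a binary built without stack canaries or PIE, feeding it an array longer than the local buffer is exactly the overwrite the article describes. The fix is not in the JSON grammar but in the single capacity check before each store.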
The exploit Geissler released on GitHub chains these two flaws to give attackers an interactive Linux root shell, turning vulnerable Wyze Cam v3 cameras into persistent backdoors and allowing attackers to pivot to other devices on the network.
The exploit was tested and confirmed to work on firmware versions 4.36.10.4054, 4.36.11.4679, and 4.36.11.5859.
Wyze released firmware version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are advised to apply the security update as soon as possible.
Patching controversy
In a private discussion, Geissler explained to BleepingComputer that he made his exploit publicly available before most Wyze users could apply the patch in order to express his disapproval of Wyze's patching practices.
Specifically, Wyze's patch came right after the contest registration deadline for the recent Pwn2Own Toronto event.
Releasing the fixes right after registration caused several teams that had a working exploit in hand up until that moment to abandon the effort.
Wyze told the researcher that the timing was a coincidence and that they were simply trying to protect their customers against a threat they had learned about only a few days earlier.
"I want to clarify a few things; we didn't know about this issue for years, this is an issue in the third-party library we use and we got a report about it just a few days before Pwn2Own and once we got the report in our bug bounty program we patched the issue in 3 days and released to public," reads an email sent from Wyze.
While Geissler admits that it is common for vendors to patch a bug that breaks exploit chains before the contest, he accuses Wyze of singling out that particular device to avoid negative PR from the contest, since the bug was allegedly not fixed in other devices.
BleepingComputer reached out to Wyze for comment on Geissler's accusations but has not received a response at this time.
However, Wyze told another security researcher that they were only notified of the Wyze Cam v3 bug a few days before the contest and are now investigating whether it is present in other devices' firmware.
At this point the PoC is public, so the bug is likely to see mass exploitation, and users are advised to take immediate action to fix it.
If unable to apply the firmware update, users should isolate their Wyze cameras on a separate network segment, away from networks that serve critical devices.