
A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices.

Wyze Cam v3 is a top-selling, inexpensive indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone control, IP65 weatherproofing, and more.

Security researcher Peter Geissler (aka bl4sty) recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices.

The first is a DTLS (Datagram Transport Layer Security) authentication bypass in the 'iCamera' daemon, allowing attackers to use arbitrary PSKs (Pre-Shared Keys) during the TLS handshake to bypass security measures.

The second flaw manifests after the DTLS-authenticated session has been established, when the client sends a JSON object.

The iCamera code that parses that object can be exploited due to bad handling of a specific array, leading to a stack buffer overflow where data is written into unintended parts of memory.

Attackers can leverage the second vulnerability to overwrite the stack memory and, given the lack of security features like stack canaries and position-independent execution in the iCamera code, execute their own code on the camera.
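As an added illustration (not iCamera's code and not taken from the PoC), the snippet below shows the bug class the article describes, a stack buffer overflow caused by trusting the element count in a parsed JSON array, next to the bounds-checked version a firmware fix would use; the `json_array_t` type, the `MAX_ITEMS` capacity and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ITEMS 8   /* capacity of the fixed-size stack buffer in the handler */

/* Hypothetical parsed-JSON array: element pointer plus the element count taken
 * from the peer's message. Constructed for this example, not iCamera's format. */
typedef struct { const int32_t *items; size_t count; } json_array_t;

/* UNSAFE (CWE-121 pattern): the peer-supplied count is trusted, so any count
 * above MAX_ITEMS writes past buf[] into saved registers and the return address.
 * Without stack canaries or PIE nothing detects or randomizes that corruption. */
int32_t handle_array_unsafe(const json_array_t *arr) {
    int32_t buf[MAX_ITEMS], sum = 0;
    for (size_t i = 0; i < arr->count; i++) {
        buf[i] = arr->items[i];          /* i is never compared to MAX_ITEMS */
        sum += buf[i];
    }
    return sum;
}

/* HARDENED: validate the count against the buffer capacity before any copy and
 * reject the message outright (-1) instead of truncating silently. */
int handle_array_checked(const json_array_t *arr, int32_t *out_sum) {
    if (arr == NULL || arr->items == NULL || arr->count > MAX_ITEMS)
        return -1;
    int32_t buf[MAX_ITEMS], sum = 0;
    memcpy(buf, arr->items, arr->count * sizeof buf[0]);
    for (size_t i = 0; i < arr->count; i++)
        sum += buf[i];
    *out_sum = sum;
    return 0;
}

/* Constructed inputs: a well-formed 4-element array and an oversized 16-element one. */
static const int32_t ok_items[4]   = {1, 2, 3, 4};
static const int32_t big_items[16] = {0};
int32_t demo_checked_sum(void) {          /* in-bounds input: returns 10 */
    json_array_t ok = {ok_items, 4};
    int32_t sum = -1;
    return handle_array_checked(&ok, &sum) == 0 ? sum : -1;
}

int demo_oversized_rejected(void) {       /* oversized input: returns 1, nothing copied */
    json_array_t big = {big_items, 16};
    int32_t sum = 0;
    return handle_array_checked(&big, &sum) == -1;
}
```

Building the real daemon with `-fstack-protector-strong` and `-fPIE -pie` would add the mitigations the article notes iCamera lacks, but the length check is still required: a canary only turns the overflow into a crash rather than preventing it.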

The exploit released by Geissler on GitHub chains these two flaws to give attackers an interactive Linux root shell, turning vulnerable Wyze v3 cameras into persistent backdoors and allowing attackers to pivot to other devices on the network.

The exploit was tested and confirmed to work on firmware versions 4.36.10.4054, 4.36.11.4679, and 4.36.11.5859.

Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are advised to apply the security update as soon as possible.

Patching controversy

In a private discussion, Geissler explained to BleepingComputer that he made his exploit available to the public before most Wyze users could apply the patch in order to express his disapproval of Wyze's patching practices.

Specifically, Wyze's patch came right after the competition registration deadline for the recent Pwn2Own Toronto event.

Releasing the fixes right after registration caused several teams that had a working exploit in their hands up until that moment to abandon the effort.

Wyze told the researcher that the timing was a coincidence and that they were merely trying to safeguard their customers against a threat they had learned about a few days earlier.

“I want to clarify a few things; we did not know about this issue for years, this is an issue in the third-party library we use and we got a report about it just a few days before pwn2own and once we got the report in our bugbounty program we patched the issue in 3 days and released to public,” reads an email sent from Wyze.

While Geissler admits that it is not uncommon for vendors to patch a bug that breaks exploit chains before the competition, he accuses Wyze of singling out that specific device to avoid negative PR from the competition, as the bug was allegedly not fixed in other devices.

BleepingComputer reached out to Wyze for a comment about Geissler's accusations but has not received a response at this time.

However, Wyze told another security researcher that they were only notified of the Wyze Cam v3 bug a few days before the competition and are now investigating whether it is present in other devices' firmware.

At this point the PoC is public, so it is likely to see mass exploitation in the future, and users are advised to take immediate action to fix the bug.

If unable to apply the firmware update, users should isolate their Wyze cameras from networks that serve critical devices.
