A security researcher has published a proof-of-concept exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices. Wyze Cam v3 is a top-selling, inexpensive indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone control, IP65 weatherproofing, and more. Security researcher Peter Geissler recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices. The iCamera code that parses that object can be exploited due to bad handling of a specific array, leading to a stack buffer overflow where data is written into unintended parts of the memory. The exploit released by Geissler on GitHub chains these two flaws to give attackers an interactive Linux root shell, turning vulnerable Wyze v3 cameras into persistent backdoors and allowing attackers to pivot to other devices in the network. The exploit was tested and confirmed to work on firmware versions 4.36.10.4054, 4.36.11.4679, and 4.36.11.5859. Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are recommended to apply the security update as soon as possible. In a private discussion, Geissler explained to BleepingComputer that he made his exploit available to the public before most Wyze users could apply the patch to express his disapproval of Wyze's patching strategies. Specifically, Wyze's patch came right after the competition registration deadline for the recent Pwn2Own Toronto event. Releasing the fixes right after the registration had caused several teams that had a working exploit in their hands up until that moment to abandon the effort. Wyze told the researcher that the timing was a coincidence and that they were merely trying to safeguard their customers against a threat they had learned about a few days before. "I want to clarify a few things; we didn't know about this issue for years, this is an issue in the third-party library we use and we got a report about it just a few days before pwn2own and once we got the report in our bugbounty program we patched the issue in 3 days and released to public," reads an email sent from Wyze. While Geissler admits that it is common for vendors to patch a bug that breaks exploit chains before the competition, he accuses Wyze of singling out that specific device to avoid negative PR from the competition, as the bug was allegedly not fixed in other devices. BleepingComputer reached out to Wyze for a comment about Geissler's accusations but has not received a response at this time. Wyze told another security researcher that they were only notified of the Wyze Cam v3 bug a few days before the competition and are now investigating whether it is in other devices' firmware. If unable to apply the firmware update, users should isolate their Wyze cameras from networks that serve critical devices. Fake WinRAR proof-of-concept exploit drops VenomRAT malware. Citrix Bleed exploit lets hackers hijack NetScaler accounts. Exploits released for Linux flaw giving root on major distros. Exploit available for critical WS FTP bug exploited in attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000