• October 01, 2022, 11:33:42 AM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  


This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: CVE-2019-10999 :: Authenticated Buffer Overflow (Various DCS Cameras)  (Read 3962 times)


  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting

Affected Models:
DCS-930L / 931L / 932L / 933L / 934L / 5009L/ 5010L / 5020L / 5025L / 5030L

In November 28, 2018, D-Link became a aware of a 3rd Party security researcher that accused the DCS-5020L Hardware Rev. Ax of a command injection vulnerability in the web-GUI.
After an investigation, this vulnerability is only accessible via the local-network since the cameras Web-GUI only responds on the same subnet was the PC Host web-browser. and not directly from the Internet (WAN-side))
CVE-2019-10999 :: https://nvd.nist.gov/vuln/detail/CVE-2019-10999
Github :: https://github.com/fuzzywalls/CVE-2019-10999
Onward Security :: http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201905-138

Note: The exploit requires credentials to be successful.
There exists an authenticated buffer overflow vulnerability in the accused cameras  that can be exploited by malicious users. It occurs when a large string is passed in the WEPEncryption parameter provided to wireless.htm. The variable is expected to be a single character of some value between 0 and 4 based on radio buttons selected by the user. Because of this assumption the length of the string is never verified and passed directly to strcpy() which copies directly to a stack variable. This overwrite can be used to gain control of the return address and possible to execute arbitrary code.

Links to updated FW files per DCS model here:
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.