- Jul 22, 2014
- 2,525
A vulnerability codenamed Devil's Ivy is putting thousands of Internet-connected devices at risk of hacking.
Discovered by security researchers from Senrio, the flaw affects gSOAP, a C/C++ library widely used in the development of firmware for embedded devices.
gSOAP is a dual licensed (free and commercial) product developed by Genivia, who on its website says the library will help companies in the "development of [...] products [that] meet the latest industry standards for XML, XML Web services, WSDL and SOAP, REST, JSON, WS-Security, WS-Trust with SAML, WS-ReliableMessaging, WS-Discovery, TR-069, ONVIF, AWS, WCF, and more."
Vulnerability initially discovered in security camera firmware
Senrio researchers initially discovered the vulnerability while analyzing the firmware of the Axis M3004 security camera.
After contacting the camera vendor with their findings, Axis told Senrio that the Devil's Ivy vulnerability affects 249 of 252 security camera models the company makes, which use firmware that includes the gSOAP toolkit.
The vulnerability is a simple buffer overflow, but Senrio researchers have managed to use it to execute code on the Axis security camera. A video recorded by researchers is embedded below, demoing the attack:
.....
Discovered by security researchers from Senrio, the flaw affects gSOAP, a C/C++ library widely used in the development of firmware for embedded devices.
gSOAP is a dual licensed (free and commercial) product developed by Genivia, who on its website says the library will help companies in the "development of [...] products [that] meet the latest industry standards for XML, XML Web services, WSDL and SOAP, REST, JSON, WS-Security, WS-Trust with SAML, WS-ReliableMessaging, WS-Discovery, TR-069, ONVIF, AWS, WCF, and more."
Vulnerability initially discovered in security camera firmware
Senrio researchers initially discovered the vulnerability while analyzing the firmware of the Axis M3004 security camera.
After contacting the camera vendor with their findings, Axis told Senrio that the Devil's Ivy vulnerability affects 249 of 252 security camera models the company makes, which use firmware that includes the gSOAP toolkit.
The vulnerability is a simple buffer overflow, but Senrio researchers have managed to use it to execute code on the Axis security camera. A video recorded by researchers is embedded below, demoing the attack:
.....
