The researchers provided more technical details here and also included the following video demonstration: 'Because the webserver runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within the achieve root remote command execution.' 'The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call,' the researchers wrote in a blog post published to the Exploitee.rs website. As a result, attackers who know the IP address of a vulnerable camera can exploit the vulnerability to inject commands that are executed with unfettered root privileges. It stems from the failure to properly filter malicious input included in the name of uploaded files. The bug resides in PHP code responsible for updating a video monitoring system known as iWatch. The flaw allows attackers to inject commands into a Web interface built into the devices.
The remote code-execution vulnerability has been confirmed in the Samsung SmartCam SNH-1011. Smart cameras marketed under the Samsung brand name are vulnerable to attacks that allow hackers to gain full control, a status that allows the viewing of what are supposed to be private video feeds, researchers said.