Advisory Details

October 2nd, 2014

(0Day) GoPro HERO 3+ gpExec start Remote Code Execution Vulnerability

ZDI-14-347
ZDI-CAN-2162

CVE ID CVE-2014-6433
CVSS SCORE 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED VENDORS GoPro
AFFECTED PRODUCTS HERO 3+
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GoPro HERO 3+. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the gpExec component. This component performs insufficient parameter validation on the a1/a2 parameters when the c1/c2 parameters are set to "start". Successful exploitation will allow an attacker to execute an arbitrary file on the target device.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.

03/08/2014 - ZDI reached out to the vendor
03/08/2014 - Vendor sent an automated reply
03/18/2014 - ZDI reached out to the vendor
03/19/2014 - Vendor replied that they are not "interested in such services"
03/24/2014 - ZDI requested escalation with the vendor
03/25/2014 - Vendor reached out to ZDI w/appropriate contact person and PGP
03/26/2014 - ZDI disclosed to the vendor
03/26/2014 - Vendor acknowledged
06/18/2014 - ZDI sent request for update
06/18/2014 - Vendor replied 'no update'
08/25/2014 - ZDI sent request for update/ETA
08/25/2014 - Vendor replied 'no ETA'
09/15/2014 - ZDI sent request for update/ETA

-- Vendor Response:

GoPro intends to address this Hero 3 Plus issue in the next release for the product, and will update ZDI with a link to the GoPro website at that time.


DISCLOSURE TIMELINE
  • 2014-03-08 - Case submitted to the ZDI
  • 2014-10-02 - Public release of advisory
CREDIT Anonymous
BACK TO ADVISORIES