The Lorex 2K Indoor Wi-Fi Security Camera is a consumer security device that provides cloud-based video camera surveillance capabilities. This device was a target at the 2024 Pwn2Own IoT competition. Rapid7 developed an unauthenticated remote code execution (RCE) exploit chain as an entry for the competition. On November 25, 2024, Lorex released a firmware update to resolve the five vulnerabilities that comprise the exploit chain reported by Rapid7. As of December 3, 2024, we are disclosing these issues publicly in coordination with the vendor.
Technical analysis
A detailed technical analysis for the exploit chain described in this blog can be found in Rapid7’s whitepaper here.
The accompanying source code for the exploit chain can be found here.
The exploit chain consists of five distinct vulnerabilities, which operate together in two phases to achieve unauthenticated RCE. The five vulnerabilities are listed below.
CVE             | Description                                                              | Affected Component            | CVSS
----------------|--------------------------------------------------------------------------|-------------------------------|---------------
CVE-2024-52544  | An unauthenticated attacker can trigger a stack-based buffer overflow.   | DP Service (TCP port 3500)    | 9.8 (Critical)
CVE-2024-52545  | An unauthenticated attacker can perform an out-of-bounds heap read.      | IQ Service (TCP port 9876)    | 6.5 (Medium)
CVE-2024-52546  | An unauthenticated attacker can perform a null pointer dereference.      | DHIP Service (UDP port 37810) |