An unauthenticated
format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and
GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling
of externally controlled input during log message formatting in the login
processing path. A remote attacker may exploit this vulnerability by sending
crafted login data, potentially causing information disclosure, memory
corruption, or a denial of service.
Credits
Jincheng Wang (@winmt), Professor Le Yu of Nanjing University of Posts and Telecommunications, and Professor Xiapu Luo of The Hong Kong Polytechnic University has reported:
