Wyze Cam v3 RCE Exploit

vC by Prapattimynk

Wyze has a daemon (iCamera) that listens on UDP port 32761 and speaks some derivative of the TUTK protocol. The outer layer of the protocol consists of scrambled/XOR’d frames using a funny constant (shout out to Charlie, the engineer!). Inside this custom framing format you can establish a DTLS session with the camera. The only supported ciphersuite is ECDHE-PSK-CHACHA20-POLY1305, and a typical attacker does not have access to the (device-unique) PSK. However, there was a fallback method: by specifying a PSK identity that starts with ‘AUTHTKN_’ during the TLS handshake, the client could pick an arbitrarily chosen PSK.

The exploit will use the vulnerabilities described above to spawn an interactive (connect-back) shell. I have taken the liberty to backport the exploit to some older Wyze Cam v3 versions as well, just because.

The exploit has been tested on the following firmwares:

  • v4.36.10.4054
  • v4.36.11.4679
  • v4.36.11.5859
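
For detection, the PSK identity travels in cleartext in the DTLS ClientKeyExchange (epoch 0), so a monitor can flag handshakes that use the ‘AUTHTKN_’ fallback prefix. The following is an added example, not code from the original page or the exploit; it assumes the outer scrambled framing has already been removed, and the sample datagrams, helper names and placeholder EC point are constructed for illustration.

```python
import struct

SUSPECT_PREFIX = b"AUTHTKN_"            # fallback identity prefix named in the write-up
HANDSHAKE, CLIENT_KEY_EXCHANGE = 22, 16  # DTLS content type / handshake message type

def psk_identities(datagram: bytes):
    """Yield PSK identities found in plaintext DTLS ClientKeyExchange messages.

    Assumption: `datagram` starts at a DTLS record header, i.e. the outer
    scrambled framing layer has already been stripped.
    """
    off = 0
    while off + 13 <= len(datagram):
        # Record header: type(1) version(2) epoch(2) sequence(6) length(2)
        ctype, _ver, epoch, _s_hi, _s_lo, rlen = struct.unpack_from("!BHHHIH", datagram, off)
        body = datagram[off + 13: off + 13 + rlen]
        off += 13 + rlen
        if ctype != HANDSHAKE or epoch != 0 or len(body) < rlen:
            continue  # encrypted, non-handshake, or truncated record
        pos = 0
        while pos + 12 <= len(body):
            # Handshake header: type(1) length(3) msg_seq(2) frag_off(3) frag_len(3)
            mtype = body[pos]
            frag_off = int.from_bytes(body[pos + 6: pos + 9], "big")
            frag_len = int.from_bytes(body[pos + 9: pos + 12], "big")
            frag = body[pos + 12: pos + 12 + frag_len]
            pos += 12 + frag_len
            if mtype == CLIENT_KEY_EXCHANGE and frag_off == 0 and len(frag) >= 2:
                # ECDHE_PSK (RFC 5489): psk_identity<0..2^16-1>, then the EC point
                id_len = int.from_bytes(frag[:2], "big")
                if 2 + id_len <= len(frag):
                    yield frag[2: 2 + id_len]

def is_suspicious(datagram: bytes) -> bool:
    """True if any ClientKeyExchange uses the fallback identity prefix."""
    return any(i.startswith(SUSPECT_PREFIX) for i in psk_identities(datagram))

def build_sample(identity: bytes) -> bytes:
    """Constructed sample: one DTLS 1.2 record carrying a ClientKeyExchange."""
    ec_point = b"\x04" + bytes(64)  # placeholder bytes, not a real public key
    msg = struct.pack("!H", len(identity)) + identity + bytes([len(ec_point)]) + ec_point
    n = len(msg).to_bytes(3, "big")
    hs = bytes([CLIENT_KEY_EXCHANGE]) + n + struct.pack("!H", 2) + bytes(3) + n + msg
    return struct.pack("!BHHHIH", HANDSHAKE, 0xFEFD, 0, 0, 3, len(hs)) + hs

if __name__ == "__main__":
    for ident in (b"AUTHTKN_constructed", b"constructed-device-id"):
        print(ident, "->", "ALERT" if is_suspicious(build_sample(ident)) else "ok")
```

Fragmented ClientKeyExchange messages are only inspected when the first fragment contains the whole identity; reassembly is left out to keep the example short.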

