Friday, July 2, 2021

Scary, funny, and then scary again

So, anyway, I recently noticed that a firmware update seemingly had support for RTSP (Real Time Streaming Protocol), and my initial thought was, "Why the hell would firmware want to be able to stream media?" Further investigation showed that the same module seemingly had Gopher (Yes, Gopher) support, and SMTP support, and RTMP (Real Time Messaging Protocol) as well as HTTP, and FTP.

I was starting to get a bit nervous about this, and then the funny bit happened. I noticed a reference to LibCurl.

Wait ... so this is using LibCurl?

That probably explains why this has exotic capabilities such as RTSP. These capabilities are there, but probably not being used.

But then it got scary again...

The LibCurl version seems to be 7.56.1.

That's kind of old, and there have been a lot of vulnerabilities patched since that version was released.

I hope I'm wrong about that version number, because if I'm not wrong, that's a pretty good attack surface.
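One way to double-check a finding like this on an extracted firmware image, as an added example that is not from the original post: look for the version banner libcurl compiles into its binary and for the scheme names listed above. The sample blob, the function names and the `MINIMUM` baseline are constructed placeholders, and matching schemes as NUL-terminated strings is an assumption about how they are stored.

```python
import re

# Banner forms libcurl embeds, e.g. "libcurl/7.56.1" (curl_version() output).
VERSION_RE = re.compile(rb"libcurl[/ ](\d+)\.(\d+)\.(\d+)")
# Scheme names mentioned in the post, searched as NUL-terminated C strings.
SCHEMES = [b"rtsp", b"gopher", b"smtp", b"rtmp", b"http", b"ftp"]
# Placeholder policy baseline (assumption): set it to the oldest release you accept.
MINIMUM = (8, 0, 0)


def find_libcurl_versions(blob):
    """Return (offset, (major, minor, patch)) for each libcurl banner in blob."""
    return [(m.start(), tuple(int(g) for g in m.groups()))
            for m in VERSION_RE.finditer(blob)]


def find_schemes(blob):
    """Return scheme names that appear as standalone NUL-terminated strings."""
    found = []
    for scheme in SCHEMES:
        # The lookbehind keeps "sftp" from counting as "ftp"; requiring the
        # trailing NUL keeps "https" from counting as "http".
        pattern = rb"(?<![A-Za-z0-9])" + re.escape(scheme) + rb"\x00"
        if re.search(pattern, blob, re.IGNORECASE):
            found.append(scheme.decode())
    return found


def audit(blob, minimum=MINIMUM):
    """Summarise embedded libcurl versions and protocol strings in a blob."""
    versions = sorted({v for _, v in find_libcurl_versions(blob)})
    return {
        "versions": versions,
        "outdated": [v for v in versions if v < minimum],
        "schemes": find_schemes(blob),
    }


# Constructed sample standing in for an extracted firmware module.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\xff" * 16
          + b"libcurl/7.56.1\x00\x00\x00"
          + b"RTSP\x00gopher\x00smtp\x00rtmp\x00https\x00sftp\x00")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A banner hit only shows which release the code was built from; vendors sometimes backport fixes without changing the version string, so treat an "outdated" result as a lead to verify.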

Investigation continues. Stay tuned.

Firmware is fun.