TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
- From: nospam@xxxxxxxx
- Date: Wed, 28 Mar 2012 17:16:15 GMT
camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest
Background:
When the device's web interface is browsed, the product prompts the visitor to install an ActiveX control that streams the video content. The control has the following properties:
File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True
Because the control reports itself safe for scripting and for initialization through IObjectSafety, once it is installed Internet Explorer will instantiate it for any web page and let that page's script call its methods, including OpenFileDlg().
Vulnerability:
This ActiveX control exposes the vulnerable OpenFileDlg() method; from the type library:
..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
/* VT_BSTR [8] [in] */ $sFilter
)
{
/* method OpenFileDlg */
}
..
Invoking this method with an overlong string argument overflows a stack buffer. The cause is an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx: the source string is converted in full (WideCharCount = -1) into a buffer on the stack (MultiByteStr = 00127A50), while the byte count passed as MultiByteCount (0x7532 = 30002) is not the size of that buffer, so the conversion runs past its end:
Call stack of main thread
Address   Stack     Procedure / arguments                  Called from          Frame
001279FC  77E6F20B  kernel32.77E637DE                      kernel32.77E6F206    00127A0C
00127A10  0299F958  kernel32.WideCharToMultiByte           UltraMJC.0299F952    00127A0C
00127A14  00000003  CodePage = 3
00127A18  00000000  Options = 0
00127A1C  03835C5C  WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20  FFFFFFFF  WideCharCount = FFFFFFFF (-1.)
00127A24  00127A50  MultiByteStr = 00127A50
00127A28  00007532  MultiByteCount = 7532 (30002.)
00127A2C  00000000  pDefaultChar = NULL
00127A30  00000000  pDefaultCharUsed = NULL
00127A3C  029B11D0  UltraMJC.0299F920                      UltraMJC.029B11CB    00127A38
..
0299F934 8B45 08        mov eax,dword ptr ss:[ebp+8]        ; destination buffer (MultiByteStr)
0299F937 C600 00        mov byte ptr ds:[eax],0             ; dst[0] = 0
0299F93A 6A 00          push 0                              ; lpUsedDefaultChar = NULL
0299F93C 6A 00          push 0                              ; lpDefaultChar = NULL
0299F93E 8B4D 10        mov ecx,dword ptr ss:[ebp+10]
0299F941 51             push ecx                            ; cbMultiByte, supplied by the caller ([ebp+10]), not derived from the buffer
0299F942 8B55 08        mov edx,dword ptr ss:[ebp+8]
0299F945 52             push edx                            ; lpMultiByteStr = destination buffer
0299F946 6A FF          push -1                             ; cchWideChar = -1: convert the whole NUL-terminated source
0299F948 8B45 0C        mov eax,dword ptr ss:[ebp+C]
0299F94B 50             push eax                            ; lpWideCharStr = the BSTR passed to OpenFileDlg()
0299F94C 6A 00          push 0                              ; dwFlags = 0
0299F94E 8B4D 14        mov ecx,dword ptr ss:[ebp+14]
0299F951 51             push ecx                            ; CodePage
0299F952 FF15 20319F02  call dword ptr ds:[<&KERNEL32.WideCharToMultiByte>] ; kernel32.WideCharToMultiByte <------------
..
The result is that the structured exception handler (SEH) registration record on the stack is overwritten, which allows arbitrary code execution in the context of the browser user who visits a malicious page. Until a fixed control is available, the standard mitigation is to set the kill bit for the CLSID listed above so that Internet Explorer refuses to load it.
Basic proof-of-concept code is attached.
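The pattern in the listing above, as an added example that is not code from the advisory, the vendor or the control: a conversion wrapper shaped like the one at 0299F934, whose byte count comes from the caller, beside a hardened version that sizes the conversion from the real buffer and checks the return value. The function names, the 64-byte buffer, the simulated stack layout with a marker where the SEH record sits, the run of '&' input and the off-Windows stand-in for WideCharToMultiByte are all assumptions made for this illustration; on Windows the same code builds against the real API.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-in for the Win32 API so the example builds off Windows (constructed
   for this example). It keeps the contract the bug depends on: cchWideChar
   of -1 converts through the terminating NUL, cbMultiByte is trusted as the
   destination size, and a too-small cbMultiByte yields 0 with
   ERROR_INSUFFICIENT_BUFFER. Code pages are ignored; characters are narrowed. */
typedef uint16_t WCHAR;
typedef unsigned int UINT;
typedef unsigned long DWORD;
#define ERROR_INSUFFICIENT_BUFFER 122UL
static DWORD g_last_error;
static DWORD GetLastError(void) { return g_last_error; }
static int WideCharToMultiByte(UINT cp, DWORD flags, const WCHAR *src, int cch_wide,
                               char *dst, int cb_multi, const char *def, int *used) {
    (void)cp; (void)flags; (void)def; (void)used;
    int n = 0;
    if (cch_wide < 0) { while (src[n] != 0) n++; n++; } else n = cch_wide;
    if (cb_multi == 0) return n;                      /* size query only */
    if (n > cb_multi) { g_last_error = ERROR_INSUFFICIENT_BUFFER; return 0; }
    for (int i = 0; i < n; i++) dst[i] = (char)(src[i] & 0xFF);
    return n;
}
#endif

enum { BUF_SIZE = 64, SIM_STACK = 4096, CALLER_CB = 30002, MAX_INPUT = 1000 };
#define SEH_MARKER "SEH!"

/* Simulated stack: a 64-byte local buffer followed by the exception
   registration record (a marker here). One array, so the overrun stays
   inside defined memory in this demonstration. */
struct sim_stack { char mem[SIM_STACK]; };

static void stack_init(struct sim_stack *s) {
    memset(s->mem, 0, sizeof s->mem);
    memcpy(s->mem + BUF_SIZE, SEH_MARKER, sizeof SEH_MARKER - 1);
}
static int seh_intact(const struct sim_stack *s) {
    return memcmp(s->mem + BUF_SIZE, SEH_MARKER, sizeof SEH_MARKER - 1) == 0;
}

/* Constructed input: a run of '&' like the WideCharStr in the call stack. */
static WCHAR g_input[MAX_INPUT + 1];
static const WCHAR *make_input(size_t count) {
    if (count > MAX_INPUT) count = MAX_INPUT;
    for (size_t i = 0; i < count; i++) g_input[i] = (WCHAR)'&';
    g_input[count] = 0;
    return g_input;
}

/* Vulnerable shape, modelled on the listing at 0299F934: the byte count
   passed to WideCharToMultiByte is whatever the caller handed in ([ebp+10]),
   not the size of the buffer that [ebp+8] actually points at. */
static int narrow_vulnerable(char *dst, const WCHAR *src, int cb_from_caller, UINT cp) {
    dst[0] = 0;                                       /* mov byte ptr [eax],0 */
    return WideCharToMultiByte(cp, 0, src, -1, dst, cb_from_caller, NULL, NULL);
}

/* Hardened form: the count is the real destination size, the return value
   is checked, and input that does not fit is rejected, not truncated. */
static int narrow_safe(char *dst, size_t dst_size, const WCHAR *src, UINT cp) {
    if (dst == NULL || dst_size == 0 || dst_size > INT_MAX) return -1;
    dst[0] = 0;
    int n = WideCharToMultiByte(cp, 0, src, -1, dst, (int)dst_size, NULL, NULL);
    if (n == 0) {
        dst[0] = 0;
        return GetLastError() == ERROR_INSUFFICIENT_BUFFER ? -2 : -1;
    }
    dst[dst_size - 1] = 0;                            /* always NUL-terminated */
    return n;
}

/* Scenario helpers: push `len` characters through each wrapper and report
   whether the simulated SEH record survived (1 = clobbered). */
static int vulnerable_clobbers_seh(size_t len) {
    struct sim_stack s; stack_init(&s);
    narrow_vulnerable(s.mem, make_input(len), CALLER_CB, 0);
    return !seh_intact(&s);
}
static int safe_result(size_t len) {
    struct sim_stack s; stack_init(&s);
    return narrow_safe(s.mem, BUF_SIZE, make_input(len), 0);
}
static int safe_clobbers_seh(size_t len) {
    struct sim_stack s; stack_init(&s);
    narrow_safe(s.mem, BUF_SIZE, make_input(len), 0);
    return !seh_intact(&s);
}

int main(void) {
    printf("vulnerable, 10 chars:  SEH clobbered = %d\n", vulnerable_clobbers_seh(10));
    printf("vulnerable, 200 chars: SEH clobbered = %d\n", vulnerable_clobbers_seh(200));
    printf("safe, 200 chars:       rc = %d, SEH clobbered = %d\n", safe_result(200), safe_clobbers_seh(200));
    return 0;
}
```

The point of the hardened wrapper is the pairing of a buffer pointer with its own size at the call site: with the real destination size passed as cbMultiByte, WideCharToMultiByte stops and reports ERROR_INSUFFICIENT_BUFFER instead of writing past the buffer, and the caller can refuse the input rather than carry on with a partially converted string. A size handed down from a distant caller, as in the OCX, is only correct by coincidence.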
original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm
poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm