Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27861
HistoryApr 02, 2012 - 12:00 a.m.

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

2012-04-0200:00:00
vulners.com
53

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest

Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

Vulnerability:
This ActiveX control exposed the vulnerable
OpenFileDlg() method, see typelib:


/* DISPID=101 /
/
VT_BSTR [8] /
function OpenFileDlg(
/
VT_BSTR [8] [in] / $sFilter
)
{
/
method OpenFileDlg */
}

By invoking this method with an overlong argument is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
001279FC 77E6F20B kernel32.77E637DE kernel32.77E6F206 00127A0C
00127A10 0299F958 kernel32.WideCharToMultiByte UltraMJC.0299F952 00127A0C
00127A14 00000003 CodePage = 3
00127A18 00000000 Options = 0
00127A1C 03835C5C WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20 FFFFFFFF WideCharCount = FFFFFFFF (-1.)
00127A24 00127A50 MultiByteStr = 00127A50
00127A28 00007532 MultiByteCount = 7532 (30002.)
00127A2C 00000000 pDefaultChar = NULL
00127A30 00000000 pDefaultCharUsed = NULL
00127A3C 029B11D0 UltraMJC.0299F920 UltraMJC.029B11CB 00127A38


0299F934 8B45 08 mov eax,dword ptr ss:[ebp+8]
0299F937 C600 00 mov byte ptr ds:[eax],0
0299F93A 6A 00 push 0
0299F93C 6A 00 push 0
0299F93E 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
0299F941 51 push ecx
0299F942 8B55 08 mov edx,dword ptr ss:[ebp+8]
0299F945 52 push edx
0299F946 6A FF push -1
0299F948 8B45 0C mov eax,dword ptr ss:[ebp+C]
0299F94B 50 push eax
0299F94C 6A 00 push 0
0299F94E 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
0299F951 51 push ecx
0299F952 FF15 20319F02 call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------

The result is that critical structures are overwritten (SEH)
allowing to execute arbitrary code against the target browser.

As attachment, basic proof of concept code.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm

poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm