'TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCh'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCh
From:       nospam () gmail ! it
Date:       2012-03-28 17:16:15
Message-ID: 201203281716.q2SHGFG2009421 () sf01web3 ! securityfocus ! com
[Download RAW message or body]

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest


Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True


Vulnerability:
This ActiveX control exposed the vulnerable
OpenFileDlg() method, see typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
        /* VT_BSTR [8] [in] */ $sFilter
        )
{
        /* method OpenFileDlg */
}
..

By invoking this method with an overlong argument is possible
to overflow a buffer. This is because of an insecure 
WideCharToMultiByte() call inside UltraMJCamX.ocx:


Call stack of main thread
Address    Stack      Procedure / arguments                                           \
Called from                   Frame 001279FC   77E6F20B   kernel32.77E637DE           \
kernel32.77E6F206             00127A0C 00127A10   0299F958   \
kernel32.WideCharToMultiByte                                                          \
UltraMJC.0299F952             00127A0C 00127A14   00000003     CodePage = 3
00127A18   00000000     Options = 0
00127A1C   03835C5C     WideCharStr = \
"&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
 00127A20   FFFFFFFF     WideCharCount = FFFFFFFF (-1.)
00127A24   00127A50     MultiByteStr = 00127A50
00127A28   00007532     MultiByteCount = 7532 (30002.)
00127A2C   00000000     pDefaultChar = NULL
00127A30   00000000     pDefaultCharUsed = NULL
00127A3C   029B11D0   UltraMJC.0299F920                                               \
UltraMJC.029B11CB             00127A38


..
0299F934   8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937   C600 00          mov byte ptr ds:[eax],0
0299F93A   6A 00            push 0
0299F93C   6A 00            push 0
0299F93E   8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941   51               push ecx
0299F942   8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945   52               push edx
0299F946   6A FF            push -1
0299F948   8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B   50               push eax
0299F94C   6A 00            push 0
0299F94E   8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951   51               push ecx
0299F952   FF15 20319F02    call dword ptr ds:[<&KERNEL32.WideCharTo>; \
                kernel32.WideCharToMultiByte <------------
..

The result is that critical structures are overwritten (SEH)
allowing to execute arbitrary code against the target browser.
 
As attachment, basic proof of concept code.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm

poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic