Message-Id: <201203281716.q2SHGFG2009421@sf01web3.securityfocus.com>
Date: Wed, 28 Mar 2012 17:16:15 GMT
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam
 ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer
 Overflow

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest


Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True


Vulnerability:
This ActiveX control exposes the vulnerable
OpenFileDlg() method; see the typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
        /* VT_BSTR [8] [in] */ $sFilter
        )
{
        /* method OpenFileDlg */
}
..

By invoking this method with an overlong argument, it is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:


Call stack of main thread
Address    Stack      Procedure / arguments          Called from         Frame
001279FC   77E6F20B   kernel32.77E637DE              kernel32.77E6F206   00127A0C
00127A10   0299F958   kernel32.WideCharToMultiByte   UltraMJC.0299F952   00127A0C
00127A14   00000003     CodePage = 3
00127A18   00000000     Options = 0
00127A1C   03835C5C     WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20   FFFFFFFF     WideCharCount = FFFFFFFF (-1.)
00127A24   00127A50     MultiByteStr = 00127A50
00127A28   00007532     MultiByteCount = 7532 (30002.)
00127A2C   00000000     pDefaultChar = NULL
00127A30   00000000     pDefaultCharUsed = NULL
00127A3C   029B11D0   UltraMJC.0299F920              UltraMJC.029B11CB   00127A38


..
0299F934   8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937   C600 00          mov byte ptr ds:[eax],0
0299F93A   6A 00            push 0
0299F93C   6A 00            push 0
0299F93E   8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941   51               push ecx
0299F942   8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945   52               push edx
0299F946   6A FF            push -1
0299F948   8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B   50               push eax
0299F94C   6A 00            push 0
0299F94E   8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951   51               push ecx
0299F952   FF15 20319F02    call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------
..

The result is that critical structures (SEH) are overwritten,
allowing arbitrary code to be executed in the target browser.

Basic proof of concept code is attached.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm

poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm
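
A bounds-checked form of the conversion shown in the trace, where a destination size of 30002 bytes is declared for a stack buffer. This is an added example, not code from the advisory or the vendor; FILTER_CAP, both function names, and the portable wcstombs() stand-in for WideCharToMultiByte() are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Assumed capacity of the fixed stack buffer; the advisory does not state it. */
#define FILTER_CAP 260

/* Convert src into dst, never writing more than dst_cap bytes.
 * wcstombs() stands in for WideCharToMultiByte(); with a NULL destination it
 * only reports the required length (POSIX and MSVC behaviour).
 * Returns bytes written without the terminator, or -1 on rejection. */
long convert_filter_checked(char *dst, size_t dst_cap, const wchar_t *src)
{
    size_t need;

    if (dst == NULL || src == NULL || dst_cap == 0)
        return -1;
    dst[0] = '\0';
    need = wcstombs(NULL, src, 0);      /* sizing pass, nothing is stored */
    if (need == (size_t)-1)             /* character not representable */
        return -1;
    if (need >= dst_cap)                /* no room for data plus terminator */
        return -1;
    if (wcstombs(dst, src, dst_cap) != need)
        return -1;
    dst[need] = '\0';
    return (long)need;
}

/* Hypothetical method body: the capacity handed down is sizeof the real
 * buffer, not an unrelated count chosen elsewhere. */
int open_file_dlg_filter(const wchar_t *sFilter)
{
    char filter[FILTER_CAP];

    if (convert_filter_checked(filter, sizeof filter, sFilter) < 0)
        return -1;                      /* overlong or invalid input rejected */
    return (int)strlen(filter);
}

int main(void)
{
    static wchar_t big[30002];          /* constructed input, 30001 characters */

    wmemset(big, L'&', 30001);
    printf("short: %d\n", open_file_dlg_filter(L"Images|*.jpg"));
    printf("overlong: %d\n", open_file_dlg_filter(big));
    return 0;
}
```

On Windows the same sizing pass is a WideCharToMultiByte() call with cbMultiByte set to 0, which returns the required byte count without writing.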
