Samsung NET-i ware 1.37 – Multiple Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： Luigi Auriemma
  日期： 2012-04-22
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18765/

• #######################################################################
  
   Luigi Auriemma
  
  Application:Samsung NET-i ware
  http://www.samsungsecurity.com/product/product_view.asp?idx=6447
  http://www.samsungsecurity.com/product/product_view.asp?idx=5828
  Versions: <= 1.37
  Platforms:Windows
  Bugs: A] Endless loop in remote services
  B] Code execution in ConnectDDNS ActiveX
  C] Stack overflow in BackupToAvi ActiveX
  Exploitation: remote
  Date: 21 Apr 2012
  Author: Luigi Auriemma
  e-mail: aluigi@autistici.org
  web:aluigi.org
  
  
  #######################################################################
  
  
  1) Introduction
  2) Bugs
  3) The Code
  4) Fix
  
  
  #######################################################################
  
  ===============
  1) Introduction
  ===============
  
  
  "Recording software for Samsung network cameras".
  
  
  #######################################################################
  
  =======
  2) Bugs
  =======
  
  
  ----------------------------------
  A] Endless loop in remote services
  ----------------------------------
  
  All the NET-i ware services are affected by an endless loop caused by
  the wrong handling of negative 32bit size fields.
  
  
  ----------------------------------------
  B] Code execution in ConnectDDNS ActiveX
  ----------------------------------------
  
  Code execution vulnerability in the ConnectDDNS method used by the
  following ActiveX components:
  - EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3
  - 17A7F731-C9EC-461C-B813-2F42A1BB58EB
  
  10022F80 8B02 MOV EAX,DWORD PTR DS:[EDX]
  10022F82 8B4D E8MOV ECX,DWORD PTR SS:[EBP-18]
  10022F85 FF10 CALL DWORD PTR DS:[EAX]
  
  The bug is not much reliable to replicate so I report it just for
  reference.
  No additional research performed.
  
  
  ----------------------------------------
  C] Stack overflow in BackupToAvi ActiveX
  ----------------------------------------
  
  Stack overflow in the BackupToAvi method used by the ActiveX components
  3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A and
  208650B1-3CA1-4406-926D-45F2DBB9C299.
  
  
  #######################################################################
  
  ===========
  3) The Code
  ===========
  
  
  A]
  http://aluigi.org/testz/udpsz.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip
  
  NiwMasterService:
  udpsz -b 0x80 -T SERVER 4505 0x28
  
  NiwStorageService:
  udpsz -T -c "REM" 0 -C 80808080 0x10 SERVER 4508 0x14
  
  B,C]
  http://aluigi.org/poc/netiware_1b.zip
  
  
  #######################################################################
  
  ======
  4) Fix
  ======
  
  
  No fix.
  
  
  #######################################################################