
TRENDnet SecurView Wireless Network Camera TV-IP422WN (UltraCamX.ocx) Stack BoF

High
Advisory ID
ZSL-2014-5211
Release Date
25 November 2014
Vendor
Affected Version
TV-IP422WN/TV-IP422W
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Summary

The SecurView Wireless N Day/Night Pan/Tilt Internet Camera is a powerful dual-codec wireless network camera with a 2-way audio function that provides high-quality image and on-the-spot audio via the Internet connection.

Description

The UltraCam ActiveX Control 'UltraCamX.ocx' suffers from a stack buffer overflow vulnerability when a large number of bytes is passed to several functions in UltraCamLib, resulting in memory corruption that overwrites several registers, including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code.

    0:000> r
    eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
    eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
    UltraCamX!DllUnregisterServer+0xeb2b:
    100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
    0:000> !exchain
    0042eda8: 41414141
    Invalid exception stack at 41414141
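A crash-triage reading of the debugger output above, as an added example that is not part of the original advisory: it parses the register dump and `!exchain` listing and reports which values hold repeated input bytes. The names `is_filler` and `triage`, and the heuristic that one printable byte repeated four times means input-derived data, are assumptions of this example.

```python
import re

# Debugger output quoted from the advisory's Description (line breaks restored).
WINDBG_LOG = """\
0:000> r
eax=41414141 ebx=100ceff4 ecx=0042df38 edx=00487900 esi=00487a1c edi=0042e9fc
eip=100203fb esp=0042d720 ebp=0042e9a8 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
UltraCamX!DllUnregisterServer+0xeb2b:
100203fb 8b48e0 mov ecx,dword ptr [eax-20h] ds:002b:41414121=????????
0:000> !exchain
0042eda8: 41414141
Invalid exception stack at 41414141
"""

GP_REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "eip", "esp", "ebp")
REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
MEM_RE = re.compile(r"\[(e[a-z]{2})([+-])([0-9a-f]+)h\]\s+\w+:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)")
SEH_RE = re.compile(r"^([0-9a-f]{8}): ([0-9a-f]{8})\s*$", re.M)

def is_filler(value):
    """Assumed heuristic: one printable ASCII byte repeated four times."""
    raw = value.to_bytes(4, "little")
    return len(set(raw)) == 1 and 0x20 <= raw[0] < 0x7F

def triage(log):
    """Summarise which registers and SEH handlers hold input-derived filler."""
    regs = {n: int(v, 16) for n, v in REG_RE.findall(log) if n in GP_REGS}
    report = {"filler_regs": sorted(n for n, v in regs.items() if is_filler(v)),
              "fault": None, "seh_overwritten": []}
    mem = MEM_RE.search(log)
    if mem and mem.group(1) in regs:
        base, sign, disp, addr, content = mem.groups()
        offset = int(disp, 16) * (1 if sign == "+" else -1)
        report["fault"] = {
            "base": base,
            "address": int(addr, 16),
            # The faulting address must equal base register + displacement.
            "matches_base": (regs[base] + offset) & 0xFFFFFFFF == int(addr, 16),
            "readable": "?" not in content,
            "base_is_filler": is_filler(regs[base]),
        }
    tail = log.split("!exchain", 1)
    if len(tail) == 2:  # only lines after the !exchain command are SEH records
        report["seh_overwritten"] = [(int(rec, 16), int(h, 16))
            for rec, h in SEH_RE.findall(tail[1]) if is_filler(int(h, 16))]
    return report
```

On the advisory's output this flags `eax` as filler, confirms the unreadable address 41414121 is `eax-20h`, and lists the exception record at 0042eda8 as carrying an overwritten handler.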
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
25.11.2014 - Initial release
26.11.2014 - Added reference [3], [4] and [5]
27.11.2014 - Added reference [6]
02.12.2014 - Added reference [7] and [8]
21.12.2014 - Added reference [9]
17.01.2015 - Added reference [10] and [11]