← Advisories

COMMAX UMS Client ActiveX Control 1.7.0.2 (CNC_Ctrl.dll) Heap Buffer Overflow

High
Advisory ID
ZSL-2021-5664
Release Date
15 August 2021
Vendor
COMMAX Co., Ltd. - https://www.commax.com
Affected Version
1.7.0.2
CVE
N/A
Tested On
Microsoft Windows 10 Home (64bit) EN, Microsoft Internet Explorer 20H2
Summary

COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.

Description

The vulnerability is caused due to a boundary error in the processing of user input, which can be exploited to cause a heap based buffer overflow when a user inserts overly long array of string bytes through several functions. Successful exploitation could allow execution of arbitrary code on the affected node.

(5b1c.59e8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL - CNC_Ctrl!DllUnregisterServer+0x19e34: 10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=???????? 0:000:x86> r eax=00000001 ebx=10119db8 ecx=00000000 edx=81ff6f2e esi=058c0048 edi=00000001 eip=10028cf2 esp=030fcf10 ebp=030fe33c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 CNC_Ctrl!DllUnregisterServer+0x19e34: 10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=???????? 0:000:x86> !exchain 030feab4: 41414141 Invalid exception stack at 41414141 0:000:x86> d esp 030fcf10 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030fcf20 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030fcf30 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030fcf40 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030fcf50 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030fcf60 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030fcf70 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030fcf80 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0:000:x86> d ebp 030fe33c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 030fe34c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 030fe35c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 030fe36c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 030fe37c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 030fe38c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 030fe39c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa 030fe3ac 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa
Proof of Concept
commax_heap.txtTXT
Disclosure Timeline
02.08.2021Vulnerability discovered.
03.08.2021Vendor contacted.
04.08.2021Vendor contacted.
05.08.2021No response from the vendor.
06.08.2021Vendor contacted.
14.08.2021No response from the vendor.
15.08.2021Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2021-5663
[2]https://packetstormsecurity.com/files/163848
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/207579
[4]https://cert.civis.net/en/index.php?action=alert&param=CCN-207579
[5]https://cxsecurity.com/issue/WLB-2021080099
[6]https://www.exploit-db.com/exploits/50232
Changelog
15.08.2021Initial release
23.08.2021Added reference [2], [3] and [4]
09.09.2021Added reference [5] and [6]